Remote access enables users outside a network to have network access and privileges as if they were inside the network. Being outside a network means that the user is working on a machine that is not physically connected to the network and must therefore establish a connection through a remote means, such as dialing in, connecting via the Internet, or connecting through a wireless connection. A user accessing resources from the Internet through an Internet service provider (ISP) is also connecting remotely to the resources via the Internet.

Authentication is the process of establishing a user’s identity to enable the granting of permissions. To establish network connections, a variety of methods are used, which depend on network type, the hardware and software employed, and any security requirements. Microsoft Windows has a specific server component called the Remote Access Service (RAS) that is designed to facilitate the management of remote access connections through dial-up modems. Cisco has implemented a variety of remote access methods through its networking hardware and software. UNIX systems also have built-in methods to enable remote access.
The Remote Access Process
The process of connecting by remote access involves two elements: a temporary network connection and a series of protocols to negotiate privileges and commands. The temporary network connection can occur via a dial-up service, the Internet, wireless access, or any other method of connecting to a network. Once the connection is made, the primary issue is authenticating the identity of the user and establishing proper privileges for that user. This is accomplished using a combination of protocols and the operating system on the host machine.
The three steps in the establishment of proper privileges are authentication, authorization, and accounting (AAA). Authentication is the matching of user-supplied credentials to previously stored credentials on a host machine, and it usually involves an account username and password. Once the user is authenticated, the authorization step takes place. Authorization is the granting of specific permissions based on the privileges held by the account. Does the user have permission to use the network at this time, or is her use restricted? Does the user have access to specific applications, such as mail and FTP, or are some of these restricted? These checks are carried out as part of authorization, and in many cases this is a function of the operating system in conjunction with its established security policies. A last function, accounting, is the collection of billing and other detail records. Network access is often a billable function, and a log of how much time, bandwidth, file transfer space, or other resources were used needs to be maintained. Other accounting functions include keeping detailed security logs to maintain an audit trail of tasks being performed. All of these standard functions are part of normal and necessary overhead in maintaining a computer system, and the protocols used in remote access provide the necessary input for these functions.

By using encryption, remote access protocols can securely authenticate and authorize a user according to previously established privilege levels. The authorization phase can keep unauthorized users out, but after that, encryption of the communications channel becomes very important in preventing nonauthorized users from breaking in on an authorized session and hijacking an authorized user’s credentials. As more and more networks rely on the Internet for connecting remote users, the need for and importance of remote access protocols and secure communication channels will continue to grow.

When a user dials in to the Internet through an ISP, this is similarly a case of remote access—the user is establishing a connection to her ISP’s network, and the same security issues apply. The issue of authentication, the matching of user-supplied credentials to previously stored credentials on a host machine, is usually done via a user account name and password. Once the user is authenticated, the authorization step takes place.

Access controls define what actions a user can perform or what objects a user is allowed to access. Access controls are built upon the foundation of elements designed to facilitate the matching of a user to a process. These elements are identification, authentication, and authorization.

Identification

Identification is the process of ascribing a computer ID to a specific user, computer, network device, or computer process. The identification process is typically performed only once, when a user ID is issued to a particular user. User identification enables authentication and authorization to form the basis for accountability. For accountability purposes, user IDs should not be shared, and for security purposes, they should not be descriptive of job function. This practice enables you to trace activities to individual users or computer processes so that they can be held responsible for their actions. Identification usually takes the form of a logon ID or user ID. A required characteristic of such IDs is that they must be unique.
Authentication

Authentication is the process of binding a specific ID to a specific computer connection. Historically, three categories are used to authenticate the identity of a user. Originally published by the U.S. government in one of the Rainbow series manuals on computer security, these categories are

These methods can be used individually or in combination. These controls assume that the identification process has been completed and the identity of the user has been verified. It is the job of authentication mechanisms to ensure that only valid users are admitted. Described another way, authentication is using some mechanism to prove that you are who you claimed to be when the identification process was completed.

The most common method of authentication is the use of a password. For greater security, you can add an element from a separate group, such as a smart card token—something a user has in her possession. Passwords are common because they are one of the simplest forms and use memory as a prime component. Because of their simplicity, passwords have become ubiquitous across a wide range of systems.
Another method to provide authentication involves the use of something that only valid users should have in their possession. A physical-world example of this would be a simple lock and key. Only those individuals with the correct key will be able to open the lock and thus gain admittance to a house, car, office, or whatever the lock was protecting.

EXAM TIP The use of a token is a common method of using “something

A similar method can be used to authenticate users for a computer system or network (though the key may be electronic and could reside on a smart card or similar device). The problem with this technology, however, is that people do lose their keys (or cards), which means they can’t log in to the system and somebody else who finds the key may then be able to access the system, even though they are not authorized. To address this problem, a combination of the something-you-know/something-you-have methods is often used so that the individual with the key can also be required to provide a password or passcode. The key is useless unless you know this code.
The third general method to provide authentication involves something that is unique about you. We are accustomed to this concept in our physical world, where our fingerprints or a sample of our DNA can be used to identify us. This same concept can be used to provide authentication in the computer world. The field of authentication that uses something about you or something that you are is known as biometrics. A number of different mechanisms can be used to accomplish this type of authentication, such as a fingerprint, iris scan, retinal scan, or hand geometry. All of these methods obviously require some additional hardware in order to operate. The inclusion of fingerprint readers on laptop computers is becoming common as the additional hardware is becoming cost effective.

While these three approaches to authentication appear to be easy to understand and in most cases easy to implement, authentication is not to be taken lightly, since it is such an important component of security. Potential attackers are constantly searching for ways to get past the system’s authentication mechanism, and they have employed some fairly ingenious methods to do so. Consequently, security professionals are constantly devising new methods, building on these three basic approaches, to provide authentication mechanisms for computer systems and networks.

Kerberos
Developed as part of MIT’s Project Athena, Kerberos is a network authentication protocol designed for a client/server environment. The current version is Kerberos Version 5 release 1.6.3 and is supported by all major operating systems. Kerberos securely passes a symmetric key over an insecure network using the Needham-Schroeder symmetric key protocol. Kerberos is built around the idea of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an authentication server (AS) and a ticket granting server (TGS). Kerberos communicates via “tickets” that serve to prove the identity of users.

Taking its name from the three-headed dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently insecure environment. Kerberos uses strong encryption so that a client can prove its identity to a server and the server can in turn authenticate itself to the client. A complete Kerberos environment is referred to as a Kerberos realm. The Kerberos server contains user IDs and hashed passwords for all users that will have authorizations to realm services. The Kerberos server also has shared secret keys with every server to which it will grant access tickets.

The basis for authentication in a Kerberos environment is the ticket. Tickets are used in a two-step process with the client. The first ticket is a ticket-granting ticket issued by the AS to a requesting client. The client can then present this ticket to the Kerberos server with a request for a ticket to access a specific server. This client-to-server ticket is used to gain access to a server’s service in the realm. Since the entire session can be encrypted, this will eliminate the inherently insecure transmission of items such as a password that can be intercepted on the network. Tickets are time-stamped and have a lifetime, so attempting to reuse a ticket will not be successful.
To illustrate how the Kerberos authentication service works, think about the common driver’s license. You have received a license that you can present to other entities to prove you are who you claim to be. Because other entities trust the state in which the license was issued, they will accept your license as proof of your identity. The state in which the license was issued is analogous to the Kerberos authentication service realm and the license acts as a client to server ticket. It is the trusted entity both sides rely on to provide valid identifications. This analogy is not perfect, because we all probably have heard of individuals who obtained a phony driver’s license, but it serves to illustrate the basic idea behind Kerberos.
Certificates

Certificates are a method of establishing authenticity of specific objects such as an individual’s public key or downloaded software. A digital certificate is generally an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. The digital certificate can also contain a key that can be used to encrypt future communication. For more information on this subject, refer to Chapter 5.
Tokens

A token is a hardware device that can be used in a challenge/response authentication process. In this way, it functions as both a something-you-have and something-you-know authentication mechanism. Several variations on this type of device exist, but they all work on the same basic principles. The device has an LCD screen and may or may not have a numeric keypad. Devices without a keypad will display a password (often just a sequence of numbers) that changes at a constant interval, usually about every 60 seconds. When an individual attempts to log in to a system, he enters his own user ID number and then the number that is showing on the LCD. These two numbers are either entered separately or concatenated. The user’s own ID number is secret and this prevents someone from using a lost device. The system knows which device the user has and is synchronized with it so that it will know the number that should have been displayed. Since this number is constantly changing, a potential attacker who is able to see the sequence will not be able to use it later, since the code will have changed.
Devices with a keypad work in a similar fashion (and may also be designed to function as a simple calculator). The individual who wants to log in to the system will first type his personal identification number into the calculator. He will then attempt to log in. The system will then provide a challenge; the user must enter that challenge into the calculator and press a special function key. The calculator will then determine the correct response and display it. The user provides the response to the system he is attempting to log in to, and the system verifies that this is the correct response. Since each user has a different PIN, two individuals receiving the same challenge will have different responses. The device can also use the date or time as a variable for the response calculation so that the same challenge at different times will yield different responses, even for the same individual.

Multifactor

Multifactor is a term that describes the use of more than one authentication mechanism at the same time. An example of this is the hardware token, which requires both a personal ID number (PIN) or password and the device itself to determine the correct response in order to authenticate to the system. This means that both the something-you-have and something-you-know mechanisms are used as factors in verifying authenticity of the user. Biometrics are also often used in conjunction with a PIN so that they, too, can be used as part of a multifactor authentication scheme, in this case something you are as well as something you know. The purpose of multifactor authentication is to increase the level of security, since more than one mechanism would have to be spoofed in order for an unauthorized individual to gain access to a computer system or network. The most common example of multifactor security is the common ATM card most of us carry in our wallets. The card is associated with a PIN that only the authorized holder should know. Knowing the PIN without having the card is useless, just as having the card without knowing the PIN will also not provide you access to your account.

EXAM TIP The required use of more than one authentication system is known as multifactor authentication. The most common example is the combination of password with a hardware token. For high security, three factors can be used: password, token, and biometric.
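The two token designs described above (the keypad-less display code and the keypad challenge/response) together with the PIN-plus-device multifactor check, as an added example that is not from the book. The shared seed, the 6-digit code, the 60-second interval and the one-interval drift tolerance are assumptions; real products differ.

```python
"""Simulated hardware token: the keypad-less time-synchronised display code
and the keypad challenge/response code described in the text. Added example,
not from the book. Assumptions: a seed shared between device and server, a
6-digit code, a 60-second interval, and a tolerance of one interval of clock
drift; real products differ in all of these."""
import hashlib
import hmac
import struct

INTERVAL = 60   # "changes at a constant interval, usually about every 60 seconds"
DIGITS = 6


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Reduce a MAC to a short decimal code (dynamic truncation as in RFC 4226:
    31 bits taken at an offset selected by the MAC's last nibble)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def display_code(seed: bytes, now: int) -> str:
    """Code on a token without a keypad: only the shared seed and the current
    interval go in, so the code changes by itself and a code that was seen expires."""
    counter = struct.pack(">Q", now // INTERVAL)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest())


def challenge_response(seed: bytes, pin: str, challenge: str, now: int) -> str:
    """Code from a keypad token: the PIN typed into the device, the server's
    challenge and the interval all feed the MAC, so two users given the same
    challenge produce different responses, and so does the same user later."""
    msg = pin.encode() + b"|" + challenge.encode() + b"|" + struct.pack(">Q", now // INTERVAL)
    return _truncate(hmac.new(seed, msg, hashlib.sha1).digest())


class TokenServer:
    """Server side: knows which device (seed) and secret ID number (PIN) each
    user has and is time-synchronised with the device."""

    def __init__(self, users: dict):
        self.users = users   # user_id -> (seed, pin); constructed for the example

    @staticmethod
    def _window(now: int):
        # accept the previous, current and next interval (drift tolerance; assumption)
        return (now - INTERVAL, now, now + INTERVAL)

    def verify_display(self, user_id: str, submitted: str, now: int) -> bool:
        """Keypad-less login: the user submits secret ID number + displayed code
        concatenated, so a found device alone is not enough."""
        entry = self.users.get(user_id)
        if entry is None or not submitted.startswith(entry[1]):
            return False
        seed, pin = entry
        code = submitted[len(pin):]
        return any(hmac.compare_digest(code, display_code(seed, t)) for t in self._window(now))

    def verify_challenge(self, user_id: str, challenge: str, response: str, now: int) -> bool:
        """Keypad login: recompute the response the device should have shown."""
        entry = self.users.get(user_id)
        if entry is None:
            return False
        seed, pin = entry
        return any(hmac.compare_digest(response, challenge_response(seed, pin, challenge, t))
                   for t in self._window(now))
```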
Mutual Authentication

Mutual authentication describes a process in which each side of an electronic communication verifies the authenticity of the other. We are accustomed to the idea of having to authenticate ourselves to our ISP before we access the Internet, generally through the use of a user ID/password pair, but how do we actually know that we are really communicating with our ISP and not some other system that has somehow inserted itself into our communication (a man-in-the-middle attack)? Mutual authentication would provide a mechanism for each side of a client/server relationship to verify the authenticity of the other to address this issue.
Authorization

Authorization is the process of permitting or denying access to a specific resource. Once identity is confirmed via authentication, specific actions can be authorized or denied. Many types of authorization schemes are used, but the purpose is the same: determine whether a given user who has been identified has permissions for a particular object or resource being requested. This functionality is frequently part of the operating system and is transparent to users.

The separation of tasks, from identification to authentication to authorization, has several advantages. Many methods can be used to perform each task, and on many systems several methods are concurrently present for each task. Separation of these tasks into individual elements allows combinations of implementations to work together. Any system or resource, be it hardware (router or workstation) or a software component (database system), that requires authorization can use its own authorization method once authentication has occurred. This makes for efficient and consistent application of these principles.
IEEE 802.1X

IEEE 802.1X is an authentication standard that supports communications between a user and an authorization device, such as an edge router. IEEE 802.1X is used by all types of networks, including Ethernet, token ring, and wireless. This standard describes methods used to authenticate a user prior to granting access to an authentication server, such as a RADIUS server. 802.1X acts through an intermediate device, such as an edge switch, enabling ports to carry normal traffic if the connection is properly authenticated. This prevents unauthorized clients from accessing the publicly available ports on a switch, keeping unauthorized users out of a LAN. Until a client has successfully authenticated itself to the device, only Extensible Authentication Protocol over LAN (EAPOL) traffic is passed by the switch.

EAPOL is an encapsulated method of passing EAP messages over 802 frames. EAP is a general protocol that can support multiple methods of authentication, including one-time passwords, Kerberos, public keys, and security device methods such as smart cards. Once a client successfully authenticates itself to the 802.1X device, the switch opens ports for normal traffic. At this point, the client can communicate with the system’s AAA method, such as a RADIUS server, and authenticate itself to the network.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a protocol that was developed originally by Livingston Enterprises (acquired by Lucent) as an AAA protocol. It was submitted to the Internet Engineering Task Force (IETF) as a series of RFCs: RFC 2058 (RADIUS specification), RFC 2059 (RADIUS accounting standard), and updated RFCs 2865–2869 are now standard protocols. The IETF AAA Working Group has proposed extensions to RADIUS (RFC 2882) and a replacement protocol, DIAMETER (Internet Draft DIAMETER Base Protocol).

RADIUS is designed as a connectionless protocol utilizing User Datagram Protocol (UDP) as its transport level protocol. Connection type issues, such as timeouts, are handled by the RADIUS application instead of the transport layer. RADIUS utilizes UDP ports 1812 for authentication and authorization and 1813 for accounting functions (see Table 9-1 in the “Chapter Review” section).

RADIUS is a client/server protocol. The RADIUS client is typically a network access server (NAS). The RADIUS server is a process or daemon running on a UNIX or Windows Server machine. Communications between a RADIUS client and RADIUS server are encrypted using a shared secret that is manually configured into each entity and not shared over a connection. Hence, communications between a RADIUS client (typically a NAS) and a RADIUS server are secure, but the communications between a user (typically a PC) and the RADIUS client are subject to compromise. This is important to note, for if the user’s machine (the PC) is not the RADIUS client (the NAS), then communications between the PC and the NAS are typically not encrypted and are passed in the clear.

RADIUS Authentication

The RADIUS protocol is designed to allow a RADIUS server to support a wide variety of methods to authenticate a user. When the server is given a username and password, it can support Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), UNIX login, and other mechanisms, depending on what was established when the server was set up. A user login authentication consists of a query (Access-Request) from the RADIUS client and a corresponding response (Access-Accept or Access-Reject) from the RADIUS server, as you can see in Figure 9-1.

The Access-Request message contains the username, encrypted password, NAS IP address, and port. The message also contains information concerning the type of session the user wants to initiate. Once the RADIUS server receives this information, it searches its database for a match on the username. If a match is not found, either a default profile is loaded or an Access-Reject reply is sent. If the entry is found or the default profile is used, the next phase involves authorization, for in RADIUS, these steps are performed in sequence. Figure 9-1 shows the interaction between a user and the RADIUS client and RADIUS server and the steps taken to make a connection.
1. A user initiates PPP authentication to the NAS.
2. The NAS prompts for
   a. a username and password (if PAP), or
   b. a challenge (if CHAP).
3. The user replies with credentials.
4. The RADIUS client sends the username and encrypted password to the RADIUS server.
5. The RADIUS server responds with Accept, Reject, or Challenge.
6. The RADIUS client acts upon services requested by the user.

Figure 9-1 RADIUS communication sequence
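The Access-Request and Access-Accept/Access-Reject exchange of Figure 9-1 carried in the actual RADIUS wire format, as an added example that is not from the book. It follows the RFC 2865 packet layout and User-Password hiding; the user name, password, shared secret and NAS address are constructed, and the reply carries no attributes.

```python
"""RADIUS Access-Request / Access-Accept exchange at the byte level, following
the RFC 2865 packet layout: Code, Identifier, Length, 16-byte Authenticator,
attributes. Added example, not from the book; the user name, password, shared
secret and NAS address are constructed. Only the attributes named in the text
are built, and the reply carries no attributes."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        alen = data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): pad with NULs to 16-byte blocks, XOR
    the first block with MD5(secret + Request Authenticator) and each later block
    with MD5(secret + previous ciphertext block)."""
    if len(password) > 128:
        raise ValueError("password too long for User-Password")
    pad_len = -len(password) % 16
    padded = password + b"\x00" * pad_len if password else b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same scheme: the shared secret plus the Request
    Authenticator recover the password, so the NAS-to-server link is protected
    by that secret alone."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(user: str, password: str, secret: bytes, ident: int,
                   nas_ip: str, nas_port: int):
    """Client (NAS) side: returns the packet and the random Request
    Authenticator, which the client must keep to check the reply."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: look the user up, compare the recovered password, and answer
    with Accept or Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()


def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client check: a reply whose Response Authenticator does not verify was not
    produced by a holder of the shared secret and must be discarded."""
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```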
RADIUS Authorization

In the RADIUS protocol, the authentication and authorization steps are performed together in response to a single Access-Request message, although they are sequential steps (see Figure 9-1). Once an identity has been established, either known or default, the authorization process determines what parameters are returned to the client. Typical authorization parameters include the service type allowed (shell or framed), the protocols allowed, the IP address to assign to the user (static or dynamic), and the access list to apply or static route to place in the NAS routing table. These parameters are all defined in the configuration information on the RADIUS client and server during setup. Using this information, the RADIUS server returns an Access-Accept message with these parameters to the RADIUS client.

RADIUS Accounting

The RADIUS accounting function is performed independently of RADIUS authentication and authorization. The accounting function uses a separate UDP port, 1813 (see Table 9-1 in the “Chapter Review” section). The primary functionality of RADIUS accounting was established to support ISPs in their user accounting, and it supports typical accounting functions for time billing and security logging. The RADIUS accounting functions are designed to allow data to be transmitted at the beginning and end of a session, and it can indicate resource utilization, such as time, bandwidth, and so on.

When RADIUS was first designed in the mid 1990s, the role of ISP NASs was relatively simple. Allowing and denying access to a network and timing usage were the major concerns. Today, the Internet and its access methods have changed dramatically, and so have the AAA requirements. As individual firms extended RADIUS to meet these needs, interoperability became an issue, and a new AAA protocol called DIAMETER, designed to address these issues in a comprehensive fashion, has been proposed and is entering the final stages of the Internet draft/RFC process.

DIAMETER

DIAMETER is a proposed name for the new AAA protocol suite, designated by the IETF to replace the aging RADIUS protocol. DIAMETER operates in much the same way as RADIUS in a client/server configuration, but it improves upon RADIUS, resolving discovered weaknesses. DIAMETER is a TCP-based service and has more extensive capabilities in authentication, authorization, and accounting. DIAMETER is also designed for all types of remote access, not just modem pools. As more and more users adopt broadband and other connection methods, these newer services require more options to determine permissible usage properly and to account for and log the usage. DIAMETER is designed with these needs in mind.

DIAMETER also has an improved method of encrypting message exchanges to prohibit replay and man-in-the-middle attacks. Taken all together, DIAMETER, with its enhanced functionality and security, is an improvement on the proven design of the old RADIUS standard.
TACACS+

The Terminal Access Controller Access Control System+ (TACACS+) protocol is the current generation of the TACACS family. Originally TACACS was developed by BBN Planet Corporation for MILNET, an early military network, but it has been enhanced by Cisco and expanded twice. The original BBN TACACS system provided a combination process of authentication and authorization. Cisco extended this to Extended Terminal Access Controller Access Control System (XTACACS), which provided for separate authentication, authorization, and accounting processes. The current generation, TACACS+, has extended attribute control and accounting processes.

One of the fundamental design aspects is the separation of authentication, authorization, and accounting in this protocol. Although there is a straightforward lineage of these protocols from the original TACACS, TACACS+ is a major revision and is not backward-compatible with previous versions of the protocol series.

TACACS+ uses TCP as its transport protocol, typically operating over TCP port 49. This port is used for the login process and is reserved in the assigned numbers RFC, RFC 3232, manifested in a database from IANA. In the IANA specification, both UDP and TCP port 49 are reserved for TACACS login host protocol (see Table 9-1 in the “Chapter Review” section).

TACACS+ is a client/server protocol, with the client typically being a NAS and the server being a daemon process on a UNIX, Linux, or Windows server. This is important to note, for if the user’s machine (usually a PC) is not the client (usually a NAS), then communications between PC and NAS are typically not encrypted and are passed in the clear. Communications between a TACACS+ client and TACACS+ server are encrypted using a shared secret that is manually configured into each entity and is not shared over a connection. Hence, communications between a TACACS+ client (typically a NAS) and a TACACS+ server are secure, but the communications between a user (typically a PC) and the TACACS+ client are subject to compromise.
TACACS+ Authentication

TACACS+ allows for arbitrary length and content in the authentication exchange sequence, enabling many different authentication mechanisms to be used with TACACS+ clients. Authentication is optional and is determined as a site-configurable option. When authentication is used, common forms include PPP PAP, PPP CHAP, PPP EAP, token cards, and Kerberos. The authentication process is performed using three different packet types: START, CONTINUE, and REPLY. START and CONTINUE packets originate from the client and are directed to the TACACS+ server. The REPLY packet is used to communicate from the TACACS+ server to the client.

The authentication process is illustrated in Figure 9-2, and it begins with a START message from the client to the server. This message may be in response to an initiation from a PC connected to the TACACS+ client. The START message describes the type of authentication being requested (simple plaintext password, PAP, CHAP, and so on). This START message may also contain additional authentication data, such as username and password. A START message is also sent as a response to a restart request from the server in a REPLY message. A START message always has its sequence number set to 1.

When a TACACS+ server receives a START message, it sends a REPLY message. This REPLY message will indicate whether the authentication is complete or needs to be continued. If the process needs to be continued, the REPLY message also specifies what additional information is needed. The response from a client to a REPLY message requesting additional data is a CONTINUE message. This process continues until the server has all the information needed, and the authentication process concludes with a success or failure.

Figure 9-2 TACACS+ communication sequence
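The START / REPLY / CONTINUE sequence of Figure 9-2 carried in the actual TACACS+ wire format, as an added example that is not from the book. It uses the RFC 8907 header and MD5 pseudo-pad body obfuscation; the key, session id, user name and password are constructed, and the toy server only implements the ASCII login method.

```python
"""TACACS+ authentication session (START -> REPLY -> CONTINUE -> REPLY) with
the 12-byte header and the MD5 pseudo-pad body obfuscation of RFC 8907. Added
example, not from the book; the key, session id, user name and password are
constructed, and the server only knows the ASCII login method."""
import hashlib
import struct

VERSION = 0xC0                           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
LOGIN, ASCII, SVC_LOGIN = 0x01, 0x01, 0x01
PASS, FAIL, GETPASS = 0x01, 0x02, 0x05   # REPLY status values used here


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and
    truncated to the body length. The pad differs per packet because seq_no does."""
    sid, vs = struct.pack("!I", session_id), bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + vs + prev).digest()
        pad += prev
    return pad[:length]


def encode(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """Header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    hidden = bytes(a ^ b for a, b in zip(body, pad))
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body)) + hidden


def decode(packet: bytes, key: bytes):
    """XOR with the same pad recovers the body; returns (type, seq_no, session_id, body)."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != VERSION or len(packet) != 12 + length:
        raise ValueError("bad TACACS+ header")
    pad = pseudo_pad(session_id, key, seq_no, length)
    return ptype, seq_no, session_id, bytes(a ^ b for a, b in zip(packet[12:], pad))


def start_body(user: str, port: str = "tty0", rem_addr: str = "") -> bytes:
    """START: action, priv_lvl, authen_type, authen_service, four lengths, then the fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", LOGIN, 1, ASCII, SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r


def reply_body(status: int, server_msg: bytes = b"") -> bytes:
    """REPLY: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def continue_body(user_msg: bytes) -> bytes:
    """CONTINUE: user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def server_reply(body: bytes, seq_no: int, users: dict, state: dict) -> bytes:
    """Minimal server policy: the START (always seq 1) names the user and is
    answered with GETPASS; the CONTINUE carrying the password gets PASS or FAIL."""
    if seq_no == 1:
        user_len = body[4]
        state["user"] = body[8:8 + user_len].decode()
        return reply_body(GETPASS, b"Password: ")
    msg_len = struct.unpack("!H", body[:2])[0]
    password = body[5:5 + msg_len]
    return reply_body(PASS if users.get(state.get("user")) == password else FAIL)


def run_login(user: str, password: bytes, users: dict, key: bytes, session_id: int) -> list:
    """Drive one session through the wire format in both directions and return
    the (seq_no, status) of every REPLY the client decoded."""
    state, trace = {}, []
    pkt = encode(TAC_PLUS_AUTHEN, 1, session_id, key, start_body(user))
    while True:
        _, seq_no, sid, body = decode(pkt, key)              # server decodes the client packet
        reply = server_reply(body, seq_no, users, state)
        rpkt = encode(TAC_PLUS_AUTHEN, seq_no + 1, sid, key, reply)
        _, rseq, _, rbody = decode(rpkt, key)                # client decodes the REPLY
        trace.append((rseq, rbody[0]))
        if rbody[0] != GETPASS:
            return trace
        pkt = encode(TAC_PLUS_AUTHEN, rseq + 1, sid, key, continue_body(password))
```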
TACACS+ Authorization

Authorization is defined as the action associated with determining permission associated with a user action. This generally occurs after authentication, as shown in Figure 9-3, but this is not a firm requirement. A default state of “unknown user” exists before a user is authenticated, and permissions can be determined for an unknown user. As with authentication, authorization is an optional process and may or may not be part of a site-specific operation. When it is used in conjunction with authentication, the authorization process follows the authentication process and uses the confirmed user identity as input in the decision process.

The authorization process is performed using two message types: REQUEST and RESPONSE. The authorization process is performed using an authorization session consisting of a single pair of REQUEST and RESPONSE messages. The client issues an authorization REQUEST message containing a fixed set of fields that enumerate the authenticity of the user or process requesting permission and a variable set of fields enumerating the services or options for which authorization is being requested.

The RESPONSE message in TACACS+ is not a simple yes or no; it can also include qualifying information, such as a user time limit or IP restrictions. These limitations have important uses, such as enforcing time limits on shell access or IP access list restrictions for specific user accounts.

TACACS+ Accounting

As with the two previous services, accounting is also an optional function of TACACS+. When utilized, it typically follows the other services. Accounting in TACACS+ is defined as the process of recording what a user or process has done. Accounting can serve two important purposes:

• It can be used to account for services being utilized, possibly for billing purposes.
• It can be used for generating security audit trails.

TACACS+ accounting records contain several pieces of information to support these tasks. The accounting process has the information revealed in the authorization and authentication processes, so it can record specific requests by user or process. To support this functionality, TACACS+ has three types of accounting records: START, STOP, and UPDATE. Note that these are record types, not message types as earlier discussed. START records indicate the time and user or process that began an authorized process. STOP records enumerate the same information concerning the stop times for specific actions. UPDATE records act as intermediary notices that a particular task is still being performed. Together these three record types allow the creation of records that delineate the activity of a user or process on a system.
Trang 14L2TP and PPTP
Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) are both OSI layer two tunneling protocols. Tunneling is the encapsulation of one packet within another, which allows you to hide the original packet from view or change the nature of the network transport. This can be done for both security and practical reasons.
From a practical perspective, assume that you are using TCP/IP to communicate between two machines. Your message may pass over various networks, such as an Asynchronous Transfer Mode (ATM) network, as it moves from source to destination. As the ATM protocol can neither read nor understand TCP/IP packets, something must be done to make them passable across the network. By encapsulating a packet as the payload in a separate protocol, so it can be carried across a section of a network, a mechanism called a tunnel is created. At each end of the tunnel, called the tunnel endpoints, the payload packet is read and understood. As it goes into the tunnel, you can envision your packet being placed in an envelope with the address of the appropriate tunnel endpoint on the envelope. When the envelope arrives at the tunnel endpoint, the original message (the tunnel packet’s payload) is re-created, read, and sent to its appropriate next stop. The information being tunneled is understood only at the tunnel endpoints; it is not relevant to intermediate tunnel points because it is only a payload.
PPP is a widely used protocol for establishing dial-in connections over serial lines or Integrated Services Digital Network (ISDN) services. PPP has several authentication mechanisms, including PAP, CHAP, and the Extensible Authentication Protocol (EAP). These protocols are used to authenticate the peer device, not a user of the system. PPP is a standardized Internet encapsulation of IP traffic over point-to-point links, such as serial lines. The authentication process is performed only when the link is established.
PPTP
Microsoft led a consortium of networking companies to extend PPP to enable the creation of virtual private networks (VPNs). The result was PPTP, a network protocol that enables the secure transfer of data from a remote PC to a server by creating a VPN across a TCP/IP network. This remote network connection can also span a public switched telephone network (PSTN) and is thus an economical way of connecting remote dial-in users to a corporate data network. The incorporation of PPTP into the Microsoft Windows product line provides a built-in secure method of remote connection using the operating system, and this has given PPTP a large marketplace footprint.
For most PPTP implementations, three computers are involved: the PPTP client, the NAS, and a PPTP server, as shown in Figure 9-3. The connection between the remote client and the network is established in stages, as illustrated in Figure 9-4. First the client makes a PPP connection to a NAS, typically an ISP. Once the PPP connection is established, a second connection is made over the PPP connection to the PPTP server. This second connection creates the VPN connection between the remote client and the PPTP server. This connection acts as a tunnel for future data transfers. Although these diagrams are drawn illustrating a telephone connection, this first link can be virtually any method. Common in hotels today are wired connections to the Internet. These wired connections to the hotel-provided local ISP replace the phone connection and offer the same services, albeit at a much higher data transfer rate.
As mentioned earlier in this chapter, tunneling is the process of sending packets as data within other packets across a section of a network. This encapsulation enables a network to carry a packet type that it cannot ordinarily route, and it also provides the opportunity to secure the contents of the first packet through encryption. PPTP establishes a tunnel from the remote PPTP client to the PPTP server and enables encryption within this tunnel. This provides a secure method of transport. To do this and still enable routing, an intermediate addressing scheme, Generic Routing Encapsulation (GRE), is used.
To establish the connection, PPTP uses communications across TCP port 1723 (see Table 9-1 in the “Chapter Review” section), so this port must remain open across the network firewalls for PPTP to be initiated. Although PPTP allows the use of any PPP authentication scheme, CHAP is used when encryption is specified to provide an appropriate level of security. For the encryption methodology, Microsoft chose the RSA RC4 cipher, either with a 40-bit or 128-bit session key length, and this is operating-system driven. Microsoft Point-to-Point Encryption (MPPE) is an extension to PPP that enables VPNs to use PPTP as the tunneling protocol.
Figure 9-3 PPTP communication diagram
Figure 9-4 PPTP message encapsulation during transmission
PPP
PPP is a commonly used data link protocol to connect devices. Defined in RFC 1661, PPP originally was created as an encapsulation protocol to carry IP traffic over point-to-point links. PPP has been extended upon with multiple RFCs to carry a variety of network traffic types over a variety of network types. PPP uses the Link Control Protocol (LCP) and Network Control Protocols (NCP) to establish the desired connections over a network.
EXAM TIP PPP supports three functions: 1) Encapsulate datagrams across serial links; 2) Establish, configure, and test links using LCP; and 3) Establish and configure different network protocols using NCP. PPP supports two authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
CHAP
CHAP is used to provide authentication across a point-to-point link using PPP. In this protocol, authentication after the link has been established is not mandatory. CHAP is designed to provide authentication periodically through the use of a challenge/response system sometimes described as a three-way handshake, as illustrated in Figure 9-5. The initial challenge (a randomly generated number) is sent to the client. The client uses a one-way hashing function to calculate what the response should be and then sends this back. The server compares the response to what it calculated the response should be. If they match, communication continues. If the two values don’t match, then the connection is terminated. This mechanism relies on a shared secret between the two entities so that the correct values can be calculated.
Microsoft has created two versions of CHAP, modified to increase their usability across their product line. MSCHAPv1, defined in RFC 2433, has been deprecated and dropped in Windows Vista. The current standard version 2, RFC 2759, was introduced with Windows 2000.
Figure 9-5 The CHAP challenge/response sequence
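The challenge/response sequence just described, worked through as an added example (not the book's own code): the response is the RFC 1994 MD5-CHAP digest over the identifier, the shared secret, and the challenge, so the secret itself never crosses the link, and a fresh challenge per attempt is what denies a recorded response any reuse. The peer name "remote-pc", its secret, and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response value = MD5(Identifier || shared secret || Challenge value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: holds each peer's shared secret and checks the responses it receives."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets          # constructed peer name -> secret table
        self._identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        # A new identifier and a fresh random challenge for every attempt, so a
        # response captured earlier cannot satisfy a later challenge.
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False                                  # unknown peer name
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)    # constant-time comparison

def run_exchange(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """One three-way handshake: Challenge, Response, then Success/Failure."""
    identifier, challenge = auth.challenge()                       # 1. server -> peer
    response = chap_response(identifier, peer_secret, challenge)   # 2. peer -> server
    return auth.verify(name, identifier, challenge, response)      # 3. server decides

def replay_is_rejected(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """A response recorded from one handshake fails against the next (periodic) challenge."""
    identifier, challenge = auth.challenge()
    recorded = chap_response(identifier, peer_secret, challenge)
    new_identifier, new_challenge = auth.challenge()               # periodic re-authentication
    return not auth.verify(name, new_identifier, new_challenge, recorded)

if __name__ == "__main__":
    auth = ChapAuthenticator({"remote-pc": b"s3cret"})             # constructed peer and secret
    print(run_exchange(auth, "remote-pc", b"s3cret"))              # True: secrets match
    print(run_exchange(auth, "remote-pc", b"wrong"))               # False: connection would be terminated
    print(replay_is_rejected(auth, "remote-pc", b"s3cret"))        # True
```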
PAP
PAP authentication involves a two-way handshake in which the username and password are sent across the link in clear text. PAP authentication does not provide any protection against playback and line sniffing. PAP is now a deprecated standard.
EAP
EAP is a universal authentication framework defined by RFC 3748 that is frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless and can be used for wired authentication, it is most often used in wireless LANs. EAP is discussed in Chapter 10.
L2TP
L2TP is also an Internet standard and came from the Layer Two Forwarding (L2F) protocol, a Cisco initiative designed to address issues with PPTP. Whereas PPTP is designed around PPP and IP networks, L2F, and hence L2TP, is designed for use across all kinds of networks including ATM and frame relay. Additionally, where PPTP is designed to be implemented in software at the client device, L2TP was conceived as a hardware implementation using a router or a special-purpose appliance. L2TP can be configured in software and is in Microsoft’s Routing and Remote Access Service (RRAS) servers, which use L2TP to create a VPN.
L2TP works in much the same way as PPTP, but it opens up several items for expansion. For instance, in L2TP, routers can be enabled to concentrate VPN traffic over higher bandwidth lines, creating hierarchical networks of VPN traffic that can be more efficiently managed across an enterprise. L2TP also has the ability to use IP Security (IPsec) and Data Encryption Standard (DES) as encryption protocols, providing a higher level of data security. L2TP is also designed to work with established AAA services such as RADIUS and TACACS+ to aid in user authentication, authorization, and accounting.
L2TP is established via UDP port 1701, so this is an essential port to leave open across firewalls supporting L2TP traffic. This port is registered with the Internet Assigned Numbers Authority (IANA), as is 1723 for PPTP (see Table 9-1 in the “Chapter Review” section). Microsoft supports L2TP in Windows 2000 and above, but because of the computing power required, most implementations will use specialized hardware (such as a Cisco router).
NT LAN Manager
NT LAN Manager (NTLM) is an authentication protocol designed by Microsoft for use with the Server Message Block (SMB) protocol. SMB is an application-level network protocol primarily used for sharing files and printers on Windows-based networks