4.0 Network Security

icon picker
4.4 Compare and contrast remote access methods and security implications

Last edited 405 days ago by Makiel [Muh-Keel]

Remote Access Security Methods

Remote access is great for users who work from home or travel frequently, but clearly, to a stalking hacker, using an unsecured remote access connection is like stealing candy from a baby.

Site-to-Site VPN

Site-to-Site VPNs allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like Frame Relay. This is probably the best solution for connecting a remote office to a main company office because all traffic that goes between the offices will be encrypted with no effort on the part of the users.
image.png

Client-to-Site VPN

Client-to-Site VPNs or Remote Access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to go from any device that has the VPN client correctly installed and configured on it.
It is typical that users can connect to the Internet but not to the office via their VPN client because they don't have the correct VPN address and password. This is the most common problem and one you should always check first. In this scenario only the traffic between the user and the office will go through the VPN tunnel
image.png

Clientless VPNs (SSL-VPNs) enables end users to securely access resources on the corporate network from anywhere using an SSL/TLS-enabled web browser. They need no remote access client to do this, only a browser that can perform SSL or the more secure TLS.
They are a subcategory of Client-to-Site VPNs.
SSL-VPNs create a virtual subnet to access company resources.
image.png
Split Tunnel vs. Full Tunnel When a client-to-site VPN is created it is possible to do so in two ways, split tunnel and full tunnel. The difference is whether the user use the VPN for connecting to the Internet as well as for connecting to the office.
Split Tunneling works by using two connections at the same time: the secure VPN connection and an open connection to the Internet. So in split tunneling, only traffic to the office goes through the VPN. Internet traffic does not. The security issue with this is that while the user is connected to the VPN, they are also connected to the most untrusted network, the Internet.
Full Tunneling all traffic goes through the VPN, which means the user is accessing the Internet through the connection of the office and so all traffic will be examined by the office security
image.png

VPN Protocols

Point-to-Point Tunneling

operates on TCP port 1723; Out of all the VPN protocols, PPTP is one of the most common, easiest to set up, and computationally fastest VPN protocol.
Useful for applications in which speed is paramount, like audio or video streaming, and on older, slower devices with more limited processors.
PPTP is also subject to serious security vulnerabilities
PPTP is now considered completely Obsolete.

IPsec/L2TP

are two VPN protocols often used in conjunction to provide strong encryption and authentication.
Used together, L2TP and IPsec are much more secure than PPTP (Point-to-Point Tunneling Protocol) but are still more suited for anonymization than for security.
L2TP (Layer-2 Tunneling Protocol) sometimes has problems with firewalls because of its use of UDP port 500, which some firewalls have been known to block.
L2TP was created as a direct upgrade to PPTP.
IPsec (Internet Protocol security) is a very flexible protocol for end-to-end security that authenticates and encrypts each individual IP packet in a given communication.
IPsec is used in a wide range of applications at the Internet Layer of the Internet Protocol suite.

Remote Desktop Connections

There are times when you need to make a remote connection to a machine to perform troubleshooting but you are miles away. Connectivity software is designed to allow you to make a connection to a machine, see the desktop, and perform any action you could perform if you were sitting in front of it
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft. It allows you to connect to another computer and run programs. RDP operates somewhat like Telnet, except instead of getting a command-line prompt as you do with Telnet, you get the actual graphical user interface (GUI) of the remote computer. Clients exist for most versions of Windows, and Macs now come with a preinstalled RDP client. RDP uses port tcp/3389.
RDP is an excellent tool for remote clients, allowing them to connect to their work computer from home, for example, and get their email or perform work on other applications without running or installing any of the software on their home computer.
RDP allows users to connect to a computer running Microsoft's Remote Desktop Services, but a remote computer must have the right kind of client software installed for this to happen.
RDP Gateway is a more secure version of RDP created by RouterHosting. Uses port tcp/3389 It is more secure than the public or MS version in the following ways:
You don't need to use a VPN. Using the SSL channel, RDP Gateway can tunnel directly to the remote server to increase the security of RDS.
No pass through a third-party website or service.
Native Windows Server service.
Can be combined with Network Access Protection.
Can be used along with Microsoft Internet Security and Acceleration (ISA), the Microsoft implementation of RADIUS.

Secure Shell is a remote connection network protocol that is designed as an alternative to command-based utilities such as Telnet that transmit requests and responses in clear text. It creates a secure channel between the devices and provides confidentiality and integrity of the data transmission.
Uses tcp/22

Virtual Network Computing (VNC) is a remote desktop sharing system that uses the Remote Frame Buffer (RFB) protocol. It is platform independent (open propriety) and provides an experience much like Remote Desktop Protocol (RDP). Used mostly on Macintosh computer.
VNC includes the following components:
VNC server: Software that runs on the machine sharing its screen
VNC client (or viewer): Software on the machine that is remotely receiving the shared screen
VNC protocol (RDP)

Virtual Desktop is when users connect to a pre-built desktop assembled in the Cloud. This allows for the user desktop to require less computing power, especially if the applications are also delivered virtually and those applications are running in a VM in the cloud rather than in the local desktop eating up local resources. Another benefit of using virtual desktops is the ability to maintain a consistent user environment (same desktop, applications, etc.), which can enhance user support.

Authentication and Authorization Considerations

Remote Access requires MORE security, not less. Accessing a device remotely can be a significant security concern. The most effective way to control both authentication of remote users and the application of their permissions is to provision an AAA server.
Once connected, access rights and privileges should be limited. Authorization is very Key here.

In-Band and Out-of-Band Management

Out-of-Band Management You’re going to have many different infrastructure devices at these remote sites and if you lose your primary internet connections to these remote sites, you’re going to need a way to still management those systems.
An example of this technology is Integrated Lights-Out, or iLO, a technology embedded into HP servers that allows for out-of-band management of the server. The physical connection is an Ethernet port that will be on the server and will be labeled ILO.
This will allow you to still manage the infrastructure device and get around any outages.
Console Routers/Communication Servers can be installed to connect to multiple infrastructure devices that are offline or not connected to the network. Allows you to connect to the Comm Server first and once connected, you’d connect to the serial interface on all infrastructure devices.


Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.