Wednesday, July 21, 2010

Security | Remote Access | VPN

There are two essential security issues with remote access: authentication of the user, and the user's authorization to use particular services. One old and proven way of controlling dial-in access is call-back. In a call-back scheme, the caller dials into a remote access server and enters a log-in name and password. The remote access server then hangs up the modem connection and searches its database to authenticate the user. If the user is authenticated, the access server calls the user back at a predefined number, so the session is tied to a telephone line the legitimate user controls rather than to whatever line the caller happened to use. This method works for a telecommuter who always works at home, but naturally fails when the worker travels.

Although call-back could be improved (for example, the access server could be reprogrammed to dial a specific hotel telephone based on a preapproved travel itinerary), the industry has settled on a much more versatile security protocol: the Remote Authentication Dial-In User Service (RADIUS, RFC 2865). RADIUS is an important protocol in its own right; the following example describes how it works:


1. Using a modem, the user's PC dials in to a modem that is connected to a remote access server (RAS, also called the network access server or NAS).

2. Once this connection is completed, the user is prompted for the log-in name and password.

3. The access server hides the password and sends it, together with the log-in name, in an Access-Request to a centralized RADIUS server. In RADIUS itself only the password attribute is obscured (by XORing it with an MD5 keystream derived from a shared secret and a per-request random value); the log-in name and the other attributes travel in the clear. The RADIUS server recovers the password using the same shared secret and passes the credentials on to the appropriate security system module.

4. The security system module authenticates (or rejects) the caller. If authentication fails, the RADIUS server returns an Access-Reject and the caller is denied access to the network. Otherwise, the RADIUS server checks its database to find out which services the caller is authorized to use, including the specific protocols supported by the user's PC, such as Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP), and sends the authorization and the specifics of the applicable services to the access server in an Access-Accept. The RADIUS server may also send policing information (such as the data rate for carrying user data) to the access server, as well as filtering information that limits the caller's access to enterprise network resources (for example, the caller may be allowed to access e-mail, but not to change or even copy the contents of files). To ensure that the access server does not act on replies from unauthorized sources, every reply carries a Response Authenticator: an MD5 hash over the reply and the shared secret that the RADIUS server and the access server hold in common. A reply from a party that does not know the secret fails this check and is discarded.
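The exchange in steps 3 and 4 can be made concrete by simulating both ends in one process. The following is an added example written for this page, not code from the original post or from any RADIUS implementation: a hypothetical access server builds an Access-Request with the RFC 2865 User-Password hiding, a hypothetical RADIUS server recovers the password, consults a constructed user store standing in for the "security system module", answers with Access-Accept (carrying Framed-Protocol = PPP and a Filter-Id) or Access-Reject, and the access server verifies the Response Authenticator before trusting the reply. The shared secret, user record, NAS address and filter name are all made up for the example.

```python
"""Simulated RADIUS Access-Request / Access-Accept exchange (RFC 2865 framing).
Both the access server (NAS) and the RADIUS server run in-process; nothing is
sent on the wire. All secrets, users and addresses are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type codes from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, FILTER_ID, REPLY_MESSAGE = 6, 7, 11, 18
FRAMED_USER, PPP = 2, 1

SHARED_SECRET = b"constructed-shared-secret"  # assumption: provisioned on NAS and server

# Constructed stand-ins for the external security module and the authorization database
USER_DB = {b"alice": b"correct horse"}
AUTHZ_DB = {b"alice": [(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
                       (FRAMED_PROTOCOL, struct.pack("!I", PPP)),
                       (FILTER_ID, b"email-only")]}  # hypothetical filter name on the NAS


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chaining uses the *ciphertext* of the previous block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")  # strip the NUL padding (passwords may not end in NUL)


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, attr_bytes, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def nas_access_request(ident, username, password, secret):
    """Step 3: the NAS hides the password; the user name travels in the clear."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def radius_server(pkt, secret):
    """Step 4: authenticate via the user store, then attach the caller's authorizations."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME)
    ok = (code == ACCESS_REQUEST and user in USER_DB and USER_PASSWORD in a and
          hmac.compare_digest(reveal_password(a[USER_PASSWORD], secret, req_auth), USER_DB[user]))
    rcode, rattrs = (ACCESS_ACCEPT, AUTHZ_DB.get(user, [])) if ok \
        else (ACCESS_REJECT, [(REPLY_MESSAGE, b"access denied")])
    body = encode_attrs(rattrs)
    auth = response_authenticator(rcode, ident, body, req_auth, secret)
    return struct.pack("!BBH", rcode, ident, 20 + len(body)) + auth + body


def nas_check_response(resp, ident, req_auth, secret):
    """The NAS only acts on a reply whose Response Authenticator proves knowledge of the secret."""
    code, rid, auth, attrs = parse_packet(resp)
    if rid != ident:
        raise ValueError("identifier does not match an outstanding request")
    expected = response_authenticator(code, rid, resp[20:], req_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Response Authenticator: reply not from a holder of our secret")
    return code, attrs


def dial_in(username, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Whole exchange; a differing server_secret models a rogue or misconfigured server."""
    ident = 7
    req, req_auth = nas_access_request(ident, username, password, nas_secret)
    return nas_check_response(radius_server(req, server_secret), ident, req_auth, nas_secret)


if __name__ == "__main__":
    print(dial_in(b"alice", b"correct horse"))
    print(dial_in(b"alice", b"wrong"))
```

Two points a practitioner should take from the simulation. First, the hiding in step 3 protects only the password attribute; the user name, NAS address and every authorization attribute in the reply are readable to anyone on the path between access server and RADIUS server, and the Access-Request itself carries no integrity check unless the Message-Authenticator attribute of RFC 2869 is used, which is why RADIUS traffic is normally confined to a management network or carried over TLS. Second, the Response Authenticator is what stops a third party from answering in the server's place: in the example, a server holding a different secret produces a reply the NAS rejects before it looks at any attribute.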

Some networks may require multiple levels of passwords for resource access, in which case RADIUS may be involved in authorizing relevant access.

In the preceding description, the seemingly unnecessary references to the security system module (why would RADIUS itself not do that?) are actually essential to understanding the service: support for any specific security mechanism is not a function of RADIUS itself; instead, RADIUS interworks with whatever mechanism the site has deployed, from a local password file to a token or one-time-password system.
