ZDNet UK
Making sense of remote access

Allen V. Rouse MCSE, MCDBA, CCNA

Published: 10 Dec 2002 12:33 GMT


Setting up remote access servers and connections in Windows can be somewhat overwhelming and confusing if you don't understand the protocol configuration options involved. You have a number of remote access protocol options to choose from, and deciding which ones to use will depend on the functionality you need, your system configuration, and your hardware and communications capabilities. To help make sense of all these options, we'll take a look at the categories of protocols and the advantages and disadvantages of the various protocols within each one.

Categories and choices
First, you need to consider two distinct methods of remote access, each of which uses different protocols:

  • Dial-up
  • Virtual private networking (VPN)
Within each method, there are three basic categories for protocols:
  • Connectivity
  • Authentication
  • Data encryption
In making decisions about which protocol to use, you must remember two things. First, you want the best security you can provide for the remote session. You want authentication to be encrypted so that someone who is snooping cannot see it, and you want the data that is passed in the remote session to be encrypted for the same reason.

Second, older systems and their associated protocols are less capable in terms of encryption than newer systems, so you need to be aware of when you may have to use the older protocols and what you're giving up when you do.

Let's take a look at the protocols for dial-up connectivity, authentication, and encryption. Then, we will do the same for VPN remote access.

Dialing up a connection
Dial-up involves one modem connecting with another over the Public Switched Telephone Network (PSTN), creating a temporary, dedicated WAN link. There are three possible protocols for making the initial connection: Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), and Asynchronous NetBEUI (AsyBEUI). Table A explains their differences.

Table A: Dial-up connectivity

Point-to-Point Protocol (PPP)
  When used: PPP is almost always the protocol of choice for both server and client. It is required if encryption is to be used in the dial-up session.
  Notes: Supports TCP/IP as well as other LAN protocols such as IPX/SPX, AppleTalk, and DECnet.

Serial Line Internet Protocol (SLIP)
  When used: SLIP is used as a client in NT or Win2K only when necessary to connect to an older server that does not support PPP.
  Notes: Allows TCP/IP connections only and does not support WINS or DHCP.

Asynchronous NetBEUI (AsyBEUI)
  When used: This is a Microsoft proprietary remote access protocol used only for legacy systems such as early versions of Windows NT, Windows for Workgroups, or DOS.
  Notes: Supports only the NetBEUI LAN protocol.

Authenticating the user
Part of the dial-up process involves authentication, usually by providing a password. Since that password can be intercepted and used to gain unauthorized access, it should be encrypted using the strongest possible method that is supported by both the server and the client. It's important to remember that PPP is the only dial-up protocol that supports encryption. If you must use SLIP or AsyBEUI, the only authentication protocol you can use is PAP. Table B outlines the differences between the available authentication protocols.

Table B: Dial-up authentication

Password Authentication Protocol (PAP)
  When used: Used only when the server requires a plaintext password.
  Notes: This protocol passes the password without encryption and so is not secure.

Shiva Password Authentication Protocol (SPAP)
  When used: Developed as an improvement to PAP for use with Shiva LAN Rover products.
  Notes: Uses a very weak encryption scheme.

Challenge Handshake Authentication Protocol (CHAP)
  When used: Probably the most commonly used dial-up protocol for authentication.
  Notes: Uses reversibly encrypted passwords for greater security. However, the passwords are stored on the RAS server in plaintext.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 1
  When used: As a Microsoft proprietary protocol, MS-CHAP was developed for use with the Windows operating system.
  Notes: Similar to CHAP but allows storage of passwords on the server in encrypted format.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 2
  When used: As a Microsoft proprietary protocol, MS-CHAP was developed for use with the Windows operating system.
  Notes: Similar to MS-CHAP Version 1 but requires mutual authentication and different encryption keys when sending and receiving, and so is more secure than MS-CHAP v. 1.

Extensible Authentication Protocol (EAP)
  When used: EAP was designed as an extension to PPP to be able to use newer authentication methods such as one-time passwords, smart cards, or biometric techniques.
  Notes: There are two different types of EAP, and both the server and client must be using the same type:
    • EAP-MD5 CHAP: used primarily for password-based security.
    • EAP-TLS: used primarily for certificate-based security.
