Making sense of remote access
Published: 10 Dec 2002 12:33 GMT
Security for your data
Although it's important that passwords be encrypted in the authentication process, it's also desirable to encrypt the data that is transmitted after authentication takes place. You can provide data encryption using link encryption or end-to-end encryption. With link encryption, the data is encrypted only on the link (i.e., only to the remote access server); with end-to-end encryption, the data is encrypted from the client application to the server hosting the resource being accessed. In a Windows network, when using PPP for a dial-up connection, only one protocol is available for data encryption, the Microsoft Point-to-Point Encryption Protocol (MPPE), as shown in Table C.
Table C
VPN protocols
Virtual private networking protocols encapsulate PPP frames (the data units at the data link layer of the OSI model) into IP datagrams at the network layer. These datagrams are then sent across an internetwork, which can be either a private network or, more commonly, the Internet. This encapsulation creates a "tunnel" that acts like a dedicated WAN link, even though it usually uses the Internet -- thus, a "virtual" private network.
Because VPN is still using the PPP protocol, all of the authentication protocols associated with PPP, such as CHAP and EAP, still apply to VPN. However, we need to take a closer look at the protocols for connectivity and data encryption, shown in Tables D and E, respectively.
Table D

VIRTUAL PRIVATE NETWORKING CONNECTIVITY

| PROTOCOL | WHEN USED | NOTES |
| --- | --- | --- |
| Point-to-Point Tunneling Protocol (PPTP) | Will work only over an IP internetwork. | |
| Layer 2 Tunneling Protocol (L2TP) | In addition to an IP internetwork, can also be used over Frame Relay PVCs and X.25 or ATM virtual circuits. | This is a hybrid protocol designed to use the best features of both PPTP and a Cisco technology known as Layer 2 Forwarding. |

Table E

VIRTUAL PRIVATE NETWORKING DATA ENCRYPTION

| PROTOCOL | WHEN USED | NOTES |
| --- | --- | --- |
| Microsoft Point-to-Point Encryption (MPPE) | May be used only with PPTP, not with L2TP. | As with PPP, if MPPE is used, the authentication protocol must be either MS-CHAP or EAP-TLS. Provides only link encryption. |
| Internet Protocol Security (IPSec) | May be used only with L2TP. | Its use with L2TP will also require computer certificates provided by the Public Key Infrastructure. Provides end-to-end encryption. |
Bottom line
When planning and configuring a remote access environment, you need to know what protocols the clients and servers will be using. That will determine which protocols can be used for connectivity, authentication, and encryption. Given a choice of protocols, you almost always want to pick the combination that provides the greatest security. For dial-up, that may be a combination of PPP, MS-CHAP V2, and MPPE. For VPN, that may be a combination of L2TP, EAP-TLS, and IPSec. If you have client systems that do not support these protocols, you may have to either choose a different protocol that provides less security or not allow that client to connect to your remote access server.
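As an added example (not part of the original article), the compatibility rules from Tables D and E and the dial-up/VPN recommendations above, written as a small Python validator plus a chooser that picks the strongest combination a given client supports; the ranking among authentication methods and the preference for end-to-end over link encryption are assumptions made here, not statements from the article.

```python
# Added example (not from the original article): the compatibility rules of
# Tables D and E as a validator plus a chooser for the strongest allowed
# combination. The preference order below is an assumption, not the article's.

# encryption -> (allowed tunnels, required auth or None, scope, needs PKI cert)
ENCRYPTION_RULES = {
    "MPPE": ({"PPP", "PPTP"}, {"MS-CHAP", "MS-CHAP v2", "EAP-TLS"}, "link", False),
    "IPSec": ({"L2TP"}, None, "end-to-end", True),
}
# Assumed preference order: end-to-end before link encryption, strongest auth first.
TUNNEL_PREFERENCE = ["L2TP", "PPTP", "PPP"]
AUTH_PREFERENCE = ["EAP-TLS", "MS-CHAP v2", "MS-CHAP", "CHAP", "PAP"]
ENCRYPTION_PREFERENCE = ["IPSec", "MPPE"]


def validate(tunnel, auth, encryption, has_computer_cert=False):
    """Return the table rules a (tunnel, auth, encryption) choice breaks; [] = allowed."""
    rule = ENCRYPTION_RULES.get(encryption)
    if rule is None:
        return [f"unknown data encryption protocol: {encryption}"]
    tunnels, auths, _scope, needs_cert = rule
    problems = []
    if tunnel not in tunnels:
        problems.append(f"{encryption} cannot be used with {tunnel}")
    if auths is not None and auth not in auths:
        problems.append(f"{encryption} requires MS-CHAP or EAP-TLS, not {auth}")
    if needs_cert and not has_computer_cert:
        problems.append(f"{encryption} with {tunnel} requires a computer certificate")
    return problems


def encryption_scope(encryption):
    """'link' (protected only up to the remote access server) or 'end-to-end'."""
    return ENCRYPTION_RULES[encryption][2]


def strongest_profile(client_tunnels, client_auths, client_encryptions,
                      has_computer_cert=False):
    """First combination in preference order that the client supports and
    validate() accepts; None means the client cannot be admitted without
    lowering the bar (the article's fallback of picking a weaker protocol)."""
    for enc in ENCRYPTION_PREFERENCE:
        for tun in TUNNEL_PREFERENCE:
            for auth in AUTH_PREFERENCE:
                supported = (enc in client_encryptions and tun in client_tunnels
                             and auth in client_auths)
                if supported and not validate(tun, auth, enc, has_computer_cert):
                    return (tun, auth, enc)
    return None
```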