NET 210 WAN TECHNOLOGY PROJECT
ANALYSIS ON HOW TO SECURE
REMOTE ACCESS FOR
ENTERPRISE NETWORK
SYSTEM
Submitted to: Jacky Chao Min
By: MARTHE M. NSABA 300682552

TABLE OF CONTENTS

INTRODUCTION | 3 - 6 | PROTECTION OF CPE DEVICES | 7 - 9 | SECURE REMOTE ACCESS THROUGH DIFFERENT AUTHENTICATION | 10 - 15 | SECURE REMOTE ACCESS FOR MOBILE UTILIZATION | 16 - 17 | BIBIOGRAPHY | 18 |

INTRODUCTION

In this developing environment, we note that varying business utilise different kinds of networks according to the business structures and policies, so managing access to all those networks can be complicated and security threatening. It is a key objective that for an enterprise to operate efficiently, its accessibility should be unlimited and this is when remote access is introduced. As the volume of enterprise information and data is increasing exponentially, it is an expectation that this data is easily accessed and shared among each other.
To enable this, smarter network access called Remote access was introduced to deliver various degrees of data efficiently through mobile devices, applications and machines in order to stimulate productivity.
There are three main types of remote access, namely Basic, Advances and Enterprise. In this paper, we will focus on Enterprise Remote access.

Some of the advantages of Enterprise Remote access are;
Increased high availability required for different and high volume application
Remote access maintains and controls the high usage of the network. It also consistently delivers and transfers large volumes of data across the enterprise organization. When multiple remote access servers are deployed in clusters, they provide scalability and also increase the capacity of bandwidth throughput amongst high number of users.
Load balancing is also deployed within the clusters therefore incase a cluster fails, the users can remotely access through a different server internally through virtual IP address connection therefore increasing availability.
Efficiently delivers high volumes of data in a cost effective manner
As a remote access has multi-site deployment, it allows multiple accesses from client locations therefore any remote client can access regardless of location therefore reducing cost and intra-net bandwidth through routing client traffic to remote access server closest to their location.
Effectively provide secure access for client devices
For example applying a strong-line clientele authentication such as One-time password instead of standard password authentication
Simplify network management
Remote access helps match network requirements to business needs. It can easily be managed by an entity tool called Remote Access Management console that can run on one of the remote servers. Also provides a simplified architecture by permitting network administration to apply remote access to only active directory sites.
In addition, shared settings can be deployed across servers on multi-entry point therefore enabling remote access network to be managed through any server within the cluster or remotely access through Remote Server Administration Tools. Another simple way is just to utilise the Remote Access Management Console tool to monitor the multi-site deployment.
Different roles and features are enlisted in an enterprise remote access network.
We will discuss the major roles.
First role is the Remote Access Server Role: this role comprises of RRAS (Routing and Remote Access Services) which are managed by the Remote Access Management Console. This role can easily be installed and uninstalled using the server Management tool. It was previously under the NPAS (Network Policy and Access Services) server role but now can be accessed through Remote Access Console.
It depends on two major features namely IIS feature (Internet Information Services) which handles configuration of the network location server and default web settings. And secondly is the Group Policy Management Console Feature that manages group cluster server policies and is mandatorily required to be installed for server role services.
Second role is the Remote Access Management Tools feature which is installed by default on the Access server as the Remote Access Server role is installed and it is deployed to support the Remote Management Console user interface.
It can optionally be installed sans the Remote Access Server Role and be used for remote access management on running CPE.
The Remote Access Management Tools consist of two main features; Graphical User Interface & Command Line and PowerShell module for respective operating system.

Minor features include; * Group Policy Management Console * RAS Connection Manager Administration Kit (CMAK) * Graphical Management Tools and Infrastructure

PROTECTION OF CPE DEVICES

CPE devices are telecommunicating equipment that is located at either home or business area of employees and customers. CPE devices may include telephone handsets, routers, digital subscriber line, or any other customized devices.
Customer Premise Equipment originally generally used to be owned by service providers but recently leasing or purchasing arrangements are used so therefore heightens reason to secure CPE devices.
As remote access opens up the enterprise’s network to threats & problems due to many employees and workers who remotely access the network, securing the enterprise network is a difficult task.
Therefore it is key attribute to make sure that this excess is highly secure and protected from hackers or other threats.
Most enterprises employ experts or use expert services to get a compilation of tips on how to secure remote network access according to their businesses.
The general guideline followed in securing Customer Processing Equipment is for the network manager to define an encryption policy such as remote access VPN policy that includes a configuration of a triple A server (Authentication, Authorization & Accounting). The policy is then applied to the CPE devices through deployment of Remote Access Policy configuration.
One important step to note is before deploying any policy configuration, it is a necessity to populate with the target and applicable CPE devices in the network by connecting designated initial configuration and organization structure and location that defines each CPE device.
CPE devices are located at each end of the VPN tunnel and they are created by assigning each target device to a specific site. Most important is that in every network, at least one public and one private interface must be defined on every CPE device.
Making sure employees who are set up and working from home can remotely access network with maximum security. In this paper, we will use IPsec VPN solutions methodology as a case study. They provide a complex and pricey deployment which is designed to offer site-site network access and keep up with the demands of today’s enterprise remote access. As internet is the major means of communication and access, more web-based and enabled devices are being used therefore more limitations in security.
One feature used is a FirePass Controller that comprises of various and many tools that enable a secure web-based access to intranet and extranet and web-based applications. This feature is also efficient as it works with any current operating system.
With its web-application tool, FirePass Controller device provides access to intranet resources and restrict access as well. It also manages CPE cookies and strategically maps internal to external links so that the sensitive an internal configuration is secured. It does so by integrating single login to control the remote browser. In cases of email web-based applications, the FirePass Controller enables access to SMTP (Simple Mail Transfer Protocol) and other email servers to receive, send attach files along with providing strong secure remote access to internal network from any site.
Another challenge in protecting CPE devices is regarding IP configuration without limiting remote device support. This can be enabled by installing client software that secures transactions and corporate resources so that they can only be accessed by a limited number of systems. However this limits access to public resources and also through mobile devices and also increases implementation costs due to the reason that every employee requires a thoroughly maintained CPE device for travel.
Another example of a commonly used security is 802.1 x authentications where by layer 2 and layer 3 securities are provided for CPE devices. Each CPE device is classified as either trusted or non-trusted based on Standard 802.1x authentication status. So when a CPE device is deployed the router initiates an 802.1x exchange and user credentials are asked for and then passed on to the router which is used to get authentication from respectful server. Once the authentication is received, then the access device is considered as a trusted device and provided access. However if the CPE device fails authentication, it is then considered as a non-trusted CPE device and given less or no privileges and access to only the internet.
So we see the more we protect the remote access network, the more we limit user access and also the more the number of remote users increase. So most enterprise networks apply extranet & extranet deployment as well as web-based and email applications to improve on proficiency and productivity of the organization. And to maximize these applications, they should be made easily accessible to remote users and also restricted and secure access to be ensured to only authorized users only to protect CPE devices.

SECURE REMOTE ACCESS THROUGH DIFFERENT AUTHENTICATION

Authentication is a fundamental step required in order to secure remote access. Its schematic is to provide security and protection against client & server impersonation as well as replay attacks.
Client impersonation
This is when an intruder waits for a connection to be authenticated and then disconnects the user and takes over the authenticated connection
Server impersonation
This is when the intruder uses his computer to appear as the remote access server and receives the remote access client credentials for verification therefore acquiring all sensitive information and traffic.
Replay attack
This is when an intruder captures packets of a successful connection and resends so as to obtain an authentication.

Generally there are a variety of different authentication options regarding remote access to corporate intranet. Here we will earn to secure internet with remote access VPN as well as secure options without VPN.
The first challenge faced is to reduce the amount of network entry points for malicious activity and its VPN solution is to consolidate access into a singular, granular scalable security gateway.
The next main challenge is to gain high levels of efficiency and consistency within remote access management and this is solved by proper definition of access policies for utilization from the central platform.
Another challenge is supporting remote access from managed and non-managed devices such as clientless access from laptops, PCs and mobile apps for smart phones and tablets. We discuss this in the other subtopics.
Limited remote access and accountability of shared sensitive information is a challenge faced as well but VPN solves it by providing network level connectivity with end-to end security.
Final challenge faced is to allocate resources to remote access needs of employers, partners, guests and customers and this is solved by fully partitioning virtual portals for multi-client environment.

First authentication we will discuss is PPP (Point to Point Protocol) which supports two authentications namely PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). During PPP negotiation, LCP (Link Control Protocol) negotiation, Authentication and NCP (Network Control Protocol) negotiation is involved. It states that if both sides disagree on parameters then a disconnection occurs. But if there is a link establishment, the authentication protocol is utilised during LCP negotiation and this has to be successful before NCP negotiation occurs.
In PAP authentication, a two-way handshake takes place whereby the username and password are sent across in clear text therefore PAP isn’t ideal in protection.
The preferred authentication will then be PPP CHAP whereby it periodically verifies the remote connection through a three-way handshake. After PPP link establishment, the host node sends out a ‘CHAL’ (challenge message) to the remote node which in turn responds with one-way hash-function calculated value. On receipt, the host then verifies with its own expected hash value calculation and there is a match then the authentication is acknowledged otherwise there is a disconnection.
Therefore both sides authenticate each other interdependently but in cases whereby the routers are of different types such a connection between a cisco & non-cisco router, the ‘ppp authentication chap callin command’ must be used as the access server will only perform authentication if the remote node device called for it so here, authentication is done only if incoming calls are initiated.
One important fact to remember is when performing a connection to a device of a different ISP (Internet Service Provider) or administration then it is mandatory to configure an authentication username different from the hostname. In this event, the hostname isn’t available as well as the password and username credentials assigned by the ISP so the ‘ppp chap hostname’ command is issued to specify the alternate username used for authentication.
This is very useful for cases when there are multiple devices dialing into a central site and all sharing the same secret password and username causing difficulty in managing it: so if the remote devices use a different hostname this can be avoided.
One example of PPP CHAP authentication is the MS-CHAP which is the most secure encryption algorithm by Windows NT. MS-CHAP works along with the RAS server encryption setting and will negotiate a PPP connection using an encryption algorithm.
DES is an example of an encryption algorithm used by RAS server and is also supported by Windows NT. MD5 CHAP is one of the major used encryption methods which is very efficient for small user-environment. The MD5 key account information is created and stored in the RAS server registry and is enables the MD5-CHAP authentication. Therefore MD5-CHAP requires MD5 key in order for any negotiation to occur.

Another Authentication framework we will discuss is AAA which is broke into three major security functions.
Firstly Authentication, whereby user credentials such as password, username, acknowledgments and encryption are identified. This identifies a user before being accepted into the network on all interfaces by default.
Second A stands for Authorization which is the method followed in access control procedure i.e. one-time authorization, account authorization and IP support. It functions by listing attributes that describes what the user can access to, resources and limitations. These methods must be defined through AAA and can be configured by deploying in different interfaces.

The last A defines Accounting which handles collection of sensitive information such as user accounts, configuration and number of packets & bytes. Accounting monitors user access and their consumed resources and provides network access server & user activity reports.
AAA is beneficial in four main ways: Scalability, Flexibility, Standardisation and Multiple backup systems. AAA in summary that defines the type of authentication in forms of method lists and applies them to specific interfaces.
Method lists are sequential lists that are used to authenticate a user and can be designated to enable more than one security protocol in cases of failure. So multiple method lists are configured so if the first doesn’t work, then the next method list is selected until successful application therefore reducing chances of authentication failure.
You must have AAA in your system before you are able to use it. You can do so by entering the command ‘aaa new-model’ in the global configuration mode. And if you decide that AAA is not required, you can disable it by entering ‘no aaa new-model’ in global configuration mode.

AAA authentication can be used in different login methods such as enable password, using Kerberos, line passwords, local passwords, and group radius & name.
PPP authentication can be configured using AAA which the optimal solution whereby AAA facilitates various authentication methods on different serial interfaces that run on point to point protocol.
The method lists created will authenticate via PPP and can be applied in the PPP authentication line configuration command.

SECURE REMOTE ACCESS FOR MOBILE UTILIZATION

In the enterprise mobile devices are becoming more and more essential business tools and therefore ensuring security in their utilization has become a key factor in corporate industry.
As we see with all the exposure to threats in mobility network, secure remote access is required to be enforced in order to prevent chances of malicious activity.
Mobile users utilize clientless browser-based connectivity on mobile applications from smart phones and tablets. So anti-virus software should be installed and configured within the OS (Operating Systems) application so as the mobile users remotely access networks: this scans the device for malware as well.
The OS frequently updates and provides Identification of each user according to authentication and authorises access to network resources. So once the connection is verified then all traffic between clients and enterprise network is secured and audited over SSL (Secure Socket Layer).
Different solutions are used when it comes to securing remotes access for mobile users, an example is the CheckPoint RAS ( Remote Access Solutions) which utilizes the most secure & comprehensive solution to connect two end points so that information is shared securely with ease of management. It also integrates point to point security software with the Remote Connectivity Mobile Access Software Blade which provides a central managed, simple and secure VPN connectivity for mobile devices.

It offers customization with either IPsec or SSL VPN and connects to both web-based and non-web based application.
The FirePass controller discussed in earlier section also provides mobile device support through permitting secure access from mobile cell phones to applications such as email and also formats email servers such as SMTP to fit the mobile screen and also view attachments such as Word/ Excel documents.

REFERENCES

Fleizach, C. (2002). Remote Access Solutions. Checkpoint.com. Retrieved November 15, 2013 from http://www.checkpoint.com/solutions/remote-access/

Beaver, K. (March, 2012). How to secure remote network access. Searchsecurity.com. Retrieved November 06, 2013 from http://searchsecurity.techtarget.com/tutorial/Managing-remote-employees-How-to-secure-remote-network-access

Information Technology. (2008). Mobile services. Pitt.educ. Retrieved November 21, 2013, from http://technology.pitt.edu/mobile-services.html

Garderhagen, B. (November, 2005). Remote Access Solutions. Arraynetworks.com. Retrieved November 06, 2013, from http://www.arraynetworks.com/solutions-remote-access.html

Microsoft. (February 29, 2012). Deploying Remote Access Server. Technet.com. Retrieved November 06, 2013 from http://technet.microsoft.com/en-us/library/hh831520.aspx

Cisco. (2003). Remote Access VPN Services. Cisco.com. Retrieved November 13, 2013 from http://www.cisco.com/en/US/docs/net_mgmt/ip_solution_center/3.2_security_management_suite/security/user/guide/ipsec2.html