Routing and Remote Access

Organizations typically provide remote connection options to staff at their own sites. Information technology (IT) staff set up dedicated telephone numbers for this purpose and attach modems (or similar hardware) to a server that is directly connected to the intranet. The server runs specialized software to handle connection details, and it also authenticates the dial-up user as being an authorized staff member.

Windows 2000 includes Routing and Remote Access, which allows you to provide dial-up facilities for your users. If you want to centralize your user authentication, authorization, and accounting services in Windows 2000, you can use Remote Access or VPN by setting up an Internet Authentication Service (IAS) server. Figure 17.3 illustrates one possible configuration of these servers.

Figure 17.3 Sample Routing and Remote Access Configuration

The Microsoft ® Windows ®  2000 Server Resource Kit Internetworking Guide contains information about how Routing and Remote Access works and what capabilities it provides. Windows 2000 Server Help describes how to install and use Routing and Remote Access.

When you are planning the deployment of Routing and Remote Access, consider the following security issues:

• Who will be given the phone numbers?

• Who will be given permission to use Routing and Remote Access?

• What kind of authentication methods will be used?

• How is data encryption to be used (Routing and Remote Access client to Routing and Remote Access server?
  If you need end-to-end encryption (remote access client all the way to the application server on the internal network), use Internet Protocol security (IPSec), which is discussed later in this chapter.

• What remote access policies will be used to control user access?

For more information about general deployment issues for Routing and Remote Access, see "Determining Network Connectivity Strategies" in this book.

Routing and Remote Access Security

Restricting the distribution of Routing and Remote Access phone numbers helps minimize the number of people who might try to dial into your network. However, any dial-up connection solution still poses a risk because anyone can potentially obtain the phone number. It is possible to set up an automatic process to dial phone numbers in sequence until you find a modem that answers. Therefore, Routing and Remote Access needs to be secured to ensure only authorized access. At a minimum, Routing and Remote Access requires that the user provide a valid computer account and password. However, this level of security is open to all the usual logon attacks, such as guessing passwords.

It is recommended that you use additional Routing and Remote Access security options. You can restrict the use of Routing and Remote Access to only those people with a confirmed business requirement to dial in. You can also require that Routing and Remote Access hang up the connection when it is first established and dial back to the user. This way, the user can only access the Routing and Remote Access facility from a predetermined phone number, or the phone number can be recorded. Where facilities allow, you can also use caller ID to record the phone number that originated the connection.

Consider that someone can intercept a user name and password while a user is attempting to log on to the Routing and Remote Access server using techniques similar to a wiretap. To prevent this, Routing and Remote Access can use a secure user authentication method, such as Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2, Challenge Handshake Authentication Protocol (CHAP), or Shiva Handshake Authentication Protocol (SPAP).

A related risk is a user who believes he or she is dialing in to the company network, but is actually dialing into another location that is now obtaining their identification information. To avoid this, you can use mutual authentication to ensure that the Routing and Remote Access server is authorized much like the user is authorized. This is possible with EAP-Transport Layer Security (EAP-TLS) or MS-CHAP version 2 authentication protocols.

Similar issues exist for the data that is transferred over the Routing and Remote Access connection. The EAP-TLS or MS-CHAP version 2 authentication protocols allow you to encrypt data as it is being transmitted, using Microsoft Point-to-Point Encryption (MPPE).

Remote access policies, whether implemented as local policies or as part of Group Policy, can enforce the use of the authentication and encryption techniques you choose to use.

For more information about networking, Routing and Remote Access authentication, and data encryption techniques, see Windows 2000 Server Help.