Tech Tip: Improve RAS connection security

By Mike Mullins

Once you've decided to implement remote access service (RAS) to provide file and print services to your users, you'll place this asset within your firewall's DMZ to proxy and record all of the data connections coming into your network. However, before you become an Internet Service Provider (ISP) to your users, you should consider a few security recommendations.

When you allow a dial-up connection into your network, you create a temporary, dedicated WAN link over the public switched telephone network (PSTN). The emphasis is on "public." You can't control how the telephone company routes the signal between the user and your network. The only thing that prevents someone from hijacking your users' RAS connections is the phone company's network security. Instead of relying on someone else to secure your data, use the right protocols and authentication methods.

Dial-up protocols

The two most prevalent dial-up protocols are Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP).

SLIP is a client protocol that's primarily used to connect to older UNIX systems. These connections aren't encrypted, support only TCP/IP, and don't support WINS or DHCP.

PPP is the most widely used client protocol. It allows data encryption and supports multiple LAN protocols, including TCP/IP, IPX/SPX, and AppleTalk.

Since SLIP doesn't offer encryption, that makes PPP an easy choice for your client dial-up connection.

Authentication methods

Although several RAS vendors have their own authentication protocols, the three most commonly supported vendor neutral authentication methods are Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP).

PAP sends the user password to the server unencrypted. CHAP uses reversible encryption for passwords, and passwords are stored in plaintext on the RAS server.

There are two types of EAP authentication: EAP-MD5 CHAP uses the MD5 algorithm to secure password transfer. EAP-TLS allows the use of certificates, smart cards, and biometric devices for login authentication.

You'll want to use CHAP or EAP if your RAS solution supports it. EAP should be your method of choice since it offers superior encryption and use of newer authentication technology.

If you require CHAP or EAP over a PPP connection, then you've done a good job of building a secure login. But don't forget the data.

Data encryption

One of the most forgotten options of RAS is the option to encrypt the data. Go the extra mile and specify data encryption on your clients and your RAS. Remember, this temporary WAN link is being carried over a public network; you never know who might be listening to the connection between a remote user and one of your sensitive file servers.

Final thoughts

You've implemented an RAS solution so remote users can access file and print services on the company network, not to give them Internet access via the company network. Block or limit which Internet sites users can access via an RAS connection. This last step will reduce the possibility of virus infections and enforce work related content on the company network.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.


Editor's Picks