Are you getting more and more requests for remote access to your network? As I’m sure you’re aware, granting these requests means a greater risk that unwelcome visitors will access your network. In this Daily Drill Down, I’ll bring a host of ideas to the table for discussion that should serve as a starting point for implementing remote access.
There’s no single solution for protecting your network and the valuable data it contains. You’ll need to look at all of the options I present here and decide where they’ll fit into your overall scheme. The only bad decision you can make is to not make any decision at all.
Choosing the right type of remote access
With recent changes in technology, you have several options to choose from. In addition to using a POTS (Plain Old Telephone Service) line to connect to your network, you have such options as xDSL (Digital Subscriber Line), cable modem, PCS (Personal Communications Service), and even satellite.
Depending on the phone company in your area, you may hear terms like SDSL, HDSL, or ADSL. Don’t be confused—this is a way of identifying the specific type of DSL service and how far away you can be from the CO (central office) that provides the service. The main requirements for DSL are:
- You must be less than 18,000 feet away from the CO.
- The CO and your location must obtain the service via copper wire.
The closer you are to a CO, the higher the speed of service. If you’re receiving your service via a fiber-optic connection, you won’t be able to get DSL.
Cable modem Internet service isn’t as prevalent in certain parts of the country because of the infrastructure requirements placed on cable companies to provide the service. The advantage to this option is that it can be faster than its DSL counterpart and just as economical. With both DSL and cable modem, you’re dealing with a connection that’s always on and ready to go. This means that your users will spend less time dialing up and dealing with modem-related problems. The disadvantage to both options is that the services are good only to a fixed location (for example, your house) and can’t be moved easily.
Another option is to use a PCS phone, although that may not be a good long-term solution. You have to add a small cable that connects to the base of the phone and then to the serial port on your computer. You then add some software, and you can use an already encrypted digital connection to get a link to your network from just about anywhere that the PCS provider’s network is available. The current speed runs between 14.4 and 19.2, depending on how close you are to a tower.
Satellite connectivity was once thought to be very expensive and difficult to set up. With services such as DirecPC and others (DISH Network has announced that it will offer two-way satellite Internet service this fall), you can now consider using satellite when options such as DSL and cable modem aren’t available. For example, the way DirecPC works is that you dial up a conventional ISP (Internet service provider), and then, using software provided with the DirecPC dish, you send the command you want to execute (for instance, connecting to a particular Web site). The results can be 10 to 20 times faster than you’d experience using only a dial-up connection. The only thing that can disrupt the satellite service is a snowstorm or heavy rain. Unless you live in an area with heavy or frequent storms, satellite connectivity is an option worth considering.
Don’t publish the number
If you’re using a dial-in connection, the number you use for remote access should be kept a fairly close secret. You should give this number only to those who have to dial into the network directly—and then probably only with a manager’s approval. Depending on the frequency of staff turnover, you may need to change this number occasionally to help discourage ex-employees from causing problems on your network.
Depending on the type of PBX you have, you may want to consider using DID (Direct Inward Dial) numbers for controlling remote access. This way, you can easily busy out a phone number when a remote user doesn’t need it any longer. In addition, you can track usage for department billing purposes. With DID, you don’t have to worry about a bunch of individual phone lines for all your remote users. Instead, have the incoming DID trunk terminate directly into a digital modem pool.
Using a dial-back connection system
Years ago, IBM implemented a system called Guardian that was designed for users needing remote access to corporate information. With Guardian, the user dials in to a predetermined number. After properly authenticating to the system that answered the phone, the user hangs up and waits for a return call. When the call comes, the software answers the call from Guardian, provides an additional layer of authentication, and then allows the session to continue.
The problem with dial-back systems is that they require the user to be at a predetermined number unless the system is configured to allow the user to specify the number. That in itself somewhat defeats the purpose of a dial-back system by allowing the call to be redirected. With call forwarding fairly common, users may not be where you think they are.
The advantage of a dial-back system is that you can avoid extra long-distance charges when calling from a hotel or using an inbound 800 number.
Letting the ISP be the modem pool
The biggest hassle of offering remote access to your network is managing what could become a fairly substantial modem pool. This could be an especially expensive proposition if you implement a digital modem pool that channelizes a T1 into multiple logical modems. Most large ISPs have modem pools in more than one city and, in many cases, on a national or even international level. This means that you are no longer tied to one or more banks of modems. Therefore, you can concentrate on having enough T1 or T3 capacity to handle the number of remote users needing to access the network.
The only problem with using an ISP as a modem pool is that you now have an additional layer of management—a user account for each user that will be remotely connecting to your network. By using RADIUS (Remote Authentication Dial-In User Service), you remove that layer of management and allow remote access to your network to be controlled from one point (your network) instead of both your and your ISP’s networks. When connecting to the ISP’s modem pool for authentication, users can enter something as simple as their e-mail addresses.
Consider VPN for secure communications
There are varying levels of encryption. With each step up the encryption ladder, you gain more security while delaying access to information. Keep in mind that regardless of any VPN (virtual private network) solution you choose to implement, the communications can be unencrypted, given enough time and resources. You must determine what type of barrier can prevent hackers from gaining access to your corporate data.
You can divide the VPN solutions into two camps—hardware- and software-based. Hardware solutions such as Cisco’s Secure PIX firewall can carry a huge amount of VPN-based communications. However, a software-based solution won’t be able to carry as much because you’re multitasking an existing network operating system (NetWare, in this case). An advantage of software-based solutions, such as Novell’s BorderManager, is that it integrates with your existing network infrastructure and minimizes multiple points of administration. If you need additional levels of authentication (sometimes known as strong authentication), you can require that tokens be used that constantly generate a series of numbers. The numbers change at periodic intervals based on a mathematical formula.
When designing a secure network solution such as a VPN, you want to avoid having a single point of failure. Depending on the number of remote users you’ll support, having more than one VPN access device running is a good idea. (For example, if you’re using BorderManager as your VPN solution, you may want to have more than one BorderManager server running the VPN service.) This approach ensures that, if one device fails, you won’t lose all of your remote access. While existing firewall products can also provide VPN service, you may choose to run the service on another system so that if the firewall is down, your remote VPN users can still gain access to your network.
Using a personal firewall
While VPNs give you an encrypted link from a remote user into your network, the possibility still exists that hackers can work their way into a remote PC connected to your network. They can then jump onto the encrypted link and go right into your network with little or no challenge. Firewalls were once only used to protect access in and out of corporate networks. You can now find a host of products, such as Norton Internet Security and BlackICE, that can provide firewalls on your personal workstation or home network.
As with any solution of this nature, you’ll want to have some type of subscription service to help keep the product current. As hackers find new tools to gain access to your network, you must, in turn, upgrade the tools you’re using to protect access. You may want to consider learning how hackers access networks and doing the same things in a test lab so that you can continue to evaluate new tools as they become available.
As you’re testing both the prospective solutions and connectivity options, don’t immediately assume any potential “threats” that are identified are actually threats. For example, remote users using the @Home Internet cable service to access the corporate network will probably see periodic port probes looking for the NNTP service running on the computer they’ve attached to the cable modem. This is a method used by the @home NOC (Network Operation Center) to ensure no one is running a Usenet server. Running a Usenet server is a violation of the user agreement for the @home network.
Mandate antivirus protection for all remote users
It has been said that any solution is only as good as the weakest link in the chain. So far, I’ve discussed using a VPN link for an encrypted connection to your corporate network and a personal firewall to protect the remote PC. You still have one point of vulnerability: computer viruses from an e-mail attachment or a file download. There are several good solutions—McAfee, Symantec, and CAI, to mention just a few candidates. At least one vendor, Symantec, has realized that you may want a solution that involves both a personal firewall and an antivirus software program. Symantec offers a bundled solution in Norton Internet Security. The advantage of a bundled solution is that if there’s a problem, you have one less company to talk to for technical support.
More and more corporate networks are running some type of antivirus solution at network entry points. Nevertheless, running an antivirus package on the remote PC introduces yet one more safeguard for your network—and one more hurdle that a potential virus must clear. Just as with the personal firewall option I discussed earlier, you’ll want to have some type of subscription service available. In addition, make sure your remote users understand that they need to periodically check for updated virus signatures (or you can configure their workstation to perform that step for them). Running with outdated signatures is almost as bad as not using any antivirus solution at all.
Using Citrix or Windows Terminal Server
If you’re concerned about rolling out remote access options to “computer-challenged” users, you may want to consider using either Citrix WinFrame or Microsoft’s Windows Terminal Server. You can think of these products as the equivalent of a computer running PC/Anywhere on steroids. With this type of solution, however, you’re getting access to a session on the computer running either WinFrame or Terminal Server and not controlling the whole system. An added advantage is that if a user has a problem logging on or running a particular application, you can “shadow” the session in question and walk the user through the problem.
Depending on your configuration, you may be able to use a fairly inexpensive computer (even an XT, in some cases) to access your network remotely without having to beef up the hardware in the field. That way, neither the application nor the data that’s being accessed actually leaves your network—only screens and keystrokes are passing back and forth. You may also be able to get away with using a regular dial-up connection without making the additional investment in cable modem, DSL, or ISDN access.
The disadvantage is that you potentially will have a single box with two or more processors with more than 256 MB of RAM in your computer room to support the incoming user sessions. Consider having a second box that users can access to get to your network. (Citrix offers a server farm option that allows multiple servers to be disguised as a single logical server. Users never know they’re using a different server each time they authenticate to the network.)
You’ll need to continually evaluate your network to ensure that you have the level of protection you need. Don’t ever be content that you have done everything that can be done to protect your network and the access to it. Just take things one step at a time, and don’t try to implement the whole solution at once.
Ronald Nutter is a senior systems engineer in Lexington, KY. He’s an MCSE, Novell Master CNE, and Compaq ASE. Ron has worked with networks ranging in size from single servers to multiserver/multi-OS setups, including NetWare, Windows NT, AS/400, 3090, and UNIX. He’s also the help desk editor for Network World. If you’d like to contact Ron, send him an e-mail. (Because of the large volume of e-mail that he receives, it’s impossible for him to respond to every message. However, he does read them all.)
The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.