By Mike Mullins
Remote access service (RAS) allows remote computers to connect to an RAS device across a telephone connection and gain access to file and print services on your LAN. If you absolutely must allow remote users to access your internal network, you should follow three security principles.
The first principle involves the device's physical placement. The second principle involves how users are authenticated. The final principle involves the dial-up method used to establish user connection.
Location is everything
It's a big mistake to keep an RAS device behind your firewall unless you have a security device between it and your internal network. RAS devices are like Web servers; they're public devices, so you can't control who tries to access them.
War dialers are still popular tools among hackers and crackers. Unless you constantly monitor who is trying to connect to your RAS, this service is a blind entry into your network. You should move this device to your DMZ. That way, if your RAS connection gets hacked, your internal network is still secure.
The preferred methods for authenticating remote users are either through a Remote Authentication Dial-In User Service (RADIUS) or a Terminal Access Controller Access Control System Plus (TACACS+) server that sits on the trusted side of your network.
Both of these devices offer a fairly strong method of authentication using standard ports and protocols. This allows easy configuration of firewall and router rules to allow authentication traffic to pass from the external RAS device to the internal server that's authenticating the user logon information.
Some RAS devices can maintain user authentication accounts locally. However, this adds an additional account for each user and exposes those accounts to anyone that accidentally dials into your modem pool.
Specifying callback numbers is another common business practice. By setting your RAS to call back a user each month, you'll receive a summary of connection costs and the amount of time each authorized user spends dialed into your company network. Administrators can preset this option to a user's home telephone number, or the user can specify a callback number. Either method provides another physical layer of logging access to your network.
As a precaution, don't publish the numbers to your RAS server on your Web page or within any publications. These numbers are sensitive and should be treated as such.
If e-mail access is the only service your users require, then implement an Outlook Web Access solution. If your users require file and print services from remote locations, then RAS is a solution.
RAS service is inherently insecure, but by taking the proper precautions to secure the network location, authentication mode, and access methods, you can provide a reasonably secure means of allowing remote users to access your sensitive internal network.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.