Remote access through a standard dial-up network has the potential
to increase productivity. However, it must be made secure against
unauthorised access.

Providing remote access to branch offices or telecommuters
requires balancing the cost and flexibility of the solution with
the needs of users. With recent improvements in its technology,
dial-up remote access is emerging as one of the most cost effective
and flexible solutions available today. Dial-up remote access
requires only plain old telephone service (POTS) or ISDN lines, and
allows users to make connections to many resources, from corporate
headquarters, to bulletin board services, to the Internet/Intranet.
Dial-up remote access also allows travelling or telecommuting
remote users to connect to their network as if they were located
on-site.

When considering a remote access network, the network manager has
several choices that offer trade-offs in cost, flexibility and data
throughput. Dial-up remote access is a good option when flexibility
and low cost are more important than speed. One alternative to
dial-up remote access is using leased line services for LAN-to-LAN
connections. Leased line services cost more and are less flexible
but typically offer very fast speeds.

A big contributor to the cost
of both of these remote access methods is the hardware necessary to
do remote access networking. Branch office routers for use with
T1/E1 or other leased line services can cost upwards of £3,000,
while a remote access server, which also offers routing, can cost
less than £600. Additionally, leased line circuits can be several
multiples of the cost of a regular telephone line. These leased
services are characterised by flat rate, point-to-point pricing
with 24-hour-a-day availability.

While POTS is still the predominant
method of remote access today, ISDN is growing in popularity due to
its efficiency and high rates of data throughput. ISDN basic rate
service offers two 64Kbit/s channels, called B channels, for data
throughput. These channels can be combined for a total of 128Kbit/s
of total throughput, or can be divided and shared among different
users or applications. ISDN, in some ways, offers the best of both
dial-up and leased line remote access; in a similar way to dial-up,
you pay only when you use the service, but like leased line
services you get high throughput.

Today, ISDN is ideal for the small
office or power user home office environment where the incremental
cost of an ISDN line can be justified against the increased speed
of the connection. While ISDN is attractive, it still doesn't offer
the flexibility of POTS dial-up access. Specifically, today there
are few public locations where the commuter or business traveler
can find an ISDN hookup, though this is expected to change very
quickly during the next couple of years.

The technology that has
allowed dial-up remote access to compete in functionality with
other remote access schemes has been the ability to route data over
dial-up POTS lines. With the adoption of industry standards like
the Point-to-Point Protocol (PPP) and Serial Line Internet Protocol
(SLIP), users can now choose products that best fit their business
needs. Data throughput also has been dramatically boosted with
improved modem speeds and gains in data compression algorithms.

There are several remote access applications that are well-suited
for dial-up remote access products: LAN-to-LAN connectivity,
Internet/intranet access, remote user access and modem pooling. A
dial-up connection between two networks is termed a LAN-to-LAN
connection. In most cases, remote office locations will connect to
a main corporate network at a central location. In other cases, one
small office may connect to another small office or to a site where
services such as Internet access or information services are
provided. When a connection is made to another network, routing is
the key to this type of functionality: when a user on the network
requests connection to a resource available only on another
network, the remote access device recognises the need to dial
another network and then automatically dials up the appropriate
remote site according to a stored profile. Once the connection has
been established, the remote access device will monitor the
connection according to the parameters established by the network
manager.

An important consideration in purchasing a remote access
product is the flexibility the network manager has to select these
control parameters. Basic functions that should be available
include control over the length of time the connection is inactive
before automatically disconnecting, and the time of day that
connections are allowed to particular locations. More advanced
functions include an automatic time-out for connections if the
packets being transmitted are not data (i.e., they are keep-alive
signals generated by the NOS); policy-based filtering of packets
from particular nodes or of particular protocol types; and bandwidth
on demand, in which the remote access server brings up an additional
connection to a remote network to increase the bandwidth available
to that site. With bandwidth on demand, the network manager specifies
the throughput thresholds at which the extra line is added or taken
down, and the extra line is brought up when the threshold is reached
and a second line is available. In a LAN-to-LAN application,
the two primary ingredients for a good remote access product are
the ability to make automatic connections when necessary (routing
capability) and the ability to allow the network manager to control
the network connections via parameter selection (link management).
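As an added illustration, not part of the original paper and not code from any Lantronix product, the Python sketch below models the link-management controls listed above for one LAN-to-LAN profile: a time-of-day window, an inactivity time-out that ignores NOS keep-alive packets, and bandwidth-on-demand thresholds for a second line. The profile field names, the timestamps and the utilisation figures are constructed for the example.

```python
import datetime as dt

# Link-management profile for one remote site. Field names are constructed for
# this example; the paper describes the controls, not any product's syntax.
PROFILE = {
    "site": "branch-office",
    "allowed_hours": (8, 18),          # calls may be placed 08:00-17:59 local time
    "inactivity_timeout_s": 300,       # hang up after 5 minutes without real data
    "keepalive_protocols": {"IPX_WATCHDOG", "SPX_KEEPALIVE"},  # NOS chatter, not data
    "add_line_above_pct": 80,          # bandwidth on demand: bring up a second line
    "drop_line_below_pct": 30,         # ... and release it again when the load falls
}

class DialLink:
    """State of one LAN-to-LAN dial-up connection under PROFILE's rules."""

    def __init__(self, profile):
        self.profile = profile
        self.lines_up = 0        # 0 idle, 1 primary line, 2 primary + on-demand line
        self.last_data = None    # time of the last packet that counted as activity

    def request_connection(self, now):
        """Routing has seen a packet for the remote site: dial if policy permits."""
        if self.lines_up:
            return "already-connected"
        start, end = self.profile["allowed_hours"]
        if not start <= now.hour < end:
            return "refused-time-of-day"
        self.lines_up = 1
        self.last_data = now
        return "dialled"

    def on_packet(self, now, protocol):
        """Only non-keep-alive traffic resets the inactivity timer; otherwise a
        quiet link kept alive by the NOS would never be dropped."""
        if self.lines_up and protocol not in self.profile["keepalive_protocols"]:
            self.last_data = now

    def tick(self, now, utilisation_pct, second_line_available):
        """Periodic check of the time-out and the bandwidth-on-demand thresholds."""
        if not self.lines_up:
            return "idle"
        if (now - self.last_data).total_seconds() >= self.profile["inactivity_timeout_s"]:
            self.lines_up = 0
            return "disconnected-inactivity"
        if (self.lines_up == 1 and second_line_available
                and utilisation_pct >= self.profile["add_line_above_pct"]):
            self.lines_up = 2
            return "second-line-added"
        if self.lines_up == 2 and utilisation_pct <= self.profile["drop_line_below_pct"]:
            self.lines_up = 1
            return "second-line-dropped"
        return "no-change"

def link_demo():
    """Drive one link through a constructed morning; returns the actions taken."""
    link = DialLink(PROFILE)
    t0 = dt.datetime(1999, 8, 19, 9, 0)                    # constructed, inside allowed hours
    minute = dt.timedelta(minutes=1)
    actions = [link.request_connection(t0)]                # dialled
    link.on_packet(t0 + minute, "IP")                      # real data at 09:01
    actions.append(link.tick(t0 + 2 * minute, 85, True))   # heavy load: add a line
    actions.append(link.tick(t0 + 3 * minute, 20, True))   # load fell: drop it again
    for m in range(4, 10):                                 # six minutes of keep-alives only
        link.on_packet(t0 + m * minute, "IPX_WATCHDOG")
    actions.append(link.tick(t0 + 10 * minute, 5, True))   # idle since 09:01: hang up
    actions.append(link.request_connection(t0.replace(hour=22)))  # after hours: refused
    return actions

if __name__ == "__main__":
    print(link_demo())
```

The point to notice is `on_packet`: if keep-alive frames counted as activity, the inactivity time-out would never fire on a line that the NOS keeps chattering on, and the connect-time charges would run all night.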
For the busy network manager, operating these dial-up
connections requires little or no involvement beyond the
initial configuration; for the user, the result is what appears to
be a transparent connection to the required remote resources.

A
secondary consideration, but still an important one, is the
connectivity requirement of the remote site. If the remote site
needs only occasional or limited connection time to the corporate
site, then a low-cost single-port remote access router can be a
cost-effective solution. On the other hand, if simultaneous
LAN-to-LAN and remote node activity is a requirement, then a
multi-port device may be required. Although PPP-based solutions are
generally interoperable, it makes sense to choose a vendor that
offers different product configurations for remote access to make
for easy management (shared configuration files, less need for
training).

With the increased demand for connection to the World
Wide Web, Internet Service Providers (ISPs) have sprung up to offer
previously unconnected users access to the "Information
Superhighway". The Internet access application is similar to the
LAN-to-LAN application with all of the same issues and need for
features such as time-of-day controls and inactivity time-outs.
These features are particularly important to maintain cost controls
when the telephone bills are based on connect time. A remote access
server that can function as a router can be useful as an
intermediate point between a network and an ISP to act as a
firewall, particularly if that device can support multiple
filtering options. By applying various filters to packets arriving
on a dial-up line, a network manager can ensure that no unsolicited
or unregulated packet traffic can enter the network via those
lines.

In addition to accessing information from other companies or
sites on the Web, a growing number of companies are starting to use
the Internet as an extension of their private networks, thereby
creating what has been called an intranet. By leveraging this
technology in this manner, companies are able to provide solutions
to their users with easy to use web browser applications (e.g.,
Netscape Navigator, MS Explorer and others) over a well established
and cost effective conduit. Thus, the users only have to call a
local number (i.e. nearest ISP access number), thereby saving money
on toll charges and the main corporate site does not have to
purchase and support large central site remote access server
devices.

Remote node network access allows remote users to connect
to a network using a modem. Remote node users are typically mobile
or telecommuter users who run a remote client software package on
their PC or workstation giving them network access through a
dial-up server. Remote node access to the network has become easier
because of the TCP/IP or IPX support that's been built into
Windows 95 and other operating systems. Most of the current demand
for such services involves either IP (Unix) or IPX (Novell NetWare)
protocols.

Remote node works best in applications where the remote
device either runs brief queries from a host or processes data
uploaded from the main network. Examples of this include reading
email or uploading text files or spreadsheet information.

Using a
remote access server to support remote node connections to a
network frees up PCs and other host systems that may have been
dedicated to the support of remote users in the past. Additionally,
a good remote access server supporting remote node will be
standards-based (PPP, SLIP or CSLIP), which allows it to service
users running any software package supporting those standards.

A
related application to remote node is remote control. Remote
control is achieved when the remote user dials into the network and
takes control of a PC residing on the network. The remote user's
keyboard then becomes the equivalent of the slave PC's keyboard,
allowing the remote user to act as if they were physically working
on the slave PC. Remote control is useful when a user needs a lot
of processing power or number crunching capability, because only
the serial information sent to the keyboard, mouse and display need
pass over the dial-up link. The drawback of this approach is that
the user can only view the information and cannot transfer files or
obtain data to be processed on their remote system. Remote control
is more frequently used with the IPX (NetWare) protocol; IP users
can use terminal servers to achieve the same result when a
multi-user host is available.

While most of the applications
described above are almost completely transparent to the user,
there are some applications where the user requires some control
over the proceedings. Using a modem to dial out to an electronic
bulletin board or on-line service is still a necessary function for
many users. For the network manager, modem pooling provides the
added conveniences of easy maintenance because all modems are in
one location, and easy management as remote access servers
typically have more robust network management than modems.
Protocols such as IP and IPX support the sharing of modem resources
through software tools available under a host or network operating
system; a remote access device that supports these applications
provides ever greater value. INT14 support under IPX and
redirection of serial port output to a communications port using IP
and IPX protocols are essential features that this type of software
should support.

No matter what remote access strategy you plan to
implement, the one attribute that requires the greatest attention
is providing controlled access to your
important/proprietary data. When a strategy for networking involves
dial-up technology, issues of network security become very
important. Each modem is a potential gateway for uninvited users,
either by chance or malicious intent, to gain access to the
attached network. Although the requirements of each network will be
different from a security standpoint, it is necessary that remote
access products offer as many capabilities as possible to allow for
customisation. Protection should be flexible and it should be
capable of being "layered" so that areas of vital concern can be
very secure and other areas of lesser importance can be suitably
protected. One site may require CHAP passwords, protocol filters,
Radius authentication and Novell Bindery passwords. Another site
may only demand a dial back authentication string. The ability of a
server to support many different schemes makes these choices
possible.

Passwords are one means of security that is almost
universally supported on remote access servers. Passwords are
routinely found at the level of the server itself (login passwords)
and at the level of the host/protocol being used (IP-Unix/TFTP or
IPX-NetWare Bindery). Additionally, PPP itself specifies two forms
of password protection called Password Authentication Protocol
(PAP) and Challenge Handshake Authentication Protocol (CHAP).

With
PAP, a password is specified for both devices on a remote
connection and both must be confirmed before a remote session can
begin. With CHAP, the check is a challenge and response rather than
a transmitted password, and it can be repeated throughout the
remote session if desired.

There are also a number of other external
password and encryption schemes, including Security Dynamics
SecurID, Kerberos and Radius that provide a more sophisticated
method of protection. These authentication schemes use encrypted
passwords to avoid having them detected via a network analyser or
they change the actual passwords themselves on a random basis.
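The difference between PAP and CHAP described above, and the reason a challenge scheme defeats a network analyser on the line, as an added example in Python that is not from the paper or from any PPP implementation. The user name and shared secret are constructed; the hash is MD5 over identifier, secret and challenge, which is what CHAP specifies in RFC 1994. The `wire` list stands in for what an analyser on the dial-up line would record.

```python
import hashlib
import os

# Constructed user database for the remote access server: user name -> shared secret.
USER_DB = {"branch01": b"s3cret-branch-line"}

def pap_authenticate(wire, username, password):
    """PAP: the peer sends the password itself in an Authenticate-Request.
    `wire` records every frame so we can see what a line analyser would see."""
    wire.append(("PAP-REQUEST", username, password))
    return USER_DB.get(username) == password

def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_authenticate(wire, username, peer_secret, ident):
    """One CHAP round. The server may run this again at any time during the session."""
    challenge = os.urandom(16)                                # server side: fresh challenge
    wire.append(("CHAP-CHALLENGE", ident, challenge))
    response = chap_response(ident, peer_secret, challenge)   # peer side: hash, not password
    wire.append(("CHAP-RESPONSE", ident, username, response))
    secret = USER_DB.get(username)                            # server side: recompute, compare
    return secret is not None and response == chap_response(ident, secret, challenge)

def secret_on_wire(wire, secret):
    """True if the shared secret appears verbatim in any recorded frame."""
    return any(secret in frame for frame in wire)

def old_response_still_valid(wire, username):
    """Would a CHAP response recorded from the line satisfy a later, fresh challenge?"""
    _, ident, _, captured = next(f for f in wire if f[0] == "CHAP-RESPONSE")
    new_challenge = os.urandom(16)
    return captured == chap_response(ident, USER_DB[username], new_challenge)

def auth_demo():
    secret = USER_DB["branch01"]
    wire = []
    pap_ok = pap_authenticate(wire, "branch01", secret)
    pap_leak = secret_on_wire(wire, secret)

    wire = []
    # Initial login plus two re-checks during the session, each with a new identifier.
    chap_rounds = [chap_authenticate(wire, "branch01", secret, ident) for ident in (1, 2, 3)]
    chap_leak = secret_on_wire(wire, secret)
    stale_ok = old_response_still_valid(wire, "branch01")
    wrong_ok = chap_authenticate([], "branch01", b"wrong-guess", 4)
    return {"pap_ok": pap_ok, "pap_leak": pap_leak,
            "chap_ok": all(chap_rounds), "chap_leak": chap_leak,
            "stale_response_ok": stale_ok, "wrong_secret_ok": wrong_ok}

if __name__ == "__main__":
    for name, value in auth_demo().items():
        print(f"{name}: {value}")
```

Both methods accept the right secret and reject a wrong one, but only PAP puts the secret itself on the line; with CHAP the recorded frames contain a random challenge and a hash, and a recorded response is useless against the next challenge, which is why the server can afford to re-challenge during the session.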
Authentication schemes such as these require a dedicated host
running a software package supporting the security scheme, but the
cost of these packages is small compared to the extra security they
can provide to the network. It is imperative that the network
manager verify compatibility of a remote access server with the
scheme they intend to run. Lack of compatibility will render the
authentication investment worthless if support for the scheme
cannot be accommodated.

Another important security feature for
regular users is dial back. With this feature, the dial-up router
receiving a call will check the user's identification and then dial
that user back at a pre-set telephone number to ensure that an
intruder isn't using an existing user's address to log into the
system. Dial back is one method that can be inexpensively used to
enhance security when it is supported by a remote access
product.

Routers allow the network manager to filter packets. This
capability can be used to ensure that particular types of packets
are not allowed from remote access server ports to the main
network. These firewalls can be used to increase the security of a
network by not allowing traffic other than that between known users
on the dial-up lines to reach the network. Devices that support the
downloading of standardised configuration files also assist the
network manager by allowing for easy modification of tested
templates. For many networks, dial-up remote access provides a
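An added example, not from the paper and not any router's configuration syntax, of the kind of packet filtering described here and in the ISP section earlier: first-match rules on dial-up port, protocol, source node and service, with everything unmatched dropped so that only traffic between known users reaches the LAN. Port names, addresses, service labels and the rule layout are all constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    port: str      # dial-up port the packet arrived on (constructed names S1, S2)
    protocol: str  # "IP" or "IPX"
    src: str       # IP address, or IPX "network:node"
    service: str   # application the packet is for (constructed labels)

# Filter table: (port, protocol, source, service, action). First match wins and
# "*" matches anything. Layout and values are constructed for this example.
RULES = [
    ("*",  "*",   "*",            "telnet", "deny"),   # no interactive logins over any dial-up line
    ("S1", "IP",  "10.1.1.0/24",  "*",      "allow"),  # branch-office LAN behind port S1
    ("S1", "IPX", "00ABCD01",     "ncp",    "allow"),  # NetWare clients on the branch IPX network
    ("S2", "IP",  "172.16.5.7",   "smtp",   "allow"),  # ISP link: inbound mail relay only
]

def _source_matches(rule_src, pkt):
    if rule_src == "*":
        return True
    if pkt.protocol == "IP":
        try:
            return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule_src, strict=False)
        except ValueError:          # rule written in another protocol's address format
            return False
    return pkt.src.split(":")[0] == rule_src   # IPX: compare the network number only

def decide(pkt, rules=RULES):
    """Return 'allow' or 'deny' for a packet arriving on a dial-up port."""
    for port, proto, src, service, action in rules:
        if (port in ("*", pkt.port) and proto in ("*", pkt.protocol)
                and service in ("*", pkt.service) and _source_matches(src, pkt)):
            return action
    return "deny"   # default deny: unsolicited traffic on a dial-up line never reaches the LAN

# Constructed sample traffic as it might arrive on the two ports.
SAMPLE = [
    Packet("S1", "IP",  "10.1.1.25",             "smtp"),    # known branch host: allowed
    Packet("S1", "IP",  "10.1.1.25",             "telnet"),  # same host, telnet: denied by rule 1
    Packet("S1", "IP",  "192.168.9.9",           "smtp"),    # unknown source on the branch line: default deny
    Packet("S1", "IPX", "00ABCD01:0000C0123456", "ncp"),     # branch NetWare client: allowed
    Packet("S2", "IP",  "172.16.5.7",            "smtp"),    # ISP mail relay: allowed
    Packet("S2", "IP",  "172.16.5.7",            "http"),    # same relay, other service: default deny
    Packet("S2", "IP",  "198.51.100.4",          "smtp"),    # anyone else on the Internet: default deny
]

def filter_demo(packets=SAMPLE):
    """Apply the table to the sample and return the decisions in order."""
    decisions = []
    for pkt in packets:
        verdict = decide(pkt)
        decisions.append(verdict)
        if verdict == "deny":
            print(f"dropped on {pkt.port}: {pkt.protocol} {pkt.src} -> {pkt.service}")
    return decisions

if __name__ == "__main__":
    print(filter_demo())
```

Two habits of this table are worth carrying over to a real device: the deny rule for a service you never want inbound sits first so that no later allow rule can override it, and the last line of `decide` makes the default deny explicit rather than relying on whatever the product does when nothing matches.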
high-performance, flexible way to meet remote connectivity needs.
Compiled by Ajith Ram © Lantronix 1997
W.RMA.WP4-T1.210799.DOC I.S. Department 19/08/99 12:13