Studying Wan And Remote Access Technologies Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Welcome to the chapter 'WAN and Remote Access Technologies'. This chapter describes the types of WAN networks and the technologies they use. It also examines remote access technologies and their protocols.

In this chapter, you will learn to:

Describe types of WAN networks

Explain WAN technologies

Discuss remote access technologies

Explain various remote access protocols

11.1 Introduction

A Wide Area Network (WAN) is needed to transmit data across a large geographical area. A WAN spans larger logical and physical environments than a single site, and this reach is obtained by using the services of Internet Service Providers (ISPs).

In the OSI model, only the physical layer, the data link layer and the network layer are involved in WAN technology. The following interrelated devices are present in a WAN:

Routers

Switches

Modems

Wireless devices

Digital subscriber line (DSL) services

Frame relay devices

Access servers

Integrated Services Digital Network (ISDN) terminal adapters

Channel Service Unit/Digital Service Unit (CSU/DSU)

WAN switches

WAN routing is a method of forwarding the packets towards the destination depending on the IP address of the next hop. A next hop is the next router to which a packet is to be sent as it traverses a network on its journey to its final destination. In the event that the packet is at the final router in its journey, the next hop is the final destination.

In WAN routing, the IP addresses of source and destination devices are stored in the routing table. The shortest possible path for the packets is selected by the router on the basis of the IP addresses in the routing table. Table 11.1 describes the most common types of WAN networks.

| Type of WAN | Description |
| --- | --- |
| Point-to-point connection | Communication happens through a leased line. Two remote locations communicate through a carrier network with the help of a point-to-point link. |
| Circuit switching | The carrier network establishes, maintains and terminates the communication session. Communication begins only when the two remote networks have connected and confirmed the connection. It is similar to a telephone call: once two users are connected and identified, data (voice) is transferred, and as soon as the transfer is complete the call is disconnected. |
| Packet switching | The point link is shared by the communicating devices to transfer packets from the source to the destination device. Additionally, the common carrier resources are shared between the remote networks. |

Table 11.1: Types of WAN Networks
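The next-hop selection described above (the router picks the route for a destination and forwards to the next router, or delivers directly when it is the final router), as an added example in Python that is not part of the original chapter. The routing table, next-hop addresses and interface names are constructed for the example; the lookup itself is the standard longest-prefix match that real routers perform.

```python
import ipaddress

# Constructed routing table for a hypothetical WAN edge router.
# Each entry maps a destination prefix to (next hop, outgoing interface).
# A next hop of None means the prefix is directly connected, so the packet
# is delivered to the destination itself (the page's "final router" case).
ROUTING_TABLE = [
    ("10.1.0.0/16",    "10.0.0.2",    "serial0"),  # branch office via leased line
    ("10.1.5.0/24",    "10.0.0.6",    "serial1"),  # one branch subnet via a second link
    ("192.168.0.0/16", None,          "eth0"),     # directly connected LAN
    ("0.0.0.0/0",      "203.0.113.1", "serial2"),  # default route towards the ISP
]


def build_table(entries):
    """Parse the textual prefixes once so that lookups do not re-parse them."""
    return [(ipaddress.ip_network(prefix), hop, iface) for prefix, hop, iface in entries]


def lookup(table, destination):
    """Longest-prefix match: of all prefixes that contain the destination,
    choose the most specific one (largest prefix length).

    Returns (next_hop, interface), or None when nothing matches (possible only
    when the table has no default route)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, hop, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    if best is None:
        return None
    _, hop, iface = best
    return (hop if hop is not None else destination, iface)


def route_all(entries, destinations):
    """Resolve the next hop for several destinations against one table."""
    table = build_table(entries)
    return {d: lookup(table, d) for d in destinations}


if __name__ == "__main__":
    sample = ["10.1.5.7", "10.1.9.1", "192.168.3.4", "198.51.100.20"]
    for dst, result in route_all(ROUTING_TABLE, sample).items():
        print(f"{dst:>14} -> {result}")
```

Note that 10.1.5.7 is covered by both 10.1.0.0/16 and 10.1.5.0/24; the more specific /24 wins, which is why the order of entries in the table does not matter.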

11.1.1 WAN Technologies

WAN technologies operate at the lowest layers of the OSI model. Table 11.2 describes the various WAN technologies and the network type that each supports.

| WAN Technology | Description | WAN Network Type |
| --- | --- | --- |
| Asynchronous Transfer Mode (ATM) | ATM provides a high-bandwidth, high-speed WAN technology that functions at 155Mbps. It uses fixed-size packets for data communication. It is also popularly known as cell relay and supports several data types such as data, voice and video. | Packet switching |
| Dial-up | Dial-up presents a very effective communication solution at minimal cost. The two types of dial-up services are: dial-up on demand, in which the router dynamically initiates a call on a switched circuit while transferring data; and dial backup, in which a switched circuit provides backup service for other types of networks. | Packet switching |
| X.25 | X.25 is a communication protocol for packet-switched data networks. Through it, computers at remote locations can communicate with the aid of a centralised computer. | Packet switching |
| Frame Relay | Frame relay is a WAN protocol that provides very high speed and high performance. It works at the physical and data link layers of the OSI model and is a networking method that formulates data transfer between WANs and LANs. | Packet switching |
| Integrated Services Digital Network (ISDN) | ISDN is an international communications standard for sending voice, video and data over digital telephone lines or normal telephone wires. It supports data transfer rates of 64Kbps (64,000 bits per second). The two types of ISDN are: Basic Rate Interface (BRI), consisting of two 64-Kbps B-channels and one D-channel for transmitting control information; and Primary Rate Interface (PRI), consisting of 23 B-channels and one D-channel, or 30 B-channels and one D-channel. The original version of ISDN employs baseband transmission. Another version, called B-ISDN, uses broadband transmission and supports transmission rates of 1.5Mbps; B-ISDN requires fibre optic cables and is not widely available. | Circuit switching |

Table 11.2: WAN Technologies

11.2 Remote Access Technologies

Almost every company offers remote access to its partners, employees and external technical support teams. Through Remote Access Service (RAS), clients can dial in to a modem remotely and connect to the network, much as they would locally in an office environment.

RAS is easy to configure and use. A connection to a RAS server can be made using a standard phone line and modem, a network, or an ISDN connection. RAS supports the following client operating systems:

Windows 2000 Professional-based clients

Windows XP Home-based clients

Windows XP Professional-based clients

UNIX clients

Linux clients

Macintosh clients

RAS is a very helpful feature. However, one needs to be aware of hacking. Hackers use a common method called war dialling to break into remote networks.

War dialling is a method in which lists of phone numbers are dialled at random until a modem answers. The attacker then guesses login credentials such as the username and password.

The techniques used by RAS systems to ensure security from war dialling are as follows:

The RAS system hangs up the incoming call and calls back a predefined phone number. This is called the callback feature.

The RAS system configures the modem so that it lets the phone ring five times or more before answering the call. This works because most war-dialling tools move on to the next number after a couple of rings.

11.2.1 Plain Old Telephone Service/Public Switched Telephone Network (POTS/PSTN)

A phone line and a modem are still the most popular way to connect to the Internet or to a remote network.

A modem and a dial-up ISP account are required to connect to the Internet through a phone line.

Modems

Modems are devices that convert the computer's digital signals into analog signals that can travel across a phone line. The two types of modems are as follows:

External modems: Installing and troubleshooting external modems is easy as no configuration to the host system is required.

Internal modems: An internal modem must be configured to a communication (COM) port. It is also important to check that the configured port does not conflict with other devices.

Dialup ISP account

A dial-up ISP account is obtained from one of the local, regional or national ISPs. The speed offered by ISPs is 56Kbps, and the pricing plan depends on the online duration. In addition, they provide email accounts, access to newsgroup servers and small amounts of Web space.

Remember to research before selecting an ISP, as there are many options available. Paid services are better than free services, as one can hold them accountable and they offer better service.

In addition, before signing up for a dial-up account, check the ratio of subscribers to lines, as ISPs do not have as many lines as subscribers. Lines are allocated on a first-come, first-served basis.

11.2.2 DSL Internet Access

DSL is an Internet access method that provides high-speed Internet access over a phone line. It is less expensive than ISDN technology and is mostly used in small business and home environments. It uses different frequencies for digital and analog signals, which means it is possible to talk on the phone while uploading data.

DSL was introduced in the late 1990s, and many different types have been introduced since then. Table 11.3 describes the DSL types with their upload and download speeds. Together, all these types are known as xDSL.

| DSL Name | Description | Upload Speed | Download Speed |
| --- | --- | --- | --- |
| Asymmetric DSL (ADSL) | ADSL is the most common type of DSL. It uses three channels on the line, which makes downloading and uploading faster: the first channel is used for POTS and carries the analog traffic; the second channel provides upload access; the third channel is used for downloads. | 1Mbps | 8Mbps |
| Symmetric DSL (SDSL) | SDSL offers the same speed for uploading and downloading. Hence, it is suitable for business applications such as e-commerce, intranets and Web hosting. However, it is not widely implemented in homes and small businesses, as it does not support sharing a phone line. | 1.5Mbps | 1.5Mbps |
| ISDN DSL (IDSL) | IDSL is used if SDSL and ADSL are not available. It is a symmetric type of DSL and does not support analog phones. | 144Kbps | 144Kbps |
| Rate Adaptive DSL (RADSL) | RADSL can modify the transmission speed depending on the strength of the signal. It is a variation of ADSL and supports line sharing. | 1Mbps | 7Mbps |
| Very High Bit Rate DSL (VHDSL) | VHDSL supports sharing of the telephone line. It is an asymmetric version of DSL. | 1.6Mbps | 13Mbps |
| High Bit Rate DSL (HDSL) | HDSL supports equal transmission rates in both directions. It is a symmetric technology and does not allow sharing the line with analog phones. | 768Kbps | 768Kbps |

Table 11.3: Types of DSL

The symmetric forms of DSL are used in business environments that require high bandwidth. Home environments, which generally have budget constraints, use an option that allows sharing the phone line, such as ADSL.

11.2.3 Cable Internet Access

Cable Internet access is possible only in places where digital cable television is present. It is reliable, inexpensive and places no restriction on access, so it is used in home offices and small business environments. The cost of Cable Internet access is similar to that of a DSL subscription.

Cable Internet service is offered free or at minimal cost by many cable providers. The following devices are required to set up Cable Internet access:

Cable modem: It connects to the provider's outlet through its coaxial connection. This device is essential for connectivity and is supplied by the cable operator on a monthly rental basis.

Unshielded Twisted Pair (UTP) connection: It is required to connect the cable modem directly to a switch, hub or system.

Network Interface Card (NIC): It is to be installed in the system. A few cable providers offer a free NIC.

Cable modems offer a 10Mbps Ethernet connection for the home LAN. However, the actual connection does not reach that speed; it depends on the utilisation of the shared cable in the area. Normally the actual speed is anywhere between 1.5Mbps and 3Mbps.

The greatest drawback is that the available bandwidth is shared with people in the surrounding area. Therefore, cable link performance is low during peak times such as evenings and weekends. In general, the performance of Cable Internet access is good, and it can be very fast during low-usage times.

11.2.4 Satellite Internet Access

Satellite Internet access is for those who do not have access to other broadband services. It offers speeds from 512Kbps upload to 2048Kbps download, which is much faster than a 56k dial-up connection.

The most important drawback of Satellite Internet is its cost: at a higher price, it does not offer great speed compared to DSL or Cable. However, it offers the unique feature of portability, as it can be accessed from anywhere. Therefore, it is best suited for remote users and clients who need unlimited 24/7 Internet access as they travel.

Many Internet providers offer Satellite Internet access; their packages vary greatly in terms of price, access speeds and service.

Two different types of broadband Internet satellite services are deployed: one-way and two-way systems. Table 11.4 describes the types of Satellite Internet access.

| Satellite Internet Access Type | Description |
| --- | --- |
| One-way satellite system | It requires a satellite card and a satellite dish installed at the end user's site. This system works by sending outgoing requests on one link using a phone line, with inbound traffic returning on the satellite link. |
| Two-way satellite system | It provides data paths for both upstream and downstream data. Like a one-way system, a two-way system also uses a satellite card and a satellite dish installed at the end user's site. Bidirectional communication occurs directly between the end user's node and the satellite. |
| Home satellite systems | It is asymmetric, that is, download speeds are faster than upload speeds. It uses a modem for the upline traffic, with downloads coming over the satellite link. |

Table 11.4: Types of Satellite Internet Access

The speed of Satellite Internet access depends on factors such as atmospheric conditions and propagation time, that is, the time required by a signal to travel back and forth from the satellite.

11.2.5 Wireless Internet Access

Wireless Internet access is gaining popularity. It is provided by a Wireless Internet Service Provider (WISP). A WISP provides hotspots, which are public Wireless Internet access points that can be accessed by mobile network devices such as cell phones, laptops and handheld computers. WISPs list their hotspot sites online so that they are easily found.

Hotspots are created with one or more Wireless Access Points (WAP) near the hotspot location. For security and billing purposes, clients either have to install special application software or obtain a network name.

It is very easy to establish a connection to a wireless hotspot. Laptops that do not have a built-in wireless feature need an external wireless adapter card.

When a WISP is not present, Wireless Internet access can be provided with the help of a DSL or wireless router. Users connect to the router, which becomes the WAP and permits connecting to the Internet through a broadband connection. This technology is based on the 802.11 standards, typically 802.11b or 802.11g, and client systems require only an internal or external wireless adapter.

11.2.6 Security Considerations

Irrespective of whether POTS/PSTN, Cable Internet access, DSL, dial-up, wireless or Satellite Internet access is used, there is always a security threat when using the Internet. Security attacks normally target open TCP/UDP ports and email.

The following are a few rules for safeguarding the computer while accessing the Internet:

Firewall protection: A firewall can be a hardware device or a software application provided by a third party. It offers features such as packet filtering and Network Address Translation (NAT).

Up-to-date security and service pack updates: The Operating System (OS) should always be kept up to date with service packs and security updates. The client's system provides automatic update features that give notice of new security updates.
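The two firewall features named above, packet filtering and NAT, as an added example in Python that is not part of the original chapter. The rule set, the public address 203.0.113.5, the private LAN 192.168.1.0/24 and all packets are constructed for the example. It shows why open TCP/UDP ports are the usual target: a default-deny filter closes every port that is not explicitly allowed, and NAT on its own lets in only traffic that answers an existing outbound mapping.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches every destination port


def filter_inbound(rules: List[Rule], pkt: Packet) -> bool:
    """Packet filtering: the first matching rule decides; anything unmatched is
    denied, so ports that are not explicitly opened stay closed."""
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action == "allow"
    return False


class Nat:
    """Port-based NAT: internal hosts share one public address. Only traffic
    that answers an existing outbound mapping can reach an internal host."""

    def __init__(self, public_ip: str, internal_prefix: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix
        self.next_port = first_port
        # (proto, public port) -> (internal address, internal port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an internal packet to the public address,
        reusing an existing mapping for the same internal socket."""
        if not pkt.src.startswith(self.internal_prefix):
            return pkt
        for (proto, pub_port), inside in self.table.items():
            if proto == pkt.proto and inside == (pkt.src, pkt.sport):
                return replace(pkt, src=self.public_ip, sport=pub_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the internal host, or None if no mapping exists."""
        inside = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def handle_inbound(rules: List[Rule], nat: Nat, pkt: Packet) -> Optional[Packet]:
    """Edge policy for traffic arriving from the Internet: replies to mapped
    outbound connections pass through NAT; everything else must be explicitly
    allowed by the filter, and even then it stays addressed to the edge itself."""
    translated = nat.inbound(pkt)
    if translated is not None:
        return translated
    return pkt if filter_inbound(rules, pkt) else None


# Constructed policy: only HTTPS to the edge device itself is open.
RULES = [Rule("allow", "tcp", 443)]


def make_edge() -> Nat:
    """Constructed edge: hypothetical public address, private LAN 192.168.1.0/24."""
    return Nat("203.0.113.5", "192.168.1.")


if __name__ == "__main__":
    nat = make_edge()
    out = nat.outbound(Packet("tcp", "192.168.1.10", 51515, "198.51.100.7", 80))
    print("outbound translated to:", out)
    reply = Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.sport)
    print("reply delivered to:", handle_inbound(RULES, nat, reply))
    probe = Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 22)
    print("unsolicited probe to port 22:", handle_inbound(RULES, nat, probe))
```

The order of the two checks matters: a reply to an established mapping is accepted before the filter runs, so the filter only ever has to describe which services on the edge are deliberately exposed.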

11.3 Remote Access Protocols and Services

RAS can be established in many ways, such as through Virtual Private Networks (VPNs) or POTS/PSTN. Regardless of the technique used, certain technologies called protocols must first be in place. A protocol allows access to the server and secures the data transmission process once the connection is established. It is equally important to ensure that only authorised users can use the remote access features.

All major OSs include built-in support for remote access. They offer both the access methods and the security protocols necessary to secure the connection and data transfers.

The underlying technologies that enable the RAS process are dial-up protocols such as Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP).

SLIP

SLIP was designed to allow data to be transmitted via Transmission Control Protocol/Internet Protocol (TCP/IP) over serial connections in a UNIX environment.

SLIP did an excellent job, but time proved to be its enemy. It was developed in an atmosphere in which security was not an overriding concern. Consequently, it does not support encryption or authentication. It transmits all the data used to establish a connection (username and password) in clear text, which is, of course, dangerous in today's insecure world.

In addition to its inadequate security, SLIP does not provide error checking or packet addressing, so it can be used only in serial communications. It supports only TCP/IP, and login is accomplished through a terminal window.

Many operating systems still provide at least minimal SLIP support for backward compatibility with older environments, but SLIP has been replaced by a newer and more secure alternative, PPP. SLIP is still used by some government agencies and large corporations in UNIX remote access applications.

Point-to-Point Protocol (PPP)

PPP is a protocol from the TCP/IP suite. It is the most commonly used RAS protocol, which functions at the OSI model's network layer. It is also used in WAN for router-to-router connection.

Earlier, a dial-up protocol called Serial Line Internet Protocol (SLIP) was developed for UNIX environments and was supported by some ISPs. PPP is the descendant of SLIP and has the advantages of compression, authentication and multilink capabilities over SLIP. The authentication protocols supported by PPP are as follows:

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Extensible Authentication Protocol (EAP)

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

The drawback of PPP is that, after the remote client has been validated, the data transmitted is not encrypted. Hence, the connection is somewhat insecure. To overcome this disadvantage, various encryption protocols for data transmission are used.

11.3.1 Virtual Private Network (VPN)

A VPN is a corporate network created over a public connection such as the Internet. Using a VPN in place of point-to-point connections such as leased lines, ISDN and dial-up saves organisations a lot of money.

VPNs are of two types, namely site-to-site (LAN-to-LAN) VPNs and remote access VPNs.

Site-to-Site VPN

It establishes a connection between two networks. This type is mostly used to create an extranet for business partners or to connect the branches of an organisation.

To establish a VPN, a tunnel, which is a private virtual point-to-point connection, is established over the Internet between the firewalls or routers of the two LANs (refer to Figure 11.1; the virtual connection is depicted by a straight line). Remember, the clients and servers on both sides of the networks are not aware of the VPN.

Figure 11.1: Site-to-Site VPN

Remote Access VPN

Remote and mobile users also need access to the corporate network. Hence, a remote access VPN is created.

To use a remote access VPN, an Internet connection and software installed on the client's OS, called the VPN client, are required. After a connection to a local ISP is established, the VPN client creates a tunnel to the corporate network (refer to Figure 11.2; the router can be either a VPN hardware appliance or a firewall).

Figure 11.2: Remote Access VPN

The client's remote access connection to the Internet can be anything from a dial-up to a cable connection. However, it must support PPP.

11.3.2 Remote Desktop Protocol (RDP)

In a Windows environment, Terminal Services provides a way for a client system to connect to a server, such as Windows Server 2000/2003, and, using RDP, run programs on the server as if they were local client applications. Such a configuration is known as thin client computing, whereby client systems use the resources of the server instead of their local processing power.

Earlier, Terminal Services was available in remote administration mode or application server mode. In Windows Server 2003, it has been replaced with the Remote Desktop feature.

Windows Server 2003 and XP Professional have built-in support for Remote Desktop Connections. The underlying protocol used to manage the connection is RDP.

RDP is a low-bandwidth protocol used to send mouse movements, keystrokes and bitmap images of the screen between the client computer and the server. It does not actually send the data itself over the connection; only screenshots and client keystrokes are sent.

11.3.3 Security Protocols

Security is a very crucial aspect of remote networks, as remote access opens a network to remote users, and unauthorised users are likely to attempt remote access as well. Therefore, data encryption is an essential security measure.

Encryption is the process of encoding data using a mathematical algorithm so that it can be securely sent over remote connections. Encryption makes it difficult for the unauthorised users to intercept the data.

The encryption algorithm relies on a mathematical value known as a key. The key is required in order to read the encrypted data. Encryption techniques use public and private keys: public keys can be shared, while private keys cannot. The data and the login credentials, such as usernames and passwords, are generally encrypted.

Point to Point Tunneling Protocol (PPTP)

Microsoft developed PPTP, which is an extended version of PPP. It transfers encapsulated PPP packets through a channel over a public network.

The encapsulated protocol can be IP, IPX, AppleTalk or any other protocol supported by PPP. The following points describe PPTP:

It provides data encryption with the help of the PPP authentication protocol MS-CHAP and the Microsoft Point-to-Point Encryption (MPPE) protocol, using a 40-bit or 128-bit RC4 cipher.

It works in the OSI model at the data link layer and uses TCP port 1723.

It is prone to attacks from hijackers and eavesdroppers, as authentication data is sent in clear text.

It does not provide any real security, as the encapsulated packets themselves are not encrypted; it just tunnels them.

Layer Two Tunnelling Protocol (L2TP)

L2TP combines Microsoft's PPTP and Cisco's Layer 2 Forwarding (L2F) tunnelling protocol technologies. It is an Internet Engineering Task Force (IETF) standard developed to replace PPTP. The following points describe L2TP:

It provides tunnelling support for different point-to-point networks such as X.25, ATM and frame relay. Additionally, it supports IP networks.

It operates in the OSI model at the data link layer and uses UDP port 1701.

It transfers data as IP packets.

It can encapsulate protocols such as AppleTalk, IPX, IP and other PPP-supported protocols.

Just like PPTP, it neither encrypts data nor authenticates individual messages.

To overcome the lack of data encryption, IPSec is used along with it. The benefit is that an additional verification happens at the network layer, because the L2TP packets are encapsulated within IPSec packets.

Internet Protocol Security (IPSec)

IPSec offers complete security at the network layer of the OSI model and is a comprehensive encryption framework for IP networks. It uses various protocols and encryption methods to provide data confidentiality, data integrity and data origin authentication. The following networks use IPSec:

LAN: In LANs, it is used for establishing client/server connections and router-to-router connections.

WAN: In WANs, it is used because it makes RAS connections safe.

VPN: In VPNs, it offers higher security when used along with the tunnelling protocols.

The major benefit of IPSec is that all network devices and OSs support it, so it is easy to implement. Additionally, it is transparent to the user.

An IPSec connection can be established between various devices such as clients, servers, firewalls and routers. A single device may be connected to many other devices simultaneously.

After establishing the IPSec connection, the two devices use a handshake process to negotiate the protocols, encryption algorithms, key size, modes and other communication settings.

A separate Security Association (SA) stores these settings for each direction. Therefore, two SAs are present for every communication. Once a device receives an IPSec packet, it looks up the SA settings referenced in the header, as the SA settings are required to interpret the packet.

Secure Sockets Layer (SSL)

SSL is a security protocol used on the Internet, originally developed by Netscape for use with its Navigator browser. It uses public key encryption to establish secure connections over the Internet.

The three key services provided by SSL are as follows:

Server authentication: It allows a user to confirm a server's identity. For example, when purchasing something online with a credit card, it is essential to first verify the server's identity.

Client authentication: It allows a server to confirm a user's identity. This functionality is often used when a server is sending sensitive information such as banking information or sensitive documents to a client system and wants to verify the client's identity.

Encrypted connections: It is possible to configure SSL to require all information sent between a client and a server to be encrypted. This establishes private and secure communication between two devices. In addition, SSL has a mechanism to determine whether the data sent has been tampered with or altered in transit.

To establish a secured connection, the browser needs built-in security features. SSL security can be seen on the Web when accessing a secure uniform resource locator (URL): secure websites begin with https:// instead of http://.

WEP

Introduced in 1997, WEP is an IEEE standard designed for securing 802.11 networks. It encrypts data between sending and receiving devices.

Originally, the data packet was combined with a secret 40-bit key as it passed through an encryption algorithm known as RC4. The packet was then scrambled and sent across the airwaves.

On the receiving end, the data packet passed through RC4 in reverse, and the host received the data as intended. Later, 128-bit encryption was used to make WEP more robust.

However, within a short period it was discovered that WEP encryption was not nearly as secure as hoped. Part of the problem was that when the 802.11 standards were being written, security was not the major concern it is today. As a result, WEP security was easy to crack with freely available hacking tools.

Wi-Fi Protected Access (WPA)

It was very important to safeguard wireless networking, so WPA was created. It is designed to overcome the weaknesses associated with WEP and is backward compatible with older devices that use the WEP standard. The following are the two security concerns addressed by WPA:

Enhanced data encryption: It uses the Temporal Key Integrity Protocol (TKIP), which scrambles encryption keys using a hashing algorithm. The keys are then subjected to an integrity check to verify that they have not been modified or tampered with in transit.

Authentication: It uses the Extensible Authentication Protocol (EAP). EAP is built on a more secure public-key encryption system to ensure that only authorized network users can access the network.

802.1x

802.1x is an IEEE standard specifying port-based network access control. It provides access control for both wired and wireless networks. It makes use of the physical characteristics of a switched Local Area Network (LAN) infrastructure to authenticate devices attached to a LAN port, and it prevents access to that port when the authentication process fails.

During a port-based network access control interaction, a LAN port adopts one of two roles:

Authenticator: In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port.

Supplicant: In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port.

An authentication server, which is a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines the following two logical access points to the LAN through one physical LAN port:

Uncontrolled port: It is the first logical access point, which allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state.

Controlled port: It is the second logical access point, which allows data exchange between an authenticated LAN user and the authenticator.
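The authenticator, supplicant and authentication-server roles and the two logical ports described above, as an added example in Python that is not part of the original chapter. The frame format, the "identity:credential" payload and the credential store are constructed simplifications (real 802.1x carries EAP methods, and the server is usually RADIUS); what the model preserves is that the uncontrolled port only ever passes authentication traffic, and the controlled port stays closed until the server authorises the supplicant.

```python
from dataclasses import dataclass, field
from typing import Dict, List

EAPOL = "EAPOL"  # authentication traffic (EAP over LAN)
DATA = "DATA"    # ordinary user traffic


@dataclass(frozen=True)
class Frame:
    kind: str     # EAPOL or DATA
    payload: str  # for EAPOL a constructed "identity:credential"; for DATA anything


class AuthenticationServer:
    """Checks supplicant credentials on the authenticator's behalf (the role a
    RADIUS server usually plays). The credential store is constructed here."""

    def __init__(self, credentials: Dict[str, str]):
        self._credentials = credentials

    def check(self, identity: str, credential: str) -> bool:
        return self._credentials.get(identity) == credential


@dataclass
class AuthenticatorPort:
    """One physical LAN port exposing the two logical access points of 802.1x."""
    server: AuthenticationServer
    authorized: bool = False
    log: List[str] = field(default_factory=list)

    def uncontrolled_port(self, frame: Frame) -> bool:
        """Always open, but passes only authentication traffic, which the
        authenticator relays to the authentication server."""
        if frame.kind != EAPOL:
            self.log.append(f"uncontrolled port: dropped {frame.kind} frame")
            return False
        identity, _, credential = frame.payload.partition(":")
        self.authorized = self.server.check(identity, credential)
        verdict = "authorized" if self.authorized else "rejected"
        self.log.append(f"uncontrolled port: EAPOL for {identity!r} -> {verdict}")
        return True

    def controlled_port(self, frame: Frame) -> bool:
        """Closed until the supplicant on this port has been authorized."""
        if not self.authorized:
            self.log.append(f"controlled port: blocked {frame.kind} frame (unauthorized)")
            return False
        self.log.append(f"controlled port: forwarded {frame.kind} frame")
        return True

    def receive(self, frame: Frame) -> bool:
        """EAPOL frames go to the uncontrolled port; all others to the controlled port.
        Returns True if the frame was accepted (onto the LAN, or into authentication)."""
        if frame.kind == EAPOL:
            return self.uncontrolled_port(frame)
        return self.controlled_port(frame)

    def logoff(self) -> None:
        """A logoff (or link down) returns the port to the unauthorized state."""
        self.authorized = False
        self.log.append("controlled port: closed after logoff")


def run_scenario() -> List[bool]:
    """Constructed sequence: data before auth, a failed login, a good login, data, logoff."""
    port = AuthenticatorPort(AuthenticationServer({"alice": "correct-horse"}))
    results = [
        port.receive(Frame(DATA, "http get")),              # blocked: not yet authorized
        port.receive(Frame(EAPOL, "alice:wrong")),          # processed, but login fails
        port.receive(Frame(DATA, "http get")),              # still blocked
        port.receive(Frame(EAPOL, "alice:correct-horse")),  # processed, login succeeds
        port.receive(Frame(DATA, "http get")),              # forwarded
    ]
    port.logoff()
    results.append(port.receive(Frame(DATA, "http get")))   # blocked again
    return results


if __name__ == "__main__":
    print(run_scenario())
```

A True result for an EAPOL frame means only that the uncontrolled port accepted it for authentication; whether the supplicant gains access is reflected in the port's authorized flag and in what the controlled port does with the next data frame.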

11.3.4 Authentication Protocols

Two primary technologies are required for securing data transmissions: encryption and authentication. Encryption was discussed earlier; authentication protocols are examined now.

When designing a remote connection strategy, it is critical to consider how remote users will be authenticated. Authentication defines the way in which a remote client and server will negotiate on a user's credentials when the user is trying to gain access to the network.

Depending on the operating system used and the type of remote access involved, several different protocols are used to authenticate a user. Table 11.5 describes the authentication protocols used with various technologies including PPP.

| Authentication Protocol | Description |
| --- | --- |
| Challenge Handshake Authentication Protocol (CHAP) | CHAP is an authentication system that uses the MD5 scheme to secure authentication responses. It is a commonly used protocol and, as the name suggests, anyone trying to connect is challenged for authentication information. When the correct information is supplied, the systems shake hands and the connection is established. |
| Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) | MS-CHAP, based on CHAP, was developed to authenticate remote Windows-based workstations. There are two versions of MS-CHAP; the main difference between them is that MS-CHAP version 2 offers mutual authentication. This means that both the client and the server must prove their identities in the authentication process, which ensures that the client is connecting to the expected server. |
| Password Authentication Protocol (PAP) | PAP is the least secure of the authentication methods because it uses unencrypted passwords. It is often not the first choice of protocol; rather, it is used when more sophisticated types of authentication fail between a server and a workstation. |
| Extensible Authentication Protocol (EAP) | EAP is an extension made to standard PPP. It has additional support for a variety of authentication schemes, including smart cards. It is often used with VPNs to add security against brute-force or dictionary attacks. |
| Shiva Password Authentication Protocol (SPAP) | SPAP is an encrypting authentication protocol used by Shiva remote access servers. It offers a higher level of security than other authentication protocols such as PAP, but it is not as secure as CHAP. |

Table 11.5: Authentication Protocols
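The contrast between PAP and CHAP in Table 11.5, as an added example in Python that is not part of the original chapter. The PAP request layout follows RFC 1334 and the CHAP response value follows RFC 1994 (MD5 of identifier, secret and challenge); the user names and secrets are constructed. Running it shows what each protocol puts on the wire: PAP carries the password itself, while a CHAP response reveals nothing about the secret and cannot be replayed because each challenge is consumed on first use.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request body (RFC 1334): Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Nothing is hashed; the password is on the wire."""
    pid, pwd = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994, MD5 algorithm):
    MD5(Identifier || secret || Challenge). The secret never leaves the host."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: issues one-time challenges and checks responses."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Build a Challenge packet: new identifier, fresh random challenge value."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Check a Response packet. The challenge is consumed on first use, so the
        same response cannot be replayed later; an unknown name or a stale
        identifier fails. compare_digest avoids a timing side channel."""
        value = self._pending.pop(ident, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: holds its secret and answers challenges."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[int, str, bytes]:
        return ident, self.name, chap_response(ident, self._secret, challenge)


def chap_exchange(server: ChapAuthenticator, peer: ChapPeer) -> Tuple[bool, Tuple[int, str, bytes]]:
    """One full challenge/response round; returns the outcome and the response packet."""
    ident, value = server.challenge()
    packet = peer.respond(ident, value)
    return server.verify(*packet), packet


if __name__ == "__main__":
    # Constructed credentials; nothing here refers to a real system.
    secret = b"correct horse battery"
    print("PAP on the wire:", pap_authenticate_request("alice", "hunter2"))
    server = ChapAuthenticator({"alice": secret})
    ok, (ident, name, resp) = chap_exchange(server, ChapPeer("alice", secret))
    print("CHAP result:", ok, "response:", resp.hex())
    print("replay of the same response:", server.verify(ident, name, resp))
```

Because the authenticator keeps the challenge only until the first matching response arrives, re-sending a captured response fails even though its bytes are valid for the earlier challenge; a CHAP server may also re-challenge periodically during a session for the same reason.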

Remote Authentication Dial-In User Service (RADIUS)

To connect to RAS, clients use a SLIP or PPP dial-up connection together with an authentication protocol such as PAP, CHAP or EAP.

RADIUS has a centralised server that authenticates the client information passed by the Network Access Server (NAS) such as wireless access point (WAP), router or remote access server. The authentication process (Refer to Figure 11.3) is as follows:

User dials in to a remote access server.

The remote access server, behaving as a RADIUS client, sends an access request to the RADIUS server.

RADIUS server operating on a Windows or UNIX server verifies the login information of the client. This is done by referring to its local user database or contacting another server such as a Windows domain controller.

If the client is verified successfully, the RADIUS server accepts the client's connection by responding to the RADIUS client, which is the NAS.

Figure 11.3: RADIUS Authentication Process

Apart from centralised authentication the other features provided by RADIUS are as follows:

User management: It refers to managing access permissions.

Accounting: It refers to tracking resources used by the clients.

These features of user management, accounting and authentication are very useful during the auditing process. The following UDP ports are used to exchange information between the RADIUS server and the NAS:

UDP port 1812: used for the RADIUS authentication protocol.

UDP port 1813: used for the RADIUS accounting protocol.

A drawback of this protocol is that only the user's password is encrypted when it is transmitted between the remote access server and the RADIUS server. The access request packet carries other details, such as the username and authorization details, in clear text. Use RADIUS along with L2TP or IPSec to overcome this drawback.
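An added example (not code from this chapter) of the drawback just described: it builds a RADIUS Access-Request as defined in RFC 2865 and shows that only the User-Password attribute is masked with the shared secret, while User-Name and NAS-IP-Address are readable by anyone on the path. The shared secret, username, password and Request Authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1        # RFC 2865 packet code
ATTR_USER_NAME = 1        # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same masks, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, nas_ip, secret, authenticator):
    """Access-Request as the NAS sends it: only User-Password is hidden."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """What a passive observer sees without the secret: type -> raw value."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

SECRET = b"constructed-shared-secret"   # constructed sample values
REQUEST_AUTH = bytes(range(16))         # a real NAS draws this from a CSPRNG
PACKET = build_access_request(7, b"alice", b"s3cret", "192.0.2.10", SECRET, REQUEST_AUTH)
SEEN = parse_attributes(PACKET)         # SEEN[ATTR_USER_NAME] is b"alice" in clear text
```

Without the shared secret an observer still recovers the username and NAS address from SEEN; only the 16 masked password bytes are protected, which is why the text recommends carrying RADIUS inside L2TP or IPSec.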

Kerberos

The Kerberos network authentication protocol is designed in such a way that data transmitted over the network is always secured from external attacks. It was designed at the Massachusetts Institute of Technology to provide a solution to network security issues.

In Kerberos, the client and the server both need to prove their identity to each other. It offers a secured method of verifying the identity of a computer system over an insecure network connection.

Kerberos assigns a unique key, called a ticket, to each client that successfully authenticates to a server. This ticket is encrypted and includes the user's password as well. The user's password is required for verifying the identity of the user when a network service is requested.

Kerberos is distributed freely allowing anyone interested to view the source code directly. It is also available from many different vendors that provide additional support for its use.

11.4 Chapter Review Questions

1. Which of the following types of WAN network uses a leased line?

A. Point-to-point connection
B. Circuit switching
C. Packet switching
D. None of these

2. Which of the following WAN technologies is also known as cell relay?

A. Dial up
B. ATM
C. X.25
D. Frame relay

3. Which of the following WAN optimising techniques allows efficient presentation of data patterns?

A. Duplication
B. Caching
C. Traffic shaping
D. Compression

4. Hackers use a common method called war dialling to break into remote networks. Is this statement true or false?

A. True
B. False

5. Which of the following features are provided by RADIUS?

A. Authentication
B. User management
C. Accounting
D. Packet encryption

6. Which of the following protocols encrypts the complete access request packet?

A. RADIUS
B. TACACS+
C. PPP
D. PPTP

7. IP on the public Internet is an example of a ______ protocol.

A. Carrier
B. Tunneling
C. Encapsulated
D. None of these

8. Which of the following types of configuration provides confidentiality to the payload of an IP packet?

A. AH in Transport Mode
B. ESP in Tunnel Mode
C. AH in Tunnel Mode
D. ESP in Transport Mode

9. The OAKLEY protocol defines the procedures associated with peer authentication, the SA handshake process, algorithms and key sizes. Is this statement true or false?

A. True
B. False

10. Which of the following are the components of the 802.1x authentication process?

A. Supplicant
B. Authentication server
C. SSH
D. Authenticator

11.4.1 Answers

1. A
2. B
3. D
4. A
5. A, B and C
6. B
7. A
8. D
9. B
10. A, B and D

Summary

To enable transmission of data across a geographical area, a Wide Area Network (WAN) is essential. In the OSI model, WAN technology is supported only by the physical layer, the data link layer and the network layer.

The most common types of WAN networks are point-to-point connection, circuit switching and packet switching. WAN technologies operate at the lowest layers of the OSI model.

WAN optimization helps eliminate data transfer flaws. It helps overcome difficulties such as costly bandwidth, and it also reduces the user's response time.

RAS is a very useful feature that allows clients to dial in remotely to a modem and connect to the network. Hackers use the war dialling method to break into remote networks.

The remote access protocols are PPP, which has the advantage of compression, authentication and multilink capabilities over SLIP; RADIUS, which has a centralised server that authenticates the client information passed by the NAS; and TACACS+, which offers a secured alternative to RADIUS.

Over a public connection such as the Internet, it is possible to create a corporate network called a VPN. Using a VPN in place of point-to-point connections such as leased lines, ISDN and dial up saves organizations a lot of money.

Encapsulation of a packet inside another packet is called tunneling. PPTP, L2TP and IPSec are the commonly used tunneling protocols. IPSec offers complete security at the network layer of the OSI model. The major benefit of IPSec is that all network devices and operating systems support it, so it is easy to implement.

An additional protocol, the IKE protocol, is used to manually configure or dynamically generate and exchange the symmetric key. IKE protocols are of two types, namely ISAKMP and OAKLEY.

SSH is a secured alternative to remote connectivity protocols such as FTP, Telnet, rlogin and rsh.

To control access to wired and wireless 802.11 networks, the IEEE 802.1x protocol is required. It operates at the data link layer of the OSI model and grants port-based access control to clients connected to a WAP or switch. 802.1x uses EAP for the authentication process. EAP is a flexible authentication framework because it allows different authentication protocols and methods, such as smart cards and certificates, besides username and password credentials.

Glossary

A

Asynchronous Transfer Mode (ATM): It is a high-bandwidth, high-speed WAN technology that operates at a speed of 155 Mbps.

Accounting: It refers to tracking resources used by the clients.

Authentication Header (AH): It is a type of IPSec protocol that offers integrity and data origin authentication to IP packets.

Authentication server: It is a component of the 802.1x authentication process, which normally is a RADIUS server.

Authenticator: It is a component of the 802.1x authentication process, which is the switch or WAP to which the supplicant connects and exchanges authentication information.

AH in Transport Mode: It is a configuration type that offers data origin authentication and integrity to IP packet payload.

AH in Tunnel Mode: It is a configuration type that offers data origin authentication and integrity to entire packet along with the header.

C

Caching: It is a WAN optimising technique that reduces bandwidth use by up to 30%, as a single bundle includes many requests.

Call back feature: It is a feature of RAS systems in which the RAS system hangs up on the incoming call and calls back a predefined phone number. This feature is used to protect against war dialling.

Circuit switching: It is a type of WAN network in which communication begins only when two remote networks communicate and confirm the connection.

Compression: It is a WAN optimising technique that allows efficient presentation of data patterns.

Connection limits: It is a WAN optimising technique that prevents gridlock in access points and routers caused by a lack of service or by peer-to-peer connections.

D

Dial up: It is a type of WAN technology that presents a very effective communication solution at minimal cost.

Duplication: It is a WAN optimising technique that sends only actual data reference thus preventing data redundancy.

E

Encapsulating Security Payload (ESP): It is a type of IPSec protocol that offers integrity, data origin authentication and confidentiality to IP packets.

Equalising: It is a WAN optimization technique that happens when data is transmitted as per data usage priority.

ESP in Transport Mode: It is a configuration type that offers confidentiality to the IP packet payload.

ESP in Tunnel Mode: It is a configuration type that offers confidentiality to the entire packet along with its header.

Extensible Authentication Protocol (EAP): It was initially developed for dial up and remote access connection and is used by 802.1x for authentication process.

F

Frame relay: It is a WAN protocol that provides very high speed and high performance.

I

Integrated Services Digital Network (ISDN) lines: It is a type of WAN communication method, which is preferred over the regular telephone lines.

Internet Protocol Security (IPSec): It is a tunneling protocol that uses various protocols and encryption methods to provide data confidentiality, data integrity and data origin authentication.

Internet Key Exchange (IKE): It is a protocol used to manually configure or dynamically generate and exchange the symmetric key.

Internet Security Association and Key Management Protocol (ISAKMP): It is an IKE protocol that defines the procedures associated with peer authentication, SA handshake process, algorithms and key sizes.

IEEE 802.1x: It is a protocol used by wired and 802.11 wireless networks to control access to the network.

L

Layer Two Tunnelling Protocol (L2TP): It is a tunnelling protocol that provides tunnelling support to different point-to-point networks.

O

OAKLEY: It is an IKE protocol that performs the actual key negotiation with the help of another protocol namely the Diffie-Hellman protocol.

P

Packet switching: It is a type of WAN network in which the communication devices share a point link for transferring the packets.

Point-to-Point connection: It is a type of WAN network in which two remote locations can communicate through a carrier network with the help of a point to point link.

Point-to-Point Protocol (PPP): It is the most commonly used RAS protocol; in a WAN it is also used for router-to-router connections.

Point to Point Tunneling Protocol (PPTP): It is a type of tunneling protocol that transfers encapsulated packets through a channel over a public network.

Protocol spoofing:

Public Key Infrastructure (PKI): It is a key used to authenticate a user along with certification authorities and digital certificates or Kerberos authentication.

R

RADIUS protocol: It is a RAS protocol that offers centralised authentication, user management and accounting.

Remote Access Service (RAS): On Microsoft's Windows NT, it allows clients to dial in remotely to a modem and connect to the network.

Remote access VPN: It is a type of VPN that is created for remote and mobile users.

Routing: It is a method of forwarding the packets towards the destination depending on the IP address.

Routing table: It stores source and destination devices IP addresses, which are required during the routing process.

S

SLIP: It is an earlier dial up protocol developed for the UNIX environment that was supported by some ISPs.

Simple rate: It is a WAN optimising technique that restricts users to a fixed amount of data.

Site-to-Site VPN: It is a type of VPN that establishes a connection between two networks.

Secure Shell (SSH): It is a secured alternative to remote connectivity protocols. It transmits all traffic, including authentication information, in encrypted form between a client and a server.

Supplicant: It is a component of the 802.1x authentication process; it is the client that asks for access to the network.

Symmetric key:

T

Traffic shaping: It is a WAN optimising technique that monitors, manages and handles data traffic.

Tunneling: Encapsulation of a packet inside another packet is called tunneling.

Terminal Access Controller Access Control System+ (TACACS+): It is a RAS protocol designed by Cisco that offers a secured alternative to RADIUS.

U

User experience: A user's response time with an application is termed as user experience.

User management: It refers to managing access permissions.

V

Virtual Private Network (VPN): It is a corporate network created over a public connection such as the Internet.

W

War dialling: It is a method by which lists of numbers are dialled randomly until a modem answers. The attacker then guesses login credentials such as username and password.

WAN Optimization: It enhances the overall working of a WAN.

WEP:

Wide Area Network (WAN): It is a network that enables data transmission across geographical area.

X

X.25: It is a communication protocol in the packet switching data network.
