The Remote Access Process And Authentication Computer Science Essay


Remote access allows users to reach a network or its resources from outside it. A user can initiate a remote connection over a remote access medium such as the Internet, a dial-up line or a wireless link. To establish the connection, the remote access server authenticates the user, and it continues to authenticate and authorise the services used during the session. Authentication is the process of establishing a user's identity so that permissions can be granted.

Different methods are used to establish a network connection, depending on the network type, the hardware and software employed and the security requirements. Microsoft Windows runs the Remote Access Service (RAS) to manage remote access connections, originally over dial-up modems. Cisco provides networking devices and software used for remote access. UNIX systems also have built-in services that enable remote access.

9.2 Remote Access Process

The process of remote access involves the following two elements:

A temporary network connection

A series of protocols to negotiate privileges and commands

A temporary network connection can be made over dial-up, the Internet or a wireless link. After the connection is established, the authentication process starts: the user is identified and then granted the appropriate privileges. This is performed by a combination of protocols and the operating system on the host system.

The establishment of privileges involves three steps: authentication, authorisation and accounting (AAA). Authentication matches the user-supplied credentials, such as a username and password, against the credentials stored on the host system. After the user is authenticated, authorisation takes place: specific permissions are granted based on the privileges held by the account. Authorisation can also apply a range of restrictions, for example time-of-day restrictions, restrictions against multiple simultaneous logins by the same user, or physical location restrictions. Accounting tracks the consumption of network resources by users. This information is used for capacity planning, billing, management and other purposes. Real-time accounting delivers the accounting information concurrently with the consumption of resources; batch accounting stores it and delivers it later. Typical information gathered is the identity of the user, the nature of the service used, when the service began and when it ended.
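The three steps in sequence, as an added example that is not part of the original chapter: a small Python AAA pipeline with a constructed user table, a time-of-day and concurrent-login restriction in the authorisation step, and Start/Stop accounting records. The user names, passwords, permitted hours and the fixed salt are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Fixed salt so the demo is deterministic; a real deployment uses a fresh
# os.urandom(16) salt per user (assumption made for the example).
_DEMO_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table (assumption): credentials plus each account's restrictions.
USERS: Dict[str, dict] = {
    "alice": {"salt": _DEMO_SALT, "hash": _hash_password("correct horse", _DEMO_SALT),
              "allowed_hours": (8, 18), "max_sessions": 1, "active": True},
    "bob":   {"salt": _DEMO_SALT, "hash": _hash_password("hunter2", _DEMO_SALT),
              "allowed_hours": (0, 24), "max_sessions": 2, "active": False},
}

ACCOUNTING_LOG: List[dict] = []          # one Start and one Stop record per session
ACTIVE_SESSIONS: Dict[str, Set[str]] = {}


def authenticate(username: str, password: str) -> bool:
    """Step 1: bind the supplied credentials to a stored identity."""
    rec = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    salt = rec["salt"] if rec else _DEMO_SALT
    candidate = _hash_password(password, salt)
    return rec is not None and hmac.compare_digest(candidate, rec["hash"])


def authorise(username: str, now: datetime) -> Tuple[bool, str]:
    """Step 2: apply the account's restrictions (status, time of day, concurrent logins)."""
    rec = USERS[username]
    if not rec["active"]:
        return False, "account disabled"
    start_hour, end_hour = rec["allowed_hours"]
    if not start_hour <= now.hour < end_hour:
        return False, "outside permitted hours"
    if len(ACTIVE_SESSIONS.get(username, ())) >= rec["max_sessions"]:
        return False, "too many concurrent sessions"
    return True, "ok"


def start_session(username: str, password: str, now: datetime) -> Optional[str]:
    """Run authentication then authorisation; on success write an accounting Start
    record and return the session id, otherwise return None."""
    if not authenticate(username, password):
        return None
    ok, _reason = authorise(username, now)
    if not ok:
        return None
    sid = secrets.token_hex(8)
    ACTIVE_SESSIONS.setdefault(username, set()).add(sid)
    ACCOUNTING_LOG.append({"type": "Start", "user": username, "session": sid, "time": now})
    return sid


def stop_session(username: str, sid: str, now: datetime, octets: int) -> dict:
    """Step 3: close the session and write a Stop record carrying the resource usage."""
    ACTIVE_SESSIONS[username].discard(sid)
    start = next(r for r in ACCOUNTING_LOG if r["session"] == sid and r["type"] == "Start")
    record = {"type": "Stop", "user": username, "session": sid, "time": now,
              "duration_s": int((now - start["time"]).total_seconds()), "octets": octets}
    ACCOUNTING_LOG.append(record)
    return record


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 10, 0)
    sid = start_session("alice", "correct horse", t0)
    print("session:", sid)
    print("second login:", start_session("alice", "correct horse", t0))   # blocked: max_sessions = 1
    print(stop_session("alice", sid, datetime(2024, 1, 1, 10, 30), octets=4096))
```

The accounting records are keyed by session id rather than by user so that the Stop record can be matched to its Start even when the same user has several sessions; the duration and octet count in the Stop record are exactly the fields a billing or capacity system consumes.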



Chapter 9: Remote Access Process and Authentication, Concepts, V 1.0 © 2010 Aptech Limited

Remote access protocols authenticate and authorise a user and protect the exchange with encryption. The authentication phase keeps unauthorised users out of the network. After it is complete, it is just as important to prevent an attacker from breaking in on an established session and hijacking the authorised user's credentials or session; this is achieved by encrypting the communication channel for the whole session, not just the login. Most remote access connections today rely on the Internet to reach remote users.

9.2.1 Identification

Identification is the process of assigning a computer ID to a specific user, computer or a network device. The identification process is performed only once, when a user ID is issued to a particular user. User identification enables authentication and authorisation, which form the basis for the next phase, accounting. For accountability purposes, UserIDs should not be shared with anyone.

9.2.2 Authentication

Authentication is the process of binding the UserID to its user. Three categories are used to authenticate the identity of a user.

What users know (password)

What users have (token)

What users are (biometrics such as fingerprints or iris pattern)

The three categories can be used individually or in combination. The authentication mechanism ensures that permissions are given only to valid users. The most common method of authentication is a password. A higher level of assurance can be obtained with a token such as a smart card, particularly when it is combined with a password or PIN.

Another method of authentication is use of something that only valid users should possess. For example, lock and key. Only those individuals with the correct key will be able to open the lock and gain entry into a house, car or office.

The third method of authentication relies on something that is unique to the user, such as fingerprints, an iris scan, a retinal scan or hand geometry. The field of authentication that uses a physical characteristic of the user, such as a fingerprint or the retina of the eye, is known as biometrics. Security professionals are constantly devising new methods to provide authentication mechanisms for computer systems and networks.


Kerberos

Kerberos is an authentication protocol that provides secure authentication over an insecure network. It was developed at the Massachusetts Institute of Technology (MIT). The protocol provides mutual authentication between a client and a server, or between two servers. Kerberos protocol messages are protected against replay attacks by timestamps and a replay cache on the receiving side.

Note: A replay attack is a form of network attack in which data transmission is fraudulently delayed or repeated. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.

Kerberos uses strong encryption for authentication. It is built on symmetric key cryptography that requires a trusted third party, termed a Key Distribution Centre (KDC). KDC consists of two logically separate parts, Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos communicates through tickets to prove the identity of users.

A Kerberos environment is called a realm. The KDC holds a database of the secret keys of every principal in the realm, users and services alike; a user's key is derived from the user's password, so the KDC never needs to store the password itself. Each service shares its own secret key with the KDC, and the KDC uses that key to seal the tickets it issues for that service, so only the intended service can read them.
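A simplified Kerberos-style exchange, as an added example written for this page rather than taken from MIT Kerberos or the chapter: the KDC issues a ticket sealed under the service's key, the client proves possession of the session key with a timestamped authenticator, and the service rejects expired tickets and replayed authenticators. The sealing routine is a toy construction (SHA-256 keystream plus an HMAC tag), not a real Kerberos encryption type; the realm name, principal names and password are assumptions, and the AS and TGS exchanges are merged into one call for brevity.

```python
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 300   # seconds; assumption for the demo
CLOCK_SKEW = 300        # Kerberos tolerates a bounded clock difference between parties


# --- toy sealing primitive -----------------------------------------------
# SHA-256 keystream in counter mode plus an HMAC-SHA256 tag. This is NOT a real
# cipher and stands in for a Kerberos encryption type such as AES-CTS-HMAC; it only
# models "readable and unforgeable for the holder of the key".
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# --- the realm ----------------------------------------------------------
# Constructed realm EXAMPLE (assumption): the KDC holds the long-term key of every
# principal. The user's key is derived from the password; the service key is random.
KDC_KEYS = {
    "alice@EXAMPLE": hashlib.sha256(b"alice-password").digest(),
    "host/fileserver@EXAMPLE": os.urandom(32),
}


def kdc_issue_ticket(client: str, service: str, now: float):
    """KDC reply (AS and TGS exchanges merged): a ticket sealed under the service's
    key, and the session key sealed under the client's key."""
    session_key = os.urandom(32)
    ticket = seal(KDC_KEYS[service], {"client": client, "service": service,
                                      "key": session_key.hex(),
                                      "expires": now + TICKET_LIFETIME})
    for_client = seal(KDC_KEYS[client], {"service": service, "key": session_key.hex()})
    return ticket, for_client


def client_build_ap_req(client_key: bytes, ticket: bytes, for_client: bytes, now: float):
    """Client recovers the session key (only possible with the right password-derived
    key) and sends the ticket plus a fresh timestamped authenticator."""
    session_key = bytes.fromhex(unseal(client_key, for_client)["key"])
    authenticator = seal(session_key, {"timestamp": now, "nonce": os.urandom(8).hex()})
    return ticket, authenticator


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.replay_cache = set()   # (client, timestamp, nonce) of accepted authenticators

    def verify_ap_req(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)                 # only KDC-issued tickets unseal
        if t["service"] != self.name or t["expires"] < now:
            raise ValueError("ticket expired or issued for another service")
        a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves sender holds session key
        if abs(a["timestamp"] - now) > CLOCK_SKEW:
            raise ValueError("authenticator outside the clock-skew window")
        entry = (t["client"], a["timestamp"], a["nonce"])
        if entry in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(entry)
        return t["client"]
```

The service never contacts the KDC during verification: everything it needs is inside the ticket, which is why the service's key must be shared only with the KDC, and why the replay cache needs to cover at least the clock-skew window.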

Certificates

A certificate is an official document affirming some fact. Digital certificates are used to authenticate a specific object, most commonly an individual's or a server's public key: the certificate binds the public key to an identity and is signed by a certificate authority that both parties trust. When a certificate is attached to a message, the recipient can verify that the message came from the entity it claims, and the public key in the certificate can be used to encrypt the communication or to verify a signature on it.

Note: For more information on certificates, refer to chapter 5.

Tokens

A token is a physical device used to authenticate a user before permissions to access computer services are granted. Security tokens prove one's identity electronically. For example, a user accessing a bank account may present a token instead of, or in addition to, a password; the token acts as an electronic key to the data.

Hardware tokens are small enough to carry in a pocket. They store information such as the user's cryptographic key or biometric data. Some hardware tokens have tamper-resistant packaging, a small keypad for entering a PIN, or a single button that generates a new one-time code. The generated code can then be transferred to a client system through a Bluetooth wireless interface or a USB connector (Refer to Figure 9.1).

Figure 9.1: Security USB Connectors with eToken

Note: Tamper resistance is the property of a product, package or system that makes it hard for anyone with physical access to alter or open it without the tampering being prevented or detected.

Multi-factor

Multi-factor authentication is the combination of two or more types of authentication. Two-factor authentication requires any two of the three categories listed in section 9.2.2 (something the user knows, something the user has, something the user is) before granting access to the user; two methods from the same category, such as a password and a PIN, do not count as two factors.
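An added example for the token and multi-factor sections above, not code from the chapter: the one-time code that a press-button token generates is, on most current tokens, a TOTP value (RFC 6238, built on HOTP, RFC 4226), and a two-factor login succeeds only when both the password and the current code check out. The user record is constructed; the 20-byte ASCII secret is the RFC 4226 test key, so the codes can be checked against the published vectors. Each code is also treated as single-use, which the RFCs recommend but the chapter does not mention.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def match_totp_step(secret: bytes, code: str, unix_time: int,
                    step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time step the code matched, or None. The current step and one step
    either side are tried so that token and server clocks may drift a little."""
    base = int(unix_time) // step
    for d in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + d), code):
            return base + d
    return None


# Constructed user record (assumption). The TOTP secret is the RFC 4226 test key.
USERS: Dict[str, dict] = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").digest(),
              "totp_secret": b"12345678901234567890"},
}
_LAST_ACCEPTED_STEP: Dict[str, int] = {}   # per user: latest step whose code was accepted


def two_factor_login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Something known (password) AND something held (token code); both must pass."""
    rec = USERS.get(username)
    if rec is None:
        return False
    # A plain SHA-256 stands in for a proper password hash to keep the example short.
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), rec["pw_hash"])
    matched = match_totp_step(rec["totp_secret"], code, unix_time)
    # A code is single-use: refuse any step at or before the last one already accepted.
    code_ok = matched is not None and matched > _LAST_ACCEPTED_STEP.get(username, -1)
    if pw_ok and code_ok:
        _LAST_ACCEPTED_STEP[username] = matched
        return True
    return False
```

Both factors are always evaluated before the decision so that a wrong password and a wrong code take the same path and the response does not reveal which one failed.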

Single Sign-on

Single sign-on (SSO) is a property of access control that allows a user to log on once and then gain access to all authorised system resources without being prompted to log on again. Since one set of credentials now opens every resource, the damage if those credentials become available to another person is correspondingly greater. Hence the SSO credentials must be protected by combining strong authentication methods such as one-time password tokens and smart cards.

An SSO failure, for example due to a network failure, can deny access to all system resources at once. This matters for systems to which access must be guaranteed at all times, such as plant-floor systems or security systems, which therefore need a local fallback authentication path.

Mutual Authentication

Mutual authentication method is also called two-way authentication method. In this method, client and server authenticate each other to prove their identities. In case of online authentication processes, mutual authentication is referred to as site-to-user authentication or Website-to-user authentication. Mutual authentication is performed between a server and a client without user interaction.


9.2.3 Authorisation

Applying permissions to a specific system resource is a function of the operating system, whereas permitting or denying remote access to a specific resource is part of the authorisation process.

Each process or task, from identification to authentication and authorisation, has many advantages. Each process can be performed by using multiple methods on a single system or multiple systems.

9.3 IEEE 802.1X

Institute of Electrical and Electronics Engineers (IEEE) 802.1X is a port-based network access control standard. It defines how a supplicant (the user's device) communicates with an authenticator (an access device such as an edge switch or wireless access point), which in turn consults an authentication server such as a Remote Authentication Dial-In User Service (RADIUS) server. The standard is supported on token ring, Ethernet and wireless networks. Until the client is authenticated, the switch port passes only Extensible Authentication Protocol over LAN (EAPOL) frames and drops all other traffic, which prevents unauthorised use of publicly accessible switch ports in a LAN. EAPOL is the LAN encapsulation of EAP, a framework that carries multiple authentication methods, including password-based and certificate-based methods. After the authentication server accepts the client, the authenticator opens the port and forwards normal traffic; the same RADIUS server is then the network's AAA point for the session.

9.3.1 RADIUS

RADIUS is a networking protocol that supports centralised AAA management of systems to access a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991, as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards.

RADIUS is often used by enterprises and ISPs to manage access to the Internet or internal networks, wireless networks and e-mail services. These networks incorporate VPN, access points, web servers, modems, Digital Subscriber Line (DSL), network ports and so on.

RADIUS runs at the application layer and uses User Datagram Protocol (UDP) as its transport. A Remote Access Server (RAS), VPN server, network switch or Network Access Server (NAS) acts as a gateway that controls access to the network; each contains a RADIUS client that communicates with the RADIUS server. The RADIUS server is usually a background service running on a Windows or UNIX machine.


RADIUS performs the following functions:

Authentication and Authorisation

Accounting

Authentication and Authorisation

The client sends a request to a NAS to access a network resource by using credentials such as username and password. These credentials are given to the NAS through the link-layer protocol such as Point-to-Point Protocol (PPP).

In response, the NAS sends a RADIUS Access-Request message to the RADIUS server asking it to authenticate and authorise the user. This request contains the user's credentials or security certificate. Additionally, the request may include other information such as the user's network address or telephone number.

The RADIUS server then verifies the credentials against its user database, using an authentication scheme such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) or Extensible Authentication Protocol (EAP).

Note: Modern RADIUS servers can verify the user's credentials locally or consult external sources such as an SQL database, Kerberos, a Lightweight Directory Access Protocol (LDAP) directory or Active Directory.

The RADIUS server then responds to NAS through one of the following three messages:

Access Reject

Access Challenge

Access Accept

Access Reject

The user is denied access to any requested network resource, typically because of a failure to provide proof of identity, an inactive user account or an unknown user account.

Access Challenge

RADIUS server requests for additional information from the user such as a PIN, secondary password or token. Access Challenge is also used in more complex authentication methods where a secure tunnel is established between the RADIUS server and the client machine in a way that the credentials are hidden from the NAS.


Access Accept

The access is granted to the user. After user authentication, RADIUS server will again check that whether the user is able to access the network service requested. For example, a user may be allowed to use a company's wireless network, but not allowed to access VPN service. This information may be stored on the RADIUS server or in an external source such as LDAP or Active Directory.

Figure 9.2 shows access management in an organisation by using the RADIUS protocol.

Figure 9.2: Access Management in an Organisation Using RADIUS

Accounting

RADIUS accounting is performed independently of authentication and authorisation, on its own UDP port. Its main purpose is to support ISPs with accounting functions such as security logging and time-based billing. The NAS sends an Accounting-Request at the beginning (Start) and end (Stop) of the session; the Stop record carries resource utilisation such as session time and octets transferred.
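The Access-Request/Access-Accept exchange and an accounting Start record in code, as an added example for this page rather than code from any RADIUS implementation: the packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865 and the Accounting-Request authenticator follows RFC 2866. The shared secret, user names, passwords and NAS address are constructed. The example also makes visible a weakness the chapter only hints at when it compares RADIUS with DIAMETER and TACACS+: only the password attribute is hidden, and both the hiding and the integrity check are MD5 keyed with a static shared secret.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44
ACCT_START = 1


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; block i is XORed with
    MD5(secret + previous ciphertext block), the first with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips the padding (a real password must not end in NUL)

def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes, nas_ip: bytes):
    """NAS side: a fresh random Request Authenticator keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt, request_auth

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; rejects forged or mis-keyed replies."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def server_handle_access(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: reveal the password, check it, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length])
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[ATTR_USER_NAME])
    if expected is not None and hmac.compare_digest(password, expected):
        return build_response(ACCESS_ACCEPT, ident, request_auth, secret)
    return build_response(ACCESS_REJECT, ident, request_auth, secret)

def build_accounting_start(ident: int, secret: bytes, username: bytes, session_id: bytes) -> bytes:
    """RFC 2866: the Accounting-Request authenticator is MD5 over the packet with 16 zero
    octets in the authenticator field; there is no password, so nothing else is hidden."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _attr(ATTR_ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_accounting_request(pkt: bytes, secret: bytes) -> bool:
    header, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)
```

Two things worth noticing when running it: the user name and NAS address cross the wire in clear, and an Access-Request carries no integrity check at all unless the optional Message-Authenticator attribute of RFC 2869 is added, which is one reason RADIUS is increasingly carried over TLS (RFC 6614) or replaced by DIAMETER or TACACS+ for sensitive deployments.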

When RADIUS was designed in the early 1990s, the role of an ISP NAS was relatively simple: allow or deny access to the network and time the usage. Today the Internet and its access methods have changed dramatically, and so have the AAA requirements. As individual vendors extended RADIUS to meet these needs, interoperability became an issue, and a new AAA protocol known as DIAMETER was designed to address these issues in a comprehensive fashion.


DIAMETER

DIAMETER is an AAA protocol designed by the IETF as a successor to RADIUS and performs the same functions. It runs over a reliable transport, Transmission Control Protocol (TCP) or SCTP, rather than UDP, and governs the communication between the DIAMETER server and any network entity requesting authentication.

DIAMETER improves on RADIUS security: rather than hiding a single attribute with a shared-secret MD5 construction, it requires the transport itself to be protected with IPsec or TLS, so every message is encrypted and integrity-protected, which defeats replay and man-in-the-middle attacks. Its enhanced functionality and security build on the proven design of the RADIUS standard.

TACACS+

Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol used to communicate with an authentication server, historically common in UNIX networks. It allows a remote access server to ask an authentication server whether a user may access the network.

TACACS+ is the current generation of the TACACS family. It is a Cisco proprietary protocol that provides access control for network access servers, routers and other networking devices through centralised servers. The original TACACS system provided combined authentication, authorisation and accounting services; TACACS+ separates the three and has extended attribute control and accounting services, which is why it is favoured for per-command authorisation on network devices. TACACS+ uses TCP while RADIUS uses UDP, and it obfuscates the entire body of each packet with a shared-secret keystream, whereas RADIUS hides only the password. TACACS+ is therefore recommended for device administration: it uses a reliable transport and exposes less to an eavesdropper.

PPP

PPP is a data link protocol used to establish communication between two networking devices over a point-to-point link. PPP was originally created as an encapsulation protocol to carry Internet Protocol (IP) traffic over such links. It has since been extended (for example PPP over Ethernet, and PPP carried inside tunnelling protocols) and sets up the desired connection by negotiating link parameters with the Link Control Protocol (LCP) and each network-layer protocol with a Network Control Protocol (NCP).

CHAP

CHAP provides authentication across a point-to-point link by using PPP. CHAP is designed to provide authentication periodically by using a challenge/response system also known as a three-way handshake (Refer to Figure 9.2).

Figure 9.2: CHAP Challenge/Response Sequence


The server sends a random challenge value together with an identifier to the client. The client computes a one-way hash over the identifier, its shared secret and the challenge (MD5 in the standard CHAP algorithm of RFC 1994) and sends the result back. The server performs the same computation and compares it with the client's response. If they match, communication continues; if not, the connection is terminated. The whole process relies on a shared secret known to both server and client, which is never sent over the link, so that both sides can calculate the correct value. Because the server may re-issue a challenge at any time during the session, a captured response cannot be replayed later.
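The CHAP three-way handshake in code, added for this page and not taken from the chapter or any PPP implementation: the authenticator issues a fresh random challenge, the peer answers with MD5(identifier || secret || challenge) as in RFC 1994, and the authenticator accepts each challenge only once, so a captured response fails when replayed. The peer name and secret are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server end of the link: issues challenges and checks responses; the secret
    itself never crosses the wire. The peer table (name -> secret) is constructed."""

    def __init__(self, secrets_by_name: Dict[bytes, bytes]):
        self.secrets = secrets_by_name
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: send a fresh identifier and random challenge (may be repeated mid-session)."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256     # Identifier is a single octet
        chal = os.urandom(16)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        """Step 3: recompute the hash from the stored challenge and compare. A challenge is
        consumed on first use, so a captured response cannot be replayed against it."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, chal))


class ChapPeer:
    """The client end: holds the shared secret and answers challenges."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[bytes, bytes]:
        """Step 2: the Response carries the peer's name and the hash, never the secret."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: ChapAuthenticator, peer: ChapPeer) -> Tuple[bool, int, bytes]:
    """One complete three-way handshake; returns (accepted, identifier, response) so the
    caller can try replaying the captured response."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp), ident, resp
```

The caveat a practitioner should keep in mind: an eavesdropper who records the challenge and the response has everything needed for an offline dictionary attack on the secret, because MD5 is fast and the secret is the only unknown. CHAP protects against replay, not against weak secrets, so the secret must be long and random.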

PAP

PAP authentication involves a two-way handshake. The client sends its username and password to the server across the PPP link in clear text. If they match the server's record, communication continues; otherwise it terminates. Because the password crosses the link unprotected, PAP should only be used where the link itself is already encrypted.

TELNET

TELNET is a network protocol that provides a bidirectional, eight-bit byte oriented communications facility over the Internet or a local area network. TELNET allows users to log in and access resources remotely. It sends account names and passwords in clear text over the TCP/IP connection, so it offers little security; because of the number of security issues with its use, Secure Shell (SSH) is recommended in place of TELNET.

VPN

VPN is used to provide a secure remote access by using a public telecommunication infrastructure such as the Internet. It encapsulates data transfers between two or more networking devices. VPN aims to avoid an expensive leased line that can only be used by one organisation.


9.4 Chapter Review Questions

1. Which protocol does VPN use to secure communication?

(A) UDP
(B) TCP
(C) NetBIOS
(D) Proprietary

2. Which protocol does the RADIUS server use to secure communication?

(A) UDP
(B) TCP
(C) NetBIOS
(D) Proprietary

3. Which protocol does TACACS+ use to secure communication?

(A) UDP
(B) TCP
(C) NetBIOS
(D) Proprietary

4. Which of the following protocols is used to carry the AAA information between a network access server and a shared access server?

(A) RADIUS
(B) IPsec
(C) SSH
(D) VPN

5. In the process of RADIUS authentication and authorisation, which of the following responses can be sent to the NAS?

(A) Access Reject
(B) Access Challenge
(C) Access Accept
(D) None of these

6. Which protocol is used by DIAMETER for communication?

(A) UDP
(B) TCP
(C) NetBIOS
(D) Proprietary

7. What does AAA stand for?

(A) Authorisation, Authentication and Accounting
(B) Accounting, Authorisation and Authentication
(C) Authentication, Authorisation and Accounting
(D) Accounting, Authentication and Authorisation

8. The process of assigning a computer ID to the user is called ________.

(A) Identification
(B) Authentication
(C) Authorisation
(D) None of these

9. Which of the following is included in the security perimeter?

(A) Identification
(B) Authentication
(C) Authorisation
(D) None of these

10. Which of the following networks are supported by IEEE 802.1X?

(A) Token ring
(B) Ethernet
(C) Wireless
(D) All of these

9.4.1 Answers

1. B
2. A
3. B
4. A
5. A, B and C
6. B
7. C
8. A
9. B
10. D


Summary

In this chapter, Remote Access Process and Authentication, you learnt about:

The remote access process.

Different authentication methods.

Authentication, authorisation and accounting protocols.
