CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.1  Devices

3.1.5  Modems 1 3.1.7  Telecom / PBX (Private Branch Exchange)

RAS, an acronym for “Remote Access System” or “Remote Access Services”, authenticates users connecting to a network and then allows them access to the network. In most corporate networks, it refers to the RAS function available in Windows, though it can also apply to any technology allowing remote access to a system. Other possibilities include PPP dial-in servers on Linux and UNIX machines, remote access packages like PC Anywhere, and network services that allow remote access to a computer’s desktop from across the Internet, such as WebEx²⁷⁶ or GoToMyPC²⁷⁷.

How does RAS work on Windows? One or more Windows computers (or boxes implementing the same protocols) can be set up as “RAS servers” which accept modem connections via incoming telephone lines.

Any user with a modem and the correct authentication information can access your RAS network, so you might want to consider additional levels of security such as utilizing the callback feature (in your modem, or in RAS itself), as mentioned in section 3.1.5. Typical RAS servers allow controlling access by user ID, time of day, and other factors. You can also set parameters such as the maximum number of incorrect logins per day per user ID (after which, that user will be locked out until the administrator resets their account). RAS can use a variety of communication protocols, some of which offer encryption. If you are using the most recent versions of Windows (Windows 2000 SP2 or higher), you can configure your RAS server to require that connections use strong 128-bit encryptio²⁷⁸n in order to minimize the chances of data sniffing or man-in-the-middle attacks.

Since RAS gives users’ access to the corporate LAN as if they were another local user, you might worry that your entire network is wide open to any RAS users, but this is not entirely true. One interesting feature of RAS is that you can block certain protocol families from use over RAS. For example, if there are certain applications you want to be run ONLY by users who are physically in the office, you might design them to run under a protocol that you don’t pass through RAS, such as IPX.

RAS can use a variety of authentication techniques during user login, including Password Authentication Protocol (PAP), Shiva PAP (SPAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP).

Of these, CHAP and MS-CHAP are more secure than PAP and SPAP, because the challenge approach does not require an encrypted (SPAP) or unencrypted (PAP) password to be sent over the wire from client to server. The benefits of the challenge approach are covered in more detail in the section on CHAP. Also, Windows 2000 and later versions support EAP, the Extensible Authentication Protocol, which is an extension to PPP that enables the use of third-party modules to authenticate RAS users. For instance, smart cards, Kerberos or S/Key mechanisms can authenticate users, if the appropriate module is installed and configured.

A handy feature of most RAS servers is that they can be configured to log incoming connections, giving you a record of when your network was accessed and by whom. If suddenly someone who never accesses the network via RAS hits it four times in the middle of the night, you might want to verify with that user that they did indeed call in, to make sure that an outsider didn’t just guess their password and log in with false credentials.

3.1.5  Modems 1 3.1.7  Telecom / PBX (Private Branch Exchange)