In Remote Access, we mean accessing any centralized office from any remote location. Remote to site VPN is most widely used for accessing a central site remotely and two most widely used encryption protocols for remote access are IPSec and SSL VPNs.
VPN: VPN, short for Virtual Private Network, is a private network formed using public Internet. It is formed between two hosts using tunneling protocols such as PPTP, L2TP, OpenVPN, etc. Using VPN, you can connect two LANs in geographically distant locations together, as if they were located in the same building. The cost of connecting these LANs together is small since public Internet is used for providing the WAN link. A VPN provides a mechanism to access corporate networks safely using Internet. VPN uses encryption to ensure only authorized user can access the corporate resources. A secure tunnel is created through the public network through which the packets are transported between the remote computer and the corporate network.
Point-to-Point Tunneling Protocol (PPTP): PPTP short for Point to Point Tunneling Protocol is Microsoft proprietary VPN protocol. It uses GRE, PPP, MS-CHAP v2, and MS Point to Point Encryption (MPPE). It disables support on the network adapter card for any incoming traffic other than PPTP traffic. On a Multi-homed (more than 2 network cards) Windows Server computer which is also acting as a RAS Server with two network adapter cards, you can configure the card that connects to the Internet for PPTP. The second card (without PPTP), connects to the local network. This arrangement enables local clients to dial out to the Internet.
Remote users, who dial-in to use the network resources must be PPTP- enabled clients.
PPTP is used for establishing a secure connection over the Internet using Virtual Private Network (VPN). In a point-to-point (P-to-P) wireless configuration, the communication link travels from one node directly to one other node.
PPTP is Microsoft ProprietaryProtocol is used to establish a VPN connection between two devices.
L2TP stands for Layer 2 Tunneling Protocol : Tunneling can be based on either a Layer 2 or Layer 3 of OSI Reference model. Layer 2 protocols correspond to the Data Link layer. PPTP and L2TP are examples of Layer 2 tunneling protocols; both encapsulate the payload in a Point-to-Point Protocol (PPP) frame before sending to destination across the network. In layer 2, the unit of transmission is known as frame.
The Layer 2 Tunnel Protocol (L2TP) is a standard that combines the best features of Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP does not provide information confidentiality by itself. L2TP/IPSec, encapsulates L2TP packets in IPSec to provide confidentiality, authentication and integrity. It is now the recommended replacement for PPTP on Microsoft platforms where data encryption is required.
IPSec is normally used in combination with L2Tp for providing confidentiality of communication.
IPSEC: IPSEC stands for IP SECurity, is the protocol developed by IETF and supports secure exchange of packets at IP layer. When using IPSEC, the sending and receiving devices share a public key. IPSEC is the most widely used protocol in Virtual Private Networks (VPNs). IPsec provides Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. It supports secure exchange of packets at IP layer.
Internet Protocol Security (Ipsec): is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPSec is an example of Layer 3 tunneling protocol. IPSEC encapsulates IP packets in an additional IP header before sending them across an IP network.
ISAKMP : ISAKMP, Short for Internet Security Association and Key Management Protocol defines payloads for exchanging key generation and authentication data. IPSec uses ISAKMP for implementation.
SSL: Secure Socket Layer is primarily used to authenticate Internet users to secure Web sites.
Kerboros is an authentication system used to authenticate users that log on to the network. An SSL VPN is a form of VPN that can be used with a standard Web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer (client computer).
RAS is the signalling protocol used between gateways and gatekeepers.
OpenVPN is an open source technology that uses the OpenSSL library and SSLv3/TLSv1 protocols. Very popular however not based on standards (RFC). Uses a custom security protocol and SSL/TLS for key exchange. Provides full confidentiality, authentication and integrity.
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that allows the encapsulation of a wide variety of network layer protocols inside point-to-point links. A GRE tunnel is used when packets need to be sent from one network to another over the Internet or an insecure network. With GRE, a virtual tunnel is created between the two endpoints (Cisco routers) and packets are sent through the GRE tunnel. Similar to VPNs, GRE tunnels can be used to transfer data between remote locations. If you are looking to provide a secure method of connecting remote users to resources stored within a central location, you should probably implement a VPN. However, if you need to pass traffic over an otherwise incompatible network, a GRE tunnel may be the preferred solution.
Microsoft Challenge-Handshake Authentication Protocol (MSCHAP): MS-CHAP is a Microsoft-enhanced version of CHAP, offering a collection of additional features, including two-way authentication. CHAP is an authentication protocol.
Two protocols that provide mutual authentication are
1. EAP-TLS and
2. MS-CHAP.
When using mutual authentication, both server and client authenticate each other. CHAP provides client authentication only PAP uses 2-way handshaking. Passwords are sent in clear text across the link. Therefore, PAP is to be used only when it is not possible to use CHAP.
CHAP uses 3-way handshaking. CHAP uses Challenge/ Response method which provides protection against the password capture while authenticating the user. One should use CHAP whenever it is possible.
Any system that supports the appropriate dial-in protocols, such as PPP, can connect to a RAS server. Most commonly, the clients are Windows systems that use dialup networking features, but any operating system that supports dialup client software will work. Connection to a RAS server can be made over a standard phone line, using a modem, over a network, or via an ISDN connection.
Remote and Site-to- Site VPN Features:
Out Of Band Management (OOBM): Usually, remote sites are enabled with out of band access to troubleshoot the router in the event of failure of primary connection. In the diagram shown, above PSTN has been made available for out of band access.
OOBM provides access and control of IT assets outside of the production network. In most cases, this production network is based on Ethernet, but it could also include devices using InfiniBand and fibre channel. The primary use of OOBM is access and control of IT infrastructure when the production network is unavailable, such as cases involving unplanned downtime. The type of assets that require OOBM can include the mission critical routers, switches, KVMs, servers, storage, and appliances that serve as the backbone of the IT. infrastructure.
The figure above shows a schematic of out of band management using backup channel. As shown in the example, if the main VPN connection fails, central office can still access the branch office using PSTN backup link.
VNC (Virtual Network Computing): VNC is a technology for remote desktop sharing, a form of remote access on computer networks. VNC enables the visual desktop display of one computer to be remotely viewed and controlled over a network connection. Remote desktop technology like VNC is useful on home computer networks, allowing someone to access their desktops from another part of the house or while traveling. It is also useful for network administrators in business environments, such as Information Technology (IT) departments who need to remotely troubleshoot employees' systems.
Remote Equipment: Communication need not be limited between users or between "users and servers". There can also be communication between remote equipment of almost any sort imaginable pumping stations, robotic machines, and so on. The operating systems associated with remote equipment are SCADA (Supervisory Control And Data Acquisition) and ICS (Industrial Control System).
SSL/TLS(Secure Sockets layer/Transport Layer Security):An encryption layer of HTTP that uses public key cryptography to establish a secure connection.
DTLS(Datagram Transport Layer Security): Provides security for datagram-based applications by allowing them to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Ipsec: A secure implementation of VPN with encryption. It is a secure means of creating VPN that adds IPsec bundled security features to VPN network packets.
