3.1.6 RAS (Remote Access Server)
RAS, an acronym for Remote Access System or Remote Access Services, authenticates users connecting to a network and then allows them access to the network. In most corporate networks, it refers to the RAS function available in Windows, though it can also apply to any technology allowing remote access to a system. Other possibilities include PPP dial-in servers on Linux and UNIX machines, remote access packages like PC Anywhere, and network services that allow remote access to a computers desktop from across the Internet, such as WebEx276 or GoToMyPC277.
How does RAS work on Windows? One or more Windows computers (or boxes implementing the same protocols) can be set up as RAS servers which accept modem connections via incoming telephone lines.
Any user with a modem and the correct authentication information can access your RAS network, so you might want to consider additional levels of security such as utilizing the callback feature (in your modem, or in RAS itself), as mentioned in section 3.1.5. Typical RAS servers allow controlling access by user ID, time of day, and other factors. You can also set parameters such as the maximum number of incorrect logins per day per user ID (after which, that user will be locked out until the administrator resets their account). RAS can use a variety of communication protocols, some of which offer encryption. If you are using the most recent versions of Windows (Windows 2000 SP2 or higher), you can configure your RAS server to require that connections use strong 128-bit encryptio278n in order to minimize the chances of data sniffing or man-in-the-middle attacks.
Since RAS gives users access to the corporate LAN as if they were another local user, you might worry that your entire network is wide open to any RAS users, but this is not entirely true. One interesting feature of RAS is that you can block certain protocol families from use over RAS. For example, if there are certain applications you want to be run ONLY by users who are physically in the office, you might design them to run under a protocol that you dont pass through RAS, such as IPX.
RAS can use a variety of authentication techniques during user login, including Password Authentication Protocol (PAP), Shiva PAP (SPAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP).
Of these, CHAP and MS-CHAP are more secure than PAP and SPAP, because the challenge approach does not require an encrypted (SPAP) or unencrypted (PAP) password to be sent over the wire from client to server. The benefits of the challenge approach are covered in more detail in the section on CHAP. Also, Windows 2000 and later versions support EAP, the Extensible Authentication Protocol, which is an extension to PPP that enables the use of third-party modules to authenticate RAS users. For instance, smart cards, Kerberos or S/Key mechanisms can authenticate users, if the appropriate module is installed and configured.
A handy feature of most RAS servers is that they can be configured to log incoming connections, giving you a record of when your network was accessed and by whom. If suddenly someone who never accesses the network via RAS hits it four times in the middle of the night, you might want to verify with that user that they did indeed call in, to make sure that an outsider didnt just guess their password and log in with false credentials.
278. Worsham, Michael, Beef up RAS security, http://searchsystemsmanagement.techtarget.com/tip/1,289483,sid20_gci788334,00.html, Dec 21, 2001.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.