WHAT IS REMOTE ACCESS?
Remote access is the ability for an authorized person to access a computer or a network from a geographical distance through an internet connection. It enables your users to connect to the systems they need when they are physically far away.
Now a days it is very common for remote employees/users who are traveling or telecommuting, to connect to your corporate network and access resources such as internal applications, intranet, mail services, and file sharing.
Technical support guys also use remote access to connect to users' computers from remote locations to help them resolve technical issues with systems/software.
Recent outbreak of Covid-19, has made a Tectonic shift in the work-cultures worldwide, leading to the new norm of Work-From-Home. The whole armies of employees who are currently working from home, are thankful to the benevolent 'Remote Access' technologies.
Remote access is usually accomplished with a combination of software, hardware and network connectivity.
-
VPNS ARE INDISPENSABLE
The most preferred method of providing remote access to users is via a remote access VPN connection. A VPN creates a safe and encrypted connection over a less secure network, such as the internet.
VPN technology was developed as a way to enable remote users and branch offices to securely log into corporate applications and other resources.
Normally, a user has no expectation of privacy on a public network such as internet or corporate intranet, as their network traffic is viewable by other users, system administrators and ISPs, etc. A VPN solves this problem effectively!
A VPN creates a TUNNEL that passes your traffic privately between the remote network and you. This tunnel protects your traffic and keeps it safe from being intercepted or tampered with.
When a user is connected to your network via a VPN client, the software(at client) encrypts the traffic before it delivers it over the internet. The VPN server (or gateway) is located at the edge of your network and it decrypts the data and sends it to the appropriate host inside your corporate network.
-
WHAT ARE REMOTE ACCESS PROTOCOLS?
Common remote access and VPN protocols include the following:
1. Point-to-Point Protocol (PPP)
It enables hosts to set up a direct connection between two endpoints.
2. Point-to-Point Tunneling (PPTP)
It is one of the oldest protocols for implementing virtual private networks. However, over the years, it has proven to be vulnerable to many types of attack. Although PPTP is not very secure, it still persists in some cases...
3. IPsec (Internet Protocol Security)
It is a set of security protocols used to enable authentication and encryption services to secure the transfer of IP packets over the internet. I had shared a very good post on this topic, you can read that also.
4. Layer Two Tunneling Protocol (L2TP)
It is a VPN protocol that does not offer encryption or cryptographic authentication for the traffic that passes through the connection. As a result, it is usually paired with IPsec, which provides those services.
5. Remote Authentication Dial-In User Service (RADIUS)
It is a protocol developed in 1991 and published as an Internet Standard track specification in 2000 to enable remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
6. Terminal Access Controller Access Control System (TACACS)
It is a remote authentication protocol that was originally common to Unix networks that enables a remote access server to forward a user's password to an authentication server to determine whether access to a given system should be allowed.
TACACS+ is a separate protocol that was designed to handle authentication and authorization, and to account for administrator access to network devices, such as routers and switches.
I guess, most CCNA guys will be familiar with these protocols already.
IMPORTANT NOTE:
L2TPv3, PPTP and IPSEC all establish and operate over the top of IP connections (Network Layer). PPTP uses TCP and GRE, while L2TP and IPSEC Aggressive-mode rely on UDP (all Transport Layer protocols).
SSL VPN (which isn't really standardised) relies on HTTPS/TLS depending on the implementation, so you can say it operates at the Application Layer. In the hindsight, layers 4-7 comes in to the operation for SSL VPNs.
-
What is the difference between IPSec & SSL VPNs?
One of the most important choices when you are considering a VPN is, whether to opt for an SSL VPN or an IPsec VPN. Both protocols are used for implementing VPNs and both are very popular...
But the main difference between them is the LAYER of network traffic they secure. IPsec operates at the network layer (Layer-3 of OSI) and can be used to encrypt data being sent between any systems that can be identified by 'IP addresses'. SSL/TLS operates at transport layer (Layer-4) and does not depend upon IP addresses of devices, and configured using only the 'PORT numbers.'
Another important difference is that IPsec does not explicitly specify 'encryption' of connections, while encryption of network traffic is DEFAULT in case of SSL/TLS VPNs.
Most IPsec VPN solutions require the installation of both special hardware and 'client' software for a user to gain access to the network. The main benefit of this setup is the extra layers of security. When the network is protected not only by software but also by hardware, it is more difficult for cyber criminals to infiltrate the network and steal critical data. In contrast, an SSL VPN connection can be accessed through a web browser. However, due to the growing complexity of running code in a web browser and the diversity of browser platforms, many SSL VPN products now use client software as well.
SSL VPNs may also provide remote access through a proxy server. You may call this proxy-server a 'SSL VPN Gateway' if you want. When your traffic reaches to this gateway, this gateway or server makes decision about whether to allow you access to the resources you are attempting to. But sometimes the SSL VPN causes the compatibility issues with applications that you have used to initiate the VPN connection. Because there is not specifically designed 'client' here, your users may use, only God knows what, application they will use to connect with the proxy server.
Sometimes, you may need a secure channel to access any device in the network on a temporary basis. In such situations, you can create a sort of 'ad hoc VPN' using SSH. An example is when a network admin or engineer need to make some config-change to say, router, then he would be using SSH to finish this temporary task.
No discussion of VPNs would be complete without mentioning SSH, which can be used to enable secure tunnels between clients and servers. SSH implements its own encryption and authentication protocols to enable secure circuits between a client and server. It is sometimes used as a sort of ad hoc VPN, such as when remote users log in to their work system to access services and systems within the enterprise network.
-
A note for Network Admins
Regardless of what approach you use for granting network access to your remote users, you must build fine-tuned 'Security Policies' in your NGFW. It would help you to CONTROL the remote access properly.
If you are one of those enterprises who have already started to use cloud-based applications a great deal, then I would recommend you to immediately deploy the CASB solution.
-
Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM