Providing access to corporate systems has become a necessity with remote workers, either at home or travelling. There are several different solutions to the problem, each with its own advantages and disadvantages. Building a Remote Access Server (RAS) can be done very simply, and there are some basic security precautions that can be extremely effective and easier to manage than a live Internet connection.
A RAS is there to provide connectivity into a private network for remote modem users. Usually this means running the TCP/IP network protocol encapsulated inside the Point to Point Protocol (PPP) so that the remote machine has access to the network as though it were directly plugged into it.
The RAS server is responsible for verifying that users are who they claim to be, and for granting access. A RAS server could, for example, be configured to allow access only during certain time periods for a particular group of users.
If you are using an analog modem to provide connectivity into your network, the maximum speed is 33.6kbps rather than 56kbps. This is because 56kbps connectivity can only be achieved from a digital modem to an analog modem, and not between two analog modems. Digital modems require a digital connection from the local telephone company (E1 or T1 usually) and so can be very costly.
Making sure your network is secure is a headache for most companies, and is a wider topic than this document is able to cover. However, there are a few simple techniques that you can employ that can be very effective.
Whilst a live Internet connection is open to all kinds of threats, a RAS server can also be attacked. Crackers attempting to break into your network specifically, or just cruising to break into any network they come across, may hunt for modem signals by dialling every number in a range of telephone numbers. If they find your RAS server, there are techniques they can use to try to break in, such as guessing common usernames and passwords. It is therefore important to have passwords that are a combination of letters, numbers and other characters, and not just words. This is particularly important for 'Administrator' or 'root', which are well-known usernames and have total access to your network.
Perhaps the simplest and most effective method of securing your RAS is 'dial back' or 'call back'. This only works if your users dial up from a specific number. In this case, when a particular user dials in, they log in as normal with username and password, and then the server hangs up. It immediately calls them back on the number pre-programmed for them, connects, and they have access. This makes the server very difficult to break into: even if an attacker guesses the username and password, the callback will go only to an authorised user.
If your users are not at a single location, for example sales people out on the road, then securing access becomes a lot harder. In order to provide high levels of security, it is advisable to implement a token-based system or similar. For example, the SecurID* solution from RSA Security is extremely popular and effective. In order to log in, users must have a PIN and also a 'token'. The token is either a piece of hardware or software that generates a sequence of digits. Only the token and the server know what the sequence is, and it changes every minute.
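The PIN-plus-token login described above, as an added example that is not part of the original article and is not RSA's code: SecurID's algorithm is proprietary, so this example substitutes the open HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second window. The class and function names, the 6-digit code length and the one-window clock-drift tolerance are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # seconds; the article says the code changes every minute
DIGITS = 6   # assumed code length

def code_for_counter(seed: bytes, counter: int) -> str:
    """HOTP (RFC 4226) value for one time-window counter."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def token_code(seed: bytes, now: float) -> str:
    """What the user's token displays at time `now` (Unix seconds)."""
    return code_for_counter(seed, int(now // STEP))

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TokenServer:
    """Server side of the login: checks the PIN, then the token code."""

    def __init__(self):
        self.users = {}      # name -> (salt, pin_hash, seed)
        self.last_used = {}  # name -> newest counter already accepted

    def enroll(self, name: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _pin_hash(pin, salt), seed)

    def verify(self, name: str, pin: str, code: str, now: float) -> bool:
        if name not in self.users:
            return False
        salt, pin_hash, seed = self.users[name]
        if not hmac.compare_digest(_pin_hash(pin, salt), pin_hash):
            return False
        current = int(now // STEP)
        for counter in (current, current - 1, current + 1):  # one window of drift
            if counter <= self.last_used.get(name, -1):
                continue  # each code is good for one login only
            expected = code_for_counter(seed, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_used[name] = counter
                return True
        return False
```

A guessed PIN is useless without the current code, and a code overheard on the line cannot be replayed because the server remembers the newest window it has accepted.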
Security needs to be taken very seriously, in proportion to the value of the data and systems being protected, and across every entry point, including the RAS system.
It is an established fact amongst information security experts that the main threat to company data and systems usually comes from an employee or ex-employee. This makes it very important to keep user access files up to date, and also to log all access. Keeping logs of all access events may be helpful in tracing information theft, or in deterring it.
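One way to review such access logs, as an added example that is not part of the original article: it flags logins by accounts no longer on the current user list, logins outside the permitted hours, and repeated failures from one calling number. The log layout, the user list, the hours and the threshold are all assumptions, and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log; the "time user result caller" layout is an assumption.
SAMPLE_LOG = """\
2004-03-01T08:55:10 jsmith OK 5550101
2004-03-01T23:40:02 root FAIL 5550199
2004-03-01T23:40:31 root FAIL 5550199
2004-03-01T23:41:05 Administrator FAIL 5550199
2004-03-02T02:15:44 jsmith OK 5550101
2004-03-02T09:12:00 bjones OK 5550123
"""

ACTIVE_USERS = {"jsmith", "akhan"}  # current staff; bjones has left
ALLOWED_HOURS = range(7, 20)        # dial-in permitted 07:00-19:59
MAX_FAILURES = 3                    # failed logins per caller before flagging

def audit(log_text, active=ACTIVE_USERS, hours=ALLOWED_HOURS, max_fail=MAX_FAILURES):
    """Return a sorted list of (kind, detail) findings for one log."""
    findings = set()
    failures = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue  # blank line
        if len(parts) != 4:
            findings.add(("unparsed", line))
            continue
        stamp, user, result, caller = parts
        when = datetime.fromisoformat(stamp)
        if result == "FAIL":
            failures[caller] += 1  # count per calling number, not per username
        elif result == "OK":
            if user not in active:
                findings.add(("stale-account", user))
            if when.hour not in hours:
                findings.add(("out-of-hours", f"{user} {stamp}"))
    for caller, count in failures.items():
        if count >= max_fail:
            findings.add(("guessing", f"{caller} x{count}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG):
        print(kind, detail)
```

Failures are counted per calling number because a caller guessing passwords typically tries several usernames, as the sample shows with 'root' and 'Administrator'.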
It is important to use a server-grade operating system, as it will provide the security, management and authentication features needed for a RAS system. Since Microsoft Windows NT* 4.0 Server there has been a good RAS service as part of the operating system. We recommend using Windows 2000* Server or Windows Advanced Server 2003* for maximum security and flexibility.
Once your users dial in, they will need an IP address assigned, which can be done by the RAS server, or by a DHCP server on the network.
It is possible to build a basic RAS system using 'workgroup' security, but this is difficult to administer and provides only a basic set of options. If security is at all important, it is a good idea to use 'domain' type security at a minimum. The domain controller(s) will then have a list of users, and you can configure dialup for each one. In the user account manager (this varies depending on version) you can, for each account, tick the box that gives dial-in privileges and set a call-back number. If you have a larger network, it may be worth moving to a RADIUS-based security system that can be used with Windows Server 2003*.
The details of configuring RAS policies and security options can be found in the instruction guides on Microsoft TechNet*.
There are a variety of methods to build a RAS server using Linux. The method that will suit depends on the clients you are connecting, the security you require, and the Linux distribution you are using.
The pppd daemon provides the protocol connectivity, and the program mgetty can be used to answer incoming calls. You will also need to be aware of the authentication protocol in use, which is likely to be PAP or CHAP, but depends on the client. A good starting point for building your RAS system is the PPP section of the Linux Administrators guide. This and more can be found at The Linux Documentation Project website.

The RockForce range of multi-port boards provides 2, 4 or 8 server-grade V.92 modems on a single PCI board. Universal PCI 3.0 and Short Board compliant, the RockForce boards will fit into any PCI or PCI-X compatible server.