IT Baseline Protection Manual S 2.185 Selection of a suitable RAS system architecture
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
Depending on the planned operational scenarios, different RAS system architectures can be used to implement remote access to a LAN. The various system architectures inevitably have different characteristics and therefore differ as to which particular operational purposes they are suitable for. Theoretically every combination is possible, but the wrong choice could entail additional expense (e.g. the need to purchase additional hardware or more time spent on administrative tasks).
The RAS scenarios described below are commonly encountered in practice; one typical system architecture can be assigned to each of them.
Connection of individual computers to a LAN
In this case an architecture known as "direct dial-in" is necessary. The RAS software is installed on the remote user's computer. The computer has a connection to a telecommunications network. For example, the connection can be over an analogue modem, an ISDN card or even over a mobile phone. To establish a connection, the RAS client software dials the telephone number through which the RAS server software can be accessed. The RAS server is also connected with the telecommunications network via a modem or an ISDN card. Depending on the RAS server product (also known as the access server), one server can establish several communications links (e.g. via "modem pools") so that several RAS clients can dial in simultaneously.
The advantage here is that through this method a given computer can be connected to the LAN from any location. This is especially useful for users who do not work from a fixed location. Although direct dial-in to the RAS server of the destination LAN only switches the connection across the telecommunications network of the providers used, it is nevertheless recommended that mechanisms are used to protect communications here as well, e.g. encryption, digital signatures and authentication.
One drawback with this approach is that the telephone charges incurred, which generally have to be paid by the remote user (unless special provisions are taken), will vary according to the distance to the destination LAN. This variant is not suitable where several users who are all located in the same remote location need to access the LAN, as a dedicated connection between client and server needs to be established in every case. Every client must therefore be equipped with its own modem and it is not possible for several client computers to share a common connection simultaneously.
Connection of several computers to one LAN
In this case an architecture known as "direct LAN-to-LAN dial-in" is often used. Here, the computers of the remote users constitute a separate LAN. The RAS client software is generally not installed on one of the users' computers; instead the RAS functionality is made available through dedicated hardware in the form of a router. When data packets need to be transmitted from one LAN to the other, the RAS client contained in the router automatically establishes a connection with the destination LAN by dialling in to the RAS server on that LAN. In this configuration a symmetric architecture is generally chosen for both LANs, so that the RAS server into which the RAS client dials is also contained in a router and a point-to-point connection is established. Alternatively, several remote LANs can be connected over one access server (a RAS server which permits several simultaneous connections).
The advantage of this is that thanks to the functional separation of RAS client and the remote user's computer it is possible for several remote IT systems to be connected to the destination LAN over a single connection. The router which contains the RAS client makes the established connection available to all the computers connected to the remote LAN simultaneously. But the downside is that the connection capacity is divided among the remote IT systems accessing the destination LAN and cannot be used exclusively.
Another obvious disadvantage is that the clients are no longer mobile.
Connection of a computer or a LAN through a service provider
A more elaborate version of the two scenarios above is to connect a computer or LAN through a special access phone number of a service provider. In this case the RAS client calls a special telephone number, which is frequently a local or toll-free number. Calls to these special numbers are forwarded by the service provider within its communications network to the RAS server of the destination LAN. This variant is a useful way of allowing staff on business trips to establish a connection without incurring high telephone charges.
Connection of a computer or a LAN over the Internet
This case differs from the scenarios described above in that the client first connects to an Internet Service Provider (ISP). Only then is the client connected to the destination LAN, over the existing Internet connection. This approach requires that the remote user is authorised to use the ISP concerned and that the destination LAN has an Internet connection. In this case, communication with the destination LAN is effected using Internet protocols. The destination LAN does not need its own RAS server for direct connections over a telecommunications network.
This variant is generally used in order to keep down the telephone charges incurred by the remote user (e.g. so that local call charges apply) but it can prove quite complicated to configure. As the Internet access of a LAN is generally protected via a firewall, the possibility of Internet-based access by remote users must be considered when the firewall architecture is being planned (see also module 7.3 Firewalls).
Setting up a Virtual Private Network (VPN)
In addition to the possibility of accessing data on the internal network with the aid of Internet-based protocols and programs (e.g. telnet, ftp, POP3), tunnel protocols can also be used. These allow a direct connection between the RAS client and the RAS server of the destination LAN to be simulated, using the Internet as transport medium. The actual RAS communication occurs over this apparently direct connection (see also S 5.76 Use of suitable tunnel protocols for RAS communication). This procedure requires that the RAS server of the destination LAN can be accessed over the Internet. Often firewall products offer RAS support so that RAS access can be configured with the aid of the firewall administration tools provided by the products.
The advantage of such a solution is that Internet access is very widespread nowadays, so it is a relatively simple matter to build on an existing connection network. However, the disadvantage is that, due to its open structure, the Internet was not designed as a secure network. For this reason it is particularly important to protect communications. With tunnelling, this is achieved through the use of cryptographic procedures, resulting in the creation of a Virtual Private Network (VPN).
Once a connection has been successfully established, a connection exists over the Internet between the remote computer and the LAN which normally bypasses the firewall. From the point of view of IT security this is problematic, as an aggressor could under certain circumstances gain extensive access to the destination LAN if he succeeds in penetrating a client computer. It is therefore imperative for the security of the entire system that all clients are adequately protected. In addition, since no particular throughput can be guaranteed for communication over the Internet, it must be assumed that the quality of service will generally be lower than with direct and dedicated connections to the LAN over the telephone network. With this architecture, the effects on IT security and performance should therefore be examined carefully.
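One way to keep the tunnel from bypassing the firewall policy, as an added illustration that is not part of the manual: the firewall that also terminates the VPN admits only tunnel establishment traffic from the Internet, and decapsulated client traffic is filtered against the LAN policy like any other forwarded packet. The ruleset assumes an IPsec tunnel (IKE on UDP 500/4500, ESP), external interface eth0, LAN 10.0.0.0/24 behind eth1 and a client address pool 10.99.0.0/24; all of these are constructed values.

```nft
# Added, constructed example: nftables ruleset for a firewall that terminates the RAS VPN.
# Assumed names: eth0 = Internet side, eth1 = destination LAN, 10.99.0.0/24 = VPN client pool.
table inet ras_vpn {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # From the Internet, only the tunnel itself may reach the gateway:
        # IKE (UDP 500, UDP 4500 for NAT traversal) and ESP.
        iifname "eth0" udp dport { 500, 4500 } accept
        iifname "eth0" meta l4proto esp accept
        # Everything else aimed at the gateway from outside is dropped by policy.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Decapsulated packets re-enter this chain with IPsec metadata set.
        # Apply the LAN policy to them instead of trusting the tunnel blindly:
        # clients may reach the LAN only on the services remote users need.
        meta ipsec exists ip saddr 10.99.0.0/24 ip daddr 10.0.0.0/24 \
            tcp dport { 443, 993 } accept
        # Remote clients are not allowed to talk to each other through the gateway,
        # so a compromised client cannot use the tunnel to reach its peers.
        meta ipsec exists ip saddr 10.99.0.0/24 ip daddr 10.99.0.0/24 drop
        # Plaintext from the Internet never reaches the LAN.
        iifname "eth0" oifname "eth1" drop
    }
}
```

The services permitted in the forward chain (443 and 993 here) are placeholders to be replaced by the actual RAS requirements; the point is that the tunnel endpoint is a controlled access point rather than a hole in the firewall.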
The scenarios and system architectures presented above are variants that are commonly employed for the implementation of RAS access; however, they should be viewed only as examples. The actual choice of system architecture depends very much on the operational scenarios that are planned. Often there is also a requirement to accommodate several scenarios at the same time (e.g. telecommuters and mobile users). In particular, mobile users should be offered as much freedom as possible in the choice of access technology so as to ensure that they can access the local network from as many locations and work environments as possible.
However, from the point of view of IT security it should be borne in mind that the use of different access technologies generally also requires different access points in the destination LAN. Generally a LAN which has several external access points is exposed to a greater number of threats than a LAN which can only be accessed over a single external access. On the other hand, the fact that there are different access points enhances the availability of the RAS system.