Remote Access: It Used to Be So Simple…
As the corporate access environment becomes less controlled, an entire set of new methods must be developed to protect mobile remote access portals.
Remote access. If you research it on the Internet, you will be surprised at what you’ll find. In addition to what most technical readers would expect to find, did you know that there is a company called Remote Access, LLC? Its tagline is Alaska Snowmobile Adventures!
Digging a little deeper, you find that remote access refers to the technology that allows you to connect geographically dispersed users. This occurs typically over a dial-up connection, although it can also include wide area network (WAN) connections. Sounds simple, doesn’t it?
In the "before-time" – that time before Internet ubiquity (was there ever such a time?) and burgeoning telecommuter requirements – remote access was that simple. You went to the local computer store, bought a modem, plugged in the telephone line and dialed your company’s server to gain access to the corporate applications and databases.
Companies implement remote access by using a remote access server. This server acts as a concentrator for the incoming telephone calls. Servers like this make good sense when individual users or small sites require temporary access to the central network. A bank of pooled modems listed under a single number connected to the remote access server also prevents busy signals: As usage increases or decreases, lines can be added or removed as needed without affecting the phone number users call for access.
In that before-time, the administrator did not have to worry about encryption either, generally because the modem lines were dedicated and private. All that was needed was login password security – although passwords were, and still are, the single weakest point in most security solutions.
Remote access is complicated by how fast technology is growing, which can allow the unscrupulous to eavesdrop and disrupt communication sessions. Some of the factors that influence remote access today include Internet Service Providers (ISPs), encryption, virtual private networks (VPNs), thin client and the virtual workplace.
Remote Access Drivers
On the broadest scale, the Internet lets individuals work together without regard for geographical boundaries. On a more parochial level, it opens office walls.
There are several types of "new" workers requiring remote access to the corporate systems. Telecommuters routinely work outside the conventional office setting: home offices, satellite office suites or semi-permanent customer premises. A day-extender has a desk at the main office, but has remote access requirements on trips, weekends or weekday evenings – a typical requirement for most of us workaholics. And a road warrior regularly works away from the main office, but has no typical or fixed location from where remote system access can be provided. By 2003, it is expected that over 130 million users worldwide will regularly engage in one of these forms of remote access.
Remote access implies that corporate access is no longer in a controlled environment – controlled, as in all access points to the corporate local area network (LAN) and systems residing securely in-house. Thus, an entire set of new methods must be developed to protect these mobile remote access portals that unlock the corporate treasures.
Remote Session Types
From an end user perspective, there are several different ways to enable a remote session. The first is logging on as an online remote node. The remote session is enabled when the user remotely logs into the network as if he or she was locally connected. Often, a user can work offline, creating e-mails (et al.), and then get online to transmit those e-mails and retrieve new e-mails.
The advantage is that all the capabilities of a LAN user are available, usually including standard e-mail access, sending and receiving documents or presentations, file server access, participation in discussion databases, LAN printing services, etc. Even when connected, the user can locally update his/her files and send them via e-mail or share them via a shared file server resource. Since the user can work offline to create e-mails, the user need only be connected online while doing true online work – sending and receiving e-mails, for example.
The disadvantage is that looking at any e-mail, e-mail attachment or discussion thread requires that the entire text body be transferred to the workstation. This can be time-consuming for large objects and is directly dependent on the requirements for expanded bandwidth.
Another method involves remote control. This is where the user, making use of client software on the user’s remote system, logs on to a main-office desktop, which is connected to the corporate LAN, and "takes control" of it. This means that the remote user is not directly connected to the corporate LAN. Rather, each key stroke and mouse movement or click on the remote system is sent to the main-office desktop and treated as if entered on that desktop.
The advantage is that very little remote-session bandwidth is required to view e-mails or participate in discussion databases. Part of the reason for the reduced bandwidth requirement is that compression technology is used to transmit the keyboard, mouse and screen information. Performance is faster, and appears faster to the user, especially for large objects, which are only viewed and do not have to be transferred to the remote location.
The disadvantages are several. Engaging in any online work requires that the user be connected to the main-office desktop since, for example, the e-mail is just being viewed remotely. This has the potential to increase communication connection time. Also, it is awkward to work offline, and the user must "be aware" of this. For example, if the user creates a document offline and wants to e-mail the document, it must first be transferred to the desktop using a Windows Explorer type of file transfer, and then attached to the e-mail, rather than just attaching it in an e-mail and having it sent automatically.
Remote Access via Thin Client
The number of network users is increasing and so is the number of mission-critical applications that must be run across the network. These mission-critical applications place a huge demand on the network, both LAN and WAN, as data required at the client’s workstation is shuttled across the network from the server.
Thin client offers an alternative to this heavy network load by eliminating the client/server database transfers. With a thin-client solution, the only network traffic that needs to occur is keystrokes, mouse clicks and display updates. The workstation acts purely as a display device – a thin client – that is attached to a thin-client server. The thin-client server holds the database where the required application is executed.
This advantage of thin client spills over to the remote access user who must access a client/server application across a dial-up line. Instead of transferring records and entire databases across the line – requiring high bandwidth – only display and keyboard/mouse information is transferred. This generally results in a significant performance improvement for the end user.
For example, Unisys uses thin client technology for providing PeopleSoft human resource application access to 1,700 of its managers. Aside from saving $2.5 million in PC and other hardware upgrade and administration costs, the typical LAN-connected manager observed a 200 percent to 600 percent performance improvement over running the PeopleSoft application on the desktop. Because the thin-client implementation required no manual upgrade at the 1,700 desktop locations, the Unisys PeopleSoft project schedule was dramatically reduced in comparison to a typical client/server project.
Armed with a slow modem (28.8 Kb) and a connection to a thin-client server, the remote thin client user’s previous-generation desktop or laptop can achieve performance on the order of the latest and most powerful servers.
A thin-client solution requires an enterprise-class (fault-tolerant and scalable) NT server running Windows NT Server Terminal Server Edition software. Additional software from Citrix Systems, MetaFrame, is also typically required, and extends the reach of Terminal Server to non-Windows and non-TCP/IP environments. This includes Mac, UNIX, OS/2 and DOS. MetaFrame also improves system scalability and manageability, while providing performance analysis and tuning tools.
This combination of software allows multiple users to log on to the thin-client server and simultaneously execute Windows-based applications in separate protected sessions. All this requires minimal network bandwidth.
By taking advantage of the Internet and the myriad access points provided by the ISPs, the virtual workplace is enabled in a more cost-effective manner by eliminating the requirement for expensive private leased lines, long-distance charges or "800" numbers.
Today, most companies’ implementations of LANs do not require or use encryption. This is because the LAN cabling usually resides within a secured environment, namely, the company’s own premises. And when WANs are used to span multiple locations, encryption is not usually employed over the dedicated line.
When WANs are used to connect remote locations, a significant cost savings – up to thousands of dollars monthly – can be realized by replacing the expensive private dedicated lines with public Internet connections provided by ISPs. There are two major concerns associated with doing this.
The first concern is guaranteeing the same bandwidth in megabits-per-second as the dedicated line. By using the Internet, the transmitted information can be subject to unknown routes, transmission delays and even potential outages. This concern is addressed by subscribing with a single ISP, with redundant backbone paths, willing to step up to this guarantee.
The second concern is security. When the Internet is used to transmit corporate data, hackers are afforded an opportunity to gain access to that data as it is routed across the networks. This is where virtual private networks come in.
Virtual Private Networks
Virtual private network (VPN) technology and service revenues are expected to be around $4.5 billion in 1999, growing to almost $19 billion in 2004. VPNs can be used:
• As a secure, permanent replacement for dedicated-line WANs.
• For providing safe access to shared corporate sites by valued trading partners, customers and suppliers.
• For providing a secure remote-access client gateway into the company intranet.
A virtual private network uses encryption to provide security and privacy and to simulate the dedicated network. VPNs create a secure end-to-end "tunnel" allowing secure access and data transmission over public networks such as the Internet. Before transmitting the data, the information is encrypted. Upon receipt, it is decrypted. Previously, VPNs were provided by Frame Relay or X.25 packet-switched services. Today, VPN services can run using the TCP/IP protocol and the Internet as the infrastructure.
Multiple technologies are usually combined to tailor a VPN to an organization’s specific needs. For example, digital certificates can be sent over a VPN to identify and authenticate branches to the corporate headquarters.
VPNs are getting much more popular, as they allow a remote user to communicate over the Internet with his/her corporate intranet host systems. In fact, Unisys has implemented VPNs for its remote, telecommuting and traveling workers.
Prior to implementing VPNs, Unisys employees would dial an "800" or long-distance number that provided access to the corporate network. The change allows a remote user’s client system to connect to an ISP-provided Internet connection by dialing a local telephone number.
VPN software on the client system communicates with the host and establishes the encrypted session. This creates a secure tunnel with the host – an encrypted session – for conducting the necessary business on the company’s intranet – e-mail, benefits, etc. Unisys has seen significant cost savings with this approach.
Unfortunately, there is an overabundance of VPN tunneling protocols. There have been a number of proposals to the Internet Engineering Task Force (IETF) for the protocols to become a, or the, standard. Among the leading ones are Microsoft’s PPTP (point-to-point tunneling protocol) and Cisco’s L2F (layer two forwarding). These differ in the point at which the encryption occurs, with PPTP actions occurring in layer three of the open systems interconnect (OSI) model and L2F actions occurring, as the name implies, in layer two.
Security software that runs "above" layer 2 and 3 is considered channel security and generally not transparent to software. Examples are secure sockets layer (SSL) and sockets (SOCKS).
PPTP is specifically designed to encapsulate traffic between remote access clients and the corporate intranet. L2F is designed to enable ISPs to offer dial-up remote access to private networks. Microsoft and Cisco merged these two protocols into L2TP (layer two tunneling protocol). L2TP extends VPNs to dial-up users and provides a routed IP connection to a network-based server.
The IETF is working on a set of IP security (IPSec) standards for networks that covers encryption, authentication and key management. IPSec is based on RFCs 1828 and 1829, defining two authentication and seven data encryption algorithms. The IPSec-compliant encryption specifies the use of 128-bit encryption keys.
Building a VPN
VPNs can be built in one of two ways, both being transparent to the end user. In one way, you sign up with an ISP that provides VPN capability as an outsourced, value-added service – a transparent VPN. Your information is encrypted and decrypted at the ISP’s points-of-presence (POPs). In the other way, you purchase and install VPN encryption devices at each of your facilities – a client-initiated VPN.
There are two methods of sending encrypted data across the Internet, depending on what is encrypted; these are specified by IPSec. First, by way of background, a TCP/IP datagram, consisting of a header and payload, is the packet of information that is sent across the Internet. The header contains the source and destination IP addresses and the payload is the data being transferred.
In the first method, called an "unencapsulated" datagram (also known as "transport mode"), the header remains unencrypted, and the payload is encrypted. In the second method, the entire TCP/IP datagram can be encapsulated in another datagram. The original datagram becomes the payload of a new datagram. This "encapsulated" format is also known as "tunnel mode." This type of VPN requires VPN-capable encryption devices at the source and destination.
If your internal LANs are not IP-based, but use Novell IPX or IBM SNA (systems network architecture) protocols, for example, you can use encapsulated encryption to hide that fact.
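To make the transport-mode/tunnel-mode distinction concrete, here is an added illustration (not code from the article) of what an observer on the public network can read from each wire format. It builds a minimal IPv4 datagram with constructed addresses, then emits it in "unencapsulated" (transport) form, where the original header stays in the clear and only the payload is encrypted, and in "encapsulated" (tunnel) form, where the whole original datagram becomes the payload of a new datagram addressed between two VPN gateways. The `encrypt` routine is a keyed-keystream stand-in for an ESP transform so the script runs offline with the standard library only; it is not a production cipher, and the real ESP header, trailer and sequence numbers are omitted because the point here is which addresses and data are exposed.

```python
"""Transport mode vs. tunnel mode: which parts of a datagram an eavesdropper
can read.  Illustration added to the article; all addresses and the key are
constructed, and 'encrypt' is a stand-in for a real ESP transform."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed for the example
NONCE = b"\x00" * 8            # constructed; real ESP derives this from SPI/sequence number
PROTO_TCP = 6
PROTO_ESP = 50


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream. Stand-in only, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream reverses it


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram: 20-byte header (no options) followed by payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(datagram: bytes):
    """Return (src, dst, proto, payload) read from a cleartext IPv4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    return (".".join(str(b) for b in f[8]), ".".join(str(b) for b in f[9]),
            f[6], datagram[20:])


def transport_mode(datagram: bytes) -> bytes:
    """Header stays in the clear; payload is encrypted.  The original protocol
    number is carried as a one-byte prefix inside the ciphertext (real ESP puts
    it in the trailer)."""
    src, dst, proto, payload = parse_ipv4(datagram)
    return build_ipv4(src, dst, PROTO_ESP, encrypt(KEY, NONCE, bytes([proto]) + payload))


def tunnel_mode(datagram: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Entire original datagram is encrypted and becomes the payload of a new
    datagram between the two VPN gateways."""
    return build_ipv4(gw_src, gw_dst, PROTO_ESP, encrypt(KEY, NONCE, datagram))


def on_the_wire(wire: bytes) -> dict:
    """What an observer without the key learns from the packet."""
    src, dst, proto, payload = parse_ipv4(wire)
    return {"src": src, "dst": dst, "proto": proto,
            "payload_is_readable": b"GET" in payload}


def unwrap_transport(wire: bytes) -> bytes:
    src, dst, _, enc = parse_ipv4(wire)
    clear = decrypt(KEY, NONCE, enc)
    return build_ipv4(src, dst, clear[0], clear[1:])


def unwrap_tunnel(wire: bytes) -> bytes:
    _, _, _, enc = parse_ipv4(wire)
    return decrypt(KEY, NONCE, enc)


if __name__ == "__main__":
    # Constructed internal hosts and gateway addresses.
    inner = build_ipv4("10.1.1.5", "10.2.2.9", PROTO_TCP, b"GET /payroll HTTP/1.0\r\n")
    print("transport:", on_the_wire(transport_mode(inner)))
    print("tunnel:   ", on_the_wire(tunnel_mode(inner, "203.0.113.1", "198.51.100.1")))
```

Running it shows the security-relevant difference the text describes: in transport mode the observer still sees the internal source and destination addresses (only the data is hidden), whereas in tunnel mode the observer sees only the two gateway addresses, which is also why encapsulation can hide a non-IP or private internal addressing scheme.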
VPN Pros and Cons
Regarding VPN pros, there is clearly a perception of cost savings by leveraging the ubiquity of the Internet. VPNs, once installed on the client system, are generally transparent to the end user once the user makes the connection. This means greater transparency, virtually eliminating source code modifications as well as integration issues to support required client applications. It also removes any user obligation for encrypting files before transmitting them across the transport. And a single VPN technology can usually provide privacy for multiple applications.
On the con side, a VPN requires the installation of client software – a minimal yet required activity. This is a primary inhibitor to VPN growth. Complaints have also been lodged that for the non-technical personnel, VPN technology and installation is not simple enough.
VPNs are an immature technology, with multiple and evolving standards and vendors. And VPN technologies developed against the same standard do not always interoperate. A single-vendor solution is the only practical approach today.
The lack of sufficiently high data-transfer rates remains a remote access inhibitor. This, in turn, will drive the development of higher-speed technologies. Some of these technologies include higher-speed analog modems, integrated services digital network (ISDN), many varieties of digital subscriber lines (xDSL), cable modems, wireless and satellite systems. Everyone agrees on the need for speed, but analog modems will remain the dominant technology for remote access connections over the next five years.
As with all security projects, the more devices you have protecting your network, the more secure your network will be. So, although some of today’s firewalls can provide VPN capability in addition to their normal firewall duties, a more costly but ultimately more secure solution might be to keep the VPN and firewall functions separate. Keeping them separate may also improve performance, scalability and ease of use, avoiding having the security product become the choke point of the network. Furthermore, if high throughput is required of the VPN, a high-speed hardware alternative to a firewall should be considered.
The Future of VPNs
In the future, VPNs will be put to even more remote access uses: for example, securely transmitting clinical images. The Oklahoma Telemedicine Network allows doctors in rural hospitals to send x-rays to radiologists in major centers for joint consultation. This reduces travel time for patients while providing expert diagnoses. One day, Telemedicine will allow healthcare specialists to pay electronic house calls, remotely "visiting" patients and even hospital operating rooms, which will also require the security of VPNs.
Another example area requiring VPNs includes secure audio conferencing over the Internet. This will be particularly attractive for multi-national companies requiring communication across international boundaries spanning many time zones.
When planning a remote access project, many factors must be considered. From the outset, security must be taken into account, keeping in mind that for any crime, there are three factors: means, motivation and opportunity. For remote access users, means and opportunity disappear as limiting factors. For a rundown of the less obvious requirements, see the "Shopping List" sidebar below.
Remote Access ROI
Generally, return on investment for remote access is difficult to quantify and must be clearly linked to the business need driving remote access, be it telecommuting or some other requirement. Sometimes ROI is easy to measure, though, as in the case of Unisys replacing remote access "800" and long-distance numbers with VPN connections provided by ISPs; those costs tend to be highly variable and therefore easy to compare.
But in the Telemedicine example, unconventional areas may need to be considered, such as improved patient care and satisfaction, doctor productivity, patient convenience, facilities overhead costs, improved access to critical information and employee productivity.
In general, VPNs are a rapidly maturing, though not yet mature, market. Thus, implementing VPNs will not be a simple project. Look to spend more than the usual amount of time developing the solution and managing relationships with the vendors who provide the pieces of the solution.
About the Author: Charlie Young is the Director of U.S. Network Enable Solutions in the Global Customer Services (GCS) organization. He can be reached at firstname.lastname@example.org.
Shopping List
Aside from vendor selection and the requirements that can be gleaned from the text of this article, many of the less obvious ones, especially those related to security, are listed here:
• Security policy enhancements to include remote access – short, succinct, enforceable
• User involvement (kept to a minimum) in configuring the security parameters of their platform and in responding to breaches
• Special security requirements for laptop computers: anti-theft, password protection, backup, disk encryption, authentication, privacy, boot protection, antivirus, etc.
• User remote access authentication requirements
• End user training requirements
• Audit log requirements
• Session time-out, logoff and re-authentication
• Administrator access (remote, local, specific terminal, etc.) and notification considerations (alarms, phone, beeper, etc.)
• Administrator aids (wizards for infrequent operations, help screens, etc.)
• Interoperability with existing systems and existing access control mechanisms
• Access to the existing security database
• Anti-hacker measures
• Resource misuse and abuse considerations
• Password controls and expiration requirements
• Password storage encryption, configuration and auditing
• Specialized servers for accounting and security
• Network management considerations
• Monitoring and troubleshooting capabilities
• Consideration for restricting extremely sensitive corporate information to be accessed only via a thin client, thereby limiting its storage exclusively on the corporate server
• Establishing rewards for finding and reporting security weaknesses, and watching for reward abuse
• Being aware that use of home PCs for work creates a support nightmare due to non-standard configurations and a security risk from matter-of-fact non-employee (family) PC access and use
– Charlie Young
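Several items on the list above (password storage encryption, password expiration, session time-out with re-authentication, and a uniform failure message as a basic anti-hacker measure) can be checked against a small reference implementation. The following is an added example, not code from the article or from Unisys: it stores passwords as salted, iterated hashes rather than reversible encryption, which is the usual way to meet the "password storage" requirement, and it uses constructed policy values (200,000 PBKDF2 iterations, 90-day expiry, 15-minute idle time-out) and a `now` parameter so the behaviour is deterministic. `login`, `Session.touch` and the record layout are assumptions made for the illustration.

```python
"""Password storage, expiration and idle time-out for a remote access
server.  Added illustration; policy numbers are constructed."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000       # constructed policy value
PASSWORD_MAX_AGE = 90 * 86400     # 90 days, constructed
SESSION_IDLE_TIMEOUT = 15 * 60    # 15 minutes idle, constructed
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  set_at: Optional[float] = None) -> dict:
    """Store a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest.
    The digest cannot be reversed to recover the password if the store leaks."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest,
            "set_at": time.time() if set_at is None else set_at}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison so response timing does not leak digest bytes.
    return hmac.compare_digest(digest, record["hash"])


def password_expired(record: dict, now: float) -> bool:
    return now - record["set_at"] > PASSWORD_MAX_AGE


class Session:
    def __init__(self, user: str, now: float):
        self.user = user
        self.last_activity = now
        self.authenticated = True

    def touch(self, now: float) -> bool:
        """Called on each request.  Returns True if the session is still valid;
        after SESSION_IDLE_TIMEOUT of inactivity it is invalidated and the user
        must re-authenticate."""
        if not self.authenticated or now - self.last_activity > SESSION_IDLE_TIMEOUT:
            self.authenticated = False
            return False
        self.last_activity = now
        return True


def login(records: dict, user: str, password: str, now: float
          ) -> Tuple[Optional[Session], str]:
    """Authenticate and open a session, or explain (to the audit log) why not."""
    rec = records.get(user)
    # Same message whether the user is unknown or the password is wrong, so the
    # remote caller cannot use the response to enumerate valid accounts.
    if rec is None or not verify_password(rec, password):
        return None, "invalid credentials"
    if password_expired(rec, now):
        return None, "password expired; change required"
    return Session(user, now), "ok"


if __name__ == "__main__":
    # Constructed user store and timeline for a quick demonstration.
    t0 = 1_000_000.0
    store = {"alice": hash_password("correct horse", set_at=t0)}
    session, msg = login(store, "alice", "correct horse", now=t0 + 100)
    print("login:", msg)
    print("active after 10 min:", session.touch(t0 + 100 + 600))
    print("active after further 16 min:", session.touch(t0 + 100 + 600 + 16 * 60))
    print("login 91 days later:", login(store, "alice", "correct horse",
                                        now=t0 + 91 * 86400)[1])
```

The audit-log requirement on the list is served by the second element of `login`'s return value: every outcome is a distinct, loggable reason on the server side, while the client sees only "invalid credentials" for both unknown users and bad passwords.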