If you plan on taking the Security+ exam, you should have a good understanding of the remote access protocols used within TCP/IP. This blog covers many of them, including those used with VPNs:
Remote Access Protocols
Some common remote access and virtual private network (VPN) tunneling protocols include:
- PPP. Point-to-Point Protocol is used to create dial-up connections between a dial-up client and a remote access server, or between a dial-up client and an Internet Service Provider (ISP).
- IPsec. Internet Protocol security (IPsec) can be used as a remote access tunneling protocol to encrypt traffic going over the Internet. It uses the Internet Key Exchange (IKE) over port 500 to create a security association for the VPN.
- PPTP. Point-to-Point Tunneling Protocol is a tunneling protocol used with VPNs that has some known vulnerabilities. PPTP uses TCP port 1723.
- L2TP. Layer 2 Tunneling Protocol combines the strengths of Layer 2 Forwarding (L2F) and PPTP. L2TP is commonly used with IPsec for VPNs. Since NAT is not compatible with IPsec, L2TP/IPsec can’t go through a device running NAT. L2TP uses UDP port 1701.
- RADIUS. Remote Authentication Dial-In User Service provides central authentication to remote access clients. When an organization uses more than one remote access server, each remote access server can forward authentication requests to the central RADIUS server. RADIUS only encrypts passwords.
- TACACS/XTACACS. Terminal Access Controller Access-Control System and Extended TACACS are older network authentication protocols. TACACS is generic, and XTACACS is proprietary to Cisco. TACACS uses UDP port 49.
- TACACS+. TACACS+ is used as an alternative to RADIUS. Cisco VPN concentrators use TACACS+, and it encrypts the entire authentication process. It uses multiple challenge responses for authentication, authorization, and audit (AAA). TACACS+ has wider uses, including as an authentication service for network devices. TACACS+ uses TCP port 49.
Remember this
IPsec uses port 500 for IPsec VPN connections. RADIUS only encrypts the password in the authentication process. TACACS+ encrypts the entire authentication process. TACACS+ uses multiple challenge responses for authentication, authorization, and audit. TACACS+ is also used as an authentication service for network devices. TACACS uses UDP and TACACS+ uses TCP.
Remote Access Authentication
Remote Access Services (RAS) are used to provide access to an internal network from an outside source. The previous section covered some of the protocols used for remote access connections, but this section covers different authentication mechanisms that can be used with RAS.
Clients access a RAS server via either dial-up or a virtual private network (VPN). A VPN allows a client to access a private network over a public network (such as the Internet).
Remote access methods are useful for personnel who need access to the private network from remote locations. However, no matter what method of remote access you use, you still need to ensure that only authorized clients can access your network remotely. Authorization begins with authentication, and there are multiple methods of authentication used with remote access.
The different authentication mechanisms that may be used with remote access services are:
- PAP. Password Authentication Protocol. Passwords are sent in clear text, so PAP is rarely used today.
- CHAP. Challenge Handshake Authentication Protocol. CHAP uses a handshake process where the server challenges the client. The client then responds with appropriate authentication information.
- MS-CHAP. Microsoft’s implementation of CHAP, which is used only by Microsoft clients.
- MS-CHAPv2. An improvement over MS-CHAP. A significant improvement of MS-CHAPv2 over MS-CHAP is the ability to perform mutual authentication.
- RADIUS. Remote Authentication Dial-In User Service. RADIUS provides a centralized method of authentication for multiple remote access servers. RADIUS encrypts the password packets, but not the entire authentication process.
- TACACS and XTACACS. Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that was commonly used in UNIX networks. Extended TACACS (XTACACS) is an improvement over TACACS developed by Cisco Systems and is proprietary to Cisco Systems. Neither of these is commonly used today; most organizations use either RADIUS or TACACS+.
- TACACS+. Terminal Access Controller Access-Control System+ (TACACS+) is an alternative to RADIUS and is proprietary to Cisco Systems. A benefit of TACACS+ is that it can interact with Kerberos, allowing it to work with a broader range of environments, including Microsoft. Additionally, TACACS+ encrypts the entire authentication process (RADIUS encrypts only the password).
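The CHAP challenge-response and the RADIUS password protection described in the list above, as an added example that is not code from the original post: it computes the response a CHAP client returns to the server's challenge (RFC 1994, MD5 variant) and shows why RADIUS protects only the User-Password attribute (RFC 2865 hiding) rather than the whole exchange. The shared secret and authenticator values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo value (not from the original post).
SHARED_SECRET = b"demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) with MD5: the client never sends the secret, only
    MD5(Identifier || secret || Challenge). The server holds the same
    secret, recomputes the digest and compares."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server-side check; constant-time compare avoids timing leaks."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def radius_hide_password(password: bytes, secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """RADIUS User-Password hiding (RFC 2865, 5.2). Only this attribute is
    protected: the password is null-padded to a multiple of 16 and each
    16-byte block is XORed with MD5(secret || previous block), where the
    first 'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden: bytes, secret: bytes,
                           request_authenticator: bytes) -> bytes:
    """Server side: reverse the XOR chain and strip the null padding.
    Every other attribute in the same packet (User-Name, NAS address,
    etc.) travels in the clear, which is the point made in the text."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```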