Chapter 13 - Remote Network Access.pdf

Full Transcript

Chapter 13
Remote Network Access
THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE
COVERED IN THIS CHAPTER:
Domain 3.0 Network Operations
3.5 Compare and contrast network access and management methods.
Site-to-site VPN
Client-to-site VPN
Clientless
Split tunnel vs. full tunnel
Connection methods
SSH
Graphical user interface (GUI)
API
Console
Jump box/host
In-band vs. out-of-band management

Think of remote access as a telecommuting tool because companies use it to allow
remote employees to connect to the internal network and access resources in the office.
Remote access is great for users who work from home or travel frequently, but clearly, to
a stalking hacker, using an unsecured remote access connection is like stealing candy
from a baby.
Using remote access requires a server configured to accept incoming calls and also
requires remote access software to be installed on the client. Microsoft Windows
operating systems, since Windows 95, have had remote access client software built in,
and there are many third-party remote access clients available as well. Several different
methods exist to create remote access connections. In this chapter, we'll look at remote
access and the VPN types that make it secure.

To find Todd Lammle CompTIA videos and practice questions,
please see www.lammle.com.
Site-to-Site VPN
Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the
corporate backbone securely over an insecure public medium like the Internet instead of
requiring more expensive wide area network (WAN) connections like Frame Relay. This
is the best solution for connecting a remote office to a main company office because all
traffic between the offices will be encrypted with no effort on the part of the users.
In this scenario, all office traffic will go through the VPN tunnel. Figure 13.1 shows a
site-to-site VPN, along with a remote access called a client-to-site VPN covered in the
next section.
This solution requires a remote access client on the user device.

FIGURE 13.1 Site-to-site and client-to-site VPN

Client-to-Site VPN
Remote access VPNs or client-to-site VPNs (shown in Figure 13.1) allow remote users
like telecommuters to securely access the corporate network wherever and whenever
they need to. It is typical that users can connect to the Internet but not to the office via
their VPN client because they don't have the correct VPN address and password. This is
the most common problem and one you should always check first.
In this scenario, only the user and office traffic will go through the VPN tunnel. This
solution requires a remote access client on the user's device.

Clientless VPN
A clientless VPN enables end users to securely access resources on the corporate
network from anywhere using an SSL/TLS-enabled web browser. They need no remote
access client to do this, only a browser that can perform SSL or the more secure TLS.
Figure 13.2 shows a clientless VPN.

Split Tunnel vs. Full Tunnel
When a client-to-site VPN is created, it is possible to do so in two ways, split tunnel and
full tunnel. The difference is whether the user uses the VPN for connecting to the
Internet as well as for connecting to the office.

FIGURE 13.2 Clientless VPN
Split tunneling works by using two connections at the same time: the secure VPN
connection and an open connection to the Internet. So in split tunneling, only traffic to
the office goes through the VPN. Internet traffic does not. The security issue with this is
that while the user is connected to the VPN, they are also connected to the most
untrusted network, the Internet.
Figure 13.3 shows the split and full tunnels.
 FIGURE 13.3 Split and full tunnels
With a full tunnel, all traffic goes through the VPN, which means the user is accessing
the Internet through the connection of the office, and so all traffic will be examined by
the office security.

Remote Desktop Connection
There are times when you need to make a remote connection to a machine to perform
troubleshooting but you are miles away. Connectivity software is designed to allow you
to make a connection to a machine, see the desktop, and perform any action you could
perform if you were sitting in front of it.
Microsoft has made what it calls Remote Desktop software available for free with
Windows products since Windows NT. When this software is installed (installed by
default in later versions) on both source and destination computers, a remote desktop
connection can be made.
Microsoft allows one remote user connection or a local connection on desktop operating
systems via Remote Desktop Protocol (RDP), but not both. On server operating systems,
Microsoft allows two administrative connections that can be a combination of local or
remote access, but not to exceed two connections.
RDP can also be used to deliver applications to the end users via Microsoft RemoteApp
on terminal services. When RemoteApp is used, the server still requires a terminal
services license. However, just the application is delivered to the user host rather than
the entire desktop.
Commercial tools are also available that (of course) claim to have more functionality,
and they probably do have a few extra bells and whistles. These include LogMeIn.com,
GoToMyPC, and others.
The advantages of these connectivity tools are obvious. With these tools, you can do
anything you need to on the machine as long as you can connect. They also allow you to
see what a user is actually doing when they encounter a problem rather than having to
rely on what they tell you they are doing. You can even show a user what they are doing
wrong. Most of these tools allow for chat sessions and for either end of the connection to
take control of the machine. You can also transfer files to them if required (maybe a
dynamic-link library got deleted, for example).

Remote Desktop Protocol
Remote Desktop Protocol is a proprietary protocol developed by Microsoft. It allows you
to connect to another computer and run programs. RDP operates somewhat like Telnet,
except instead of getting a command-line prompt as you do with Telnet, you get the
actual graphical user interface (GUI) of the remote computer. Clients exist for most
versions of Windows, and macOS now comes with a preinstalled RDP client.
Microsoft currently calls its official RDP server software Remote Desktop Services; it
was called Terminal Services for awhile. Microsoft's official client software is currently
referred to as Remote Desktop Connection (RDC), which was called Terminal Services
Client in the past.
RDP is an excellent tool for remote clients, allowing them to connect to their work
computer from home, for example, and get their email or perform work on other
applications without running or installing any of the software on their home computer.
RDP allows users to connect to a computer running Microsoft's Remote Desktop
Services, but a remote computer must have the right kind of client software installed for
this to happen. Most Windows-based operating systems include an RDP client, and so
do most other major operating systems, like Linux and macOS. Microsoft began calling
all terminal services products Remote Desktop with Windows Server 2008 R2. RDP
uses the TCP protocol and port 3389.
After establishing a connection, the user sees a terminal window that's basically a
preconfigured window that looks like a Windows desktop or another operating system's
desktop. From there, the user on the client computer can access applications and files
available to them by using the remote desktop.
When logged in using RDP, clients are able to access local files and printers from the
remote desktop just as if they were logged into the network.

EXERCISE 13.1
Experimenting with RDP

This exercise is best if you have two stand-alone Windows computers on the same
network. In this exercise, you will experiment and explore the setting for Microsoft
Remote Desktop Protocol:
1. Select Start Settings System Remote Desktop to open the Windows
Settings for Remote Desktop.
2. Flip the Enable Remote Desktop switch to on.
3. Click Confirm on the Enable Remote Desktop? dialog box.
4. Click Advanced Settings to investigate the various settings for Remote Desktop.
If you have a second computer, continue with the following steps.
5. On the same computer, find the IP address by opening a command prompt and
typing ipconfig.
6. On a second computer, click the Start menu, begin typing the word Remote,
and select the Remote Desktop Connection result.
7. Click Show Options on the Remote Desktop App.
8. Explore the tabs and various options.
9. Click the General tab and enter the IP address from step 5.
10. Click Connect on the Remote Desktop App.
RDP Gateway
The Remote Desktop Protocol Gateway is a Microsoft server role that allows centralized
access to remote desktops, such as remote desktop workstations or remote desktop
servers. The gateway usually sits between the users and the remote desktops and
controls the access to the remote desktops. Although the term Remote Desktop Gateway
is a Microsoft Server role, every vendor for Remote Desktop Protocol Services has a
similar server or virtual appliance. The Remote Desktop Gateway is mainly responsible
for brokering clients to their respective remote desktops.
The Remote Desktop Gateway is typically installed on the edge of the network, where it
will border the external network it serves, such as the Internet. Because the gateway is
installed on the edge of the network, it is also responsible for the security or the remote
desktop sessions and users. The gateway provides TLS encryption via certificates,
authentication for clients via Active Directory, and the authorization to the internal
resources. The Remote Desktop Gateway operates on port 443 and protocol TCP.
During the setup of the Remote Desktop Gateway, two policies must be configured for
controlling authorization. The Connection Authorization Policy (CAP) specifies which
group of users can access the Remote Desktop Gateway. The Resource Authorization
Policy (RAP) then specifies which remote desktop or servers are allowed for each group
of users. Between the CAP and RAP authentication policies, the Remote Desktop
Gateway can be configured with granular security for both users and the remote hosts.
It is more secure than allowing RDP to be published directly to the public over the
Internet in the following ways:
No VPN needed. Using the SSL channel, the RDP Gateway can tunnel directly to the
remote server to increase the security of RDS.
No pass through a third-party website or service.
Native Windows Server service.
Can be combined with Network Access Protection (NAP).
Can be used along with Microsoft Internet Security and Acceleration (ISA), the
Microsoft implementation of RADIUS.

Virtual Network Computing
Virtual Network Computing (VNC) is a remote control tool for sharing desktops. The
VNC client normally operates on TCP port 5900. VNC is similar to Microsoft RDP, with
the exception that VNC is an open-source protocol and allows only one console session
on a Microsoft operating system. It supports encryption via plug-ins but is not encrypted
by default.
VNC operates in a client and server model. The server install for the host enables remote
control of the host, and the client install allows for means to connect to the VNC server.
It is normally configured with a simple shared password, but it can also be configured
with Windows groups. Several clients can be used such as RealVNC, TightVNC, and
many others, but all of the clients perform in a similar way.
VNC includes the following components:
VNC server: Software that runs on the machine sharing its screen
VNC client (or viewer): Software on the machine that is remotely receiving the
shared screen
VNC protocol: The protocol

One big difference between VNC and RDP is that VNC sends raw pixel data (which does
make it work on any desktop type), while RDP uses graphic primitives or higher-level
commands for the screen transfer process.

Virtual Desktop
Using operating system images for desktop computers is not a new concept. Nor is
delivering these desktop images to users from a virtual environment when they start
their computer. This allows for the user desktop to require less computing power,
especially if the applications are also delivered virtually and those applications are
running in a virtual machine (VM) in the cloud rather than in the local desktop eating
up local resources. Another benefit of using virtual desktops is the ability to maintain a
consistent user environment (same desktop, applications, etc.), which can enhance user
support.

Connection Methods
This section will cover various connection methods for accessing hosts, servers, and
network devices. We already covered RDP in this chapter, so let's talk about the
following:
Secure Shell (SSH)
Graphical user interface (GUI)
Application programming interface (API)
Console

Secure Shell
Secure Shell is a network protocol that is designed as a secure alternative to command-
based utilities such as Telnet that transmit requests and responses in clear text. It
creates a secure channel between the devices and provides confidentiality and integrity
of the data transmission. The SSH protocol uses the TCP protocol and port 22.
It uses public-key cryptography to authenticate the remote computer and allow the
remote computer to authenticate the user, if necessary. This public key is placed on any
computer that must allow access to the owner of a matching private key (the owner
keeps the private key in secret). The private key is never transferred through the
network during authentication.
Don't use Telnet! Telnet is insecure because it sends all data in crystal-clear text—
including your name and password. And I'm pretty sure you know that's a terrible thing
these days. If Microsoft doesn't even enable it on its latest OSs, then you know it really
must be insecure.
Figure 13.4 shows how an encrypted session might look between a host and a network
device.

FIGURE 13.4 Clientless VPN
Some configuration is usually necessary if you want things to work as they really should,
and yes, sometimes it's a little painful to get everything running smoothly, but it's all
worth it in the long run. Personally, I disable Telnet on all my routers and use SSH
exclusively. No lie—I never use Telnet anymore if I can help it. Even so, you should still
understand Telnet and get some practice with it in case you do ever need it.

Graphical User Interface
As mentioned earlier, Remote Desktop Services is a great GUI to connect to remote
devices, get a GUI window, and then use it to administer the device, server, and/or
network devices on the connected zone. Very useful. You'll learn about a jump host in
the next section, which can be used similarly.

Application Programming Interface
An application programming interface allows you to quickly access an application
resource without mapping out the application and manually reverse engineering your
functionality.
For example, if you wanted to create an application that suggests restaurants near a
user, you would need access to map information to know what restaurants are nearby.
To get map information on your own, you would have to either get your own map data
or develop your own way of accessing Google Maps through your own interface. Neither
one of these is a practical option. Fortunately, Google offers many APIs that, like you,
consume their map information in your application.
One of the most common ways of accessing APIs is through Representational State
Transfer (REST). REST is a resource-based API, which means that URIs should be:
Things, not actions
Nouns, not verbs

If we break the words in Representational State Transfer apart, we have the following:
Representational A resource state is transferred between a client and server.
State Transfer Each request has all the information it needs to complete the
operation.
Lastly, REST has six constraints it needs to follow to be considered a RESTful API.
Client-server: Connections are always initiated by a client requesting something
from a server.
Stateless: The server doesn't store any information from previous requests.
Cacheable: The server response includes a version number so the client can decide
if it can use the cached information or if it needs a new request.
Uniform interface: This defines the interface between the client and the server.
This is divided into four subsections.
Resource identification: Each resource must have its own unique URI.
Resource representation: This is how the resource will return data to the
client; this is usually JSON or XML.
Self-descriptive messages: Each message sent must have enough information
in it to determine how to process the message.
Hypermedia as the engine of application state (HATEOAS): This is a bit
of a mouthful but basically means you should be able to easily discover other
functionalities of the API. For example, suppose you are looking at a Cisco router
API to view an interface. In that case, you should be able to view other items
without too much documentation.
Layered system: You can add layers between the API and the server data, such as
a firewall or a load balancer, without impacting operations.
Code on demand: This optional constraint allows REST to send executable code
responses back to the client.

Console/Rolled Serial Cable
Although rolled cable isn't used to connect any Ethernet connections together, you can
use a rolled Ethernet cable to connect a host EIA-TIA 232 interface to a router console
serial communication (COM) port.
If you have a Cisco router or switch, you would use this cable to connect your PC, your
Mac, or a device like an iPad to the Cisco hardware. Eight wires are used in this cable to
connect serial devices, although not all eight are used to send information, just as in
Ethernet networking. Figure 13.5 shows the eight wires used in a rolled cable.

FIGURE 13.5 Rolled Ethernet cable
These are probably the easiest cables to make because you just cut the end off on one
side of a straight-through cable, turn it over, and put it back on—with a new connector,
of course!
Once you have the correct cable connected from your PC to the Cisco router or switch
console port, you can start your emulation program such as PuTTY or SecureCRT to
create a console connection and configure the device. Set the configuration as shown in
Figure 13.6.
Notice that Baud Rate is set to 9600, Data Bits to 8, Parity to None, and no Flow Control
options are set. At this point, you can click Connect and press the Enter key, and you
should be connected to your Cisco device console port.
Figure 13.7 shows a nice Cisco switch with two console ports.
Notice there are two console connections on this new switch—a typical original RJ45
connection and the newer mini type-B USB console.
FIGURE 13.6 Configuring your console emulation program
 FIGURE 13.7 A Cisco 2960 console connections
Remember that the new USB port supersedes the RJ45 port if you happen to plug into
both at the same time, and the USB port can have speeds up to 115,200 Kbps, which is
awesome if you have to use Xmodem to update an IOS. I've even seen some cables that
work on iPhones and iPads, allowing them to connect to these mini-USB ports!

Jump Box/Host
Referred to as a jump server, jump host, or jump box, this can be a very useful device. A
jump box is defined as a system on a private network that will allow you to remotely
access and manage devices in a separate security zone. This host is a very hardened
device that connects two or more security zones, allowing authenticated and controlled
access between chosen zones.
Created in the early 1990s to provide secure access to remote networks and multiple
security zones, this was initially used with proxy services, which were all the rage by the
mid-1990s, and then provided a connection from a local desktop. However, once SSH
became popular and replaced Telnet, SSH became the standard access method instead
of proxies for the jump box. Alternatively, I am using a jump box in my data center. I
have set it up so I can RDP into the GUI interface and get to all my network devices in
the DC I use daily.
Similarly, and created around this same time, a bastion host was created. Named
bastion because it means or is defined as “Military Fortification” and considered a
critical strong point of network security, it was typically designed and configured to stop
multiple attacks by only running the needed application, and all other ports are
disabled. Another reason to use a bastion is the network interfaces were designed to look
for and stop high-bandwidth attacks. Pretty amazing.
Jumping back to the jump box (see what I did there?), it's vital that you set up a VPN
termination point in the location where the host is located. In my DC, I use a Cisco ASA
—it's old but sturdy—and can handle all my terminations with an easy-to-use CLI.

Where Should You Implement a Jump Box/Host?
Jump servers are often placed between a secure zone and a screened subnet (also known
as DMZ) to provide easy management of devices in the screened subnet once a
management session has been set up and configured.
Figure 13.8 shows where a typical jump host could be placed in a network. Notice my
firewall termination point for my VPN.
This allows for an administrator to log into the jump server to gain access to the
screened subnet, servers, and other assets, and all access and configuration can be
logged for audit.

FIGURE 13.8 Where a jump box is implemented

In-Band vs. Out-of-Band Management
Out-of-band management is any method of managing a server or network device that
does not use or go through the network. You'd use a console cable to attach directly to
the device to do this.
However, many newer network devices have separate Ethernet ports that are configured
with a different subnet than the management IP of the local zone and is considered out-
of-band because it is not connecting through the production network.
In-band refers to managing a network, server, or network device through the network
using tools like RDP or SSH, for example.

Summary