Remote access allows users to securely connect to a work network from any location, while remote desktop services enable them to control network systems as if they were physically present. This article explores the key concepts and protocols associated with remote access and remote desktop solutions.
What is Remote Access?
Remote access allows users to connect to a work network from an external location. This connection enables users to access resources and function as if they are physically present in the office.
The remote access server ensures security by authenticating users and managing network traffic. A common method for secure remote access is through a Virtual Private Network (VPN), which provides a secure connection over an insecure network, such as the internet.
What is Remote Desktop?
A remote desktop connection lets users access a network system from their workstation, allowing them to control the remote system as if they were physically at the computer.
This is particularly useful for performing administrative tasks and providing remote assistance. Notable remote desktop solutions include Microsoft Remote Desktop Services (formerly Terminal Services) and Citrix ICA, both of which support centralized computing.
Other remote desktop products that have been popular (some of them since discontinued) include:
- Symantec pcAnywhere®
- GoToMyPC®
- LogMeIn®
- WebEx PCNow®
These tools are primarily used for remote administration.
Remote Access vs. Remote Desktop
In remote access, the user's computer runs the applications and processes itself; the connection simply extends the work network to it. In remote desktop, the user's computer sends only keyboard and mouse input to the host computer, which runs all applications and processes and sends back screen updates.
Remote Access Infrastructure
The infrastructure required for remote access includes hardware, software, networks, and facilities that support and deliver remote access. This is typically managed by Remote Access Services (RAS) servers, which provide remote access to the network. Modern remote access often utilizes VPN servers for secure connections.
Authentication, Authorization, and Accounting (AAA)
When connecting to a work network via remote access, two key concerns are:
- User authentication: Verifying user identity.
- Secure communication: Ensuring that data exchanged between the user and the network is encrypted and accessible only to authorized parties.
The RAS server can authenticate remote users itself. If the company already has a directory used for authentication, it is more convenient to have the RAS server consult that directory, and an AAA server is used for that.
An AAA server authenticates users against the existing directory, applies authorization rules, and provides centralized logging (accounting) of all connections.
The two major AAA protocols are:
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)
RADIUS Protocol
RADIUS (Remote Authentication Dial-In User Service) is a protocol that provides standardized, centralized authentication for remote users.
The RAS server acts as a RADIUS client, passing authentication requests to the RADIUS server.
RADIUS is widely supported by VPN servers, Ethernet switches, and wireless access points, and uses UDP ports 1812 (authentication) and 1813 (accounting); older equipment may still use 1645 and 1646. Note that RADIUS hides only the User-Password attribute (with an MD5 keystream derived from the shared secret); user names and all other attributes travel in cleartext. RADIUS traffic should therefore be confined to a trusted management network or carried over TLS (RadSec, RFC 6614).
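The following added example (written for this article, not taken from any RADIUS server or client) builds and parses a minimal Access-Request to show exactly what the User-Password hiding of RFC 2865 section 5.2 covers. The shared secret, user name and password are constructed sample values.

```python
"""Added example: build and parse a RADIUS Access-Request to show what the
protocol does (and does not) protect on the wire.  Illustrative code written
for this article, not taken from any RADIUS implementation; the shared
secret, user name and password are constructed sample values."""
import hashlib
import secrets
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1        # attribute types from RFC 2865
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: pad to 16-byte blocks,
    then XOR each block with MD5(secret + previous block), where the first
    'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it.  Trailing NUL
    padding is stripped, so the scheme cannot carry a password ending in NUL."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Encode a minimal Access-Request: 20-byte header, then TLV attributes."""
    authenticator = authenticator or secrets.token_bytes(16)   # must be unpredictable
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Decode the header and return (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    secret, password = b"s3cr3t-shared", b"correct horse battery staple"
    pkt = build_access_request(7, b"alice", password, secret)
    code, ident, ra, attrs = parse_access_request(pkt)
    print("user name visible in cleartext:", b"alice" in pkt)
    print("password visible in cleartext:", password in pkt)
    print("server recovers password:", reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra) == password)
```

Running the block shows the user name in the clear and the password hidden; a sniffer who knows (or guesses) the shared secret recovers the password directly, which is why the secret must be strong and the traffic kept off untrusted networks.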
Diameter Protocol
Diameter is an AAA protocol that evolved from RADIUS but is not backward compatible with it. It runs over TCP or SCTP instead of UDP, requires transport security (TLS/DTLS or IPsec), and adds reliable delivery and server-initiated messages. It is widely used in telecom core networks, but in enterprise remote access it is far less common than RADIUS.
TACACS Protocol
TACACS (Terminal Access Controller Access Control System) is an older protocol offering centralized authentication for remote users. TACACS+ is a Cisco-developed redesign, now documented in RFC 8907, that is not compatible with the original.
TACACS+ separates authentication, authorization and accounting into independent operations (RADIUS combines authentication and authorization), which makes it well suited to per-command authorization on network devices. It supports multiple authentication methods, including interactive ASCII login, PAP and CHAP, and its interactive exchange can prompt for additional factors.
TACACS+ uses TCP port 49. Unlike RADIUS, it obfuscates the entire packet body with an MD5-derived keystream and a shared key, so only the 12-byte header is visible on the wire. That obfuscation is weak by modern standards, so TACACS+ traffic should still be confined to a protected management network.
Remote Desktop Protocols
Microsoft Remote Desktop Protocol (RDP) is the backbone of Microsoft's remote desktop services, offering data encryption, remote audio, printing, local file access, and peripheral port redirection.
The server component, the remote desktop host, is available on most Windows operating systems, listening on TCP port 3389 (recent versions also use UDP 3389). A desktop client is available for most operating systems. Hosts exposed directly to the internet on this port are a constant target of credential brute forcing, so RDP should require Network Level Authentication (NLA), use TLS for its transport, and be reachable only through a VPN or a Remote Desktop Gateway.
Citrix Independent Computing Architecture (ICA) is Citrix's own remote display protocol, used by Citrix products that build on Microsoft Terminal Services to add further protocols and services.
Virtual Network Computing (VNC) is a platform-independent desktop sharing system. VNC client and server software is available for almost any operating system.
VNC is not an inherently secure system. Its Remote Framebuffer (RFB) protocol has no encryption of its own, and the classic VNC authentication is a DES-based challenge-response on a password truncated to eight characters, although individual implementations add varying levels of password and content encryption. VNC servers conventionally listen on TCP port 5900 plus the display number, and a VNC session should be tunneled over SSH or a VPN unless the implementation provides TLS.
X Window system - a protocol that uses a client-server relationship to provide a GUI and input device management functionality to applications. Current X Window systems are based on the X11 protocol and are normally used on UNIX- and Linux-based systems to display local applications. Note that X inverts the usual terminology: the X server is the program that owns the display, keyboard and mouse, and the applications are the clients that connect to it.
Because X is an open, cross-platform protocol built on this client-server split, running an application on one host and displaying it on another is easy to implement. The native X11 transport (TCP port 6000 plus the display number) is unencrypted, however, and host-based access control (xhost) is easily misconfigured, so remote X sessions should be forwarded over SSH rather than exposed directly.
Remote Access Protocols
Remote access protocols enable connections via direct dial-in or through ISPs and the internet.
Telnet, one of the oldest application layer protocols and services in the TCP/IP suite, provides text-based terminal emulation over networks but has no encryption: everything, including the login credentials, is sent in cleartext.
Both the protocol itself and the client software that implements the protocol are commonly referred to as Telnet. Telnet servers listen for client requests on TCP port 23.
Secure Shell (SSH) offers secure remote login and other secure network services, with stronger authentication than Telnet (public keys and certificates in addition to passwords). It encrypts and integrity-protects the whole session. SSH servers listen on TCP port 22.
Point-to-Point Protocol (PPP) - a remote networking protocol that works on the Data Link layer of the TCP/IP protocol suite.
PPP can dynamically configure and test remote network connections and is often used by clients to connect to networks and the Internet.
PPP does not encrypt traffic by itself (encryption such as MPPE can be negotiated on top of it), and it does not protect passwords on its own: how credentials are handled depends on the authentication protocol (PAP, CHAP or EAP) negotiated during link setup. To log on to a remote session via PPP, you need to enable one of these remote authentication protocols.
The Point-to-Point Protocol over Ethernet (PPPoE) and Point-to-Point Protocol over ATM (PPPoA) are more recent PPP implementations used by many DSL broadband Internet connections.
Extensible Authentication Protocol (EAP) - an authentication framework that has many variations.
EAP variations are often used for remote access authentication and in 802.1X port-based network access control.
Password Authentication Protocol (PAP) is a remote-access authentication method that sends client IDs and passwords as plaintext, so anyone who can observe the link learns the credentials.
Challenge Handshake Authentication Protocol (CHAP) - a PPP authentication protocol that uses a challenge-response exchange instead of sending the password. The server sends a random challenge and the client returns a one-way hash (MD5) of the packet identifier, the shared secret and the challenge, so the secret never crosses the link and a captured response cannot be replayed against a fresh challenge. The trade-off is that the server must store the secret in a recoverable form rather than as a salted hash. Microsoft's MS-CHAPv2 variant is widely deployed but has known weaknesses.
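The added example below (written for this article, not taken from any PPP implementation) puts PAP and CHAP side by side: it encodes a PAP Authenticate-Request (RFC 1334), computes the CHAP MD5 response of RFC 1994, and implements the server-side check, including single-use challenges so that a replayed response fails. The user names, secrets and challenges are constructed values.

```python
"""Added example: PAP versus CHAP on the wire.  PAP (RFC 1334) sends the
password itself; CHAP (RFC 1994) sends MD5(identifier + secret + challenge).
Illustrative code written for this article; credentials are constructed."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: code=1, identifier, length, peer-id-length,
    peer-id, password-length, password.  Everything is cleartext."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (algorithm 5): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP.  The server must hold each peer's secret in a form
    it can feed into MD5 (plaintext or reversibly encrypted): that is the price
    of never sending the secret over the link."""

    def __init__(self, secrets_db: Dict[bytes, bytes]):
        self._secrets = dict(secrets_db)
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge

    def new_challenge(self, identifier: int, challenge: Optional[bytes] = None) -> bytes:
        """Issue a fresh, unpredictable challenge (a fixed one may be supplied for tests)."""
        challenge = challenge or secrets.token_bytes(16)
        self._pending[identifier] = challenge
        return challenge

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        """Check a Response against the single outstanding challenge for this
        identifier.  The challenge is consumed whether or not the check passes,
        so replaying a captured response cannot succeed."""
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    # Constructed demonstration: the same credential over PAP and over CHAP.
    print("PAP leaks password:", b"hunter2" in pap_authenticate_request(1, b"alice", b"hunter2"))
    server = ChapAuthenticator({b"alice": b"hunter2"})
    challenge = server.new_challenge(1)
    response = chap_response(1, b"hunter2", challenge)
    print("secret visible in CHAP response:", b"hunter2" in response)
    print("genuine response accepted:", server.verify(1, b"alice", response))
    print("replayed response accepted:", server.verify(1, b"alice", response))
```

The replay check is the part worth noticing: because the authenticator discards the challenge after one use and generates a new random one for every attempt, an attacker who records a valid response gains nothing, although an attacker who records challenge and response can still attempt an offline dictionary attack on the secret, which is the weakness MS-CHAPv2 is known for.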
VPN Protocols
VPNs are crucial for encrypted communication in various scenarios, including avoiding censorship.
Networks that enforce such policies often block the PPTP and L2TP ports (TCP 1723 and UDP 1701) to prevent users from tunneling out. Users can then fall back to an SSL VPN, because blocking TCP 443 would also block ordinary HTTPS traffic. Data tunneled inside a ubiquitous protocol such as HTTPS or even DNS is hard to block without collateral damage, although deep packet inspection and TLS fingerprinting can still identify many VPN clients.
VPNs are typically configured as site-to-site or remote-access.
Site-to-site VPNs establish permanent tunnels between preconfigured VPN gateways (for example between two offices), while remote-access VPNs create a tunnel on demand between an individual client and a VPN server. Checking your banking information online over HTTPS uses the same TLS technology as an SSL VPN, but it is not a VPN: only the browser session to the bank is protected, not the client's network traffic in general.
Point-to-Point Tunneling Protocol (PPTP) is a Layer 2 Microsoft VPN protocol that wraps PPP frames for transport across IP networks and adds encryption to them.
PPTP is very easy to set up. However, its encryption, Microsoft Point-to-Point Encryption (MPPE, based on RC4), and the MS-CHAPv2 authentication it relies on are both known to be breakable, so it should not be a preferred VPN solution. PPTP uses TCP port 1723 for its control channel and GRE (IP protocol 47) for the tunneled data; both must be permitted by firewalls, and GRE is a frequent source of NAT problems.
Layer Two Tunneling Protocol (L2TP) combines the capabilities of PPTP and Layer 2 Forwarding (L2F) (an older Cisco VPN protocol that did not provide encryption) to enable the tunneling of PPP sessions across a variety of network protocols.
L2TP was specifically designed to provide tunneling interoperability for remote access and site-to-site VPNs.
L2TP does not provide any encryption on its own: it carries the PPP frames inside UDP datagrams (port 1701) that any observer on the path can read. For that reason it is almost always deployed as L2TP/IPsec, where IPsec ESP in transport mode protects the L2TP packets and supplies authentication, integrity and confidentiality, while L2TP supplies the tunnel and the PPP session.
For many years, L2TP/IPsec has been a standard for VPNs. L2TP uses UDP port 1701; with IPsec in use, firewalls must also permit IKE (UDP 500) and NAT traversal (UDP 4500), or ESP (IP protocol 50) where NAT traversal is not used.
IPSec - a secure network-layer protocol suite rather than a single protocol: the Authentication Header (AH) provides integrity and origin authentication, the Encapsulating Security Payload (ESP) provides confidentiality plus integrity, and the Internet Key Exchange (IKE) negotiates algorithms and keys. It supports mutual authentication (both sides verify the other's identity, using pre-shared keys or certificates) and, with modern algorithms, is one of the strongest VPN technologies available.
IPSec can be combined with other VPN protocols such as L2TP, in which case it handles the encryption, or it can be used by itself, in tunnel mode, as a complete VPN solution.
Secure Sockets Layer (SSL) was created to secure web pages, and its encryption has since been reused to secure other protocols. SSL has known flaws and all SSL versions are now deprecated. Transport Layer Security (TLS) is its replacement; TLS is not backwards compatible with SSL, and SSL 2.0 and 3.0 should be disabled wherever they are still found.
"SSL VPN" is a historical name: current products use TLS for encryption.
The advantage of an SSL VPN is that it uses the same port as HTTPS, TCP port 443 (some products add DTLS over UDP 443 for lower latency). This port is rarely if ever blocked by firewalls.
Microsoft's SSL VPN implementation is the Secure Socket Tunneling Protocol (SSTP), which carries PPP over TLS on TCP port 443.
Internet Key Exchange Version 2 (IKEv2) - the key-exchange protocol of the IPsec suite, originally developed by Microsoft and Cisco and standardized by the IETF (RFC 7296). An "IKEv2 VPN" is an IPsec VPN keyed with IKEv2.
IKEv2 is one of the fastest VPN protocols to establish and re-establish. Its MOBIKE extension (RFC 4555) lets a tunnel survive a change of client IP address, which Windows exposes as VPN Reconnect. IKEv2 uses IPsec ESP for the data. It uses UDP port 500 for the initial exchange and UDP port 4500 for NAT traversal.