One of the biggest challenges faced by organizations today is that of allowing remote access to corporate networks. The distinction between "Local Area Network" and "Wide Area Network" is being blurred. New and expanding needs of information technology are driving the industry towards open standards and more universal access as "telecommuting" and its associated benefits have become a realistic option for many types of workers. With new technology, sales forces can trust in the availability of instantly available and up-to-date information; corporate decision-makers can access information conveniently, and all users can respond to E-mail from any location. Remote access solutions allow clients to access a company. s network using telecommunications devices, such as modems and other WAN adapters, instead of a network cable.

Why is remote access such an important issue today? Apart from the pressures of various industries to move towards truly "distributed computing", many more travelling employees are depending on laptop machines. "Worldwide corporations" are becoming more commonplace and growing pains are becoming the norm as business needs push the limits of information technology. A greater dependence is placed on computing resources as companies compete in a marketplace where real power lies in information . and it. s accessibility. The Internet has provided a ready-to-use worldwide network, waiting to connect remote sites together. Internet Service Providers (ISP. s) are readily available to carry data quickly, and securely, to where it is needed in almost any part of the world.

Despite the benefits it can promise, many companies have been reluctant to allow widespread remote access to their corporate LAN. s. Security is, perhaps, the greatest of their concerns. Following closely is the cost and administrative burden of creating modem pools, assigning login permissions and configuring client machines. Fear of trying to keep pace with ever-changing WAN technologies creates potential problems for the future. In the past proprietary hardware-based solutions have often been used in this capacity; however, they often do not address all of the above issues.

This paper will discuss the benefits of implementing Windows NT 4.0 Remote Access Server (RAS) as a potential solution for a corporation. s "dial-in" options. With RAS, remote users can share files and printers, access mainframe hosts, interact with databases and synchronize E-Mail and scheduling information. Installing and configuring the server will be discussed first. This will include dial-in options of RAS and the basic assignment of permissions for users who will use these services. Client configuration options will be presented next, including steps involved in installing the necessary software for remote LAN access. Following the configuration information will be a discussion of security issues and information on how Windows NT RAS addresses these potential problems. Finally, exciting new developments in RAS . namely Multi-Link for bandwidth aggregation and Virtual Private Networking via Point-to-Point Tunneling Protocol . will be evaluated.

Virtual Private Networking (VPN) technology can be defined as the usage of an inherently insecure public network for the purpose of securely transferring sensitive information. With the tremendous popularity and ubiquity of the Internet, more and more corporations are finding ways in which to leverage this technology to reduce their data transport costs and ease the implementation of remote access solutions.

One of the biggest challenges organizations face today is that of allowing remote access to corporate networks. The distinction between "Local Area Network" and "Wide Area Network" is being blurred. New and expanding needs of information technology are driving the industry towards open standards and more universal access as "telecommuting" and its associated benefits have become a realistic option for many types of workers. Faster, cheaper and more reliable WAN connection methods continue to evolve. With new technology, sales forces can trust in the empowerment of instantly available and up-to-date information; corporate decision-makers can access information conveniently, and all users can respond to E-mail from any location. Remote access solutions allow clients to access a company. s network using telecommunications devices, such as modems and other WAN adapters, instead of a network cable.

Why is remote access such an important issue today? Apart from the pressures of various industries to move towards truly "distributed computing", many more traveling employees are depending on laptops and other portable devices. "Worldwide corporations" are becoming more commonplace and growing pains are becoming the norm as business needs push the limits of information technology. A greater dependence is placed on computing resources as companies compete in a marketplace where real power lies not only in information, but also in its accessibility. The Internet has provided a ready-to-use worldwide network, waiting to connect remote sites together. Internet Service Providers (ISP. s) are readily available to carry data quickly, and securely, to where it is needed in almost any part of the world. This technology is ready to be leveraged to improve business practices and decrease costs today. Users have not only realized the potential of the Internet, but have come to expect location-independent access to their data.

Despite the benefits it can promise, many companies have been reluctant to allow widespread remote access to their corporate LAN. s. Security is, perhaps, the greatest of their concerns. Following closely is the cost and administrative burden of creating modem pools, assigning login permissions and configuring client machines. Fear of trying to keep pace with ever-changing WAN technologies creates potential problems for the future. In the past, proprietary hardware-based solutions have often been used in this capacity; however, they often do not address all of the above issues, and can sometimes present additional problems of their own.

"Remote Access" refers to the use of leased or public lines for the connection of remote users to a Local Area Network (LAN). For the purpose of this paper, "traditional" remote access will be defined as the use of modem pools and on-demand, leased point-to-point connections between users (such as analog phone lines or ISDN lines). Traditional remote access is characterized by the use of "modem banks" on the server side and the use of leased lines that incur charges based on transport traffic as well as time- and distance-based charges. This configuration, though very common for the vast majority of companies, leaves a lot to be desired.

Firstly, implementing a "modem bank" often involves choosing an expensive, proprietary solution from a single vendor. This vendor. s device will support a specified number of "ports" (equal to the number of maximum concurrent connections possible). As business needs grow, the customer must obtain additional hardware from this same vendor. Administration of the modems requires personnel who are familiar with the proprietary standards and operations of a specific device. In some cases, it is necessary for accounts to be created and maintained on the modem bank. More significantly, the usage of each "port" incurs a monthly service charge for leasing the line and a connection charge for long-distance communications. Recently, many remote access administrators have realized the costs associated with upgrading server-side hardware. A prime example is the confusion over 56Kbps analog line modem standards which forced customers to choose between competing and incompatible technologies. As end-users demanded the additional speed, IT departments were forced to replace old modems with more costly new ones on the server side. A similar problem occurs when an employee is provided an ISDN connection . the company must buy hardware at both "ends" of the connection and provision a line for this user. A major technical limitation is seen in the fact that the bandwidth for each traditional point-to-point connection is fixed. That is, if a user dials in at 28.8Kbps, she will be fully occupying that port . whether she is transferring data or not, no other user will be able to utilize the unused bandwidth. This problem can be overlooked for a small number of users, but when many users are concurrently connected, the waste of time and money in connection charges can be tremendous. Overall, the costs, administrative requirements and reliance on proprietary hardware have made "traditional" remote access a difficult technology to implement and maintain.

VPN. s use the Internet (or any other public network) for the transport of data. Client computers (such as laptops or other remote clients) still continue to use modems due to their relatively low cost. Servers, however, use a dedicated Internet WAN link instead of a bank of modems. All data that is transferred between the clients and the server is encrypted. Furthermore, VPN. s are protocol-independent; that is, any type of network protocol can be transferred securely. A PPTP packet can encapsulate any type of data. There are two ways to implement a VPN . via hardware or through software. Additionally, a company may choose to implement a VPN "in-house", or may choose to have this outsource to an Internet Service Provider. All methods will be described in detail later.

The popularity of the Internet, combined with the availability of Virtual Private Networking technology, has brought with it a solution for many of the problems faced with traditional remote access. First and foremost, by leveraging the availability of a free, global, public network, long-distance and other data transport charges can be virtually eliminated. Instead of placing a long-distance call from New York to Los Angeles, an end-user can connect to a local Internet Service Provider (ISP) for a low, fixed monthly rate and connect to any server in the world for which she has an account at no additional cost. This method will pay for itself quickly, even if she does not connect for a long time. The benefits increase dramatically for frequent and international travelers. On the server side, there is no need to maintain expensive, proprietary modem banks. Instead, a single Internet connection (for example, a fractional T1 line) can support many users. This effect is amplified because remote users only use bandwidth while they are transferring data and not while they are idle. It also avoids the need to coordinate with telephone companies to provision the necessary number of analog lines. Although it may incur a slight performance cost on the server and client side, the encryption of all data being transferred over the connections provides additional security. To greatly simplify administration of VPN connectivity, corporations may choose to purchase this service from an ISP who can perform these services transparently. In these ways, VPN technology eliminates many of the problems experienced with traditional remote access.

Among the many advantages of this alternative are:

• Lower data transfer costs: Instead of depending on expensive (800) number dial-ups or long-distance telephone charges, remote users can dial-up to any local Internet Service Provider (ISP) and connect to any LAN world-wide without incurring any additional charges.

• Lower hardware costs: PPTP does not require the purchase of additional modem-pooling hardware or ISDN adapters on the server side. The burden of configuring, supporting and upgrading remote client dial-up devices can be reduced. As many users are familiar with configuring their systems to use an ISP, they will be able to install the software themselves.

• Increased performance: By utilizing the full bandwidth of a company. s Internet connection, much greater data throughput can be achieved (versus traditional analog connections). The given throughput for clients will not be locked at a specified rate on connection and will be limited only by the throughput of the clients WAN device. Therefore, the maximum available bandwidth will always be allocated over the active connections and bandwidth will only be used when data is actually being transferred. Flow control prevents the client from sending data to a congested server and thereby decreases dropped packets. When the server is able to process more data, it sends a "resume transfer" command back to the client.

• Decreased administration: With PPTP, network administrators centrally manage and secure their remote access networks at the RAS server. They must manage only user accounts instead of supporting complex hardware configurations.

• Enhanced security: PPTP connections over the Internet are encrypted and secure. Restricting access to a specified pool of IP addresses can provide additional security. Packet filtering can be enabled to disallow access to other areas of a network from remote locations.

• Number of connections limited only by bandwidth: Instead of relying on telephone companies to lease "Hunt Groups" of multiple phone lines (i.e., several phone lines with a single phone number) and paying monthly fees for lines that are rarely all in use, a fixed bandwidth can be divided based on usage.

• Ease of implementation: As PPTP can either use operating system software or ISP hardware, all clients may use the protocol, even if they are running unsupported software. Additionally, existing network addressing schemes do not need to be reconfigured. This is especially useful in situations where a network uses non-registered IP addresses internally.

Although VPN technology may seem far superior to the usage of traditional remote access, there are several business considerations to evaluate before implementing such a solution. The major consideration in this area will concern whether or not there is a need for VPN Technology. Certainly, in cases where remote access is used very rarely (for example, when executives make quarterly trips), or where the majority of remote access is done locally (for a company that has many local offices), several of the advantages of VPN implementation will not be present. Questions to ask include:

There are however, several reasons for implementing a VPN in-house. If only a few users will require remote access, it is much cheaper and easier to setup a software-based solution such as Windows NT Remote Access Server (RAS). Also, if greater control over the configuration of the connections and user accounts is required (for example, Jane Doe may only log on between 6:00pm and 12:00 midnight), it would be best to keep these functions in-house.

Best Practice: If ease of implementation is a major plus, VPN. s should be outsourced. If lower costs, more control and/or a small number of users are priorities, then it is best to do this in-house.

Though the need for a Virtual Private Network can be assessed by considering the business case for it, several technical issues must be considered by network administrators and integrators before implementing such a solution.

1. Server-Server connections: Basically, this technique can be used to connect two different servers in remote locations via a secure tunnel. This connectivity is commonly used for the purposes of database replication or for the replication of E-Mail and other types of messaging connections.

2. Client-Server connections: This is a common scenario for remote clients connecting to a server over the Internet. Usually, the VPN server will have connectivity to the Internet, and often to a LAN, as well. Clients connect to the Internet via any available mechanism (most commonly dial-up via analog lines or ISDN). They then "dial" a second connection to the VPN server and establish a secure connection. From here, they may utilize all network resources as if they were physically connected to the network.

3. LAN-to-LAN connections: In many cases, entire LANs can be connected to each other over the Internet. This is often done in the case of a company that has several small branch offices in various locations. The amount of traffic between the locations will depend on the type of VPN servers used at each end. These connections can be on-demand (for low-bandwidth situations), or persistent (in the case of a lot of traffic on the LAN). A great advantage is realized when connecting multiple sites to each other as a "spider web" is avoided.

The reliability of the Internet has often been cited as a major concern regarding the usage of VPN. s. However, the very nature of the Internet protects against many types of failures through redundancy. It is much more likely that dedicated routes will fail than it is for all possible routes on the Internet to be unavailable at the same time. If remote access connectivity is mission-critical, companies will want to have guaranteed levels of availability for their Internet access and will want to implement redundant connections with fail-over capabilities. Performance can also be increased as clients can use their ISP. s connection for general Internet access instead of using up the LAN. s resources.

Best Practice: If it is unknown whether a specific server (computer or router) can handle the anticipated amount of traffic, load testing is important. If remote access is mission-critical, take steps to make connectivity and devices fault tolerant.

For carrying VPN traffic, there are three major protocol "standards" available on the market today.

Point-to-Point Tunneling Protocol (PPTP): PPTP is a software-based VPN protocol developed by Microsoft for point-to-point connectivity. It is available free as part of Windows 95 (OSR 2.x and above), Windows 98, Windows NT 4.0 and Windows NT 5.0. The use of this protocol is highly recommended for smaller to medium-sized businesses (i.e., less than 50 concurrent connections) as it is freely available in the most common desktop operating systems and is very easy to implement. The method requires no additional setup by an ISP, but will require minor reconfiguration of clients. PPTP is currently limited to 40-bit RSA-DC4 encryption and can only use Microsoft-compatible authentication mechanisms.

Layer 2 Forwarding (L2F): Also devised for client-server remote access scenarios, this standard has been proposed by Cisco and is a hardware router-based protocol. It is available on specific Cisco routers. These devices will accept incoming data from the Internet and route it to the appropriate servers on a LAN. A benefit over PPTP is that stronger encryption schemes may optionally be implemented. Also, various authentication mechanisms (such as RADIUS and TACACS+) are supported by the specification. As L2F is implemented as a hardware-based solution, it may be more scalable than a software implementation of VPN. s and is recommended for medium- to large-sized businesses.

Layer 2 Tunneling Protocol (L2TP): In an effort to consolidate the above two incompatible standards, Cisco and Microsoft are collaborating to create a single protocol for use in VPN. s. It is expected that this technology will be available in all Microsoft Operating Systems in mid- to late-1998, and broad industry support from all major hardware vendors has already been announced. L2TP will be backwards-compatible with both PPTP and L2F.

IP Secure (IPSec): IPSec is being developed by the Internet Engineering Task Force (IETF) as an encrypted protocol for transferring data over the Internet. As of the time of this writing, IPSec had not yet been released as a complete standard for secure Internet tunneling. The design goal for IPSec is for supporting LAN-to-LAN connectivity, and therefore is not a direct competitor for L2TP. IPSec is lacking in support for various secure authentication mechanisms as part of the specification. This major drawback, though being reconsidered, makes it useful for full-time connections.

Best Practice: In evaluating current products, consider the use of L2TP as a major plus for remote users since this will be the new standard for Virtual Private Networking. IPSec will be an important standard for LAN-to-LAN connections. If current solutions do not yet support these standards, ensure the availability of an upgrade path.

Best Practice: For lower costs and ease of implementation and administration, use a software-based VPN router (Such as Microsoft Windows NT Server 4.x or above). If performance and scalability are main priorities, consider dedicated hardware-based solutions.

1. The remote client establishes an Internet connection. This may be via an ISP (reached by using Dial-Up Networking) or by a LAN connection through which the client has Internet access.

2. A second Dial-Up Networking connection specifying the IP address of the remote server is used.

3. On the VPN server, the user is authenticated and a secure, encrypted virtual connection is created. The user now has access to both the Internet (via the original connection from Step 1) and to the remote LAN (via the VPN server).

If client reconfiguration for existing remote access clients is expected to be difficult (such as in the case of a large number of users or users with non-Microsoft Operating Systems), VPN access can be implemented transparently to the user by using hardware routers or making arrangements with the ISP. If a company allows its users to choose their ISP. s or if there are multiple different ISP. s in use, this solution may not be as feasible.

Best Practice: Client configuration is relatively straight-forward and simple for Microsoft-based operating systems. For non-Microsoft Operating Systems that do not support VPN, consider outsourcing or using hardware-based VPN front-ends. Also, if client configuration is a major issue, consider outsourcing with an ISP.

Figure 4. Reduction in Total Number of Connections needed to connect 5 sites.

Local Area Networks can be connected through the use of VPN-capable routers at both ends of the communications path. For example, if a company based in New York acquires a company located in Los Angeles, a VPN can be setup between the two locations. This will allow a full-time, persistent connection between both sites while keeping data transport costs to a minimum. Additionally, this configuration could be transparent to network users, who may continue to work as they had before. This can be particularly beneficial in situations where both environments used different addressing schemes, network topology and protocols. Finally, a great reduction in the number of leased lines required to connect a specific number of sites can be realized using VPN. s. In the following figure, 10 total leased lines are required to connect 5 sites together (left). On the right-hand side, it is clearly seen that each site requires only one connection to the Internet. Naturally, this effect is amplified with a greater number of sites. Though the same benefit is available through Frame Relay, the cost per bandwidth ratio is usually much less for standard lines (such as ISDN), thus making VPN. s the better solution.

Windows NT VPN Setup

Installation of the service involves entering the Network options in Control Panel to add the service. Administrator access is required to add this service. The Remote Access Service configuration box will allow enabling the available hardware devices specified in hardware configuration. Any number of available devices can be added to RAS. Each device must be configured to allow either dial-in, dial-out or both. Finally, the acceptable protocols to be enabled for each port must be chosen. To activate the configuration, the server must be restarted.

Windows NT RAS can take advantage of the Internet as a medium for connecting remote clients to corporate networks. PPTP provides a secure way to encapsulate PPP data in IP packets. Since it carries PPP, it can use multiple protocols and can transmit any kind of packet over IP. Instead of using a direct ISDN or modem connection, users can utilize any connection to the Internet for transport.

PPTP can currently be implemented in one of two ways. The first is a hardware-based solution that takes advantages of services offered by Internet Service Providers. All installation, configuration and management of the secure connection is provided by the ISP. s hardware. Several hardware manufacturers . including 3Com, Ascend and U. S. Robotics . support this standard. This method has the benefit of being client-independent . As long as the server and client can establish a connection, encryption can be provided by the hardware. The below diagram shows this setup:

Alternatively, if connecting Windows NT 4.0, Windows 95 and other operating systems that support PPTP, no additional support from the ISP is required since the client and the server can handle all encryption via the operating system.

For security, RAS use RSA RC4 40-bit encryption for transferring data. For authentication, both PAP and CHAP encryption may be used (see Security for a description of these methods). In effect, this allows the Internet to act as a secure network backbone that can not only support TCP/IP, but also can transmit IPX and NetBEUI. Additional security for PPTP can be configured by using Windows NT. s built-in packet filtering. When enabled, this effectively disables all protocols except PPTP for the specified port. This is important for multi-homed machines because it can limit all incoming traffic to that server to authenticated, secure PPTP connections.

Virtual Private Networking on Windows NT has recently been expanded to allow server-to-server connections. Functionality is provided in the Windows NT Server Routing Upgrade (formerly code-named "Steelhead"), available free from Microsoft. This effectively allows distributed corporate networks to use the Internet as a virtual backbone for remote sites. The main advantage is a dramatic decrease in the costs associated with provisioning WAN leased lines. Since there is already a global infrastructure available for transporting data securely, there is no longer a need for companies to lease a line to connect two or more remote locations.

Configuration

Windows NT 4.0 and Windows 95 are the only operating systems that currently support PPTP technology. Windows 95 does not include a PPTP server service and requires the recently-release free Dial-Up Network 1.3 Upgrade from Microsoft in order to connect to PPTP servers. Therefore, software-based PPTP implementations are recommended for Microsoft-O/S based corporations. In general, PPTP is configured very much like other Dial-Up Networking connections. The main difference is that an IP address is entered instead of a phone number for the connection information. The client connection sequence is as follows:

1. The remote client establishes an Internet connection. This may be via an ISP (reached by using Dial-Up Networking) or by a LAN connection through which the client has Internet access.

2. A Dial-Up Networking connection specifying the IP address of the remote server is used.

3. On the server, RAS authenticates the user and creates a secure, encrypted virtual connection. The user now has access to both the Internet (via the original connection from Step 1) and to the remote LAN.

The client configuration procedure is similar for both Windows NT and Windows 95. On both operating systems, the "Point-to-Point Tunneling Protocol" must be installed and bound to the dial-out device. Additionally, a Dial-Up Networking connection must be created. On Windows 95, this connection will specify the remote IP address to which to connect. The Dial-Up Adapter will be a "VPN Port" (a logical device used by PPTP). On Windows NT, after installing the PPTP protocol, a "Virtual Port" is created (by default named "RASPPTPVPN1"). This . port. acts exactly like any other dial-out device and must be selected as the adapter for dial-out in the new Dial-Up Networking connection.

In order to allow PPTP connections, the Windows NT Server must have the "Point-to-Point Tunneling Protocol" installed. When installing the protocol, the number of "Virtual Private Networks" must be defined. This number refers to the actual maximum number of connections that will be allowed to the RAS server via the Internet. The maximum number of connections supported is 256. Each of these . Virtual Ports. must then be configured in the RAS Administrator as available dial-in ports.

In order to allow PPTP packets into a network, all routers along the virtual circuit must allow the passage of control information on Port 1723 and allow data transfer via Protocol #47 (Generic Routing Encapsulation) to be passed. This will not be a concern for most implementations as most ISP. s forward these packets by default. Some packet-filtering configurations may restrict data throughput on this port, and therefore may need to be reconfigured. The same concern is valid for hardware implementations of PPTP . that is, if any router along the way restricts these packets, sessions cannot be established.

Following a reboot of the server, several new options will be available. The Remote Access Administrator is part of the "Administrative Tools" program group and can be used to start and stop the RAS service, view the number of current connections, show which ports are available for dial-in and dial-out, and to grant or revoke remote login permissions for users. To grant remote dial-in permissions to users, the Remote Access Administrator can be used. A list of users specified on the server will be shown, along with a check box to grant login permissions. From this screen, call-back verification options can also be set (see Security for further information). The same permissions and call-back options can also be controlled via the User Manager application.

RAS can be configured to let clients access only the resources on the RAS server itself, or it may allow access to the entire network (assuming the client has appropriate permissions). After the RAS service has been started, the server will be ready to accept remote connections from any of the designated dial-in ports.

Selecting from the three available protocols is usually fairly straight-forward and are based on the needs of the client.

• NetBEUI should be used for clients connecting to servers that use NetBIOS. Its main advantage is that it is a very efficient protocol, especially over slow serial links. By itself, NetBEUI is a non-routable protocol. If necessary, the "NetBIOS Gateway" can be enabled on the server to allow the protocol to be routed to remote networks (if the client needs to access the entire network).

• TCP/IP is required for applications that use Windows sockets. It is also the protocol used by the worldwide Internet. Additional configuration for TCP/IP requires defining a static address pool for incoming connections. An option is also available to allow remote clients to request a specific IP address. RAS TCP/IP allows clients to use DHCP (for acquiring IP configuration information), WINS (for name resolution) and DNS (also for name resolution). Additionally, static HOSTS and LMHOSTS files, as well as broadcasts, may be used.

• IPX/SPX is required by clients who need to access the network via this protocol and for machines which intend to use the Client Services for Netware. Network numbers can be allocated automatically, or a specified range of addresses can be defined. There is also an option to assign the same network number to all IPX clients.

Whether the client can access only the remote server or the entire network can be determined in the options for each protocol.

In general, RAS can be a very scalable solution. The number of acceptable simultaneous connections can be increased by upgrading a servers hardware configuration. Even in cases where the current hardware of one RAS server is pushed to its limits, additional servers can be easily added to share the load. In order to determine the necessary hardware for achieving a given level of performance, monitoring current statistics is important. Installing the Remote Access Service makes . RAS Port. and . RAS Total. counters available in Performance Monitor. The RAS Port counters monitor performance of a single RAS port, and the RAS Total counters monitor all of the ports as a single unit. Among the available counters for both objects are:

• CRC Errors: Indicates how often data is corrupted in transit between the client and server; this can indicate line quality.

• Percent Compression In and Out: Reflects how much compression the RAS service achieves while transmitting and receiving data. This value can indirectly indicate the type of the data being transferred and the efficiency of the particular type of hardware being used.

• Serial Overrun Errors: How often the server fails to respond quickly enough to a client's transmission. An . overrun. occurs when the transmission buffer is full and the CPU is unable to process this data before more is requested. This can reflect the server's workload, and it can cause the server and client to negotiate a slower transmission speed, which in turn causes longer calls and more busy signals. This value should be used to determine whether a hardware upgrade of the server might be required.

• Bytes Transmitted/sec: By determining how much data is being passed through to remote connections, bandwidth utilization can be determined.

Additionally, the basic performance parameters for a server should be considered. A consistently high CPU utilization may indicate that either the remote access hardware is putting a heavy burden on the processor, or that the server is running too many different services to perform acceptably. A consistently large number of page faults per second is indicative of a need for more RAM on the server. Finally, a very high number of interrupts per second could indicate a possible hardware failure.

The Remote Access Administrator will show which ports are in use and which ports are available. If all ports are often in use, it will probably be necessary to increase the number of ports or to disconnect idle users periodically. If some ports are displayed as not available, this may indicate a configuration error or a hardware failure that needs attention. Additionally, Remote Access Administrator can be used to view the current state of all RAS servers in a domain. Using these monitoring methods can greatly reduce the amount of . trail & error. required to reach a given level of performance.

Monitoring Client Performance

For most current desktop and workstation configurations, the limiting factor in throughput will be the WAN adapter and, in the case of analog lines used by modems, the quality of the line. It is unlikely that CPU performance, serial interface rates and memory limitations will cause any appreciable decrease in achieve maximum throughput. In addition to monitoring the types of performance discussed earlier (see Server Configuration), the Windows NT Dial-Up Networking Monitor (Figure 1) can provide additional information about the connection speed and the quality of the line. Similar in-depth information, can be obtained by the Windows 95 System Monitor application (Figure 2). System Monitor includes a counter for Dial-Up Adapters and also a Counter for individual modem devices (as long as the "Record a log file" option is enabled. Both of these utilities can show if the line quality is acceptable and if the server is providing adequate throughput.

This section will discuss the various security considerations for implementing RAS as a solution for remote access. Security issues related to Point-to-Point Tunneling Protocol (PPTP) will be discussed in a later section.

Since WAN connections are not normally owned by a company, it is very important to protect all data travelling on these links. Passwords must be protected, even if they are intercepted during transmission by an intruder. To ensure that remote logins are at least as secure as logins over the Local Area Network, various options are available for sending passwords in encoded form. This reduces the likelihood of an intruder decoding passwords, even if they are intercepted from the connection. Authentication mechanisms include the following:

• Password Authentication Protocol (PAP) uses clear text passwords and is the least sophisticated authentication protocol. It should only be used if the remote workstation and server cannot negotiate a more secure form of validation. Shiva. s version of this protocol, SPAP, does not send clear-text on the wire and is therefore more secure. SPAP is used by RAS dial-out when connecting to Shiva devices but never for dial-in access.

• Challenge-Handshake Authentication Protocol (CHAP) uses a challenge response with a one-way encryption on the response. CHAP allows different types of encryption algorithms to be used such as DES, MD4 (MS-CHAP), and MD5 (MD5-CHAP).

Which authentication protocol is used is based on the capabilities of the client. CHAP provides the best level of security and is used as the default encryption method, whenever possible, by RAS. This method will use the government. s Data Encryption Standard (DES) which uses a 64-bit encryption key algorithm. MD5 can be used by RAS for dial-out, but is not included as part of RAS server for dial-in. If none of the above encryption methods are compatible, RAS can try to use clear-text authentication (PAP). This feature should be disabled to provide for the best possible security.

In order to gain access to network resources via a Windows NT RAS Server, a user must have appropriate permissions to login to the server remotely. If the server is in a workgroup, the user must have a valid account and password. For allowing dial-in access to the entire network, a domain setup is highly recommended. Among the advantages of this type of network are:

1. A centralized security database that can be viewed and administered from any server in that domain. Since all servers in a domain share the same security account, dial-in permissions can be granted or revoked from any one of these machines. Upgrading hardware or adding an additional RAS server is also greatly simplified since no permissions will need to be reassigned.

2. Centralized administration of all RAS servers in that domain. RAS Administrator will be able to show connections into the domain from the local machine or any other RAS server. Ports can be configured and reset easily from remote locations.

3. Ease of setting user permissions for the network. Instead of forcing the remote user to enter a password and username for each remote share he/she needs to connect to, a single, unified login will provide access to all resources available to this user. This may be useful in instances where, for example, the Administrator wants to prevent remote users from spooling large print jobs on the print servers over a slow serial link.

If the user is logging into a Windows NT Domain Controller (either Primary or Backup), the user must also have domain login permissions. After authentication, the domain user will have access to all resources that would be available over the LAN (had the user logged in over the network).

Call-back verification can add an extra level of security. Windows NT RAS can be configured to force users to enter the phone number from which they are calling as part of the login procedure and have the Server call them back to establish a connection. There are three options available for this feature: 1) Always return the call to a preset number; 2) Allow the caller to specify a phone number from which he is calling; and, 3) Allow no call-backs. Call-backs occur after a user has been authenticated, but before network access is granted. Therefore, no unauthorized callers may request callbacks from the RAS server. Connections can be restricted so that the must originate from a known phone number (for example, from the user. s home). This provides the benefit of ensuring that the client is calling from a trusted location and can help reduce the risk of outside hacking attempts. Additionally, call-backs can be used to shift the burden of long distance charges incurred by the remote user to the corporation directly.

The same security features used by Windows NT are applicable to remote connections. For example, account lockout after a specific number of unsuccessful login attempts can be enabled. Minimum and maximum password age and password uniqueness can also be enabled. Even after logging in, a user must have explicit permissions to access files, directories and printers. As already discussed, the benefits of domain security include the ease of administration and granting of permissions. For example, Domain Administrations can disconnect a single user logged-in remote to the domain from any RAS-enabled server regardless of which server was used to login.

Finally, for an additional level of security, several third-party products (which will not be discussed here) can be used to authenticate users before they can attempt a RAS connection. Some of these methods require a user to swipe a pass-card before connecting to the remote server. In order for these devices to work, a modification of the default Windows NT RAS scripts is usually required.

By default, PPTP uses RSA-DC4, 40-bit encryption for the transfer of data. For authentication, one of several methods is available. Windows NT Challenge-Handshake Authentication Protocol (CHAP) is recommended, as this method does not actually send the password over the network. Instead, it sends a string determined by a one-way function that is made up of the client machine name and the current user account. Though this is the most secure method of authentication, its drawback is that it is limited in use to clients that support this protocol . namely Windows 95/98 or Windows NT. For all other types of clients, Password Authentication Protocol (PAP) is available. Though this method does send a clear text password over the connection, it is the most compatible standard available.

Auditing can provide a very powerful method for viewing user activity on the server and the network. To enable auditing in Windows NT, the User Manager application can be used to set the system-level auditing policy. Here, tracking various events such as logon successes and failures and file access attempts can be enabled.

A high number of logon failures may indicate failed hacking attempts. Audit data is stored in the Windows NT Event Viewer under the . Security. log and can be viewed by any user with appropriate permissions. The audit log may also provide useful information about which users are frequently using remote access services and when they are calling.

Note: The following calculations do not include these items as they are similar in both cases: Internet connectivity (line and adapter cost), Server hardware, Installation and setup, Modem costs for clients