Remote access equipment requirements
Jun 1, 2001 12:00 PM, By Kevin McNamara, CNE
Last month, I discussed three methods to remotely access your server � dial-up, extranet and the virtual private network (VPN). This month, we will look at some of the hardware and software required to implement those solutions.
Extending the accessibility of your company server can prove to be a valuable resource for your employees that spend time away from the office, or perhaps a means to bring timely information to a remote broadcast; but, at the same time, you provide a prime opportunity for hackers to gain entry onto the network. Whichever remote access solution you decide upon, the first and most important detail to be considered is securing the network. You have no doubt heard of, or perhaps even have set up, a firewall.
The firewall is a security mechanism used to control access to your network. Most firewalls are hardware devices; however, several software products are available for small networks and individual workstations. The hardware-based firewall has been around for several years, and is also known as a �proxy server� or �gateway.�
The concept behind it is simple: an outside user would first establish contact with the proxy server, which would require the proper authentication, typically in the form of user name and password. Once the user is verified and authorized, the proxy server will then establish a �session� between the user and server. You will recall that the networking model that is in use today is defined by a document known as the Open Standards Interconnect (OSI) and is comprised of seven layers: physical, data link, network, transport, session, presentation and application. Each layer provides services to the other layers immediately before and/or after it. Firewalls generally operate at either the Network or Application layer.
A proxy server is an example of a firewall operating at the application layer. Essentially, a firewall operating at the application layer eliminates the direct flow of data between the network and an outside user. Firewalls operating at the �network� layer route traffic based on the source and destination addresses, as well as the intended port of each IP packet. The definition and use of ports is a lengthy subject but, simply put, it presents �virtual slots� used to map connections between two hosts at the Transport Control Protocol (TCP) or User Datagram Protocol (UDP) levels. Network firewalls permit traffic into a network based on a set of rules that are programmed by the network administrator. The rules determine what type of traffic is permitted on the network and what will be blocked. The current generation of network routers has sufficient intelligence that allows them to be programmed to act as a simple firewall.
By far the simplest method for remote access, dial-up access to your network can be accomplished in a variety of ways, depending on the number and location of users that will need to use the network. The most rudimentary method to implement dial-in access would be to add a basic PC workstation equipped with one or more modems and a network card to your existing network. Outside users would dial the telephone line(s) that have been assigned to the modem(s). The login process may vary depending on the type of network operating system and configuration of the host PC. Most dial-in access uses the standard dialer client program that you probably use to dial-in to your Internet Service Provider. You would create a dial location containing the telephone number and protocols for your dial-in number.
Another means to gain remote access would be to use a program such as PC Anywhere or Co Session that would mimic the operation of the PC located in the office as if you were there. One drawback of this method is that someone could watch what you are doing remotely on the office PC and possibly gain privileged information.
Accommodating a larger user base is slightly more complicated and requires either the use of centrally located modem banks or access provided by the telephone company. Modem banks are typically rack-mounted equipment frames that accept plug-in modem modules. Each module is attached to a dedicated telephone line. Modem banks aggregate traffic flowing through the individual modems into a single signal such as T1 or USB.
Another approach, offered by the various telephone companies, allows users to access your server using local dial lines through leasing access to local modem banks located within a particular region or nationally. The data from these connections are delivered directly to your server using your existing Internet connection.
Extranets and VPNs
Extranets permit the access of company information through a web site using any Internet connection including dial-in, VPN, T1, etc. Implementation of an extranet typically doesn't require much in the way of external hardware, with the exception of a good firewall. The design of a proper extranet requires the collaboration of web designers and IT managers.
Using the global presence of the Internet, VPNs provide a secure and cost-effective solution to connect remote users to your network. One recent study predicts that, over the next three years, the majority of businesses will use VPNs. As you will recall, the VPN works through a process called �IP Tunneling.� IP tunneling permits the transport of both IP and non-IP protocols over any TCP/IP network, including the Internet. The VPN also offers a higher lever of encryption, thus eliminating the possibility of any data becoming �readable� by potential hackers.
Implementation of a VPN is achieved using the standard network hardware, such as a firewall, router, etc. More recently, single devices are available that integrate the firewall, router and a means to manage bandwidth into a single device which supports all the VPN specific protocols. Specialized software that handles the log-on/off, IP tunneling and encryption processes is loaded on the remote computer. Starting a VPN session is as easy logging on to your ISP.
As with any major addition to your network, it's important to have a complete understanding of the potential benefits vs. the security risks, and always maintain a security plan that is applied consistently.
Kevin McNamara, BE Radio's consultant on computer technology, is president of Applied Wireless Inc., New Market, MD.
All of the Networks articles have been approved by the SBE Certification Committee as suitable study material that may assist your preparation for the SBE Certified Broadcast Networking Technologist exam. Contact the SBE at (317) 846-9000 or go to www.sbe.org for more information on SBE Certification.