S 4.113 Use of an authentication server for remote access VPNs
Initiation responsibility: IT Security Officer
Implementation responsibility: Administrator
For remote access VPNs (RAS VPNs) with numerous users, consideration should be given to how remote access users can be administered efficiently. In general, every RAS user needs to be given a system identifier (user account of the operating system) and must provide identification and authentication when using such a user account. RAS functionality and a common user administration system are already integrated into some operating systems (e.g. in current versions of Windows). Medium-sized and large networks, however, are usually organised by dividing them into several subnetworks (domains, administration areas), and this creates a problem because the user data of each administration area then needs to be administered separately. If users are also to be able to log in to other subnetworks, it is necessary either to set up cross-certificates (trust relationships) or to set up and maintain a central directory service. Another alternative is to set up an additional user account for every user in the other subnetwork, but this makes administration of the user data more difficult. For RAS in particular, special authentication systems have emerged that can also be used for the "normal" authentication process when logging in to the system. Typical examples of such systems include RADIUS, TACACS, TACACS+, and LDAP-based directory services.
These systems have the following basic design:
- The authentication data of the users is administered by a central server.
- The program used to log in to the system contacts the authentication server to check the authentication data entered by the user.
- A secure protocol is used as a general rule for communication between the login process and authentication server.
The login process must support the use of external authentication servers in this case. Furthermore, the network address of the authentication server to be used must be entered correctly in the configuration data of the login process. If a user now wants to log in to the system, the following (highly simplified) procedure is followed, regardless of whether the user is using a RAS connection for this purpose or is located directly in the LAN:
- When a connection is established using the system login process or the RAS login process, the corresponding process contacts the authentication server and informs it that a user has sent a request to open a connection. If a "challenge/response" procedure is used, the authentication server returns a "challenge" to the process, which then forwards the challenge to the user.
- The user authenticates him/herself to the VPN client by entering a password or a token.
- The login process forwards the authentication data (usually transparently to the user) to the authentication server.
- The authentication server verifies the user data and informs the login process of the result of the verification.
- Access to the (access) network is granted if the verification was successful.
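The following Python example, added here and not part of the original safeguard, models the exchange described above: a central authentication server holds the user secrets, the RAS login process only mediates, and a single-use challenge is answered with an HMAC-SHA256 response. The message names, the response function and the sample user are assumptions and do not correspond to any particular RADIUS or TACACS+ implementation.

```python
import hmac, hashlib, secrets

# Assumed simplification: the user secret is a shared key known to the user's
# token/client and to the authentication server, never to the login process.

class AuthServer:
    """Central server holding each user's secret (constructed sample data)."""
    def __init__(self, users):
        self.users = dict(users)   # user -> shared secret
        self.pending = {}          # user -> outstanding single-use challenge

    def request_challenge(self, user):
        # Step 1: the login process reports a connection request; the server
        # answers with a fresh random challenge that is valid for one attempt.
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # Steps 3-4: check the forwarded response and report the result.
        challenge = self.pending.pop(user, None)   # removed on use, so a replay fails
        if challenge is None or user not in self.users:
            return False
        expected = hmac.new(self.users[user].encode(), challenge.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison

def client_response(secret, challenge):
    """What the user's token or VPN client computes from the forwarded challenge."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.sha256).hexdigest()

def ras_login(server, user, secret):
    """The login process: forwards challenge and response, grants access on success."""
    challenge = server.request_challenge(user)      # forwarded to the user
    response = client_response(secret, challenge)    # step 2: user authenticates
    return server.verify(user, response)             # step 5: access granted or denied

SERVER = AuthServer({"alice": "s3cret-shared-with-token"})   # constructed example user
```

Because the server discards each challenge after one verification, a captured response cannot be replayed, and the login process never holds the user secret itself.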
Through the use of central authentication servers, it is possible on the one hand to administer the authentication data consistently and, on the other hand, to use authentication mechanisms that are better than those supported by default by the operating systems. Smart cards and token-based mechanisms are examples of such mechanisms. Depending on the system, these mechanisms generate one-time passwords that are displayed once on the screen and that the user must then enter as the password.
For medium-sized and large networks, the use of authentication servers is recommended, especially for RAS, because this offers a significantly higher level of security than user authentication performed locally on each system. However, it is necessary to consider that this server needs to be administered and maintained as well. On the one hand, an authentication server must be placed in the network so that it can be accessed with adequate performance; on the other hand, it also needs to be protected against unauthorised access.
Review questions:
- Is consistent user administration guaranteed for RAS access and for access to systems and applications?
- Do the authentication procedures of the RAS-VPN used meet the security requirements specified?
- If separate authentication servers are used: Are these authentication servers operated securely and are they protected against unauthorised access?