When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).
Entering an internetwork via a dial-in connection is almost always done through an access server. The access server is a dedicated device that fields phone calls from remote individuals trying to establish a connection to a network. Access servers are also called network access servers or communication servers. Their key attribute is to behave like a full-fledged IP host on one side, but like a modem on the other side. Figure 8-2 depicts the role access servers play in dial-in connections.
Figure 8-2. Access Servers are devices dedicated to supporting remote dial-in connections.
When you connect to an internetwork’s host from the enterprise campus, you usually do so over a dedicated twisted-pair cable that is connected to a hub or a switch. To make that same connection from afar, you usually do so over a normal telephone line through an access server—a device that answers the phone call and establishes a network connection. Besides making connections for remote dial-in users, access servers can also be used to connect remote routers.
User-Based Security for Local Connectivity When you turn on your PC and log in at work, you’re not dealing with TACACS+ or RADIUS. The username and password prompts are coming from your local server. Most LAN servers run Windows 2000/2003, Linux, UNIX, or Novell platforms. They have security subsystems and user databases of their own to authenticate and authorize users. RADIUS isn’t used because it’s a dial-in password protocol. TACACS+ isn’t used because it controls entry into the Cisco network devices themselves—routers, switches, and access servers—in addition to providing dial-in security much like RADIUS.
In this chapter, discussions of local or “in-network” connections refer to network administrators logging into IOS to work on a Cisco network device.
User-Based Security for Remote Connectivity Small office and home office users tap into their enterprise internetworks via an access server, making it perhaps the most basic device in any wide area network. Low-end access servers are inconspicuous desktop devices resembling a PC without a monitor. When you dial into your ISP to get into the Internet from home, the call is also answered by an access server. As you might imagine, an ISP’s computer room is jammed with rack-mounted high-density access servers to handle connections made from thousands of subscribers. (As a reminder, high density means many ports per device.)
Access servers are intelligent devices that handle other tasks in addition to making a line connection. They provide special services to accommodate configurations frequently encountered in enterprise internetworks:
Routing service Run by access servers called access routers, this makes it seem as if the dial-in user is sitting directly on the campus network. The key feature of access routers is dial-on-demand routing (DDR), which makes it possible to route traffic from a remote LAN to the main network over low-cost, dial-up phone lines.
Terminal service Many WAN connections still use terminal protocols. For that reason, most access servers support terminal protocols such as IBM’s TN3270, UNIX rlogin, or Digital Equipment’s Local-Area Transport (LAT). A PC could run terminal emulation software to make such a connection.
Protocol translation A remote user may be running a virtual terminal protocol and then connect to a system running another virtual terminal protocol. Most access servers still support protocol translation.
As computing infrastructure improves, terminal service and protocol translation are declining in use. In contrast, access routers are increasing in popularity as small offices build LANs of their own and turn to DDR for convenience and savings.
As you’ve learned by now, there’s a protocol for just about every major internetworking task. Making dial-in network connections work properly presents special problems because most telephone company infrastructure was designed to handle voice, not high-speed data. Dial-in protocols exist to handle the point-to-point dial-in connections over normal telephone lines.
PPP Point-to-Point Protocol is the de facto standard for remote dial-in connections to IP networks; virtually all dial-in connections to the Internet use PPP. Most PPP connections are over asynchronous lines, but a growing number are made over ISDN in areas where it’s available.
SLIP Serial Line Internet Protocol is also used to make point-to-point dial-in connections to IP networks from remote sites. SLIP is the predecessor to PPP, but is still in use in some quarters. You may also encounter a SLIP variant called CSLIP, Compressed Serial Line Internet Protocol.
ARAP AppleTalk Remote Access Protocol is Apple’s tool for dial-in connectivity to remote AppleTalk networks.
In the old days, to make a remote connection, you dialed into a PBX or terminal server to connect to a mainframe or minicomputer as a dumb terminal. With the rise of internetworking, network-attached terminal servers took over the job of taking dial-in calls. As demand for remote computing grew even more, simple terminal connections were replaced by those made using the SLIP protocol. By that point, many desktops had PCs instead of terminals, but they emulated terminals in order to make dial-in connections. The boom in demand for Internet connectivity drove the market to replace SLIP with PPP, a protocol even more capable of computer-to-computer communications over phone lines. For our purposes, we’ll assume PPP as the dial-in protocol unless otherwise noted.