PTP/PPTP
The Point-to-Point Tunneling Protocol (PPTP) is used to create a secure tunnel between two points on a network, over which other protocols such as the Point-to-Point Protocol (PPP) can be carried. This tunneling functionality provides the basis for many VPNs. Although PPTP is a widely used tunneling protocol, other tunneling protocols, such as L2TP with IPsec, provide even greater security. PPTP also cannot authenticate the end of the tunnel and thereby prevent a man-in-the-middle attack, but L2TP can. Because of these disadvantages, PPTP has been largely replaced by L2TP.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) provides a centralized system for authentication, authorization, and accounting. Remote access servers become clients of another server referred to as a RADIUS server. The authentication of the users is then actually performed by the RADIUS server based on certificates, Kerberos, or some other type of authentication. RADIUS uses UDP for the communication between the remote access servers (RASs) and the RADIUS server. The RAS becomes a go-between that opens the door, or doesn’t, for the client computer to come in and use the resource. Also, because all requests are centralized through the RADIUS server, accounting for those requests is also centralized. RADIUS is supported on all Microsoft Servers. When RADIUS is used with wireless networks, IEEE 802.1x, and WPA, the result is WPA Enterprise.
RAS
Remote Access Service (RAS) is a remote access solution that is included with Microsoft Windows Server products. Its main function is to give users the same access to the network from a remote location as if they were actually sitting at their desks, although sometimes the access is much slower. RAS is implemented in Windows NT Server as RAS and in Windows 2000 Server, Windows Server 2003, and Windows Server 2008 as Routing and Remote Access Server (RRAS), but both product implementations offer the same basic functionality – remote access connectivity to a LAN environment. RAS servers can provide dial-up connections using modems as well as VPN connections using WAN miniports. Figure 1.4 shows an RRAS server on Windows Server 2008.
FIGURE 1.4 An RRAS server on Windows Server 2008
TACACS+
Terminal Access Controller Access Control System+ (TACACS+) is a service that is similar to RADIUS but uses TCP to communicate between the RAS and the TACACS+ server. It was developed by Cisco Systems to address the need for a more scalable AAA solution. The fact that it uses TCP (a connection-oriented protocol) instead of UDP (a connectionless protocol) offers several advantages, namely that the RAS server receives an acknowledgment from the TACACS+ server that the authentication request has been received and is being processed. Also, because the two can communicate with a connection-oriented protocol, more sophisticated security mechanisms can be employed. For example, while RADIUS encrypts only the password in the packet that is passed from the RAS to the RADIUS server, TACACS+ encrypts the entire body of the packet, including the information regarding the username and the service that the user is requesting. This makes TACACS+ a much more secure service than RADIUS. Of course, TACACS+ also keeps an accounting of all requests from a RAS, and that accounting can also be secured.
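The contrast with RADIUS is easiest to see in code. This added example (not from this book) builds a TACACS+ authentication START packet and applies the body obfuscation defined in RFC 8907 section 4.5: a pseudo-pad of chained MD5 digests over the session ID, shared key, version and sequence number is XORed over the entire body, so the username, port, remote address and credential are all hidden, while the 12-byte header stays in the clear. The key, session ID and credential values are constructed samples.

```python
import hashlib
import struct

# RFC 8907 header constants
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (never in production)


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5 pseudo-pad: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1}); concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the whole body with the pseudo-pad; XOR is its own inverse, so this also decodes."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    authen_service=LOGIN(1), four length octets, then the variable fields."""
    for field in (user, port, rem_addr, data):
        if len(field) > 255:
            raise ValueError("field length must fit in one octet")
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes,
                 seq_no: int = 1, unencrypted: bool = False) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) plus body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate_body(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(payload))
    return header + payload


def unpack_body(packet: bytes, key: bytes) -> bytes:
    """Server side: read the cleartext header, then de-obfuscate the body if flagged."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:12 + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate_body(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    key = b"constructed-key"          # constructed sample, not a real key
    body = build_authen_start(b"alice", b"tty0", b"10.0.0.5", b"hunter2")
    pkt = build_packet(body, 0x1234ABCD, key)
    print("username visible on the wire:", b"alice" in pkt)   # False
    print("server recovers body:", unpack_body(pkt, key) == body)
```

Two points worth noting from a defender's side: RFC 8907 itself describes this as obfuscation rather than encryption, since the keystream is MD5-derived from a static shared key, so TACACS+ traffic still belongs on a protected management path; and the unencrypted flag is a debugging setting that a monitoring rule can flag, because a production packet carrying flags = 0x01 exposes the whole body.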