Remote authentication: Four tips for improving security


Jonathan Hassell
06.30.2006

Remote users are a problem for many of us whose job is to keep the network secure. Whenever you do not control a machine's physical location, a world of variables is introduced that can compromise the integrity of your infrastructure. As remote access becomes a requirement rather than a nicety, it is important to maintain a remote authentication process that is secure but still easy to use. Here are four tips to make remote access to your network easier to administer:
  1. Use RADIUS or a similar authentication, authorization and accounting (AAA) server to control, at a granular level, who gets access to what, and to keep track of what those users do. Most versions of Windows Server include the Internet Authentication Service (IAS), Microsoft's RADIUS implementation. IAS authenticates against Active Directory, giving you a single identity store and sparing you, as the administrator, from maintaining a separate database of approved remote users. You can also authorize access to particular parts of the network based on group membership, and control whether remote clients receive static or dynamic IP addresses. In addition, IAS keeps an active, easily searchable log that you can turn to when you need to reconstruct a connection after an incident.
    Benefits: single identity store, group-based authorization, searchable accounting logs for incident response

  2. Invest in purpose-built devices, not full servers, for your endpoints. Using a general-purpose server and operating-system features to perform AAA directly at the endpoint takes close to a full-time employee to keep that server monitored, updated and hardened. Even with auxiliary services turned off, a general-purpose operating system is not designed to weather the constant beating an Internet-facing system takes. Devices designed to do nothing but remote-access concentration and remote authentication have a much smaller attack surface and a kernel tuned for that limited set of functions, so they are a better bet for keeping the "back door" of your network secure. They are not maintenance-free: an appliance still needs firmware updates, a strong RADIUS shared secret and its logs exported to your central store, but that is far less work than hardening a full server.
    Benefits: improved security, better probability of a faster connection sequence, less security hardening required

  3. Consider a quarantine solution so that infected or misconfigured machines do not get unfettered access to your network. A machine connecting to a quarantine-enabled endpoint is checked automatically against a common baseline: patches applied, host firewall enabled, antivirus signatures current, and so on. If it fails any of these checks, it is placed in quarantine and can reach only a small set of remediation hosts that carry the tools needed to fix the failing item. Cisco's Network Admission Control (NAC) technologies are available today and are slated to interoperate with Microsoft's Network Access Protection (NAP), which Microsoft will ship on the client with Windows Vista and on the server with Longhorn Server. In the meantime, see the complete deployment guide to Network Access Quarantine Control (NAQC) that I wrote earlier this year for SearchWindowsSecurity.com. NAQC is a more limited but working quarantine mechanism available today for Windows Server 2003 Service Pack 1. Whatever product you choose, a quarantine network is only as good as its remediation path: make sure a quarantined client can actually reach the patch and antivirus update servers, or users will simply stay stuck.
    Benefits: sets a minimum acceptable security baseline for your network, cements security policy, can clean up problematic machines, reduces the chance of an infected machine spreading malware internally

  4. Be consistent in your remote authentication policies. If different departments on your campus each maintain their own endpoints into your network, form a working group and draft a unified specification for secure, rapid remote authentication. Consider pitching a single network endpoint to the powers that be, one that operates under a single, comprehensive security framework. This is a proactive step rather than a reactive one. Otherwise, departments will end up with more or less stringent requirements for authentication and authorization, and the weakest of them is the one an attacker will find and use.
    Benefits: easier administration, fewer rules for users to remember, better logging
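The exchange that tips 1 and 3 describe, as an added example in Python that is not code from the article, from IAS or from any NAC product: a NAS sends an Access-Request with the password hidden as RFC 2865 prescribes, and the server authenticates the user against an identity store, authorizes by group membership, evaluates a posture report against a baseline, and answers with an Access-Accept whose Filter-Id either opens the network or confines the session to the remediation hosts (an Access-Reject otherwise), writing one accounting line per decision. It goes one step beyond the text: it also computes and checks the Response Authenticator, so the NAS can tell a genuine reply from one forged by a host that does not know the shared secret. The identity store, the posture reports, the shared secret, the group name VPN-Users and the Filter-Id values are constructed assumptions for the example.

```python
"""Toy RADIUS Access-Request/Access-Accept exchange (RFC 2865 framing) with
group-based authorization and a quarantine decision. Added example, not code
from the article, IAS or any NAC product; the identity store, posture reports,
shared secret, group name and Filter-Id values are all assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE = 1, 2, 11, 18
SHARED_SECRET = b"example-shared-secret"   # assumption: NAS/server secret
REMOTE_GROUP = "VPN-Users"                 # assumption: group that grants remote access
BASELINE = ("patched", "firewall", "av_current")
# Constructed identity store (stands in for Active Directory behind IAS).
USERS = {
    "alice": {"password": "Corr3ctHorse", "groups": {"VPN-Users", "Finance"}},
    "bob":   {"password": "B0b-Remote!", "groups": {"VPN-Users"}},
    "carol": {"password": "C4rol-Temp", "groups": {"Contractors"}},
}
# Constructed posture reports, as a quarantine agent would supply them.
POSTURE = {
    "alice": {"patched": True, "firewall": True, "av_current": False},
    "bob":   {"patched": True, "firewall": True, "av_current": True},
}

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length includes the 2-byte header.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def hide_password(password, secret, req_auth):
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), seeded by the Request Authenticator.
    p = password.encode() or b"\x00"
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")

def build_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)              # fresh Request Authenticator per request
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def handle_access_request(packet, secret, log):
    # Server side: authenticate, authorize by group, then enforce the baseline.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), given.encode()):
        code, verdict, reply = ACCESS_REJECT, "reject", [(REPLY_MESSAGE, b"authentication failed")]
    elif REMOTE_GROUP not in rec["groups"]:
        code, verdict, reply = ACCESS_REJECT, "reject-unauthorized", [(REPLY_MESSAGE, b"no remote-access group")]
    else:
        failed = [k for k in BASELINE if not POSTURE.get(user, {}).get(k)]
        if failed:  # Access-Accept, but Filter-Id confines the session to remediation hosts
            code, verdict = ACCESS_ACCEPT, "quarantine"
            reply = [(FILTER_ID, b"quarantine"), (REPLY_MESSAGE, ("fix: " + ",".join(failed)).encode())]
        else:
            code, verdict, reply = ACCESS_ACCEPT, "full", [(FILTER_ID, b"full-access")]
    log.append(f"ident={ident} user={user} result={verdict}")   # searchable accounting trail
    body = encode_attrs(reply)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + req_auth + body + secret).digest()   # Response Authenticator (s3)
    return hdr + resp_auth + body, verdict

def verify_response(resp, req_auth, secret):
    # NAS side: trust the reply only if it was built with the shared secret.
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def run_exchange(user, password, nas_secret=SHARED_SECRET, log=None):
    # One NAS<->server round trip; the server always uses its own secret.
    log = [] if log is None else log
    req = build_access_request(7, user, password, nas_secret)
    resp, verdict = handle_access_request(req, SHARED_SECRET, log)
    return verdict, verify_response(resp, req[4:20], nas_secret)
```

run_exchange("alice", "Corr3ctHorse") yields ("quarantine", True) because alice's antivirus signatures are stale, run_exchange("carol", "C4rol-Temp") is rejected for lack of the remote-access group even though her password is right, and run_exchange("bob", "B0b-Remote!", b"rogue-nas") yields ("reject", False): a NAS with the wrong secret can neither hide the password correctly nor validate the reply. One caveat: the MD5-based hiding of RFC 2865 protects PAP passwords only as well as the shared secret is strong and unique per NAS, so for anything Internet-facing prefer an EAP method over RADIUS and keep the RADIUS traffic itself off untrusted networks.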

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

All Rights Reserved, Copyright 2000 - 2008, TechTarget | Read our Privacy Policy