Remote access servers allow users to securely access a private network from a remote location. Proper authorization is crucial to prevent unauthorized access. There are a few key methods remote access servers use to authorize users before granting access.
Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of security beyond just a username and password. There are three main types of factors used in 2FA:
Knowledge Factors
This is something the user knows, like a password or PIN. This is the most basic factor.
Possession Factors
This is something the user has, like a token device that generates random codes. The code must be entered along with the password.
Inherence Factors
This is something the user is, like fingerprint or facial recognition. Biometrics fall into this category.
Requiring two or more factors makes it much harder for an unauthorized person to gain access.
VPN Authentication
Virtual Private Networks (VPNs) are a very common remote access solution. VPNs encrypt traffic between the client and server to keep it secure over the public internet.
There are a few ways VPN authentication works:
Username/Password
The user simply enters their defined username and password. This is the least secure option but very simple to implement.
Certificates
Digital certificates use encryption to validate identity. The user is granted a client certificate that the VPN server recognizes. More secure than only a password.
Token Authentication
This uses a physical token device that generates one-time codes. Users must enter the current code from their token along with their PIN/password.
RADIUS Authentication
RADIUS (Remote Authentication Dial In User Service) is an authentication protocol used by many remote access servers.
With RADIUS, authentication is handled by a separate RADIUS server instead of the remote access server itself. This allows central management of all users in one place.
User credentials and permissions are stored in the RADIUS server’s database. The remote access server passes log in data to the RADIUS server, which responds with approval or denial for that user.
TACACS+
TACACS+ (Terminal Access Controller Access-Control System) is a similar protocol to RADIUS used for remote authentication.
It separates the authentication process from the network device. It also allows more granular control over user permissions during each session.
TACACS+ provides detailed accounting logs for user activity tracking and auditing. Cisco remote access servers often utilize TACACS+.
Access Control Lists
Access Control Lists (ACLs) allow remote access servers to control access at a granular level. ACLs contain sets of permissions assigned to specific users, groups, or IP addresses.
For example, an ACL could limit a user to only access one subnet within the network. Or it could restrict a group to only use SMTP and HTTP traffic.
ACLs act as firewall rules on the remote access server itself to authorize and limit remote user activities.
Server Certificates
Using valid server certificates is crucial for remote access servers to prove their authenticity to users and prevent man-in-the-middle attacks.
Certificates bind a cryptographic key to the server’s details using encryption. The remote client can verify that the certificate is signed by a trusted Certificate Authority to confirm the server’s legitimacy.
Self-signed certificates are weaker since they are signed by the server itself, not a CA. For stronger security, remote access servers should use CA-signed certificates.
Securing The Authorization Process
Proper configuration is vital to leverage these authorization methods securely:
- Enforce password complexity rules
- Set passwords to expire every 60-90 days
- Block accounts after 10 failed login attempts
- Use lockouts to prevent unlimited login attempts
- Consider IP whitelisting to limit locations
- Combine multiple factors when possible
- Update authentication protocols like RADIUS and TACACS+
- Log and monitor user activity
Following security best practices for remote access servers is crucial to prevent breaches. Using multilayered authorization via multiple factors and secured protocols prevents unauthorized entry.
Common Authorization Servers/Protocols
There are a few common platforms used to handle remote access authentication:
Microsoft Server Products
- Active Directory – Directory-based identity and authentication
- Network Policy Server (NPS) – RADIUS/network policy server
- Routing and Remote Access Service (RRAS) – Remote access VPN server
Cisco Products
- Cisco Secure Access Control Server (ACS) – TACACS+
- Cisco Identity Services Engine (ISE) – Policy-based access control
Third-Party Options
- RADIUS servers like FreeRADIUS and Radiator
- TACACS+ products from vendors like Oracle/NetApp/F5 Networks
VPN servers such as OpenVPN, pfSense, Pritunl
Choosing secured, supported software for remote access is key for authorization and access control. Utilizing multiple factors and granular ACLs also improves security.
Common Ways Authorization is Bypassed
While remote access servers have solid authorization methods, attackers are constantly trying to bypass this first line of defense. Some common attack vectors include:
Credential Stuffing
Using compromised username/password lists and trying them against remote access logins. Automated tools make this easy to do at scale.
Brute Force Attacks
Trying endless password combinations once a valid username is known. Can try millions of guesses.
Password Spraying
Similar to brute force attacks but tries a single common password against many different known usernames.
Phishing
Sending spoofed login pages to collect user credentials. Very common and often quite convincing to unsuspecting users.
Protocol Exploits
Finding and leveraging vulnerabilities in AAA protocols like RADIUS and TACACS+ when they are not properly updated.
VPN Vulnerabilities
Identifying security holes in popular VPN packages that allow slipping past VPN encryption or authorization steps.
Session Hijacking
- Stealing an existing authorized session after a user has successfully logged in.
- Enable proper logging and monitoring to detect such authorization bypass attempts in real-time.
Auditing and Logging
Auditing remote access activity is crucial to identify misuse and security violations. Remote access servers should produce logs with:
- All log-in attempts – successful and failed
- Username, source IP address, timestamp
- Authentication factors used
- Date/time the user logged out
- Sessions disconnect reasons
- Commands run and activities performed
- Changes made to users, files, configurations
Sending this log data to a central SIEM system allows proper oversight into remote access behavior and quicker response if incidents occur.
Analyzing remote access logs against stuff like HR records can highlight unauthorized accounts present or in use as well.
Conclusion
Remote access servers authorize users in various secure ways before allowing access to private networks and resources. Multifactor authentication, VPNs, RADIUS, TACACS+, ACLs, and certificates all play a role in securely verifying user identity and enforcing proper permissions.
However, despite these safeguards, attackers are constantly trying to bypass authorization through password attacks, exploits, stolen credentials, and more. Proper auditing and logging are key to detecting such security breaches rapidly.
Securing authorization on remote access servers should be a top priority for any organization with remote workers, devices, or networks in order to prevent devastating data breaches or malware. Using multiple layered controls provides optimal protection against external threats.
