Remote Authentication Dial-In User Service
Remote Network Access Security in an Open Systems Environment
Every time a modem is added to a computer or communications server on a corporate network, that network becomes more vulnerable to security breaches. Network administrators are left with few tools to guard against break-ins. State-of-the-art security systems generally require special hardware or are compatible with only a small number of products. This problem is multiplied several times in large networks with many points of access.
Lucent Technologies InterNetworking Systems has developed a distributed security solution called Remote Authentication Dial-In User Service, or RADIUS, that solves the problems associated with meeting the security requirements of remote computing. This solution eliminates the need for special hardware and provides access to a variety of state of the art security solutions. Distributed security separates user authentication and authorization from the communications process and creates a single, central location for user authentication data.
Based on a model of distributed security previously defined by the Internet Engineering Task Force (IETF), RADIUS provides an open and scalable client/server security system. The RADIUS server can be easily adapted to work with third-party security products or proprietary security systems. Any communications server or network hardware that supports the RADIUS client protocols can communicate with a RADIUS server. Lucent offers the RADIUS server free of charge to its customers and supports the RADIUS client protocols in its PortMaster family of communications servers and routers. Lucent is assisting the IETF's Network Access Server Requirements Working Group to allow other vendors to utilize this technology.
RADIUS is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS includes two pieces: an authentication server and client protocols. The server is installed on a central computer at the customer's site. RADIUS is designed to simplify the security process by separating security technology from communications technology.
All user authentication and network service access information is located on the authentication, or RADIUS, server. This information is contained in a variety of formats suitable to the customer's requirements. RADIUS in its generic form will authenticate users against a UNIX password file, Network Information Service (NIS), as well as a separately maintained RADIUS database. Communications servers working with modems, such as the PortMaster, operate as RADIUS clients. The RADIUS client sends authentication requests to the RADIUS server and acts on responses sent back by the server.
The distributed approach to network security provides a number of benefits for Lucent Technologies customers. They include the following:
The RADIUS client/server architecture allows all security information to be located in a single, central database, instead of scattered around a network in several different devices. This approach increases security. A single UNIX system running RADIUS is much easier to secure than several communications servers located throughout a network.
RADIUS creates a single, centrally located database of users and available services, a feature particularly important for networks that include large modem banks and more than one remote communications server. With RADIUS the user information is kept in one location, the RADIUS server, which manages the authentication of the user and access to services from one location. Because any device that supports RADIUS can be a RADIUS client, a remote user will gain access to the same services from any communications server communicating with the RADIUS server.
RADIUS is fully open, is distributed in source code format, and can be easily adapted to work with systems and protocols already in use. This feature saves tremendous amounts of time by allowing users to modify the RADIUS server to fit their network rather than rework their network to incorporate the PortMaster Communications Server.
RADIUS can be modified for use with any security system on the market and will work with any communications device that supports the RADIUS client protocol. The RADIUS server has modifiable "stubs" which enable customers to customize it to run with any type of security technology.
As new security technology becomes available the customer can take advantage of that security without waiting for Lucent to add support to the PortMaster. The new technology need only be added to the RADIUS server by the customer or outside resources. RADIUS also uses an extensible architecture which means that as the type and complexity of service the PortMaster must deliver increases RADIUS can be easily expanded to provide those services.
Any company with a centralized MIS department managing a large corporate network is concerned with security issues. Many of these customers have already installed RADIUS and others are in the planning stages. All those customers that are using RADIUS have customized it in some way to work with their network systems. For example, one computer manufacturer has adapted its RADIUS server to work with Enigma's security cards. In this network, the RADIUS server manages the communications with the Enigma security technology to validate the user and allow access to the network. In this way, the customer was able to install PortMaster Communications Servers and also maintain its investment in Enigma's security technology.
RADIUS is being used to secure several university networks that provide dial-in IP connectivity to students and faculty. To provide distributed security, the RADIUS server has been customized to work with the Kerberos security system for authenticating user names and passwords.
Several Internet service providers use RADIUS to provide security to users accessing their networks from multiple POPs (Points Of Presence). UNIX security systems are typically used in these environments.
A utility company has customized the RADIUS server in a similar manner, storing names and passwords from over 1000 UNIX password tables.
An IETF Working Group for RADIUS was formed in January 1996 to address the standardization of RADIUS protocol. RADIUS is now an IETF-recognized dial-in security solution (RFC #2058).
What is network security?
The term network security covers a number of technologies that protect remote access to a network, whether over telephone lines or between networks. These technologies include passwords, encryption and call-back. Each of these technologies works in a different way, and network managers often combine them to create secure network environments.
Why has network security become such an important issue?
Network security is not new to computing, though it is relatively new to personal computing. Mainframe computers have always used high-level security technology to protect sensitive business data. In the early days of personal computing, most CPUs were stand-alone units that could be protected by locking an office door.
Today, new users of technology have made security a critical issue for any type of computing. Growing use of local-area and wide-area networks, laptops and remote computing has increased access to critical business data. Hackers thrive on breaking into vulnerable networks, and security breaches can wreak havoc on a network. Not only is confidential information stolen, but "crackers" have been known to bring down a network through "worms," computer viruses and other hazards to network traffic.
What type of security does the Lucent Technologies PortMaster product family support?
Lucent Technologies PortMaster products use a number of advanced security features, including call-back, access filters for hosts and networks, packet filters and RADIUS.
What is RADIUS?
RADIUS, or Remote Authentication Dial-In User Service, is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the Internet Engineering Task Force (IETF) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Requirements Working Group. RADIUS is now an IETF-recognized dial-in security solution (RFC #2058).
What is distributed security?
Distributed security is a client/server approach that allows a number of communications servers, or clients, to authenticate a dial-in user's identity through a single, central database, or Authentication Server, which stores all information about users, their passwords and access privileges.
Is distributed security better than other types of security?
Distributed security provides a central location for authentication data that is more secure than scattering that information on different devices throughout a network. It is also more scalable and much easier to manage.
How many users can one Authentication Server support?
A single Authentication Server can support hundreds of communications servers, serving up to tens of thousands of users.
Do Authentication Servers need to be located on the same network as the communications server?
Communications servers can access an Authentication Server locally or remotely over WAN connections.
How do Authentication Servers work?
Authentication Servers can be set up in a variety of ways, depending upon the security scheme of the network they are serving. The basic process for authenticating a user includes the following steps: a user dials into a network through a communications server, or Network Access Server (NAS); the NAS forwards the user identification and password to the Authentication Server; then the Authentication Server validates the user and provides access privileges to the network.
How do passwords work and what are their limitations?
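The exchange sketched above (NAS forwards the user name and password, the Authentication Server validates and answers) and the earlier description of the RADIUS client and server are worked through below in Python as an added example; it is not code from this paper or from Lucent's RADIUS server. It follows the Access-Request / Access-Accept / Access-Reject packet layout and the User-Password hiding of RFC 2058, which the paper cites. The shared secret, salt, user name and password are constructed sample values, and the user store is a dictionary of salted digests standing in for the UNIX password file or NIS the paper mentions.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2058.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: the secret shared by NAS and server, and a tiny user
# store holding salted SHA-256 digests (stand-in for the UNIX password file or NIS).
SHARED_SECRET = b"example-nas-secret"
_SALT = b"constructed-salt"

def _hash_pw(password: bytes) -> bytes:
    return hashlib.sha256(_SALT + password).digest()

USER_DB = {b"alice": _hash_pw(b"xyzzy-4242")}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2058 5.2: NUL-pad to a multiple of 16, then XOR each chunk with
    MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are type-length-value triples; length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(identifier, username, password, secret):
    """NAS side: Code | Identifier | Length | Request Authenticator | attributes."""
    authenticator = os.urandom(16)  # fresh per request; keys the password hiding
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def handle_access_request(packet, secret, user_db):
    """Server side: recover the password, check the store, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None  # malformed: RFC 2058 says to discard silently
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    ok = False
    if ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
        stored = user_db.get(attrs[ATTR_USER_NAME])
        ok = stored is not None and hmac.compare_digest(_hash_pw(password), stored)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here.
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request, secret):
    """NAS side: trust the reply only if its authenticator proves the server knows the secret."""
    if response is None or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # forged reply, or the two sides hold different secrets
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(response[0])

def authenticate(username, password, nas_secret=SHARED_SECRET,
                 server_secret=SHARED_SECRET, user_db=USER_DB):
    """Whole exchange in-process: NAS builds the request, server answers, NAS checks it."""
    request = build_access_request(7, username, password, nas_secret)
    response = handle_access_request(request, server_secret, user_db)
    return verify_response(response, request, nas_secret)
```

Calling `authenticate(b"alice", b"xyzzy-4242")` returns "Access-Accept", a wrong password returns "Access-Reject", and a NAS configured with a secret that differs from the server's gets `None`, because the Response Authenticator no longer verifies. Two points the paper's prose does not show: the password is only obscured with MD5 and the shared secret, never encrypted with a per-user key, so the secret and the NAS-to-server link deserve the same protection as the password file; and the server answers a malformed request with silence rather than a Reject, so a missing reply is a condition a NAS must time out on.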
Passwords are the most common form of computer security. Some networks require multiple levels of passwords to gain access to various servers or databases. Passwords become weak links when they are shared among colleagues, stolen, written down or created in such a way that they can be easily guessed. For example, users will try to create memorable passwords by using their names or social security numbers.
How does callback work?
Callback is a security feature that works in the following way: a user dials into a communications server and enters a user name and password; the communications server then hangs up the modem connection, searches its database to authenticate the user and then calls the user back at a predefined number. Callback provides good security and cost savings to users who remotely access networks from one location. However, it is inconvenient for traveling executives.
How does packet filtering work?
Packet filters allow network administrators to limit a user's access to specific services on the network. For example, a user may be allowed to send electronic mail, but not copy data files from the network. Packet filtering on the communications server analyzes each message being sent from a remote client. The filter can determine the computer and service the user is attempting to reach and either permit or deny access to that service.
What is encryption?
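The permit-or-deny decision the answer above describes is shown below as an added Python example; it is not PortMaster filter syntax or code from the paper. The rule set is constructed to match the paper's own case (mail allowed, file copying not): it permits SMTP to a mail host and DNS to a resolver and denies everything else on the internal network, with first-match evaluation and an implicit default deny. Hosts, addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """The fields a communications server reads from a remote client's packet."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port identifies the service

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    dst_net: str          # destination network in CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule mentions is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed filter for the paper's example: the remote user may send mail and
# resolve names but may not reach any other service (such as FTP) inside 10.0.0.0/8.
MAIL_ONLY = [
    Rule("permit", "10.0.0.25/32", "tcp", 25),    # SMTP to the constructed mail relay
    Rule("permit", "10.0.0.53/32", "udp", 53),    # DNS to the constructed resolver
    Rule("deny",   "10.0.0.0/8",   "any", None),  # everything else on the internal network
]

def audit(rules, packets):
    """Decision for each sample packet, the view an administrator wants when testing a filter."""
    return [(pkt.dst, pkt.proto, pkt.dport, evaluate(rules, pkt)) for pkt in packets]
```

Running `audit(MAIL_ONLY, [...])` over a few constructed packets shows SMTP to 10.0.0.25 permitted, FTP (port 21) to any internal host denied, and SMTP aimed at a host other than the relay also denied, which is the property worth checking: the permit is tied to both the host and the service, not to the service alone. Rule order matters in this first-match model, so the broad deny belongs last.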
Data encryption uses a secret code to scramble information so that it can be read only by computers using the same code, or encryption technology. While encryption reduces the risk of unauthorized access, it doesn't create a totally safe networking environment on its own. Code "crackers" are excited by the challenge of breaking an encryption code.