Consider your home or apartment for a moment. It contains all your property, and theoretically,
it’s a private space for you and your family. Most likely, the door has a lock of some kind
that restricts entry, and, with the use of a key, only you and other authorized persons are able
to enter.
In this example, the door is very much like the remote access device in the network. It
provides a gateway between the outside world and the home—in this case, the corporate
network. The electronic door also has a key of sorts—frequently a username and password.
Access control defines the manner in which these metaphorical keys are allocated and used;
it also defines what each person who enters the system can do.
Cisco access control solutions are used to implement the security policies of the network—
specifically, the remote access connectivity. These solutions are targeted for a wide variety of
platforms and functions. You will find Cisco access solutions for several platforms, including
Windows NT and Unix.
Consider the following components used in remote access:
Clients
In Cisco access control, a client is typically a remote user using a dial-in connection
like the one that would be found on an asynchronous or an ISDN connection. These clients can
use different forms of security and authentication, including CHAP and PAP (discussed in
Chapter 24), or they can use remote client software, such as CiscoRemote. In addition, hardware-
based tokens can be used to increase security—the tokens do this by calculating the proper
response to a one-time challenge from the access server.
RADIUS and token-based authentication usually require the use of PAP, which
passes the password in cleartext and is less secure than CHAP.
Access servers
Clients connect to access servers, which provide the far end of a connection as
viewed from the remote user’s perspective. Stated another way, the access server is the front
door to the network for remote users. The Cisco IOS and other software, including Cisco
Broadband Operating System (CBOS), can provide varying degrees of security, including dialer
profiles, access control lists (ACLs), and encryption.
To communicate between security servers and access servers, new protocols
were developed, including TACACS+, RADIUS, and Kerberos.
Security servers
Security servers provide a centralized means of controlling policy and storing
account information. This can greatly simplify administration—similar to the way that Domain
Name Server (DNS) eases name-to-address resolution. Recall that before DNS, each workstation
was populated with a hosts file, which had to be modified for each change. DNS enabled hosts to
query a single server for the resolution. Security servers operate in much the same manner—rather
than storing usernames and passwords on each router, they can be stored on the server and queried
by the network device when needed. Cisco’s security server offering is called CiscoSecure, and
it operates on Unix and Windows NT platforms. CiscoSecure is discussed in the next section.
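The two points above, that PAP sends the password in cleartext while CHAP answers a one-time challenge, and that the access server holds no passwords but queries a security server, can be seen together in the following constructed simulation. This is an added example, not code from the book or from Cisco; the account name, password, class names and the `wire` capture are all assumptions, and the CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge).

```python
import hashlib
import os
import secrets

# Constructed example, not from the book: one PAP and one CHAP login from a
# dial-in client to an access server. The access server keeps no credentials;
# it asks a centralized security server, as the chapter describes.
ACCOUNTS = {"alice": "s3cret-pw"}   # constructed account, stored only on the security server

def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over the one-octet Identifier, the secret and the challenge."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()

class SecurityServer:
    """Central credential store (the role CiscoSecure plays in the text)."""
    def verify_pap(self, user, password):
        return secrets.compare_digest(ACCOUNTS.get(user, ""), password)

    def verify_chap(self, user, chap_id, challenge, response):
        if user not in ACCOUNTS:
            return False
        return secrets.compare_digest(chap_response(chap_id, ACCOUNTS[user], challenge), response)

class AccessServer:
    """Front door for remote users; forwards what it receives to the security server."""
    def __init__(self, sec):
        self.sec = sec
        self.wire = []   # constructed: what a passive observer of the dial-in link would see

    def pap_login(self, user, password):
        self.wire.append(("PAP", user, password))           # password crosses the link in cleartext
        return self.sec.verify_pap(user, password)

    def chap_login(self, user, client_secret):
        chap_id, challenge = 7, os.urandom(16)             # fresh one-time challenge per login
        self.wire.append(("CHAP-challenge", chap_id, challenge))
        response = chap_response(chap_id, client_secret, challenge)   # computed on the client side
        self.wire.append(("CHAP-response", user, response))            # secret itself never sent
        return self.sec.verify_chap(user, chap_id, challenge, response)

def password_visible_on_wire(server, password):
    """True if the cleartext password appears in any captured frame."""
    return any(password in frame for frame in server.wire)
```

Running both logins shows the password in the PAP capture but only a challenge and an MD5 response in the CHAP capture, while the access server itself never had to store the secret.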
Protocols for centralized authentication
CHAP and PAP were designed for use on serial connections,
making them unsuitable for Ethernet and other LAN technologies.