Issues and Trends: Remote access servers
By Tim Greene Network World, 3/23/98
While most network equipment vendors try to dazzle you with grandiose claims of new cutting-edge features, remote access server providers remain focused on the bread-and-butter basics. And well they should, because it's the basics - authentication, encryption, compression, modularity, fault tolerance and port density - that will serve you well when it comes to enterprise-level remote access.
That said, there is one feature that's starting to stand out as a popular accompaniment to those core functions: a virtual private network (VPN). VPNs can save you big bucks on your long-distance telephone bills by using the Internet to tie remote users to the corporate backbone. But VPNs add something else too - network security vulnerabilities.
Look for an enterprise-class remote access server that enables VPNs and sports ironclad security. These boxes also give you the flexibility of maintaining direct dial-up ports for remote users who connect through a local call or those who want to use a secure dedicated circuit.
Because many of you want the biggest and best remote access server vendors have to offer, our Buyer's Guide Chart focuses on hardware-based products with a minimum of 24 ports. After all, these are the boxes that have the most differentiating features.
Stripped-down models can function as simple access concentrators with modems and a LAN feed. But higher end products can be fitted with a battery of security ranging from simple user name/password to secure token support. Just under half of the remote access servers on the chart support tunneling technology that encrypts IP packets and encapsulates them for transport across IP networks.
In this initial phase of deployment, tunneling is best suited for remote access. Remote users call their local Internet service provider, use the Internet for a long-haul link, then reach the corporate site over a dedicated feed from the ISP. Expected upgrades will improve management, making it easier to assign limited access rights for extranets.
All but one product in the chart - Lantronix's LRS32F - are modular chassis-based systems. Most of these devices support authentication, authorization and encryption. Enhanced management interfaces make it easier for administrators to establish and maintain VPNs.
For example, 3Com Corp. this spring is expected to release Web-based management tools for its Total Control HiPer Access System/EdgeServer Pro Module, part of the product line 3Com gained last year when it acquired U.S. Robotics. The tools enable you to set up and manage security features such as IP tunnels, controlling access based on time of day and session length. 3Com will add tunneling support to the Total Control box this spring.
Other vendors with current or planned support for some form of tunneling - including Adtran, Inc., Ascend Communications, Inc., Bay Networks, Inc., Compaq Computer Corp. and RAScom, Inc. - claim their remote access servers will support the Layer 2 Tunneling Protocol after the standard is set sometime this year.
Virtually all vendors included in the chart support a battery of authentication security mechanisms, including the Terminal Access Controller Access Control System (TACACS), Challenge Handshake Authentication Protocol/Password Authentication Protocol (CHAP/PAP), dialback and Remote Authentication Dial-In User Service (RADIUS).
These security options range in sophistication. Dialback, for example, simply identifies the phone number of an incoming call. The remote access server only calls back authorized numbers to initiate a connection. A step up is CHAP, in which the server issues a challenge - a unique code - to the calling client. The client responds with a password that is encoded based on the challenge it has received. In theory, only an authorized client will be able to respond with a properly encoded response.
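The CHAP exchange described above, as an added example that is not part of the original article: a minimal authenticator and client using the MD5 form of CHAP from RFC 1994, in which the response is a hash over the identifier, the shared secret and the challenge, so the password itself never crosses the line. The user name, shared secret, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: hash of identifier octet + shared secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side: issues a fresh challenge per attempt and checks the reply."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # user name -> shared secret (constructed sample data)
        self.pending = {}        # user name -> (identifier, challenge) awaiting a reply
        self.next_id = 0

    def issue_challenge(self, user: str):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # identifier is a single octet
        challenge = os.urandom(16)                # unpredictable, never reused
        self.pending[user] = (identifier, challenge)
        return identifier, challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Each challenge is single-use: pop it so a captured reply cannot be replayed.
        outstanding = self.pending.pop(user, None)
        secret = self.secrets.get(user)
        if outstanding is None or secret is None:
            return False
        identifier, challenge = outstanding
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def demo() -> dict:
    secret = b"constructed-shared-secret"
    server = ChapServer({"alice": secret})
    ident, chal = server.issue_challenge("alice")
    good = chap_response(ident, secret, chal)
    results = {"valid": server.verify("alice", good)}
    # The same reply sent against a new challenge must be rejected.
    server.issue_challenge("alice")
    results["replayed"] = server.verify("alice", good)
    # A client that does not hold the shared secret cannot produce the right hash.
    ident, chal = server.issue_challenge("alice")
    results["wrong_secret"] = server.verify("alice", chap_response(ident, b"guess", chal))
    return results

if __name__ == "__main__":
    print(demo())
```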
TACACS and RADIUS support communication between the remote access server and a separate security server that performs authentication. In addition, RADIUS provides call accounting and can define limits on individual or group access rights. Some vendors even support Kerberos server-to-server authentication.
Many of the advanced features of high-end remote access servers are designed for service providers, but these features parlay into benefits for corporate users, too. For example, voice-over-IP capabilities enable ISPs to offer new voice services, but the technology also represents a cost-saving opportunity for the enterprise.
Some remote access servers can route voice calls to distant sites over an IP network, including the Internet, obviating long-distance phone charges or the need for separate voice trunks. Total Control, for example, already supports IP voice, and vendors such as Ascend, Bay and Cisco have promised support in upcoming models of their boxes.
Among the differences you'll find between enterprise-class servers and their poorer cousins are redundant power supplies, hot-swappable cards and support for ever-increasing port densities.
For example, Bay's Versalar 5000 Access Switch and Versalar 5399 Remote Access Concentrator Module support dual channelized T-1 cards with 48 modems. The cards provide the building blocks for enormous capacity (see review). Other vendors, such as start-up Aptis Communications, Inc., specialize in port density. Aptis' CVX 1800 crams 1,344 modems on a single shelf.
At the same time, vendors are trying to keep the number of required modems to a minimum. For example, Compaq's Microcom 6200 concentrator can direct calls to the desired network device via any available route. If all direct modem connections to a particular LAN-based asynchronous device are busy, Compaq's ADAPTive switching technology sniffs out alternate routes and modems.
You'll find enhancements to some of the more traditional remote access server features, too. Most of the products featured in the chart had 56K bit/sec modem support before the preliminary V.90 modem standard was set in February. Modem vendors accept those specifications as the likely standard and are readying software upgrades to make their devices compliant.
What's more, most of the products included in the chart continue to support ISDN via Primary Rate Interface trunks. 3Com and Cabletron Systems, Inc.'s products support digital subscriber lines (DSL). DSL enables dedicated broadband access over regular phone lines to support power users who need to move big files to and from remote offices or home. DSL is still maturing and service availability is limited so far, but it's coming. Thanks to new cards and software upgrades that can add functionality, today's remote access servers stand to live long lives.