understanding remote access technologies (nov 16, 2011) (beginner)

Post on 05-Jul-2015


Category:

Technology



DESCRIPTION

Keynote presentation given on November 16th, 2011 for IMA (non-technical audience) on modern remote access technologies as well as background topics such as Internet routing, NAT, VPN, remote desktop, port forwarding, etc.

TRANSCRIPT

Henry Van Styn

IntelliTree Solutions

November 16th, 2011

Types of Remote Access

What they all have in common: communicate over the Internet – common challenges

Brief technical/anecdotal background info – it’s interesting! (at least I think so)

Practical implications and considerations

Using Remote Access effectively – discuss a few of the currently available tools/solutions

General:

◦ VPN – (Virtual Private Network)

◦ Remote Desktop

Specific:

◦ Web applications

◦ Other applications

Most everything is now Internet based, including any mainstream Remote Access solution

◦ Legacy: Dial-in, ISDN, other WAN connections (but even those are all IP based)

Global Public Network

Any computer can reach any other computer by its unique address (“IP Address”)

◦ Example IP Address: 74.125.225.20

Another Global Public Network: The Postal System

[Diagram: the Internet, with 74.125.225.20 (google.com) and 209.173.141.162]

Any computer/device can reach any other computer/device if it knows the IP Address….

All Internet applications communicate over this basic computer-to-computer connection.

Websites, e-mail, Skype and Remote Access are all examples of Internet applications…

There aren’t enough of them (only ~ 4 billion)

◦ (Compare to CC numbers: ~ 1 trillion per issuer)

“Long-term” fix: IPv6 (approaching 20 years old; ~ 340 undecillion addresses)

“Short-term” fix: ugly hacks & workarounds, most notably “NAT”

Would have run out of addresses 10 years ago (which is about how long IPv6 has been “right around the corner”)

NAT (Network Address Translation) allows multiple computers to share the same Public IP address. Totally ubiquitous.

Router/Firewall acts as intermediary and tracks individual connections

Major limitation: outbound only – built for things like browsing the web

But also provides security by design – often synonymous with the term “Firewalling”

Primary cause of complexity for Remote Access

[Diagram: NAT Router/Firewall with public IP 209.173.141.162 between the Internet (74.125.225.20, google.com) and an internal PC at 192.168.1.5 (Private IP)]

NAT allows multiple computers to transparently share a single public IP Address

But NAT only allows outbound access…

Computers on the Internet cannot be the initiator of new connections

Internal computers can only receive replies to connections they initiate

[Diagram: a host on the Internet cannot directly communicate with the Private IP 192.168.1.5 behind the NAT router]

VPN

A VPN is itself an Internet Application that carries network traffic within it

[Diagram: 192.168.1.5 (Private IP) and 192.168.1.6 (Private IP) can communicate virtually across the Internet]

Permanent network-to-network VPN

[Diagram: 192.168.1.5 and 192.168.1.6 joined over the Internet by a permanent network-to-network VPN]

A VPN connection alone does not provide Remote Access

Mapped network drives

Direct network application access over the VPN (generally slow – example: QuickBooks)

Remote Desktop alternative (such as Windows RDP, Terminal Services, Citrix)

Doesn’t require a VPN connection or IT department to set up on the Router/Firewall

Relies on 3rd party servers

Remote Desktop Application with built-in connectivity

[Diagram: both the home PC and the office PC connect outbound through the Internet to a 3rd party server]

Services like GotoMyPC provide Remote Desktop access and work behind NAT because both sides initiate connections to a 3rd party publicly accessible server

WebEx

LogMeIn – Free

GotoMeeting alternative: http://join.me – Free

Windows XP and later have RDP and require no custom install – but you need to be able to connect (i.e. VPN)

VNC – also free, Remote Desktop

Cisco, Netgear, Sonicwall, others

OpenVPN – SSL based

Openswan – IPsec based

[Diagram: Internet → router with a port forward (RDP: 3389) → 192.168.1.5 (Private IP)]

For easy RDP access to a home PC without a VPN, configure a port forward (supported on all firewall/router devices, such as Linksys)

DDNS: use a DDNS service to be able to use a hostname instead of an IP address:

• DynDNS

• DNS2Go

• No-IP
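The NAT behaviour the slides describe (the router tracks outbound connections and translates them, drops unsolicited inbound connections, and a port forward such as RDP 3389 opens a deliberate hole for one service) as an added Python model; this is not part of the presentation. The addresses are the slides’ own, 198.51.100.7 is a constructed outside host, and the NatRouter class and its table layout are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Addresses are the ones used on the slides; 198.51.100.7 is a constructed
# outside host (documentation range), standing in for "some computer on the Internet".
PUBLIC_IP = "209.173.141.162"   # the office's single public IP on the router
INTERNAL_PC = "192.168.1.5"     # a PC on the private LAN
GOOGLE = "74.125.225.20"        # google.com, as on the slides
OUTSIDER = "198.51.100.7"


@dataclass
class NatRouter:
    public_ip: str
    # static port forwards: public port -> (private ip, private port)
    forwards: dict = field(default_factory=dict)
    # dynamic connection table: public port -> (lan ip, lan port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: rewrite the source to the public IP and remember the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> public IP: return the translated packet, or None if the router drops it."""
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            # a reply to a connection a LAN host opened: translate back to the private address
            return (src_ip, src_port, entry[0], entry[1])
        if dst_port in self.forwards:
            # a port forward the administrator configured, e.g. RDP 3389 -> home PC;
            # this deliberately exposes that one service to every host on the Internet
            priv_ip, priv_port = self.forwards[dst_port]
            return (src_ip, src_port, priv_ip, priv_port)
        return None  # unsolicited inbound connection: NAT is outbound-only


def demo():
    nat = NatRouter(PUBLIC_IP)
    out = nat.outbound(INTERNAL_PC, 51000, GOOGLE, 80)   # PC browses google.com
    reply = nat.inbound(GOOGLE, 80, out[1])              # reply comes back to the PC
    blocked = nat.inbound(OUTSIDER, 12345, 3389)         # outsider tries RDP first: dropped
    nat.forwards[3389] = (INTERNAL_PC, 3389)             # port forward from the slides
    forwarded = nat.inbound(OUTSIDER, 12345, 3389)       # now it reaches 192.168.1.5:3389
    return out, reply, blocked, forwarded
```

Running `demo()` shows the four cases in order: the translated outbound packet, its reply mapped back to 192.168.1.5, the dropped unsolicited connection, and the same connection reaching the PC once the forward exists, which is why the slides pair port forwarding with strong passwords and limited access.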

Encryption: doesn’t require a VPN

RDP, and most remote access applications, are encrypted anyway

VPN does guarantee encryption

Access policies are a larger issue

Remote Access potentially opens your network to the world – use strong passwords and limit access
