by David O'Leary
Microsoft's Remote Access Service (RAS) provides users with seamless access to their corporate network through a remote dial-up connection. Once connected, users have the same capabilities they would have if directly connected to the network. Because RAS uses the same network protocols for communication as direct office connections, all aspects of standard networking are fully supported. RAS also provides, in conjunction with Windows NT Server, secure network protection via logon validation, access permissions and restrictions, encryption schemes, and callback capabilities.
Some RAS implementations may only include one or two analog modems. Others may have hundreds of modemsñmixing analog, ISDN, and ADSL. The uses of RAS are as diverse as the uses of standard networks, but with the added capability of being able to connect to your network from almost anywhere. Through such applications as e-mail, sales force automation, home offices, videoconferencing, and a host of other possible uses, RAS frees employees from the constraints of the office.
As networks become prevalent, the ability of people to dial in and access networks becomes increasingly important. The widespread adoption of client-server technology and other network-centric technologies, such as intranets, has opened up the power of RAS. The work done in business process re-engineering has focused on automating processes with network-based applications that, in most cases, can be accessed just as effectively through RAS.
RAS supports all major networking clients, including Windows for Workgroups, Windows 95, Windows NT, UNIX, Mac OS, NetWare, LAN Manager, and OS/2.
With the release of Windows NT 4.0 and Windows 95, Microsoft has made significant changes, additions, and enhancements to the Remote Access Service. The following sections detail these changes.
With the incorporation of the Windows 95 look and feel into Windows NT 4.0, significant changes have been made to RAS to make it easier to install, use, and administer. One of the biggest changes is the incorporation of the wizards in the setup/installation process. The RAS Setup Wizard automates many parts of the setup and installation process.
Like in Windows 95, the RAS client application is now called Dial-up Networking. In addition, the Dial-up Networking interface, as shown in Figure 11.1, is quite different from Windows 95. It was changed to make it more powerful and to give you more information for troubleshooting problems.
The new Dial-up Networking interface is easier to use and provides additional features for connecting to remote computers.
The addition of the Multilink capability to RAS enables you to increase the bandwidth of a single PPP session by combining two or more physical communication links. This is most commonly used to bundle the two B, or bearer, channels of an ISDN modem to get a 128 Kbps connection. However, if you have two phone lines and two analog modems (or any combination of lines and modems), you can also use multilink to increase your bandwidth. RAS Multilink is based on the IETF standard RFC 1717, which proposes advances to the PPP protocol with a method for splitting, recombining, and sequencing datagrams across multiple logical data links.
PPTP is a protocol created by Microsoft to support multi-protocol virtual private networks. Through PPTP, users can use the Internet or any other public network to connect to their corporate networks. This is particularly useful for avoiding long distance charges for users calling from outside of calling areas. PPTP also enables corporations to out source their remote access needs to Internet service providers or other remote access providers to reduce administrative overhead and costs.
NOTE: A virtual private network (VPN) enables users to securely access their private networks through a public network, such as the Internet. To ensure security, VPNs must prevent data from being intercepted and also encrypt the data so that it cannot be read. In addition, VPNs must prevent unauthorized users from gaining access to the private network.
As with any VPN implementation, security is a major concern. The integration of PPTP into RAS enables it to use the same encryption technologies and security mechanisms that RAS uses to ensure that unauthorized users do not gain access to your corporate network or intercept sensitive communication. PPTP is an open industry standard that supports the most common networking protocols (TCP/IP, IPX, and NetBEUI). For more information about PPTP, see Chapter 9, "Using TCP/IP with Windows NT Server."
A common problem with transferring large files over analog modems is that a lost connection during this lengthy process forces you to start the process all over again. The Restartable File Copy feature should enable the transfer to continue from where it left off. When RAS detects a disconnect, it remembers the status of your file transmission and, upon reconnecting, attempts to restore the transfer to its previous state.
If the Windows 95 or Windows NT 4.0 machine is unable to connect to the resource to which it was previously connected through a Dial-up Networking connection, Dial-up Networking will automatically be initiated using previously cached information to access the resource. This feature allows for the seamless integration of remote resources. For example, if you use Microsoft Exchange for sending and receiving electronic mail and your Exchange server is located at a remote location, double-clicking the Exchange icon causes Exchange to search for the Exchange server. If the server is not found and was previously accessed through Dial-up Networking, a dialog box like that shown in Figure 11.2 will ask if you want to use Dial-up Networking to connect to the remote resource.
The Auto-Dial dialog box pops up when a remote resource cannot be reached.
This feature automatically disconnects users who have been inactive for a specified amount of time. This amount of time can be determined by either the Dial-up Networking client or the Server. By disconnecting idle users, this feature can help to free up lines, possibly allowing for the reduction of the total number of supported connections.
Microsoft added a number of new APIs to allow for additional RAS monitoring capabilities so that third-party tools, as well as their own applications, can access more detailed information about active RAS connections. For a complete list and detailed descriptions of using the new RAS APIs in Windows NT 4.0, please refer to the Microsoft Developer Network at http://www.microsoft.com/msdn/.
The components of a RAS implementation can vary according to the needs of the enterprise (see Figure 11.3). The two biggest factors in determining the specific components needed are the desired speed and the number of supported users. This section will describe the various components, the role they play, and when they are and are not necessary.
A RAS implementation contains many separate components which must all work together to allow remote network connectivity.
NOTE: Multiport hardware may not be necessary for basic implementations.
The RAS server acts as the central communication hub for your remote networking clients. For the purposes of this book, the RAS server is running Windows NT Server 4.0 with RAS installed and running. For users to be able to connect to the LAN, your RAS server must be either the main network server for your corporate LAN or connected to the main domain server for standard network security rights and general networking needs.
If you plan to support only one or two remote access connections to your network, you can probably connect the devices directly to your computer. However, if you plan to support three or more simultaneous connections, you will most likely need to connect your modems to multiport hardware. With multiport hardware, one RAS server can support 256 concurrent connections.
At this time, analog modems are the most common connection device for both clients and servers. However, the maximum transmission rate for this type of device will soon reach its limit, not because of the modems themselves, but because of their transmission medium: the phone system. As the need for faster transmission rates continues to grow, other devices and mediums will increasingly become more dominant.
ISDN has already become a fairly popular technology for increasing bandwidth with transmission rates of up to 128 Kbps. Two other technologies, ADSL and cable modems, which boast even greater transmission rates, should begin to outpace the growth of ISDN within the next year. All of these technologies are discussed in depth in the "Data Lines" and "Communication" devices sections.
Most RAS implementations communicate through copper, twisted pair wiresñthe same as those used in the telephone system. These wires are not the best for data transfer, but because they already connect houses and business throughout the world, they have become the most commonly used method (see the following Note).
In general, you will need one dedicated communication line for every device you have. The type of line must match the type of modem. For example, if you plan to support ADSL modems, each modem will need its own ADSL line. The number and types of connections needed depends on the technologies available to your users based on their individual needs. (Information on choosing the types and numbers of connections in a following section, "Choosing the Type and Number of Communication Lines.")
NOTE: Even though ADSL, ISDN, and analog modems all use the same twisted pair copper wires for communication, the hardware used by the phone company to support these different technologies are very different, and the associated costs passed on to you will vary widely.
For now at least, the available client-side devices are the same as the server devices: ADSL, ISDN, and analog and cable modems. However, with the movement towards asymmetric transmissions for which the amount of downstream data is much greater than the amount of upstream data, this may change.
The transfer of digital data over analog phone lines is a complicated process because of the large number of variables involved in the communication process. When setting up a LAN, most of the devices involved in the communication are bought, set up, and configured with the sole intention of transferring digital data from one computer to another. However, with remote network access, the data must travel through communication lines and devices that were intended only for the transfer of a voice. Because of this, many things can go wrong.
When something does go wrong, it is not always clear what it was and what can be done to fix it. This section is intended to give you an understanding of all that is involved in modem communication so that you can understand how it works and how to troubleshoot problems more effectively.
The series of copper wires, routing systems, amplifiers, and filters that make up the phone system are by no means the best way to transfer digital data from one computer to another. However, due to the sheer number of twisted pair copper wires running throughout the planet and the existing infrastructure of the modern phone system, this system will continue to be the medium through which the majority of computers will communicate. With the explosion of interest in the Internet and its technologies, modem companies, communication companies, and research laboratories have spent a great deal of time and money in overcoming the inherent weaknesses of digital communication over the existing phone system. As a result, communication is steadily becoming more reliable and much faster.
The early phone network consisted of a pure analog system that connected telephone users directly by wires. This system was very inefficient, was prone to breakdown and noise, and did not lend itself easily to long-distance connections. Beginning in the 1960s, the telephone system gradually began converting its internal connections to a packet-based, digital switching system. Today, nearly all voice switching within the telephone network in the US is digital. Nonetheless, the final connection from the local central office to the customer equipment was, and still largely is, an analog Plain Old Telephone Service (POTS) line.
Except for cable modems, the technologies I describe all use twisted pair copper wire. Although the wire is the same, the methods used for sending signals over great distances without signal degradation vary widely. This section is intended to give you an overview of the different technologies being used and/or tested. It describes the basics of how they work, their most common applications, and general information about availability.
Analog Phone Lines
Data sent over analog phone lines is routed through the core switching network without alteration; the network treats the data exactly like a voice signal. The core switching network, as shown in Figure 11.4, routes calls from the caller's phone through a series of switches and then to the recipient's phone. The bandwidth limitations of these lines are a result of filters used by the core switching network to reduce line noise in voice transmissions.
Phone calls, along with analog data signals, are routed through a system of switches known as the core switching network to connect the caller to callee using the shortest possible path.
DSL-Based Technologies (ISDN and ADSL)
ISDN (Integrated Services Digital Network) and ADSL (Asymmetric Digital Subscriber Line) are both forms of the DSL (Digital Subscriber Line) technology developed by the Bellcore research arm of the Regional Bell Operating Companies (RBOCs). DSL technologies use the same twisted pair copper wire used for telephone service, but because DSL is a broad-band technology, it cannot be routed through the same series of switches as analog modems. DSL-based modems are fundamentally different than analog modems in that they use digital signaling at the wire level. DSL modems use high-speed computer chips to process the signal and filter out the inherent line noise of copper wires. This enables faster and more reliable connections.
ISDN has been around since the late 1970s, but has only recently gained popularity for use in remote access applications. However, due to more advanced DSL forms, such as ADSL, its popularity may be short lived. ISDN is a switched digital communication product that gives your single phone line the capability to transmit voice and packet data simultaneously over a single twisted pair connection. ISDN transmissions must be routed through special digital switches or over special phone lines known as DS1 (T1) lines.
There are two basic types of ISDN service: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI consists of two 64 Kbps B channels and one 16 Kbps D channel. Using a channel aggregation protocol, such as Multilink-PPP or BONDING, BRI supports an uncompressed data transfer speed of 128 Kbps. PRI is intended for users with greater capacity requirements. Typically, the channel structure is 23 B channels plus one 64 Kbps D channel for a total of 1536 Kbps. In Europe, PRI consists of 30 B channels plus one 64 Kbps D channel for a total of 1984 Kbps. BRI is intended for remote access type applications and, as such, it will be the focus of this section.
With BRI, B channels can be used for data transmission only, or in many setups, one channel is used for data and the other channel can be used for voice or data. In other words, you can talk on the phone while simultaneously transmitting data at 64 Kbps or you can transmit and receive data at 128 Kbps.
With ISDN, instead of the phone company sending a ring voltage signal to ring the bell in your phone (in-band signal), it sends a digital packet on the channel. This signal does not disturb established connections, and call setup time is very fast: usually one or two seconds as opposed to 30 to 60 seconds for analog modems. The signaling also indicates who is calling, what type of call it is (data/voice), and what number was dialed. Available ISDN phone equipment is then capable of making intelligent decisions for directing the call.
ADSL was designed to maximize downstream transmission rates over single twisted pair wiring. As its name implies, the ADSL transmits an asymmetric data stream with much more data going downstream than upstream (see the following Note). ADSL transmission rates top out at 9 Mbps downstream and 640 Kbps upstream. However, there are many factors involved in ADSL transmission rates. The biggest factor is distance. Unlike analog modems, which transmit data at frequency rates of only up to 3 kHz, ADSL is a broad-band technology that uses a much broader frequency range.
Higher frequencies degrade quickly when transmitted over long distances. As a result, achievable transmission rates for ADSL are largely dependent on the distance between the subscriber's connection and the telephone company's nearest central office. Because of this and because of ADSL's asymmetric nature, ADSL is a technology intended for, and is particularly well suited to, connections to individual homes for such uses as video on demand, home shopping, and Internet browsing.
NOTE: Transmission from a service provider to a subscriber's modem is generally referred to as a downstream transmission. An upstream transmission is the opposite, going from a subscriber's modem to the service provider. For many Internet based applications, the data flow is mostly downstream; upstream traffic is largely limited to requests for data.
Cable Lines
Like phone lines, the coaxial cables used for cable TV are also quite plentiful, particularly in the United States. Cable lines enable broad-band transmission, whichñif used only for data transmissionñsupports downstream transmission speeds of up to 36 Mbps. However, most of the bandwidth in today's cable systems is devoted to TV channels. Each TV channel occupies 6 MHz of the spectrum (although some cable companies multiplex several channels into one). In addition, the available bandwidth must be shared between all the homes connected to a particular line. Typical cable systems serve between 500 to 2,500 homes on one line. Further, as is the case with an Ethernet network, too many nodes competing for bandwidth slow network performance. If your neighbors do a lot of downloads, your throughput will suffer unless the cable operator provides additional capacity or extra routers and channels.
The main issue with cable lines being used for digital data transmission is that the current cable infrastructure is set up for one way transmissions, from the provider's transmission site to all connected homes. To become interactive, cable operators must allocate spectrum on the cable for upstream signals and add hardware to receive and re-transmit these signals to their servers. Most of today's implementations use low frequencies for upstream transmission because the inherent noise of low frequencies prevents use for television broadcasts.
To use these lower frequencies for upstream transmission, cable operators must filter out this noise somewhere between the head end and the cable recipient. Cable operators will also have to modify their cable amplifiers to separate the upstream and downstream signals. In many areas, this will require replacing most amplifiers and running fiber optic cable closer to each home.
NOTE: The head end is the term for the building from which the cable company broadcasts signals. Head-end buildings receive both satellite and traditional broadcast TV signals and then broadcast these channels over the cable lines to each customer.
Finally, cable operators will have to set up a community-wide Internet point of presence (POP) to serve all the networks associated with a particular head end. This will require the cable companies to plan very carefully and to gain an enormous understanding of TCP/IP networking. They will have to set up routers and servers at the head end and at strategic places around the cable system to manage Internet traffic.
With the many costs and infrastructure changes required for data transmission through cable lines, more focus is being put on the development of DSL technologies for remote access applications.
Connection devices are the heart and soul of any RAS implementation. They make remote communications possible through whatever medium is chosen. This section discusses the main types of devices.
Analog Modems
Analog modems are by far the most common means of digital communication from remote locations. Advancements in their speed and reliability have enabled users to do much more than before. Through a process called modulation, analog modems convert digital data into an audio signal that can be broadcast over the standard telephone system.
Initially, analog modem manufacturers attempted to maximize throughput by maximizing the baud rate (see the following Note). Eventually, it was found that 2,400 signal transitions per second was the upper limit for signal transitions transmitted through the telephone system.
NOTE: Baud is the number of discrete conditions or signal elements per second. It signifies the maximum capacity for information carrying of a communication channel in symbols per second. A symbol is a unique state of the communication channel, distinguishable by the receiver from all other possible states. For example, it may be one of two voltage levels on a wire for a direct digital connection, or it might be the phase or frequency of a carrier.Named after J.M.E. Baudot, the French engineer who constructed the first successful teleprinter, the term baud was originally a unit of telegraph signaling speed, set at one Morse code dot per second.
The term baud causes much confusion and is usually best avoided when talking about modem communication rates. Use bits per second (bps) instead.
To surpass this rate, a second technique, called multi-phasing, is used. Multi-phasing sends several 2,400 baud signals at the same time. Each signal is restricted to a specific frequency range so that the signals do not get mixed. This is like several different tunes being whistled simultaneously with each tune being restricted to a certain range of notes. A 28.8 modem sends 14 signals simultaneously at different frequencies. Now, with 33.6 modems, it is believed that we have reached the threshold of the number of signals that can be sent simultaneously because of the limited frequency range available on the telephone system. However, analog modem manufacturers are beginning to explore asymmetric transmissions, like those used in ADSL, to maximize downstream transmission rates. Even so, do not expect modems to get a whole lot faster than the 56 Kbps now reached.
The third method that modem manufacturers use to maximize the throughput of analog modems is compression. Hardware compression works the same way software compression works in such programs as PKZip: It is only effective at compressing data that has not already been compressed. Most large programs, pictures, and sounds have already been compressed and, therefore, do not benefit much from the hardware compression applied to them.
ISDN
ISDN is a fully digital technology that enables computers to communicate by sending digital signals as high-speed pulses at rates of up to 128Kbps without converting the signal to an analog or audio signal. ISDN devices come in two forms: routers and terminal adapters.
An ISDN router connects to your computer or to a networking hub through an Ethernet cable. Your computer will need an Ethernet card to use an ISDN router. In general, ISDN routers are more expensive than a terminal adapter because the router is responsible for deciding when to dial the line, when to hang up, and when to add more speed. It is also responsible for moving Internet packets from the ISDN line to the Ethernet. Routers provide greater speed because they can change speeds without having to call back. A routers also provides more flexibility because it is an Ethernet device; therefore, its capabilities can be shared by all computers on the network.
An ISDN terminal adapter connects to your computer's serial port and acts just like an analog modem. Terminal adapters are slightly slower than routers because they are connected to the serial port, which, in most cases, can only handle 115 Kbps. If both B channels are being used for data transmission, this is slightly slower than full capacity. Also, in order to change speeds, the adapter must terminate the connection and reconnect.
ADSL Modems
ADSL is also a fully digital technology. It promises to provide even greater speeds because it is a broad-band technology, meaning it uses much more of the available frequency range for its transmissions.
With ADSL, your modem connects to another ADSL modem at the telephone company's nearest central office. The data is then transmitted over the phone company's backbone using another technology to a third ADSL modem, which then transmits the data to the recipient's ADSL modem (see Figure 11.5).
There are actually four modems involved in an ADSL implementation.
Cable Modems
Like analog modems, cable modems modulate and demodulate the cable signal into a stream of data. Otherwise, the technologies are completely different. Cable modems are much more complicated because they are required to perform many additional functions not required by analog modems. These additional functions can include the following:
The cable modems in use today have an Ethernet port that connects to the computer (or network) on one side and to the cable connection on the other. An Ethernet adapter needs to be installed in the computer and then connected to the cable's Ethernet port via a standard RJ-45 connector. As far as your computer is concerned, it is hooked directly to the Internet via an Ethernet cable. There are no phone numbers to dial and no limitations on serial-port throughput.
Typically, a cable modem sends and receives data in two slightly different fashions. In the downstream direction, the digital data is modulated and then transmitted in several phases simultaneously with each phase using a 6 MHz allocation, somewhere between 42 MHz and 750 MHz.
Cable modem speeds vary greatly, depending on whether the cable lines are used strictly for transmission and what kind of infrastructure the cable company has for supporting two-way communication. In the downstream direction (from the network to the computer), speeds can be anywhere up to 36 Mbps. Modems this fast are not currently on the market, but should appear some time in 1997. Few computers will be capable of connecting at such high speeds, so a more realistic number is 3ó10 Mbps. In the upstream direction (from computer to network), speeds can be up to 10 Mbps. However, most modem producers will probably select a more optimum speed of between 200 Kbps and 2 Mbps.
In the first few years of cable modem deployment, an asymmetric setup will probably be more common than a symmetric setup. In an asymmetric scheme, the downstream channel has a much higher bandwidth allocation than the upstream channel. This is by design, as current Internet applications tend to be asymmetric in nature.
Cable modems are commonly available, although priced significantly higher than twisted pair modems. Each modem manufacturer currently uses a different data-transmission specification, so cable modems from different vendors are incompatible. Standardization is underway and should be in place soon. However, service for cable modems (that is, cable lines that support data transmission) is only available in a few trial areas. As discussed in a previous section, the cable industry has many changes to make in its communication infrastructure to support this technology. Most experts believe that DSL technologies will be implemented more quickly and cheaply and will become the primary high data rate technology.
Line protocols establish the method for the transfer of data over a telephone line. Data is packaged by the networking protocol, and then further packaged by the line protocols before being sent over the communication medium (see Figure 11.6). This section covers line protocols supported by Windows 95.
Line protocols are responsible for encapsulating data to transport it through the transmission medium.
Point-to-Point Protocol
Point-to-Point Protocol (PPP) is a standard encapsulation protocol for the transport of different network protocols across a serial link. It is capable of supporting multiple data protocols on a single connection simultaneously. It also supports link quality testing, header compression, and error detection. Because of its advanced error detection and prevention mechanisms and its built in extensibility, PPP is quickly becoming the defacto standard for both dial-up accounts and semi-permanent connections.
Serial Line IP
Serial Line IP (SLIP) is a very simple remote-access protocol designed to be easy to implement and to offer connectivity across many different platforms. SLIP is commonly used by Internet service providers (ISPs) to offer Internet connectivity to remote users.
The RAS Line Protocol
Remote access capabilities were first provided by Microsoft in LAN Manager 2.1. For early implementations, Microsoft created its own proprietary line protocol also known as RAS. The RAS line protocol was based on Microsoft's proprietary networking protocol NetBEUI. Because it was based on NetBEUI, the RAS line protocol is only capable of supporting NetBEUI and it does not allow for data compression. Using the RAS Line Protocol, you can connect to Windows for Workgroups 3.11 and Windows NT 3.1 servers running the RAS Dial-Up server.
Networking protocols define how data is packaged and prepared for transfer. The actual transfer is then performed by the network adapter, which, in the case of RAS, is the dial-up adapter. This section provides an overview of the networking protocols as they relate to RAS. For more information about networking protocols, see Chapter 4, "Enterprise Planning and Implementation."
TCP/IP
TCP/IP is particularly well suited to remote access because it was designed by the Internet community specifically for transmitting data on the Internet. Because it was designed to operate in environments where the conditions are not particularly suitable for data transmission, it has strong error detection and correction capabilities. For more information about TCP/IP, see Chapter 9, "Using TCP/IP with Windows NT Server."
NetBEUI
NetBEUI (Netbios Extended User Interface) is a network protocol developed by IBM and Microsoft for use on LANs of 250 nodes or fewer. Microsoft initially used NetBEUI to add networking capabilities to its Windows operating system. NetBEUI is not very well suited to remote access applications because its error detection and handling capabilities are not as robust as TCP/IP, and it is not routable. However, if your ' operating systems or line protocols support only NetBEUI, it can be used. For more information about NetBEUI, see Chapter 4, "Enterprise Planning and Implementation."
IPX/SPX
IPX/SPX is the primary network protocol used on NetWare networks. With additions made to it by Novell, it supports routing and works quite well in remote access applications. However, unless Dial-up Networking clients require IPX/SPX or servers can be accessed only using IPX/SPX, there is no reason to support it. For more information about IPX/SPX, see Chapter 4, "Enterprise Planning and Implementation."
A chip known as a Universal Asynchronous Receiver/Transmitter (UART) is fundamental to serial data communication. In short, this device converts parallel data (e.g., 8-bit bytes) into a serial data stream that can be transmitted over a telephone line. Internal modems are equipped with their own UARTS. External modems, however, utilize the UART incorporated into your PC's COM port. If you are using an external modem, it is important to know what type of UART your COM port is using.
A 16550A type UART is capable of transmitting data at speeds of up to 115,200 bps and are fine for 28.8 modems. If you have an 8250 or 16450 type UART, communication between your computer and modem is limited to 19,200 bps. This can cause the modem's buffer to run empty at times, thus decreasing your effective throughput. If you have an 8250 or 16450 type UART and want to connect a 28,800 bps or higher modem, you may want to consider upgrading your UART. If you have a serial card (or motherboard) with a socketed 8250 or 16450 UART, you can replace the chip with a 16550A. You can also purchase an add-on, high-speed data communication card with 16550A (or equivalent) UART from your local computer store at prices ranging from $20 to $75, depending upon the number of ports and other features.
Ten to 20 percent of the data sent between modems for RAS is used to ensure that the data sent is exactly the same as the data received and that none got lost along the way. Several mechanisms are used to ensure data integrity. These methods are explained in the following sections.
Cyclic Redundancy Checks (CRC)
Cyclic redundancy checks are used to preserve the integrity of data in storage and transmission applications. CRC can be performed by hardware or software. In the traditional hardware implementation, a single shift register circuit performs the computations and handles data one bit at a time. In software implementation, the data can be handled in terms of bytes or even words.
CRC uses a mathematical polynomial to check the transmission of both bit-oriented and character-oriented sequences. This polynomial interacts through a predetermined algorithm on the data being transmitted to create a remainder that is transmitted in addition to the data. (The remainder comes from dividing the polynomial into the transmitted bit stream.) The polynomial is chosen to be one bit longer than the desired remainder, and the exact bit pattern chosen depends on the type of errors expected.
Framing Errors
All serial communication is set in chunks of data known as frames. Frame size is usually determined by the line protocol to maximize throughput with a minimum amount of lost data. To set off the frames, each frame begins with a Start bit and ends with the selected number of Stop bits. The number of bits between the Start and Stop bits is sent across as well. If the Stop bit is not where it is supposed to be due to line interference, a framing error occurs. When a framing error is detected, the frame is re-sent so that no data is lost.
Hardware Overruns
A hardware overrun occurs when the data in the serial port buffer is not moved in time to another location before new data overruns it. This arises when your computer is unable to keep up with the transmitted data, which occurs when you have a very slow computer or when your computer is busy performing processor-intensive activities. Although your computer will generally recover without intervention, large data blocks will need to be re-transmitted, significantly reducing overall system performance. Because one of the variables that causes overruns is system loading, do not be surprised if you find that their frequency varies depending on the programs that are running and how they are being used.
Buffer Overruns
A buffer overrun occurs when the data in the modem's buffer is not sent before new data overruns it. This usually signifies a problem with communication between the computer and the modem and can usually be fixed by adjusting your flow control method. Flow control specifies how your modem signals your computer to send additional data or to stop sending data. There are two types of flow controlñhardware (RTS/CTS) and software (Xon/Xoff). Hardware flow control tends to give the most reliable connections.
The minimum hardware requirements for setting up your Windows NT 4.0 server to support RAS are simply a phone line that can be accessed from an outside number and an analog modem. From this very basic setup, there are many other options. In fact, the number and economy of options increases regularly.
Often, the most difficult part of a RAS implementation is choosing the hardware and getting it all to work together. Resource conflicts, modem incompatibilities, poor documentation, imprecise error messages, incompatible protocols, and line noise all can lead to major headaches for the RAS administrator. That is not to mention the problems associated with relatively new technologies, such as ISDN, ADSL, and cable modems.
Choosing the right hardware and making sure you have installed and configured it properly can save you a lot of time and frustration in the future. This section gives guidelines and pointers for choosing the right numbers and types of hardware to suit your needs.
You first need to choose the kind of connection devices to use: analog modems or a faster alternative. Consider the following guidelines:
TIP: Internal modems are not the most flexible option due to the limitation on the number of expansion slots available in a machine. Also, it is more difficult to monitor and diagnose problems with internal modems.
TIP: If you need to support several connection devices, then consider using rack-mounted modem pools, which contain up to sixteen devices in a single rack-mounted unit. These banks take up considerably less space than several individual modems, and incompatibility between the modems is less of a concern. In a non-integrated modem bank, cabling is often messy and confusing, and overheating problems can arise.
Decide the number of connection devices you need. Because this decision really depends on the needs of your enterprise, this is not addressed here. In making your decision, consider your future needs and options and keep flexibility in mind.
NOTE: Under Windows NT 4.0 Server, RAS is capable of supporting up to 256 concurrent connections. However, to support this many connections, you will need a very powerful machine: at least a dual processor. If you anticipate needing this many connections, it would be wise to split the connections among multiple servers to ease administration, maintenance, and upgrading.
For each connection device, you should have one dedicated line of the same type. For example, if you have eight analog modems, you should have eight dedicated analog phone lines. For both analog and digital phone lines, most phone companies offer a service called a rollover phone number, which enables users to dial one phone number, yet access one of many dedicated lines (each assigned to a separate phone number).
NOTE: In order to achieve maximize bandwidth, modems running at 14.4 bps or above must make optimal use of all the frequencies available on an analog phone line. Most phone switches, which companies use to route calls and reduce the number of external lines needed, filter signals to reduce line noise (particularly in higher frequencies). These filters reduce the bandwidth available to modems. This results in slower connection rates and reduced reliability for high speed modems.
There are two basic types of multiport serial boards: UART-based and intelligent. UART-based boards simply transfer data between the modems and the computer. Because of limitations in the speed of UARTS and because the processing load falls on the servers CPU, UART based boards are limited in the number and speed of the modems that they can support.
Intelligent multiport boards have serial port controllers, larger buffers, and they usually contain their own processor-based UART with character recognition and flow control logic. More expensive models also have their own CPU to handle serial I/O and reduce the overall processing load on your server. More powerful boards can support more and faster modems; of course, more powerful boards are more expensive.
NOTE: Multiport boards are notorious for having driver-related problems. Therefore, make sure that the hardware you choose is on the Windows NT 4.0 supported hardware list and that there is a current, reliable driver available for it. Whatever you choose, if you need more than one, make sure that they are the same make and model so you don't have to troubleshoot two completely different sets of problems.
In choosing your multiport board, consider the number and speed of modems that you will need to support. Find available boards that support the number of connections you will need. If you need to support more than 16 modems, you will most likely have to purchase two or more boards, whichñdepending on the boardñcan either be daisy chained together or will each require its own expansion slot. The three most important statistics to consider are throughput, CPU usage (or processor load), and price. The main features that affect these statistics are the amount of RAM, the type of UART, and the type and speed of the onboard processor (if present).
You will need to take all of the preceding information into account when deciding on the system requirements of your RAS server. For most setups, your server will not need to be a dedicated RAS server. The processing load on the RAS server can vary widely depending on the number of connections you plan to support, the speed and type of those connections, and, most importantly, the multiport hardware being used (if it is used).
If you are not using multiport hardware and only have a few connections, the overall load will be very low. With multiport hardware, much of the serial I/O processing should be handled by the multiport hardware; your server will handle most of the networking related load. The documentation that comes with your multiport hardware should have specific information regarding the processing requirements of your server.
Because of the extra level of vulnerability resulting from users being able to access your corporate network without having to physically be in your office, security is a very important part of RAS. The security features offered by RAS, along with the integrated Windows NT Server security, should be enough to keep your private network private if properly implemented and monitored. Microsoft has made security a major issue in both RAS and Windows NT and is using the most advanced and accepted standards in their implementations to ensure the safety of your data.
However, no encryption algorithm is unbreakable. The most advanced hackers have impressive resources at their disposal and will go to great lengths to get what they are looking for. Luckily, advanced hackers tend to focus their efforts on breaking encryption algorithms for the companies that write the encryption algorithms or breaking into sites that have much more interesting data than the average business network contains.
There are many things you can do to ensure the safety of the data contained within your network. This section outlines RAS security mechanisms and how they integrate into the Windows NT Server mechanisms.
The most effective security mechanism that RAS has is its integration with Windows NT. To be able to log in to RAS, you must have an account on the domain on which the RAS server resides and that account must be granted dial-in permission through the Remote Access Admin tool. All security measures that apply to your Windows NT domain also apply to remote access users. Because of this, it is important that you have effective security on your Windows NT domain.
Intercepting data from a RAS connection is a very difficult thing. If someone is able to tap into a RAS transmission, encryption prevents him from being able to decipher the captured data. RAS supports several types of data encryption for password authentication and also supports the RSA RC4 encryption algorithm for all data transmission. This section covers the encryption mechanisms used in RAS. For more information about encryption, go to the RSA Data Security World Wide Web page at www.rsa.com.
Password Authentication Protocol (PAP)
PAP uses clear text (unencrypted) password authentication for user login. Many third-party remote access applications, such as Trumpet Winsock, can only use PAP for user validation and login. Chapter 12, "Implementing Remote Access Service (RAS)," covers enabling and disabling PAP.
Challenge Handshake Authentication Protocol (CHAP)
CHAP requires a challenge response with encryption on the response. Windows NT RAS server supports the following encryption algorithms in conjunction with CHAP authentication:
NOTE: The RSA MD4 is a message-digest algorithm developed by Ron Rivest in 1990. It is meant for digital signature applications where a large message has to be "compressed" in a secure manner before being signed with the private key.
The RAS Network Configuration dialog box enables you to select password encryption settings.
In addition, Windows 95 and the Windows NT 4.0 RAS client support the RSA MD5-CHAP encryption standard, which is used by many third-party PPP servers. The Windows NT RAS server does not support RSA MD5 because this method requires a clear-text password for login to the server.
NOTE: MD5 was developed by Rivest in 1991. It is basically MD4 with additional safety mechanisms to make it harder to break. Although slightly slower than MD4, it is more secure.
RSA RC4 40-Bit Session Key
RAS uses the RC4 encryption algorithm for encrypting and decrypting data. RC4 is a variable key-size stream cipher designed by Ron Rivest for RSA Data Security. RC4 is a confidential and propriety algorithm that uses random permutations for encrypting data. It is generally considered secure. It is popular because of its speed, security, and adjustable key size. Adjustable keys are important because keys larger than 40 bits cannot be exported from the US. Microsoft's implementation uses a 40-bit key.
Because of the serious security concerns presented by a RAS implementation, Microsoft provides additional features which allow you to customize you security setup. These features are described in the following sections.
Callback
With callback, after establishing a connection and validating the user, the RAS server hangs up and then calls back to the remote user to reestablish the connection. This can be used as a security mechanism by either forcing a remote user to call from a single number or, if the user is allowed to specify the callback number, by enabling the return phone number to be monitored.
Third-Party Host Security DLLs
For networks in which the basic Windows NT and RAS level of security is not enough, a third-party security DLL can be installed. The security DLL can then authenticate a remote user by reading security information from a database other than the standard Windows NT user account database. For example, the challenge could be a code that the user must provide as input to a cardkey reader. The cardkey reader then displays a response that the remote user types in the terminal window.
Even if the security DLL authenticates the remote user, the RAS server still performs its own authentication. This ensures that RAS security always authenticates a remote user, even if a security DLL is installed that grants access to all users.
A number of additional steps can be taken to increase the security of remote connections. The measures described in this section should provide most businesses more than adequate protection against unauthorized access to private data.
Restricting Your Remote Access Phone Number
Do not publish your remote access phone number. To be able to break into your Domain through RAS, the person must know the phone number to your RAS server. Because of this, one of the most basic steps that you can take to protect your network is to treat the phone number that provides access to your RAS server as an access code. If you are concerned about security, the phone number should probably not be published and should only be given to users as needed.
TIP: Be aware that there are programs that will try all possible phone numbers for an area to detect all numbers on which a modem answers. Once this number is found, the hacker can try to gain access to the network.
Monitoring Access
If you do suspect that an unauthorized person is gaining access to your network, the tools supplied with RAS should help you to monitor RAS access. You can turn on auditing for the RAS function by setting the Enable Audit key to 1 (found in the Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters). With this enabled, Windows NT records all RAS events into the event log. In addition, all system, application, and security events are also recorded to the event log and can be viewed by administrators using the Event Viewer.
Using Firewalls
Where possible, put RAS servers on the outside of a firewall. If you are using RAS to enable users to access the Internet, e-mail, or some other public domain, consider protecting private network data behind a firewall. For more information about firewalls, see Chapter 17, "I-Net Tools and Techniques."
Restricting Hours for Remote Users
Specify the hours that remote users are permitted access to your system. Hackers tend to do much of their work or run their automated programs late at night. Restricting the hours during which remote access users can log in provides an extra level of security. Of course, you don't want to be overly restrictive and prevent a user from getting work done, particularly when working late to finish up.
Restricting Dial-in Permissions
Grant dial-in permissions only to those who request permissions. Many domain users do not need remote access capabilities, so it is generally a good security policy to grant dial-in permissions only to those who specifically need permissions.
Enabling Authentication
Set the maximum possible encryption settings. If users will be dialing in from
Windows 95 or Windows NT 4.0 machines, choose Require Microsoft
Encrypted Authentication and Require Encrypted Data in the RAS Network
Configuration dialog box.
This chapter is an overview of the devices, technologies, and protocols involved in RAS. With this overview, you should be able to make better decisions while installing and configuring RAS. This chapter also provides you an understanding of the various components and how they work so that you can troubleshoot problems as they arise.
As the need for fast, reliable connectivity has increased, modem technology has steadily improved and connectivity options have grown considerably and become much more affordable. As an administrator, it is important to choose reliable options for your RAS server. You should also expect to play a large role in the decisions and setup of your dial-up networking clients. If necessary, consider establishing guidelines or recommendations for dial-up networking clients. If you expect many users to be dialing in from computers they have set up themselves, you should probably write a document or find an existing document to walk them through the setup process.
For more information about the topics addressed in this chapter, see the following chapters:
© Copyright, Macmillan Computer Publishing. All rights reserved.