1. Remote Access Service
   1. any combination of hardware and software to enable the remote access tools or information that typically reside on a network of IT devices. A remote access service connects a client to a host computer, known as a remote access server.
2. Challenge Handshake Authentication Protocol (CHAP)
   1. A layer 2 authentication protocol, used to authenticate a user or network host to an authenticating entity.
   2. CHAP provides protection against replay attacks by the peer, through the use of an incrementally changing identifier and a variable challenge-value.
   3. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. Because of this, CHAP provides better security compared to Password Authentication Protocol (PAP) which is vulnerable for both these reasons.
   4. The version of CHAP specific to Microsoft, MS-CHAP, does not require either peer to know the plaintext and does not transmit it, but it has been broken.
   5. CHAP is specified in RFC 1994.
   6. CHAP, PPP, and LCP:
      1. CHAP is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients.
      2. CHAP periodically verifies the identity of the client by using a three-way handshake.
      3. This happens at the time of establishing the initial link using Link Control Protocol (LCP), a protocols used with PPP, and may happen again at any time afterwards.
      4. The verification is based on a shared secret (such as the client's password).
   7. CHAP authentication follows these steps:
      1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
      2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
      3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
      4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
3. Virtual Private Networks
   1. Virtual Private Network (VPN):
      1. A technology that extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
      2. Applications running across a VPN may benefit from the functionality, security, and management of the private network.
   2. List secure VPN connection protocols:
      1. IPsec
      2. SSL/TLS
      3. Secure Shell (Rarely)
   3. Older VPNs use either:
      1. Point-to-Point Protocol (PPTP):
         1. Port 1723
      2. Layer 2 Tunneling Protocol (L2TP):
         1. Port 1701
         2. L2TP may use IPsec.
   4. OpenVPN:
      1. A free and open-source software application that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
      2. Uses a custom security protocol that utilizes SSL/TLS for key exchange. Because TLS operates at the Application Layer, OpenVPN is capable of traversing network address translators (NATs) and firewalls.
      3. OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or username/password.
      4. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.
      5. OpenVPN has been ported and embedded to several systems.
   5. Explain the concept of split tunneling:
      1. A computer networking concept which allows a user to access dissimilar security domains, like a public network and a local LAN or WAN, at the same time, using the same network connections.
      2. This connection state is usually facilitated through the simultaneous use of a LAN NIC, radio NIC, WLAN NIC, and VPN client software application without access control.
      3. A split tunnel configured to only tunnel traffic destined to a specific set of destinations is called a split-include tunnel.
      4. When configured to accept all traffic except traffic destined to a specific set of destinations, it is called a split-exclude tunnel.
   6. Generic Routing Encapsulation (GRE):
      1. A tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of Layer 3 protocols inside virtual point-to-point links over an IP network.
      2. GRE may be used:
         1. with PPTP, to create a VPN
         2. with an IPsec VPN, to allow routing between connected networks
         3. with Linux and BSD systems, to establish ad-hoc IP over GRE tunnels that are interoperable with Cisco equipment
         4. to connect a DDoS-protected device to an otherwise unprotected endpoint device, with the goal of protecting the second device from the DDoS attack.
         5. with MPLS, to provide security from the open nature of MPLS network architecture.
4. RADIUS and TACACS+
   1. RADIUS:
      1. Remote Authentication Dial-In User Service
         1. AAA protocol mainly used to provide network access services.
         2. The authentication and authorization parts are specified in RFC 2865, while the accounting part is specified in RFC 2866.
         3. RADIUS is a client-server protocol:
            1. In the context of RADIUS, the client is the access server, which is the entity to which a user sends the access request.
            2. The server is usually a machine running RADIUS services and that provides authentication and authorization responses containing all the information used by the access server to provide service to the user.
         4. The RADIUS server can act as proxy for other RADIUS servers or other authentication systems.
         5. RADIUS can support several types of authentication mechanisms, such as PPP PAP, CHAP, and EAP. It also allows protocol extension via the attribute field.
      2. RADIUS AAA consists of three processes:
         1. Authentication
         2. Authorization
         3. Accounting
            1. Performed over UDP port 1813
            2. The accounting exchange consists of two messages:
            3. ACCOUNTING-REQUEST
            4. ACCOUNTING-RESPONSE
            5. Accounting can be used to specify how long a user has been connected to the network (the start and stop of a session).
         4. Performed together over UDP port 1812
            1. This phase consists of two messages:
            2. The access server sends an ACCESS-REQUEST to the RADIUS server that includes the user identity, the password, and other information about the requester of the access (for example, the IP address).
            3. The RADIUS exchange is authenticated by using a shared secret key between the access server and the RADIUS server.
            4. Only the user password information in the ACCESS-REQUEST is encrypted; the rest of the packets are sent in plaintext.
            5. The RADIUS server may reply with three different messages:
            6. ACCESS-ACCEPT if the user is authenticated. This message will also include in the Attribute field authorization information and specific vendor information used by the access server to provide services.
            7. ACCESS-REJECT if access for the user is rejected.
            8. ACCESS-CHALLENGE if additional information is needed, RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.
   2. TACACS+:
      1. Terminal Access Controller Access Control System Plus (TACACS+)
         1. A proprietary protocol developed by Cisco.
         2. It also uses a client-server model:
            1. The TACACS+ client is the access server
            2. The TACACS+ server is the machine providing TACACS+ services (that is, authentication, authorization, and accounting).
         3. Similar to RADIUS, TACACS+ also supports protocol extension by allowing vendor-specific attributes and several types of authentication protocols.
         4. TACACS+ uses TCP as the transport protocol, and the TACACS+ server listens on port 49. Using TCP ensures a more reliable connection and fault tolerance.
         5. TACACS+ performs authentication, authorization, and accounting as three separate steps. This allows the use of different protocols (for example, RADIUS) for authentication or accounting.
         6. Additionally, the authorization and accounting capabilities are more granular than in RADIUS (for example, allowing specific authorization of commands). This makes TACACS+ the preferred protocol for authorization services for remote device administration.
      2. Packet Types used by TACACS+:
         1. START, REPLY and CONTINUE packets are used during the authentication process.
         2. REQUEST and RESPONSE packets are used during the authorization and accounting process.
      3. TACACS+ AAA consists of three processes:
         1. Authentication
            1. The access server sends a START authentication request.
            2. The TACACS+ server sends a REPLY to acknowledge the message and ask the access server to provide a username.
            3. The access server sends a CONTINUE with the username.
            4. The TACACS+ server sends a REPLY to acknowledge the message and ask for the password.
            5. The access server sends a CONTINUE with the password.
            6. The TACACS+ server sends a REPLY with authentication response (pass or fail).
         2. Authorization
         3. Accounting
   3. Discuss the differences between TACACS+ and RADIUS:
      1. RADIUS:
         1. Transport Protocol:
            1. UDP
         2. Security:
            1. Encrypts user password in ACCESS-REQUEST packets.
         3. AAA Phases:
            1. Authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange.
         4. Command Authorization:
            1. No support for granular command authorization.
         5. Accounting:
            1. Strong accounting capabilities.
         6. Standards:
            1. RFC 2865 (authentication and authorization)
            2. RFC 2866 (accounting)
      2. TACACS+:
         1. Transport Protocol:
            1. TCP
         2. Security:
            1. Can optionally encrypt the full payload.
         3. AAA Phases:
            1. Authentication, authorization, and accounting are performed with separate exchanges.
         4. Command Authorization:
            1. Allows command authorization.
         5. Accounting:
            1. Basic accounting capabilities.
         6. Standard:
            1. Cisco proprietary