Page 888 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 888

private network. You may need to further specify this policy by
               indicating that those with portable systems must either remove their

               modems before connecting to the network or boot with a hardware
               profile that disables the modem’s device driver.


               Dial-Up Protocols

               When a remote connection link is established, a protocol must be used
               to govern how the link is actually created and to establish a common

               communication foundation over which other protocols can work. It is
               important to select protocols that support security whenever possible.
               At a minimum, a means to secure authentication is needed, but adding
               the option for data encryption is also preferred. The two primary
               examples of dial-up protocols, PPP and SLIP, provide link governance,
               not only for true dial-up links but also for some VPN links:

               Point-to-Point Protocol (PPP) This is a full-duplex protocol used

               for transmitting TCP/IP packets over various non-LAN connections,
               such as modems, ISDN, VPNs, Frame Relay, and so on. PPP is widely
               supported and is the transport protocol of choice for dial-up internet
               connections. PPP authentication is protected through the use of
               various protocols, such as CHAP and PAP. PPP is a replacement for
               SLIP and can support any LAN protocol, not just TCP/IP.


               Serial Line Internet Protocol (SLIP) This is an older technology
               developed to support TCP/IP communications over asynchronous
               serial connections, such as serial cables or modem dial-up. SLIP is
               rarely used but is still supported on many systems. It can support only
               IP, requires static IP addresses, offers no error detection or correction,
               and does not support compression.


               Centralized Remote Authentication Services


               As remote access becomes a key element in an organization’s business
               functions, it is often important to add layers of security between
               remote clients and the private network. Centralized remote
               authentication services, such as RADIUS and TACACS+, provide this
               extra layer of protection. These mechanisms provide a separation of

               the authentication and authorization processes for remote clients that
   883   884   885   886   887   888   889   890   891   892   893