Remote Access Security
Remote access has a very wide range of applications. Operating system vendors and third-party software developers all offer solutions that allow remote connectivity to different kinds of resources. Special care should be taken in choosing a remote access solution that fits the needs of your library, because every remote access path is also a path an attacker can try.
Some of the main reasons a library may want to implement remote access are as follows:
- Provide access to staff email
- Provide access to the library network
- Provide access to resources inside a library network such as a catalog database
Remote access is simply the process of allowing connectivity to a resource that is usually in a different location. This can be anything from providing full access to a network using VPN technology to allowing a limited number of users access to just one small resource inside a network. There are many solutions and considerations when planning remote access.
Importance of Encryption
One of the most important considerations when establishing remote connectivity is encryption. Encryption ensures that data sent back and forth between two points is in a format that no one except those who hold the key can read. Anyone positioned on the network path with the right tools and knowledge can intercept data, analyze it, and reveal whatever it contains, such as passwords, session cookies and document content. If the data is encrypted with a sound protocol and key, intercepted traffic is useless to the eavesdropper.
VPN (Virtual Private Network) is a very popular method of remote access. It is essentially a method of creating a private entrance to a private network using the Internet, a VPN server and a VPN client. The VPN server acts as the gateway to the private network. It authenticates the VPN client connecting to it and encrypts the data that is then sent back and forth. This private connection is established over the Internet, which normally is not private at all. Once a VPN connection is successfully established, the client is connected just as if it were actually inside the network. A VPN connection can be used for connecting to just about any resource inside a network, such as a mail server, web server, or database. Because the connected client is treated as an inside machine, the security of the client computer itself (patches, antivirus, who else can use it) matters as much as the strength of the VPN.
VPNs can be implemented in various ways. Firewalls often provide VPN access as an added feature. Whether the firewall is a software solution or a device, it often provides some kind of VPN access. Most firewall VPN features require an extra licensing fee to activate and come with proprietary client software. Others allow the use of native VPN client software, such as the VPN client features that come with Windows 2000 and Windows XP. Using a firewall for VPN access is ideal as it consolidates and minimizes points of entry to a network: the VPN port is the only remote access service exposed to the Internet, and everything else stays behind it.
Another popular way to implement VPN connectivity is by using a software solution such as that offered in Windows NT, Windows 2000 Server, or Windows XP. Like a firewall, this requires two network interfaces. A server can be implemented to solely provide VPN access, or VPN server software can be installed on an existing server as long as it has an outside connection to the Internet and a static public IP address. For more on VPN, see this About.com VPN Tutorial.
Terminal emulation, a term this page uses broadly to include remote control and remote desktop products, is another popular form of remote access. Like VPN access, terminal emulation requires a server and a client. However, terminal emulation's specific function is not to connect a client to a network; it is to connect a client to a computer. Terminal emulation allows someone to connect to a computer and use it or its applications as if that computer were actually at the remote site.
As with VPN connectivity, it is important to ensure that encryption is used if the connection is made over a public network such as the Internet. Most products have built-in encryption features; however, many don't have encryption enabled by default (pcAnywhere, for example). It is always important to verify that encryption is actually enabled on the listening service, rather than assuming it from the product documentation.
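One way to perform that verification from outside is to connect to each remote access listener and look at what it speaks. Many services announce themselves in their first bytes (SSH, Telnet option negotiation, VNC's "RFB" banner, FTP/SMTP/POP3/IMAP greetings), and services that wait for the client (HTTPS, some admin consoles) can be tested with a TLS handshake. The script below is an added example written for this page, not a tool from any of the vendors named here; the host names in the `__main__` block are placeholders to be replaced with your own servers, and the banner table is a hand-built set of well-known greetings.

```python
"""Classify remote-access listeners as encrypted or cleartext.

Added example: probe a host:port, read whatever the server volunteers,
and fall back to a TLS handshake for services that wait for the client.
"""
import socket
import ssl
from typing import Tuple

# Telnet option-negotiation commands: WILL, WONT, DO, DONT (always IAC first)
_TELNET_OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}


def classify_banner(data: bytes) -> Tuple[str, bool]:
    """Return (protocol, encrypted) from the first bytes seen on the wire.

    Only protocols whose opening bytes are distinctive are recognised; a
    cleartext greeting with a later STARTTLS upgrade (SMTP, IMAP, POP3)
    still shows up as cleartext here, because the channel starts that way.
    """
    if data.startswith(b"SSH-"):
        return "ssh", True
    if data.startswith(b"RFB "):
        # VNC: the RFB session itself is not encrypted; only the short
        # password challenge is obscured, so treat it as cleartext.
        return "vnc-rfb", False
    if data[:1] == b"\xff" and len(data) >= 3 and data[1] in _TELNET_OPTION_CMDS:
        return "telnet", False
    if data.startswith(b"220 ") or data.startswith(b"220-"):
        lowered = data.lower()
        if b"ftp" in lowered:
            return "ftp", False
        if b"smtp" in lowered:
            return "smtp", False
        return "ftp-or-smtp", False  # 220 is shared by both greetings
    if data.startswith(b"+OK"):
        return "pop3", False
    if data.startswith(b"* OK"):
        return "imap", False
    if data[:1] == b"\x16" and data[1:2] == b"\x03":
        # A TLS record (e.g. a captured ClientHello) rather than a banner.
        return "tls", True
    return "unknown", False


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port and report what the listener speaks."""
    result = {"host": host, "port": port, "protocol": "unknown",
              "encrypted": False, "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(128)
            except socket.timeout:
                banner = b""
            if banner:
                proto, enc = classify_banner(banner)
                result.update(protocol=proto, encrypted=enc,
                              detail=banner[:40].decode("latin-1").strip())
                return result
            # Server said nothing: does the port accept a TLS handshake?
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # we are fingerprinting, not trusting
            ctx.verify_mode = ssl.CERT_NONE
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result.update(protocol="tls", encrypted=True,
                                  detail=tls.version() or "")
            except (ssl.SSLError, socket.timeout, OSError):
                # Client-speaks-first protocol we cannot identify blind
                # (RDP, raw pcAnywhere, proprietary consoles): inspect manually.
                result["protocol"] = "client-speaks-first/unknown"
    except OSError as exc:
        result["protocol"] = "unreachable (%s)" % exc.__class__.__name__
    return result


if __name__ == "__main__":
    # Placeholder targets; replace with your own remote access listeners.
    for host, port in [("vpn.example.org", 443), ("catalog.example.org", 23),
                       ("support-pc.example.org", 5900)]:
        r = probe(host, port)
        flag = "OK " if r["encrypted"] else "FIX"
        print("%s %s:%d %s %s" % (flag, r["host"], r["port"], r["protocol"], r["detail"]))
```

Anything reported as cleartext that is reachable from the Internet should be moved behind the VPN, replaced with an encrypted equivalent, or have the product's encryption option turned on and re-probed.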
Terminal emulation and the related thin client technology have many applications:
- Desktop Support - IT departments often implement terminal emulation technology to provide support to users without having to make an actual visit to their workstations. Support staff can talk to a user by telephone and simultaneously access the user's workstation to make changes or see what the user sees.
- Server Access - As with desktop support, terminal emulation can be used to access servers to avoid visits to a server room or offsite co-location sites.
- Thin Client Workstations - Part of or an entire network can be set up with thin client technology, allowing applications and other resources to be concentrated on servers. The client workstation becomes a kind of "dumb" terminal that only serves to emulate connections to the server, where everything really resides. This kind of setup allows quick and easy workstation setup and makes for low support needs. However, it requires additional configuration time and resources on the server side.
- Offsite Access - Terminal emulation can be used for simple access to workstations while a user is offsite. This is ideal for users who need to access their home or office computers while they are offsite.
There are many terminal emulation products available:
- pcAnywhere - pcAnywhere is one of the most popular terminal emulation products for home and small business users. It provides other features such as FTP, encryption, integration with Windows OS user accounts, and printer mapping.
- Citrix - Citrix's original product, WinFrame, was built on Microsoft's Windows NT 3.51. Its latest release is XenApp, which is designed to work with Microsoft Windows Remote Desktop Services. It enhances many features of Windows RDS, such as printer mapping, drive mapping, seamless emulation of individual applications, and a web access interface that allows users to view and launch applications using a web browser. Citrix also provides Macintosh- and Linux-based clients.
- Other Terminal Emulation Products - The above products are some of the more popular terminal emulation products, but there are many others available. The following is a short list of just a few:
- VNC is a free, basic remote control product. Note that the underlying RFB protocol does not encrypt the session; only the short password challenge is obscured, so standard VNC should be run over an SSH tunnel or a VPN, or replaced by a variant that adds built-in encryption.
- ZOC is a low-cost cross-platform (Windows or Mac) terminal emulator. It supports vt102, vt220 and several ANSI variants as well as Wyse, TVI, 3270, and Sun's CDE.
- PuTTY is a free cross-platform (Windows and UNIX) terminal emulator. It supports SSH-1 and SSH-2 as well as Telnet sessions; SSH-1 is obsolete and should be disabled in favour of SSH-2 wherever possible.
Because almost everyone knows how to use a web browser, it has become a popular interface for many applications. Some may not realize that when you visit an interactive website, you are often gaining some form of remote access. Some ways people use websites for remote access are:
- Web-Based Email - Gmail, Yahoo and Hotmail are excellent examples of how people use a web interface to remotely access their email. Although it appears that you are directly reading your email when logged in to Yahoo or Hotmail, you are not. You are actually using your browser as the client-side software to gain remote access to a mail server that stores your email. These services offer options to use SSL to encrypt activities such as logging in; where the option exists to keep the whole session on SSL rather than just the login page, use it, because an unencrypted session cookie is as good as a password to anyone watching the wire. Other kinds of web-based email are Novell GroupWise WebAccess and Microsoft Exchange's Outlook Web Access. Like Gmail, Hotmail and Yahoo, you log in to a website and use a web interface to gain access to a mail server. Both of these solutions are fairly easy to implement for a standard network, especially one in a library.
- Online Catalog Systems - Many libraries offer public access to their online catalog systems over the Internet. Like web-based email, this solution uses a website to allow access to a database behind the website. Unlike web-based email, encryption and authentication are seldom used for anonymous searching, because the information being passed is not considered sensitive. Any patron account functions the catalog offers (logging in, renewals, holds, viewing borrowing history) do carry credentials and personal data and should be served over SSL.
- Z39.50 Gateways - Z39.50 servers are used to search other library catalogs. The Z39.50 client software may be embedded within the library's OPAC, or it may be a special program the end-user runs to perform the search. Either way, this information is not considered sensitive, and it is usually allowed to pass through the firewall unencrypted.
Although it is not commonly thought of as remote access, UNIX systems that run a telnet service allow remote login by simply connecting to the server's IP address with a telnet client. UNIX systems also allow multiple sessions, enabling more than one user to log in to a server at the same time. Telnet sends the login name, password and every subsequent keystroke in clear text, so it should be disabled on any server reachable from an untrusted network and replaced with SSH, which provides the same multi-user remote login over an encrypted channel.
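To make concrete what "intercept data, analyze it, and reveal passwords" means for an unencrypted protocol such as telnet, the following added example (written for this page, not taken from any product or from the original article) reconstructs a login from the captured packets of a telnet session. The capture is constructed by hand to mirror a typical exchange: option negotiation, a `login:` prompt with the server echoing each typed character, and a `Password:` prompt with no echo. The only work the eavesdropper has to do is strip the Telnet command bytes; against an SSH session the same capture would contain nothing but ciphertext after the version banner.

```python
"""Recover a telnet login from a captured session.

Added example: a passive observer needs nothing more than the ability to
read the packets, because telnet never encrypts anything it carries.
"""
from typing import Dict, Iterable, Optional, Tuple

IAC, SB, SE = 255, 250, 240
OPTION_CMDS = {251, 252, 253, 254}  # WILL WONT DO DONT, each followed by one option byte

Segment = Tuple[str, bytes]  # ("c2s" or "s2c", TCP payload) in wire order


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet command sequences, leaving the user-visible bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                      # command truncated at segment end
        cmd = data[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in OPTION_CMDS:       # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                # IAC SB ... IAC SE subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                          # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_telnet_login(segments: Iterable[Segment]) -> Dict[str, Optional[str]]:
    """Walk the session in order; return the username and password typed."""
    creds: Dict[str, Optional[str]] = {"username": None, "password": None}
    server_text = b""
    client_buf = bytearray()
    state = None                       # None, "user" or "pass"
    for direction, payload in segments:
        clean = strip_telnet_iac(payload)
        if direction == "s2c":
            server_text += clean
            tail = server_text[-32:].lower()
            if tail.endswith(b"login: ") or tail.endswith(b"username: "):
                state, client_buf = "user", bytearray()
            elif tail.endswith(b"password: "):
                state, client_buf = "pass", bytearray()
        elif state is not None:
            for ch in clean:
                if ch in (13, 10):     # CR or LF terminates the field
                    key = "username" if state == "user" else "password"
                    creds[key] = client_buf.decode("latin-1")
                    state = None
                    break
                if ch in (8, 127):     # backspace / delete
                    if client_buf:
                        client_buf.pop()
                else:
                    client_buf.append(ch)
    return creds


# Constructed capture of one telnet login (not real traffic).
CAPTURE = [
    ("s2c", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),  # IAC DO TTYPE/NAWS/...
    ("c2s", b"\xff\xfb\x18\xff\xfb\x20\xff\xfc\x23\xff\xfb\x27"),
    ("s2c", b"\xff\xfa\x18\x01\xff\xf0"),                          # SB TERMINAL-TYPE SEND
    ("c2s", b"\xff\xfa\x18\x00XTERM\xff\xf0"),                     # SB TERMINAL-TYPE IS
    ("s2c", b"\xff\xfb\x01\xff\xfb\x03"),                          # IAC WILL ECHO, WILL SGA
    ("c2s", b"\xff\xfd\x01\xff\xfd\x03"),
    ("s2c", b"\r\ncatalog-srv login: "),
    ("c2s", b"j"), ("s2c", b"j"), ("c2s", b"d"), ("s2c", b"d"),
    ("c2s", b"o"), ("s2c", b"o"), ("c2s", b"e"), ("s2c", b"e"),
    ("c2s", b"\r\x00"),
    ("s2c", b"\r\nPassword: "),                                    # no echo from here on
    ("c2s", b"S"), ("c2s", b"3"), ("c2s", b"c"), ("c2s", b"r"),
    ("c2s", b"3"), ("c2s", b"t"), ("c2s", b"!"),
    ("c2s", b"\r\x00"),
    ("s2c", b"\r\nLast login: Mon from 192.0.2.10\r\n$ "),
]

if __name__ == "__main__":
    print(extract_telnet_login(CAPTURE))
```

Run against the constructed capture, the script prints the username and password in the clear. Feeding it the reassembled streams from a real sniffer (for example, the two TCP payload directions exported from a packet capture) works the same way, which is the whole argument for SSH and for VPNs: the capture of an encrypted session yields the same bytes to the attacker as to anyone else, namely nothing readable.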