Demand-dial routing security
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Demand-dial routing security
Security is less of a concern for demand-dial connections than for router-to-router VPN connections because data is not traveling across a public network like the Internet. However, data may be intercepted as it travels through the infrastructure of your telecommunications provider.
In addition to the security steps listed in Static routing security, you can enhance demand-dial routing security through:
Strong authentication
Data encryption
Strong authentication
For authentication, use the strongest authentication scheme that is possible for your demand-dial configuration. The strongest authentication scheme is the use of EAP-TLS with certificates. For more information, see Deploying certificate-based authentication for demand-dial routing.
Otherwise, use MS-CHAP v2 authentication and enforce the use of strong passwords on your network. For more information, see Enable authentication protocols.
Data encryption
For encryption, you can use either link encryption or end-to-end encryption:
Link encryption encrypts the data only on the link between the two routers. You can use 128-bit Microsoft Point-to-Point Encryption (MPPE). 40-bit MPPE can be used for compatibility with older versions of Microsoft operating systems. You must use MPPE in conjunction with either MS-CHAP or EAP-TLS authentication.
End-to-end encryption encrypts the data between the source host and its final destination. You can use Internet Protocol security (IPSec) to encrypt data from the source host to the destination host across the demand-dial link.
For more information, see Internet Protocol Security (IPSec).
To require encryption, clear the No encryption option and select the appropriate encryption strengths on the Encryption tab of the remote access policy profile that is used by your calling routers. For more information, see Configure encryption.