Planning Security for a VPN
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Because a dial-up networking solution carries data over a dedicated, circuit-switched connection between the client and the server, the data path is not exposed to the intermediate systems of a shared network, and link security is not a critical issue in your design for a dial-up remote access solution. In contrast, a VPN remote access solution routes data over a packet-switched network (typically the Internet) that does not intrinsically provide confidentiality, integrity, or authentication for the traffic it carries. Therefore, security is an important part of your VPN remote access server design.
The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES (3DES) for encryption. Certificate-based IPSec authentication requires a computer certificate on the VPN server and on each VPN client, so this choice depends on the certificate infrastructure that you plan for remote access. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol, and require 128-bit MPPE encryption. Note that with PPTP the MPPE keys are derived from the user's password through the MS-CHAPv2 exchange, so the effective strength of the connection depends on the strength of user passwords as well as on the key length you select.
In designing security for your VPN remote access server solution, perform the following tasks:
Select a VPN protocol.
Select authentication protocols.
Select the scope and level of encryption.
If needed, plan a certificate infrastructure to support client authentication for remote access.
Optionally, plan for Network Access Quarantine Control.
Optionally, enhance security by using remote access account lockout.
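The following script is an added example and is not part of the original article or of any Microsoft tool; it applies the authentication-protocol and account-lockout tasks above to a Windows Server 2003 RRAS server. It assumes it is run in an elevated PowerShell session on the RRAS server itself (the netsh lines can also be pasted into cmd), that the Routing and Remote Access role is already installed, and it encodes a hypothetical policy of MS-CHAPv2 and EAP only, with remote access account lockout after five failed attempts and a sixty-minute reset. The registry values it writes are the documented MaxDenials and ResetTime (mins) settings under the RemoteAccess\Parameters\AccountLockout key.

```powershell
# Added example, not from the original article.
# Assumes: elevated session on the RRAS VPN server, RRAS role installed.
# Hypothetical policy: allow MS-CHAPv2 and EAP only; lock out remote access
# after 5 consecutive failures; clear the failure counter after 60 minutes.

# 1. Authentication protocols.
#    PAP sends the password in the clear; SPAP, MD5-CHAP and MS-CHAP v1 are
#    weaker than MS-CHAPv2. EAP is what certificate-based (EAP-TLS) clients use.
foreach ($weak in 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP') {
    # Deleting a type that is not enabled reports an error; that is harmless here.
    netsh ras delete authtype "type=$weak" | Out-Null
}
foreach ($strong in 'MSCHAPv2', 'EAP') {
    netsh ras add authtype "type=$strong" | Out-Null
}

# 2. Remote access account lockout.
#    This is separate from the domain account lockout policy. MaxDenials = 0
#    (the default) disables it. A user's failure counter is cleared by a
#    successful logon or after "ResetTime (mins)" minutes; an administrator can
#    clear a locked account early by deleting its "domain:user" subkey.
$lockout = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
Set-ItemProperty -Path $lockout -Name 'MaxDenials'       -Value 5  -Type DWord
Set-ItemProperty -Path $lockout -Name 'ResetTime (mins)' -Value 60 -Type DWord

# 3. Review the result. Encryption strength and permitted tunnel type are set
#    per remote access policy profile (Encryption tab, Tunnel-Type condition)
#    in the Routing and Remote Access or IAS snap-in, not from netsh.
netsh ras show authtype
Get-ItemProperty -Path $lockout | Select-Object MaxDenials, 'ResetTime (mins)'
```

Because the lockout counter is keyed on the user name rather than on the caller, an attacker who knows a user name can lock that user out of remote access by sending repeated bad passwords; choose MaxDenials and the reset time with that denial-of-service trade-off in mind, and pair the setting with strong passwords or certificate-based EAP so that guessing does not succeed within the allowed attempts.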
You can increase the security and manageability of your remote access server solution by using Internet Authentication Service (IAS) to centralize VPN or dial-up networking authentication, authorization, and accounting. In operating systems in the Windows 2000 Server family, IAS is an implementation of a RADIUS server; in Windows Server 2003, IAS is an implementation of a RADIUS server and proxy. For information about designing and deploying IAS, see "Deploying Internet Authentication Service (IAS)" in this book.