Managing Virtual Private Networking

Virtual private networking must be managed just like any other network resource, and VPN security issues, particularly with Internet VPN connections, must be addressed carefully. Consider the following questions:

  • Where is the user account data to be stored?

  • How are addresses assigned to VPN clients?

  • Who is allowed to create VPN connections?

  • How does the VPN server verify the identity of the user attempting the VPN connection?

  • How does the VPN server record the VPN activity?

  • How can the VPN server be managed using industry-standard network management protocols and infrastructure?

Managing Users

Because it is administratively unsupportable to have separate user accounts on separate servers for the same user and try to keep them all simultaneously current, most administrators set up a master account database at a domain controller (PDC) or on a Remote Authentication Dial-in User Service (RADIUS) server. This allows the VPN server to send the authentication credentials to a central authenticating device. The same user account is used for both dial-in remote access and VPN-based remote access.

Managing Addresses and Name Servers

The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection establishment process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client.

For Windows 2000–based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool.

The VPN server must also be configured with DNS and WINS server addresses to assign to the VPN client during IPCP negotiation. For more information about how the VPN server assigns the IP addresses of DNS and WINS servers, see "Remote Access Server" in this book.

Managing Access

For Windows 2000, configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections.

Access by User Account

If you are managing remote access on a user basis, set the remote access permission on those user accounts that are allowed to create VPN connections to Allow access. If the VPN server is only allowing VPN connections, delete the default remote access policy called Allow access if dial-in permission is enabled. Then create a new remote access policy with a descriptive name such as VPN access if allowed by user account.

If the VPN server is also allowing dial-up remote access services, do not delete the default policy, but move it so that it is the last policy to be evaluated.

As an example of typical settings, configure the remote access policy permission to Deny remote access permission and set the conditions and profile settings as listed in Tables 9.1 and 9.2. For detailed information about configuring these settings, see Windows 2000 Server Help.

Table 9.1 Remote Access Policy Conditions for VPN Access by User Account

  Conditions      Setting
  NAS-Port-Type   Virtual

Table 9.2 Remote Access Policy Profile Settings for VPN Access by User Account

  Profile settings     Setting
  Authentication tab   Enable Microsoft encrypted authentication version 2 (MS-CHAP v2) and Microsoft encrypted authentication (MS-CHAP).
  Encryption tab       Select Basic, Strong, or Strongest. Clear No Encryption.

If you want to define different authentication, encryption, or other settings for PPTP or L2TP connections, create separate remote access policies using the Tunnel-Type remote access policy condition set to either the Point-to-Point Tunneling Protocol or the Layer Two Tunneling Protocol.

Access by Group Membership

If you are managing remote access on a group basis, set the remote access permission on all user accounts to Control access through Remote Access Policy. Create a Windows 2000 group with members who are allowed to create VPN connections. If the VPN server only allows VPN connections, delete the default remote access policy called Allow access if dial-in permission is enabled. Then create a new remote access policy with a descriptive name such as VPN access if member of VPN-allowed group.

If the VPN server also allows dial-up networking remote access services, do not delete the default policy but move it so that it is the last policy to be evaluated.

As an example of typical settings, configure the remote access policy permission to Grant remote access permission and set the conditions and profile settings as listed in Tables 9.3 and 9.4. For detailed information about configuring these settings, see Windows 2000 Server Help.

Table 9.3 Remote Access Policy Conditions for VPN Access by Windows 2000 Group

  Conditions       Setting
  NAS-Port-Type    Virtual
  Windows-Groups   Windows 2000 group whose members are allowed to create VPN connections.

Table 9.4 Remote Access Policy Profile Settings for VPN Access by Windows 2000 Group

  Profile settings     Setting
  Authentication tab   Enable Microsoft encrypted authentication version 2 (MS-CHAP v2) and Microsoft encrypted authentication (MS-CHAP).
  Encryption tab       Select Basic, Strong, or Strongest. Clear No Encryption.
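The following is an added model (not part of this chapter or of Windows 2000 itself) of how the remote access policy rules described under "Access by User Account" and "Access by Group Membership" combine: policies are evaluated in order and the first whose conditions all match is used, the user account's Allow or Deny overrides the policy's permission unless the account is set to Control access through Remote Access Policy, and the matched policy's profile then restricts the authentication method and encryption level. The user names, the group name "VPN Users" and the connection attempts are constructed for the example; the policy names and settings are the ones from Tables 9.1 through 9.4.

```python
ALLOW, DENY, POLICY = "Allow", "Deny", "Policy"  # user-account dial-in permission
PROFILE = {"auth": {"MS-CHAP v2", "MS-CHAP"}, "encryption": {"Basic", "Strong", "Strongest"}}

def matches(policy, attempt, groups):
    """Every condition on the policy must hold for the connection attempt."""
    for attr, wanted in policy["conditions"].items():
        if attr == "Windows-Groups":
            if wanted not in groups.get(attempt["user"], set()):
                return False
        elif attempt.get(attr) != wanted:
            return False
    return True

def evaluate(policies, accounts, groups, attempt):
    """First matching policy wins; the account's Allow/Deny overrides its permission
    unless the account defers to policy; the profile then limits auth and encryption."""
    policy = next((p for p in policies if matches(p, attempt, groups)), None)
    if policy is None:
        return (False, "no policy matched")
    decision = {ALLOW: True, DENY: False}.get(accounts[attempt["user"]])
    if decision is None:  # Control access through Remote Access Policy
        decision = policy["permission"] == "Grant"
    if not decision:
        return (False, "denied by " + policy["name"])
    if attempt["auth"] not in policy["profile"]["auth"]:
        return (False, "authentication method rejected by profile")
    if attempt["encryption"] not in policy["profile"]["encryption"]:
        return (False, "encryption level rejected by profile")
    return (True, "granted by " + policy["name"])
VIRTUAL = {"NAS-Port-Type": "Virtual"}
# The default policy's only condition covers all times, so it matches every attempt.
DEFAULT = {"name": "Allow access if dial-in permission is enabled",
           "conditions": {}, "permission": "Deny", "profile": PROFILE}
BY_ACCOUNT = {"name": "VPN access if allowed by user account",
              "conditions": VIRTUAL, "permission": "Deny", "profile": PROFILE}
BY_GROUP = {"name": "VPN access if member of VPN-allowed group",
            "conditions": {**VIRTUAL, "Windows-Groups": "VPN Users"},
            "permission": "Grant", "profile": PROFILE}

def vpn(user, auth="MS-CHAP v2", encryption="Strong"):  # constructed attempt
    return {"user": user, "NAS-Port-Type": "Virtual", "auth": auth, "encryption": encryption}
def access_by_user_account():
    """Table 9.1/9.2 setup: alice's account says Allow, bob's defers to the policy."""
    accounts = {"alice": ALLOW, "bob": POLICY}
    return [evaluate([BY_ACCOUNT], accounts, {}, vpn(u))[0] for u in ("alice", "bob")]

def access_by_group(default_last=True):
    """Table 9.3/9.4 setup; default_last=False shows why the default policy goes last."""
    accounts, groups = {"alice": POLICY, "bob": POLICY}, {"alice": {"VPN Users"}}
    order = [BY_GROUP, DEFAULT] if default_last else [DEFAULT, BY_GROUP]
    return [evaluate(order, accounts, groups, vpn(u))[0] for u in ("alice", "bob")]
```

Running access_by_group(default_last=False) shows the failure mode the text warns about: the default policy matches every attempt first and, with every account deferring to policy, denies even group members.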

Managing Authentication

The VPN server can be configured to use either Windows or RADIUS as an authentication provider. If Windows is selected as the authentication provider, the user credentials sent by users attempting VPN connections are authenticated using typical Windows authentication mechanisms.

If RADIUS is selected and configured as the authentication provider on the VPN server, user credentials and parameters of the connection request are sent as a series of RADIUS request messages to a RADIUS server.

The RADIUS server receives a user-connection request from the VPN server and authenticates the user using its authentication database. A RADIUS server can also maintain a central storage database of other relevant user properties. In addition to a yes or no response to an authentication request, RADIUS can inform the VPN server of other applicable connection parameters for this user — such as maximum session time, static IP address assignment, and so on.

RADIUS can respond to authentication requests based on its own database, or it can be a front end to another database server, such as a generic Open Database Connectivity (ODBC) server or a Windows 2000 PDC. The latter example can be located on the same computer as the RADIUS server, or elsewhere. In addition, a RADIUS server can act as a proxy client to a remote RADIUS server.

The RADIUS protocol is described in RFC 2138 and RFC 2139. For more information about the RADIUS protocol and the Windows 2000–based RADIUS server known as Internet Authentication Service, see "Internet Authentication Service" in this book.

Managing Accounting

You can configure the VPN server to use either Windows or RADIUS as an accounting provider. If you select Windows as the accounting provider, the accounting information accumulates on the VPN server for later analysis. If you select RADIUS, RADIUS accounting messages are sent to the RADIUS server for accumulation and later analysis.

You can configure most RADIUS servers to place authentication request records into an accounting file. A number of third parties have written billing and audit packages that read RADIUS accounting records and produce various useful reports. For more information about RADIUS accounting, see RFC 2139.
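As an added example (not code from this chapter or from Internet Authentication Service) covering both the RADIUS authentication exchange described under "Managing Authentication" and the accounting messages under "Managing Accounting", the following builds a RADIUS Access-Request the way a VPN server would, builds and verifies the Access-Accept Response Authenticator of RFC 2138 under the shared secret, and builds an Accounting-Request whose authenticator follows RFC 2139. The shared secret, user name and attribute values are constructed for the example; NAS-Port-Type value 5 is the standard "Virtual" value that matches the policy condition in Tables 9.1 and 9.3.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret for this example; a VPN server and RADIUS server share their own.
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, SESSION_TIMEOUT, NAS_PORT_TYPE = 1, 27, 61
NAS_PORT_TYPE_VIRTUAL = struct.pack("!I", 5)  # the "Virtual" value a VPN server reports

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then Type-Length-Value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def access_request(ident, attrs):
    """VPN server side: a fresh, unpredictable Request Authenticator per request."""
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)

def access_accept(request, attrs, secret):
    """RADIUS server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2138 section 3)."""
    unsigned = build_packet(ACCESS_ACCEPT, request[1], bytes(16), attrs)
    auth = hashlib.md5(unsigned[:4] + request[4:20] + unsigned[20:] + secret).digest()
    return unsigned[:4] + auth + unsigned[20:]

def verify_response(response, request, secret):
    """VPN server side: a reply is trusted only if its Identifier matches the
    outstanding request and its Response Authenticator recomputes under the secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def accounting_request(ident, attrs, secret):
    """RFC 2139: an Accounting-Request is authenticated with 16 zero octets in the
    Authenticator field rather than a random value."""
    unsigned = build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    auth = hashlib.md5(unsigned[:4] + bytes(16) + unsigned[20:] + secret).digest()
    return unsigned[:4] + auth + unsigned[20:]

def demo():
    """A genuine Access-Accept verifies; one signed with the wrong secret does not."""
    req = access_request(7, [(USER_NAME, b"alice"), (NAS_PORT_TYPE, NAS_PORT_TYPE_VIRTUAL)])
    reply = [(SESSION_TIMEOUT, struct.pack("!I", 3600))]  # a per-user parameter RADIUS can return
    good = access_accept(req, reply, SECRET)
    forged = access_accept(req, reply, b"wrong-secret")
    return verify_response(good, req, SECRET), verify_response(forged, req, SECRET)
```

The verification step is what keeps an Access-Accept from being accepted from anyone who can reach the VPN server's RADIUS port without the shared secret, so the secret should be long and unique per VPN server and RADIUS server pair.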

Network Management

The computer acting as the VPN server can participate in a Simple Network Management Protocol (SNMP) environment as an SNMP agent if the Windows 2000 SNMP Service is installed. The VPN server records management information in various object identifiers of the Internet Management Information Base (MIB) II, which is installed with the Windows 2000 SNMP service. Objects in the Internet MIB II are documented in RFC 1213.