Planning Security for a VPN
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Because a dial-up networking solution provides a secure data path over a circuit-switched connection, security is not a critical issue in your design for a dial-up remote access solution. In contrast, a VPN remote access solution routes data over a packet-switched connection that does not intrinsically provide the same level of security. Therefore, security is an important part of your VPN remote access server design.
The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.
In designing security for your VPN remote access server solution, perform the following tasks:
Select a VPN protocol.
Select authentication protocols.
Select the scope and level of encryption.
If needed, plan a certificate infrastructure to support client authentication for remote access.
Optionally, plan for Network Access Quarantine Control.
Optionally, enhance security by using remote access account lockout.
Note
- You can increase the security and manageability of your remote access server solution by using IAS to centralize VPN or dial-up networking authentication, authorization, and accounting. In operating systems in the Windows 2000 Server family, IAS is an implementation of a RADIUS server; in Windows Server 2003, IAS is an implementation of a RADIUS server and proxy. For information about designing and deploying Internet Authentication Service (IAS), see "Deploying Internet Authentication Service (IAS)" in this book.