Virtual Private Networks

Virtual private networks (VPNs) provide secure network services over a public network, like a private network does, but at a reduced cost. VPNs allow company staff and other authorized users to connect to the corporate network from remote locations as securely as they can from a company site. Therefore, all corporate network services can be securely offered over VPNs. VPNs require more effort than nonsecured public connections to understand, set up, and support, but they provide fully secure connections using low-cost Internet or similar connections.

You can use VPNs in conjunction with Routing and Remote Access, but this is not required. You can set up VPNs between sites using any kind of link and you can also use them within a site for enhanced security.

Virtual private networks typically work as follows:

  • The user dials into any Internet service provider (ISP).

  • The VPN client software contacts a designated VPN server owned by your company through the Internet and initiates authentication.

  • The user is authenticated and security details are provided.

  • The VPN server provides a new Transmission Control Protocol/Internet Protocol (TCP/IP) address to the client computer and the client computer is directed to send all further network traffic with that address through the VPN server.

  • All network packets are then fully encrypted as they are exchanged in a manner that only the VPN client and VPN server can decrypt.

Figure 17.4 illustrates the relationships among these computers.


Figure 17.4 Sample Virtual Private Network Configuration

You can also use VPNs to connect multiple computers at a site to your corporate network, or to restrict communications with a subnet to authorized staff only.

Windows 2000 Server includes Windows 2000 VPN software as part of Routing and Remote Access, which is an optional Windows 2000 component. The Internetworking Guide contains extensive information about how Windows 2000 VPNs work and what facilities they provide. Windows 2000 Server Help describes how to install VPNs.

Deploying VPNs

If you are planning to deploy VPNs, there are various issues you need to consider, such as:

  • Which security protocol to use — Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).

  • Whether to use IPSec (if L2TP is selected).

  • What certificates to use when connecting with L2TP/IPSec.

  • Where to locate the VPN server — in front of your firewall, behind it, or beside it.

  • How to use Connection Manager to give users predefined settings.

  • How to use VPNs as part of your remote access policy.


Point-to-Point Tunneling Protocol (PPTP) is a TCP/IP network protocol that encapsulates IP, IPX, or NetBIOS Enhanced User Interface (NetBEUI) protocols. PPTP allows non-TCP/IP, or multiprotocol, network activity over the Internet (or similar networks). PPTP-based VPNs also provide user authentication, access control, and the opportunity to apply dial-up profiles to carefully restrict certain types of remote access use by specific users. PPTP provides an internal address configuration to the remote client, so they can participate on the internal network as if they were directly connected. PPTP provides compression and options for standard and strong RC4 (a symmetric stream cipher) encryption for the traffic that is carried inside the tunnel.

L2TP is very similar to PPTP but uses UDP, and therefore can be used over asynchronous transfer mode (ATM), Frame Relay, and X.25 networks as well. When L2TP is used over IP networks, it uses a UDP port 1701 packet format for both a control channel and a data channel. L2TP can also be used with IPSec to provide a fully secured network link. IPSec first does a security negotiation, using certificates for authentication, between client and VPN server for L2TP traffic. L2TP then provides authentication using a user account and password or using a user certificate.

Internet Protocol Security

Internet Protocol Security (IPSec) is a protocol for securing Internet Protocol (IP) network traffic. IPSec provides complete security between two computers, so that no section of the connection is insecure. Configuration of IPSec is performed using IPSec policies. These policies can contain a number of security rules, each one specifying a certain type of traffic with filters, associated with a filter action and authentication method. IPSec policies can be created and assigned locally on a computer, or in Active Directory within Group Policy.

Note

IPSec does provide end-to-end IP security, but it does not encrypt all protocols that run over IP. IPSec has built-in exemptions for certain traffic such as Internet Key Exchange negotiation, Kerberos authentication, IP broadcast, and IP multicast traffic. If necessary, additional protocols can be exempted by creating IPSec rules with a filter to specify the type of traffic and a filter action of permit.

For more information about IPSec, see Windows 2000 Server Help, and the TCP/IP Core Networking Guide. For more information about planning the deployment of your certification authority in a public key infrastructure, see "Planning Your Public Key Infrastructure" in this book.

VPN Server Location

You can use VPNs in conjunction with firewalls. Although VPNs can act similarly to firewalls, each offers additional benefits that the other cannot, and therefore both might be needed. In such a situation, consider the location of the VPN server in relation to the firewall.

Physically, you can install the two on the same server. This creates a single point of failure if the server is unavailable or if the security of the server is compromised. However, having fewer servers reduces the probability of server unavailability, as well as reducing the costs of server maintenance. There can also be capacity implications. Consider how each of these factors affects your situation to determine the specific design you need.

A more significant set of issues is the logical relationship of the VPN server to the firewall. The options, as shown in Figure 17.5, are to have the VPN server logically in front of the firewall, behind it, or beside it. Windows 2000 can provide firewall services, either with Proxy Server or using packet filter routing. For more information about these kinds of solutions, see "Routing and Remote Access Service" in the Internetworking Guide.

When the VPN server is in front of the firewall, the firewall only provides its external services to authorized VPN users. Therefore, general Internet or similar access is not provided. The exception to this is if Internet access is provided at the far end of the VPN connections.


Figure 17.5 Sample Logical Positioning of VPN Server in Relation to a Firewall

When the VPN server is behind the firewall, the firewall provides all its traditional services, but it needs to be configured to open ports that are needed by the VPN server. These include ports needed for IPSec if you are using an L2TP with IPSec VPN.

When the VPN server is beside the firewall, each provides its services independently of the other. However, this configuration provides two access routes to the corporate network, which increases potential for a security breach. Normally, neither provides a route around the other, but with two routes, the risk is doubled.

Choosing the best relationship for your situation depends on which security issues you are most comfortable with. With the servers beside each other, you have two routes into your Intranet, and thus two sets of security risks. With the VPN server behind the firewall, you have to open more ports on the firewall. With the VPN server in front of the firewall, the VPN server does not benefit from the security that the firewall provides, but all the traffic it processes does benefit from the firewall.
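The "open more ports" trade-off for a VPN server behind the firewall can be checked mechanically. The following is an added example, not part of the original guide: it compares a firewall's inbound allow-list with what each tunnel type needs and flags VPN openings that are missing or unnecessary. The protocol numbers (TCP 1723 and GRE for PPTP, UDP 500 and ESP for L2TP with IPSec) are standard assignments assumed here rather than values from this page, and the `Rule` type and sample rules are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    ip_proto: int             # IP protocol number: 6=TCP, 17=UDP, 47=GRE, 50=ESP
    dst_port: Optional[int]   # None for protocols that have no ports

# What the firewall must pass inbound to the VPN server, per tunnel type.
# Assumption: standard protocol assignments, not values stated on the page.
REQUIRED = {
    "pptp": {Rule(6, 1723), Rule(47, None)},        # PPTP control + GRE data
    "l2tp-ipsec": {Rule(17, 500), Rule(50, None)},  # IKE negotiation + ESP
}
# L2TP's UDP 1701 is carried inside ESP when IPSec is used, so the firewall
# never sees it in the clear and does not need a rule for it.
VPN_RELATED = set().union(*REQUIRED.values()) | {Rule(17, 1701)}

def _key(rule):
    # Sort key that tolerates port-less protocols.
    return (rule.ip_proto, rule.dst_port or 0)

def audit(allowed, tunnel):
    """Compare an inbound allow-list with what one tunnel type needs."""
    allowed, required = set(allowed), REQUIRED[tunnel]
    return {
        "missing": sorted(required - allowed, key=_key),
        "unneeded": sorted((allowed & VPN_RELATED) - required, key=_key),
    }

# Constructed sample: allow-list of a firewall in front of an L2TP/IPSec server.
SAMPLE_ALLOWED = [Rule(17, 500), Rule(17, 1701), Rule(6, 1723), Rule(6, 443)]

if __name__ == "__main__":
    report = audit(SAMPLE_ALLOWED, "l2tp-ipsec")
    for kind, rules in report.items():
        for r in rules:
            print(kind, r)
```

On the sample, the audit reports that ESP is not permitted (so the tunnel would negotiate but carry no data) and that the PPTP and clear-text L2TP openings are not needed for this tunnel type.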

Connection Manager

Providing VPN facilities to your users requires some configuration on each client computer. The settings are not necessarily easy to make; however, Windows 2000 includes a Connection Manager that eases the user setup process.

Connection Manager operates on computers running Microsoft® Windows® 95, Microsoft® Windows® 98, Microsoft® Windows NT®, or Windows 2000. Windows 2000 servers also have an administrative kit, called the Connection Manager Administration Kit, which allows you to create a customized connection manager for your users.

For more information about connections, the Connection Manager, and Connection Manager Administration Kit, see Windows 2000 Server Help. After following the instructions in Windows 2000 Server Help and running the Connection Manager Administration Kit, you will have a program and documentation that you can distribute to your users.

Remote Access Policies

Remote access policies allow you to specify which people can use Routing and Remote Access, and the various conditions that will be applied when they connect. You can specify policies based on which Windows 2000 group the user is in, the phone number they use, the time of day, and other relevant information. The policies can specify that the connection should be accepted or rejected, and a profile can be applied to the connection. The profile can specify how long the session can last, how long it can be idle, what kinds of dial-up media are allowed, which addresses are allowed, what authentication methods are required, and whether encryption or a VPN is required.

You can set remote access policies for either Routing and Remote Access or for Internet Authentication Service (IAS), which is discussed later in this section. For more information about remote access policies, including how to set them up and the options the policies provide, see Windows 2000 Server Help.

Consider applying different policies to different groups or conditions carefully. It is possible for policies to overlap and thus to disallow people that you intended to allow to dial-up, or to cause other problems. A complex combination of policies makes such problems more likely. Therefore, it is best to minimize the number of policies whenever possible. Windows 2000 Server Help includes a recommended procedure for troubleshooting remote access policies if problems develop.
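The overlap problem described above can be reproduced with a small model. This is an added example, not part of the original guide: it assumes a simplified evaluation in which policies are checked in order, the first policy whose conditions match decides the outcome, and an attempt that matches no policy is rejected. Per-user dial-in settings and profile constraints are left out, and the policy names, groups, and users are constructed.

```python
from typing import Callable, NamedTuple

class Attempt(NamedTuple):
    user: str
    groups: frozenset
    hour: int                 # local hour of the connection attempt, 0-23

class Policy(NamedTuple):
    name: str
    matches: Callable[[Attempt], bool]
    grant: bool

def evaluate(policies, attempt):
    """First matching policy decides; no match means reject (assumed model)."""
    for policy in policies:
        if policy.matches(attempt):
            return policy.grant, policy.name
    return False, None

def unintended(policies, expectations):
    """List (user, hour, deciding policy) where the outcome differs from intent."""
    problems = []
    for attempt, intended in expectations:
        granted, decided_by = evaluate(policies, attempt)
        if granted != intended:
            problems.append((attempt.user, attempt.hour, decided_by))
    return problems

# Constructed policies: staff only in business hours, administrators any time.
AFTER_HOURS = Policy("Deny after hours", lambda a: a.hour < 8 or a.hour >= 18, False)
ADMINS = Policy("Allow VPN-Admins", lambda a: "VPN-Admins" in a.groups, True)
STAFF = Policy("Allow Staff", lambda a: "Staff" in a.groups, True)

# Constructed test matrix: (attempt, outcome the administrator intends).
EXPECT = [
    (Attempt("alice", frozenset({"VPN-Admins", "Staff"}), 22), True),
    (Attempt("bob", frozenset({"Staff"}), 10), True),
    (Attempt("bob", frozenset({"Staff"}), 22), False),
    (Attempt("guest", frozenset(), 10), False),
]

ORIGINAL = [AFTER_HOURS, ADMINS, STAFF]    # time rule shadows the admin rule
REORDERED = [ADMINS, AFTER_HOURS, STAFF]   # specific grant placed first

if __name__ == "__main__":
    print("original: ", unintended(ORIGINAL, EXPECT))
    print("reordered:", unintended(REORDERED, EXPECT))
```

Keeping such a matrix of intended outcomes alongside the policy list makes each new policy testable before it reaches users, which matters more as the number of policies grows.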

VPN Server Capacity

As with all servers, VPN servers can be overwhelmed with work if excessive activity is sent their way. You need a lot of VPN links for this to occur, but it can become an issue for a large organization. In your pilot, you can test how much load your users are likely to put on your available VPN servers. You can also test how much capacity your VPN servers can handle by estimating the number of concurrent users you are likely to have and the amount of data they are likely to send. You can then send a comparable amount of data through the VPN server using a small number of client computers but over your local area network (LAN) and using large volume activities, such as copying large numbers of files. By monitoring the VPN server and its responsiveness, you can determine whether your VPN servers are adequate for the role. If necessary, you can increase the size of your servers, or add more VPN servers and use Network Load Balancing Service or round-robin DNS to balance the load.