The VPN Client
A popular misconception about VPN clients is that they are workstations that connect to the corporate network over a VPN. Certainly, this is a type of VPN client, but it is not the only type of VPN client. A VPN client can be a computer or it can be a router. The type of VPN client that you should use for your network really depends on your company’s individual needs.
For example, if you happen to have a branch office that lacks direct connectivity to the corporate office, then using a router as a VPN client is probably a good option for you. By doing so, you can link the entire branch office to the corporate office through a single connection. There is no need for each PC to establish a connection individually.
On the other hand, if you have a few employees who travel frequently and need to access the corporate network while on the go, you would probably benefit from setting the employees’ laptops up as VPN clients.
Technically, any operating system can act as a VPN client as long as it supports the PPTP, L2TP, or IPSec protocol. In Microsoft circles, this means that you could use Windows NT 4.0, 9X, ME, 2000, and XP. Although all of these operating systems will technically work as clients, I recommend sticking with Windows 2000 or Windows XP because of their ability to support L2TP and IPSec.
The VPN Server
The VPN Server acts as a connection point for the VPN client. Technically, you could use Windows NT Server 4.0, Windows 2000 Server, or Windows Server 2003 as a VPN Server. In the interest of security though, I will assume, for the purposes of this article, that you are using Windows Server 2003.
One of the biggest misconceptions about VPN servers seems to be that they can do the job all by themselves. I’ve lost count of the number of times that I have had friends tell me that they were going to invest in a VPN server, without realizing that the VPN Server is only one of the necessary components.
The VPN Server itself is fairly simple. It is nothing more than a hardened Windows 2003 Server running the Routing and Remote Access Services (RRAS). Once an inbound VPN connection has been authenticated, the VPN server simply acts as a router that provides the VPN client with access to the private network.
One of the additional requirements for a VPN Server is that you have a RADIUS server in place. In case you are not familiar with it, RADIUS is an acronym standing for Remote Authentication Dial In User Service. RADIUS is the mechanism that Internet service providers typically use to authenticate subscribers when they attempt to establish Internet connectivity.
The reason why you need a RADIUS server is because you need some mechanism for authenticating clients who are coming into your network through the VPN connection. Your domain controllers aren’t really up to the task, and even if they were, it’s a bad idea to expose a domain controller to the outside world.
So the question now is where do you get a RADIUS server? Well, Microsoft has their own version of RADIUS called Internet Authentication Service or IAS. The IAS service is included with Windows Server 2003. That’s the good news. The bad news is that it really isn’t practical (for security reasons) to run IAS on the same box as RRAS (the VPN Server component). Even if it were practical, I am honestly not even sure if it would be possible outside of a virtual server configuration.
The other component required by your VPN is a good firewall. Yes, your VPN server accepts connections from the outside world, but that doesn’t mean that the outside world needs to have full access to your VPN server. You must use a firewall to block any unused ports.
The basic requirement for establishing VPN connectivity is that the VPN server’s IP address must be accessible over the Internet and that VPN traffic must be able to pass through your firewall to reach the VPN server. There is however one more optional component that you can use to make your VPN server a lot more secure.
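The article says VPN traffic must pass through the firewall while every unused port stays blocked, but does not list what that traffic is. The following added example (not from the article) models that default-deny allow-list as a small Python packet filter. It assumes a plain stateless filter in front of the VPN server and uses the standard port and protocol assignments: PPTP needs TCP 1723 plus GRE (IP protocol 47), and L2TP/IPSec needs UDP 500 (IKE), UDP 4500 (NAT traversal) and ESP (IP protocol 50); GRE and ESP are IP protocols, not ports, which is the detail most often missed.

```python
# IP protocol numbers. GRE and ESP are protocols, not ports: a firewall that
# only opens TCP 1723 or UDP 500 leaves the tunnel itself blocked.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

# Inbound traffic toward the VPN server that each tunnelling protocol needs.
# (Assumption: stateless packet filter; UDP 4500 covers clients behind NAT.)
REQUIRED = {
    "pptp": {(TCP, 1723), (GRE, None)},               # control channel + GRE tunnel
    "l2tp": {(UDP, 500), (UDP, 4500), (ESP, None)},   # IKE, NAT-T, ESP tunnel
}


def build_allowlist(tunnel_protocols):
    """Permit only what the chosen tunnelling protocol(s) need; default deny."""
    allowed = set()
    for name in tunnel_protocols:
        allowed |= REQUIRED[name]
    return allowed


def is_allowed(allowed, proto, dst_port=None):
    """Decide one inbound packet to the VPN server. Ports apply to TCP/UDP only."""
    key = (proto, dst_port if proto in (TCP, UDP) else None)
    return key in allowed


def missing_rules(allowed, tunnel_protocols):
    """List rules a partially configured firewall lacks, e.g. UDP 500 without ESP.
    Such a gap lets the handshake start but the tunnel never carries data."""
    needed = build_allowlist(tunnel_protocols)
    return sorted(needed - allowed, key=lambda r: (r[0], r[1] or 0))


if __name__ == "__main__":
    # Constructed scenario: L2TP/IPSec only, as the article recommends.
    allow = build_allowlist(["l2tp"])
    print(is_allowed(allow, UDP, 500))    # IKE negotiation -> True
    print(is_allowed(allow, ESP))         # encrypted tunnel traffic -> True
    print(is_allowed(allow, TCP, 1723))   # PPTP control channel, unused -> False
    print(is_allowed(allow, TCP, 3389))   # remote desktop to the server -> False
    # Common misconfiguration: admin opened UDP 500 but forgot ESP and 4500.
    print(missing_rules({(UDP, 500)}, ["l2tp"]))
```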
If you are serious about security (and you have the budget), you can place an ISA Server between your perimeter firewall and the VPN server. The idea is that you can configure the firewall to direct all VPN related traffic to the ISA Server rather than to the VPN server. The ISA Server then acts as a VPN proxy. Both the VPN client and the VPN Server only communicate with the ISA Server. They never communicate directly with each other. This means that the ISA Server is shielding the VPN server from direct client access, thus giving your VPN server an added layer of protection.
Choosing a Tunneling Protocol
When VPN clients access a VPN Server, they do so over a virtual tunnel. A tunnel is nothing more than a secure passage through an insecure medium (usually the Internet). However, tunneling doesn’t happen by magic. It requires the use of a tunneling protocol. Earlier I mentioned that older Windows clients could connect to a VPN via PPTP (Point to Point Tunneling Protocol), but that I recommended using newer clients such as Windows 2000 and Windows XP because they supported L2TP (Layer 2 Tunneling Protocol). The fact is that either one of these protocols will work, assuming that the clients support them. However, there are distinct advantages and disadvantages to each protocol. Choosing the tunneling protocol that’s right for your organization is one of the most important decisions that you will make when planning your VPN.
The biggest advantage that L2TP has over PPTP is that it relies on IPSec. IPSec encrypts the data, but also provides data authentication. This means that IPSec proves that the data was sent by the person that it claims to be from and that it was not modified in transit. Furthermore, IPSec is designed to prevent replay attacks. Replay attacks refer to a hacker capturing authentication packets and retransmitting them later in an effort to gain access to the system.
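To make the replay-protection claim concrete, here is an added example (not from the article) of the sliding-window check that IPSec's ESP applies to its per-packet sequence numbers: a packet is accepted only if its sequence number is newer than anything seen, or falls inside the window and has not been seen before. The class name, the 64-entry window and the sample sequence are assumptions for illustration, not a description of the Windows implementation.

```python
class AntiReplayWindow:
    """Sliding-window replay check over ESP sequence numbers (assumed name).

    `last` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (last - i) has already been accepted.
    """

    def __init__(self, size=64):       # window size is an assumption
        self.size = size
        self.last = 0                  # ESP sequence numbers start at 1
        self.bitmap = 0

    def accept(self, seq):
        """Return True if `seq` is fresh (and record it), False if it is a replay
        or too old to be judged."""
        if seq <= 0:
            return False
        if seq > self.last:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1        # everything previously seen falls out
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False               # older than the window: reject
        if (self.bitmap >> diff) & 1:
            return False               # already accepted once: replay
        self.bitmap |= 1 << diff       # late but fresh (reordered) packet
        return True


def filter_sequence(seqs, size=64):
    """Run a constructed stream of received sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed capture: normal traffic, one reordered packet, then a replay
    # of packets 2 and 100 injected by an eavesdropper.
    for seq, ok in filter_sequence([1, 2, 3, 100, 99, 2, 100, 37, 36]):
        print(seq, "accepted" if ok else "rejected")
```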
L2TP also provides much stronger authentication than PPTP. Both the user and the computer are authenticated, and the PPP packets that are exchanged during the user level authentication are always encrypted.
Although it may seem that L2TP is the tunneling protocol of choice, there are a couple of advantages that PPTP has over it. I have already talked about one of these advantages: compatibility. PPTP works with way more Windows operating systems than L2TP does. If you have a lot of potential VPN clients that are running older versions of Windows, then you may not have a choice but to use PPTP.
The other advantage that PPTP has over L2TP stems from the fact that L2TP is based on IPSec. In the section on the benefits of L2TP, I talked about IPSec like it was a good thing, and it is. However, there is one major drawback to using IPSec. IPSec requires your network to have a certificate authority.
The good news is that Windows Server 2003 comes with its own certificate authority. The certificate authority is even relatively easy to configure. The bad news is that from a security standpoint a certificate authority is not something that you want to play around with. The only way to preserve the integrity of a certificate authority is to run it on a dedicated server that has been hardened to the max. This means that you will have to shell out the cash for an extra server box, an extra Windows Server license, and you will have the extra administrative burden associated with having another server on your network. In my opinion though, the extra cost and administrative burden is definitely worth it. L2TP gives you much better security than PPTP does. Besides you can use your certificate authority for other things too, such as encrypting local traffic through IPSec.
While I’m on the subject of protocols, I want to take a moment and talk about authentication protocols. During the course of setting up a VPN, you will be asked to select an authentication protocol. Most people select the MS-CHAP v2 option. MS-CHAP is relatively secure, and it works with VPN clients running virtually any Windows operating system that was made in the last ten years. Best of all, MS-CHAP is easy to set up.
If you are planning on using L2TP and you want better security though, you should use EAP-TLS as your authentication protocol. EAP-TLS is supported only when the VPN clients are running Windows 2003 or Windows XP. Furthermore, the VPN Server must be set up so that a certificate authority issues user certificates. EAP-TLS can be a little tricky to set up, and it works best if the end users have been issued smart cards, but it does give you the best security. To put it simply, MS-CHAP is password based, EAP-TLS is certificate based.
Before you can create a VPN, there is a lot of planning that needs to be done. In this article, I have talked about some of the planning that must go into designing a VPN and about some of the decisions that you will have to make.