The emergence of the Internet has changed the way corporations do business today. Successful business these days advertise, communicate, and
Virtual private networking also allows you to take advantage of the vast array of computing client platforms, such as laptops, Pocket PCs, smartphones, Tablet PCs, and other devices. The list is limitless. Using VPN, you can use the Internet to communicate to any and every type of client, which opens up possibilities for your users to work where they want to and optimizes their performance and the performance of your business.
Now that we have established the business case for virtual private networks (VPNs) in the company’s communications solutions, it’s time to get into the nuts and bolts of how VPNs work and the various communications solutions VPNs can provide. This chapter will cover the following topics:
An overview of virtual private networking and the VPN technologies supported by Microsoft Windows Server 2003 and Microsoft Windows XP Professional
Basic definitions for VPN technology
A high level overview of tunneling and VPN administration
An overview of Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec), which are the two
When Microsoft Windows XP is mentioned in this book, we are referring to Windows XP Professional Edition. Windows XP Home Edition does not have the Active Directory directory service and domain authentication features to support VPN.
Likewise, all references to Microsoft Windows NT 4.0 assume the Routing And Remote Access Service (RRAS) feature has been added. This feature was a part of the separately available Networking Add-on Pack.
A VPN is the extension of a private network that encompasses links across shared or public networks such as the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link. In essence, it makes the remote computer virtually part of the private network by making an encrypted tunnel through the public Internet. The act of configuring and creating a VPN is known as virtual private networking.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, allowing the data to traverse the shared or public transit internetwork to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The portion of the connection in which the private data is encapsulated is known as the tunnel. The portion of the connection in which the private data is encrypted is known as the VPN connection. Figure 2-1 shows the VPN connection.
Figure 2-1: The VPN connection.
VPN connections allow users working at home or on the road to connect in a secure fashion to an organization’s remote server by using the routing infrastructure provided by a public internetwork (such as the Internet). From the user’s perspective, the VPN connection is a point-to-point connection between the user’s computer and an organization’s server. The nature of the intermediate internetwork is irrelevant to the
VPN technology also allows a corporation to connect to branch offices or to other companies over a public internetwork (such as the Internet) while maintaining secure communications. The VPN connection across the Internet logically operates as a wide area network (WAN) link between the sites.
In both of these cases, the secure connection across the internetwork appears to the user as a private network communication—despite the fact that this communication occurs over a public internetwork—hence the
Neither of these solutions provides the necessary scalability, in terms of cost, flexible administration, and demand for connections. Therefore, it makes sense to replace the modem pools and private network infrastructure with a less expensive solution based on Internet technology so that the business can focus on its
VPNs provide remote access to an organization’s resources over the public Internet, while maintaining privacy of information. Figure 2-2 shows a VPN connection used to connect a remote access client to an organization’s intranet. This is known as a remote access VPN connection.
Figure 2-2: Using a VPN connection to connect a remote access client to an organization’s intranet.
Rather than making a long distance (or 1-800) call to an organization’s server or outsourced network access server (NAS), the user dials a local ISP. Using the connection to the local ISP, the VPN client creates a VPN connection between the remote access computer and the organization’s VPN server across the Internet.
The two traditional methods of connecting remote offices to the home corporate network were to have dial-up connections that worked over the public switched telephone network (PSTN) or to use dedicated leased WAN link using frame relay or Point-to-Point Protocol (PPP) synchronous circuits. These
Using site-to-site VPN technology allows a company to remove the recurring monthly costs of high-speed circuits. Using local ISP connectivity on the remote office sites and a single high-speed circuit at the corporate office allows a company to eliminate multiple high-speed connections, frame relay overlay management, the maintenance of a WAN routing architecture, and the significant financial and administrative recurring costs associated with these items.
There are two methods (
Always-On VPN Networking. Using dedicated lines to connect a branch office to an organization’s local area network (LAN). Rather than using an expensive long-distance dedicated circuit between a branch office and a corporate hub, both the branch office and the corporate hub routers can use a local dedicated circuit and local ISP to connect to the Internet. The VPN software uses the local ISP connections and the Internet to create a VPN between the branch office router and corporate hub router.
Figure 2-3: Using a VPN connection to connect two remote sites.
In both cases, the facilities that connect the branch office and corporate office to the Internet are local. Either of these approaches allows the corporation to avoid heavy long-distance charges associated with using the PSTN or long-haul leased line costs because both sides are making local phone calls or short-hop leased line connections to their ISP. The ISP then deals with the intermediate network communications issues, Internet routing issues, and site-name resolution—all the complexity is taken out of wide area networking by using site-to-site VPN connections.
When using site-to-site VPN configurations, the corporate hub router that acts as a VPN server must be connected to a local ISP with a dedicated line that is always on-line and listening for incoming connection
In some organizations’ internetworks, some departmental data is so sensitive that the department’s LAN is physically disconnected from the rest of the organization’s internetwork. Examples of this would be company Human Resources records being sealed off from general access or Microsoft’s policy of
Figure 2-4: Using a VPN connection to connect to a secured or hidden network.
VPNs provide a solution that allows a department’s LAN to be physically connected to the organization’s internetwork but technically shielded and protected by a VPN server. In this configuration, the network physically connects the shielded department network to the rest of the corporation, but by using a VPN server as a gateway to the
When deploying a remote networking solution, some basic features need to be addressed to provide privacy, data integrity, and connection management for facilitating controlled access to the organization’s resources and information. Providing all these features is a complex process and requires the cooperative effort of several technologies. The solution must allow roaming or remote clients to connect to LAN resources, and it must allow remote offices to connect to each other to share resources and information (site-to-site connections). To ensure the privacy and integrity of data as it traverses the Internet, encryption, authentication, and authorization technologies are required as well. The same requirements apply in the case of sensitive data traversing an organization’s internetwork.
To support all these requirements, a VPN solution should provide all of the following:
User Authentication. The solution must verify the VPN client’s identity and grant VPN access to authorized users only. It must also provide audit and accounting records to show who connected and for how long.
Address Management. The solution must assign a VPN client an address on the intranet and ensure that addresses used on the intranet are kept private. Also, certain information to allow the client to access resources on the protected network needs to be provided. For example, routing information, resource name resolution, and quarantine security can be provided as well as security filters to ensure the protection of internal data from unauthorized use.
Data carried on the public network must be rendered unreadable to
To use encryption, the VPN solution needs to provide some
An Internet VPN solution based on PPTP or L2TP/IPSec meets all these basic requirements and takes advantage of the broad availability of the Internet. Other solutions, including IPSec tunnel mode (IPSec TM), meet only some of these requirements, but they
The remainder of this chapter discusses VPN concepts, protocols, and components in greater detail.