Implementing, Managing and Troubleshooting Network Access


The authentication protocols used in conjunction with Windows Server 2003 RRAS include the following:

  • PAP: PAP sends the user name and password across the PPP link as plaintext. Anyone who can capture the link traffic can read the credentials, so PAP should be enabled only for peers that support nothing else.

  • SPAP: The Shiva Password Authentication Protocol is a reversible-encryption scheme used to allow Shiva client computers to connect to a Windows Server 2003 server and to allow Windows 2000 client computers to connect to Shiva servers. It is better than plaintext, but because the encryption is reversible it is weaker than CHAP.

  • CHAP: CHAP replaces the transmitted password with a challenge/response (RFC 1994). The server sends a random challenge; the client returns the MD5 hash of the session identifier, the password and the challenge; the server recomputes the hash from its copy of the password and compares. The password never crosses the link, but because the server must recompute the hash it has to store the password reversibly encrypted (the "Store password using reversible encryption" account option), and a captured challenge/response pair can still be attacked offline by guessing passwords.

  • MS-CHAP: MS-CHAP (version 1) is Microsoft's extension of CHAP. It keeps the challenge/response design but computes the response with DES from the LAN Manager and Windows NT password hashes that Windows domains already store, so reversibly encrypted passwords are not needed, and it derives keying material for MPPE link encryption.

  • MS-CHAPv2: MS-CHAPv2 corrects several problems with the original MS-CHAP: it drops the notoriously weak LAN Manager response, adds mutual authentication (the client verifies the PPP host it is connecting to), and derives stronger, separate send and receive MPPE keys from the exchange. It is still a password-based method, and a captured exchange can be attacked offline, so on untrusted networks run it inside a TLS-protected EAP method (PEAP) or prefer certificate-based authentication.

  • EAP: EAP was developed in response to the need for stronger authentication for remote access servers and VPNs. As the number of mobile users and the sophistication of attackers have grown, user ID/password authentication is no longer adequate for many organizations. EAP is not itself an authentication method; it is a framework negotiated within PPP that carries additional methods such as token cards, one-time passwords, and public key authentication with smart cards or certificates (EAP-TLS). With an external authenticator such as a smart card or token card there is no reusable password for an attacker to brute-force or guess from a captured exchange.

  • RADIUS: RADIUS is not a PPP authentication method but an authentication, authorization and accounting protocol. The RRAS server acts as the RADIUS client and forwards each user's PAP, CHAP, MS-CHAP or EAP exchange over UDP to a RADIUS server, which returns an accept or reject; a shared secret between the two hides the password attribute and authenticates the server's reply. RADIUS is used by many Internet service providers, and a RADIUS server (IAS) is included with Windows Server 2003.
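The difference between PAP and CHAP above, and the caveat that a CHAP exchange is still guessable offline, in working code. This is an added example, not code from the book or from Windows; it implements the PAP Authenticate-Request of RFC 1334 and the MD5 challenge/response of RFC 1994 directly, and the user name, password and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- PAP (RFC 1334): the password crosses the PPP link in the clear ---------

def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Encode a PAP Authenticate-Request (Code 1). Nothing in it is hashed or encrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body

def pap_credentials_from_capture(frame: bytes):
    """What anyone sniffing the link recovers from that frame: user ID and password."""
    code, _identifier, length = struct.unpack("!BBH", frame[:4])
    if code != 1 or length != len(frame):
        raise ValueError("not a PAP Authenticate-Request")
    id_len = frame[4]
    peer_id = frame[5:5 + id_len]
    pw_len = frame[5 + id_len]
    password = frame[6 + id_len:6 + id_len + pw_len]
    return peer_id.decode(), password.decode()

# --- CHAP with MD5 (RFC 1994): only a hash of the secret crosses the link ---

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored (reversibly encrypted) secret and compare."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def chap_exchange(secret: bytes, identifier: int = 1, challenge: Optional[bytes] = None):
    """One Challenge/Response/Success round. Returns (challenge, response, accepted)."""
    if challenge is None:
        challenge = os.urandom(16)  # fresh per exchange; a reused challenge allows replay
    response = chap_response(identifier, secret, challenge)  # computed by the peer
    return challenge, response, chap_verify(identifier, secret, challenge, response)

# --- The caveat: a captured exchange is an offline-guessable hash -----------

def chap_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Given one sniffed Identifier/Challenge/Response triple, test candidate passwords
    offline at MD5 speed; no further traffic to the server is needed."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None

if __name__ == "__main__":
    # constructed credentials and wordlist
    frame = pap_authenticate_request(3, b"alice", b"Passw0rd")
    print("PAP on the wire:", pap_credentials_from_capture(frame))
    ch, resp, ok = chap_exchange(b"Passw0rd", identifier=7)
    print("CHAP accepted:", ok, "response:", resp.hex())
    print("Recovered from capture:",
          chap_dictionary_attack(7, ch, resp, ["password", "letmein", "Passw0rd"]))
```

The same offline attack applies in principle to MS-CHAP and MS-CHAPv2, whose responses are DES computations over the NT hash rather than an MD5 hash; only EAP methods built on a certificate or token remove the guessable secret from the exchange.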

IAS is included with Windows Server 2003 Standard Edition, Enterprise Edition, and Datacenter Edition; it is not included with Web Edition. IAS is the Microsoft implementation of a RADIUS server and RADIUS proxy. Acting as a RADIUS server, IAS provides centralized authentication, authorization, and accounting for dial-up and VPN connections, so remote access policies are evaluated in one place for any number of RRAS servers. Acting as a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers, such as a central RADIUS server for another domain or organization.
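The RRAS-to-IAS exchange described above, as an added example that is not part of the book or of Windows: a RADIUS Access-Request carrying a User-Password attribute hidden with the shared secret (RFC 2865 section 5.2), the server's decision, and the Response Authenticator that lets the RRAS server reject a reply that was not produced with the same secret. User name, password, shared secret and request authenticator are constructed; a real implementation would send these packets over UDP port 1812 and carry more attributes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return bytes([attr_type, 2 + len(value)]) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with MD5(secret || previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    padded = password.ljust(max(16, ((len(password) + 15) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """What the RRAS server (RADIUS client) sends to IAS."""
    authenticator = authenticator or os.urandom(16)  # random per request
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    authenticator, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs

def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def ias_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply with the shared secret."""
    code, identifier, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME], b""), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # an Accept would normally carry Framed-IP-Address etc.
    return struct.pack("!BBH", reply_code, identifier, 20) + \
        response_authenticator(reply_code, identifier, req_auth, reply_attrs, secret) + reply_attrs

def nas_check_reply(reply: bytes, request: bytes, secret: bytes):
    """Client side: accept the reply only if its authenticator proves knowledge of the secret
    and it answers our outstanding request. Returns the code, or None if forged/mismatched."""
    code, identifier, reply_auth, _ = parse_packet(reply)
    _, req_id, req_auth, _ = parse_packet(request)
    expected = response_authenticator(code, identifier, req_auth, reply[20:], secret)
    if identifier != req_id or not hmac.compare_digest(expected, reply_auth):
        return None
    return code

if __name__ == "__main__":
    secret = b"sharedsecret"                       # constructed
    req = build_access_request(5, b"alice", b"Passw0rd", secret)
    reply = ias_handle(req, secret, {b"alice": b"Passw0rd"})
    print("reply code:", nas_check_reply(reply, req, secret))
```

The password hiding is MD5-based obfuscation keyed by the shared secret, not encryption in any modern sense; it is why RADIUS traffic between RRAS and IAS should stay on a trusted segment or inside IPSec, and why the shared secret must be long and random.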

Windows Server 2003 uses three types of remote access policies to control access:

  • Group policies

  • Local IAS policies

  • Central IAS policies

In conjunction with the remote access policy, there is also a component known as the remote access profile. This profile contains several variables that allow you to further refine the parameters of the remote access policy.

One of the more useful features of Windows Server 2003 RRAS is its packet filters. A packet is the unit into which a message is divided for transfer across a network: when you download Windows Server 2003 SP1, for example, the file is broken into many packets that are transmitted separately and reassembled once they have all arrived. A packet filter acts as a simple, stateless firewall, permitting or dropping each packet on the basis of its header fields (source and destination address, IP protocol, and source and destination port) compared against a list of filter entries. RRAS applies a separate inbound and outbound filter list to each interface, and each list works in one of two modes: drop all packets except those that match an entry (an allow list), or receive all packets except those that match (a block list). Because the filters keep no connection state, the return traffic of a permitted outbound connection must itself be permitted by an explicit inbound entry.
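The two filter modes and the header-field matching described above, as an added example; this is illustration code, not the RRAS implementation or the book's. The VPN-server allow list it builds (PPTP control on TCP 1723 plus GRE, and IKE on UDP 500, ESP, and NAT-T on UDP 4500 for L2TP/IPSec) is an assumed rule set chosen for the demonstration, and the addresses are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPPROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter examines; the payload is irrelevant."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class FilterEntry:
    """One filter line. None means 'any', as a blank field does in the RRAS dialog."""
    src: Optional[str] = None      # CIDR, e.g. "203.0.113.0/24", or a single address
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True

class InterfaceFilter:
    """One direction (inbound or outbound) of an interface's filter list.
    mode="drop_all_except": only matching packets pass (allow list).
    mode="receive_all_except": matching packets are dropped (block list)."""
    def __init__(self, entries: List[FilterEntry], mode: str = "drop_all_except"):
        if mode not in ("drop_all_except", "receive_all_except"):
            raise ValueError(mode)
        self.entries, self.mode = list(entries), mode

    def decide(self, p: Packet) -> str:
        matched = any(e.matches(p) for e in self.entries)  # no state, no ordering
        if self.mode == "drop_all_except":
            return "permit" if matched else "drop"
        return "drop" if matched else "permit"

def vpn_server_inbound_filter(server_ip: str) -> InterfaceFilter:
    """Assumed allow list for the Internet-facing interface of a VPN server.
    Plain UDP 1701 is deliberately absent: L2TP must arrive inside ESP."""
    return InterfaceFilter([
        FilterEntry(dst=server_ip, proto=IPPROTO["tcp"], dport=1723),   # PPTP control
        FilterEntry(dst=server_ip, proto=IPPROTO["gre"]),               # PPTP data
        FilterEntry(dst=server_ip, proto=IPPROTO["udp"], dport=500),    # IKE
        FilterEntry(dst=server_ip, proto=IPPROTO["esp"]),               # IPSec ESP
        FilterEntry(dst=server_ip, proto=IPPROTO["udp"], dport=4500),   # IPSec NAT-T
    ])

if __name__ == "__main__":
    f = vpn_server_inbound_filter("198.51.100.10")  # constructed address
    for pkt in (Packet("203.0.113.5", "198.51.100.10", IPPROTO["tcp"], 40000, 1723),
                Packet("203.0.113.5", "198.51.100.10", IPPROTO["gre"]),
                Packet("203.0.113.5", "198.51.100.10", IPPROTO["udp"], 1701, 1701),
                Packet("203.0.113.5", "198.51.100.10", IPPROTO["tcp"], 40001, 445)):
        print(pkt.proto, pkt.dport, "->", f.decide(pkt))
```

A block list in "receive all except" mode is built the same way with mode="receive_all_except"; it is the weaker posture for an Internet-facing interface because anything you forgot to list is permitted.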

Windows Server 2003 supports three types of routing interfaces:

  • LAN interfaces

  • Demand-dial interfaces

  • IP-in-IP tunnel interfaces

You typically see demand-dial routing used in two instances: for redundant network links and for small office connections.

The Windows Server 2003 demand-dial router supports several types of connections, including the following:

  • Modem or ISDN connection: The configured phone number is dialed.

  • VPN connection: The configured host name or IP address is used to establish a PPTP or L2TP/IPSec connection across an existing IP network.

  • Direct serial or direct parallel port connection: A direct cable connection is made between the calling router and the answering router over the serial port or parallel port. (This is almost never used outside a lab/test environment.)

There are two common types of VPNs that you will encounter: remote access VPNs, in which individual clients connect to a VPN server, and site-to-site VPNs, in which two routers (demand-dial interfaces) connect whole networks. Windows Server 2003 supports two VPN protocols for both, PPTP and L2TP/IPSec:

  • PPTP encrypts the PPP payload with Microsoft's MPPE (RC4 with 40-bit or 128-bit keys derived from the MS-CHAP or MS-CHAPv2 exchange) and carries the encrypted PPP frame inside GRE (IP protocol 47); the PPP frame's own payload can be an IP datagram, an IPX datagram, or a NetBEUI frame. A separate control connection runs on TCP port 1723, so both GRE and TCP 1723 must be permitted through any packet filter or firewall in front of the server. Because Microsoft helped develop PPTP, it has been bundled with all current versions of Microsoft's operating systems. Early analyses found weaknesses in the original MS-CHAP and MPPE implementations, and some security experts felt PPTP was not secure enough for Internet-based VPNs. The revised implementation in Windows Server 2003 (MS-CHAPv2 with 128-bit MPPE) addresses those specific findings, but a PPTP tunnel is still only as strong as the MS-CHAPv2 exchange and the user's password, so L2TP/IPSec remains the stronger choice.

  • L2TP combines the best features of PPTP and Cisco's Layer 2 Forwarding (L2F) protocol, an early competitor to PPTP. Like PPTP, L2TP extends PPP so that PPP frames can be tunneled through an IP network, but it defines its own tunneling protocol, based on L2F, carried over UDP port 1701. L2TP support first appeared in a Microsoft server product with Windows 2000 Server and continues in Windows Server 2003; before Windows 2000, PPTP was the only VPN protocol in the Windows family. L2TP itself provides no encryption. Windows uses IPSec Encapsulating Security Payload (ESP) to encrypt and authenticate the L2TP traffic, which is why the combination is known as L2TP/IPSec; the IPSec security association is negotiated with IKE (UDP port 500) using computer certificates or a preshared key. Using IPSec as the encryption layer also allows L2TP/IPSec to offload encryption to third-party hardware on the VPN server.
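The PPTP data encapsulation just described, as an added example rather than code from the book or from Windows: the enhanced GRE header of RFC 2637 (version 1, protocol type 0x880B, a Key field holding payload length and call ID, and optional sequence and acknowledgement numbers) wrapped around a PPP frame. The call ID and the PPP frame are constructed; the code encapsulates and decapsulates so you can see exactly which fields a filter or sniffer has to work with, since everything after this header is the MPPE-encrypted payload.

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP carried in enhanced GRE (RFC 2637)
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080   # Key present, Sequence present, Ack present
VERSION_MASK, VERSION_ENHANCED = 0x0007, 1

def pptp_gre_encapsulate(call_id: int, ppp_frame: bytes, seq: int = None, ack: int = None) -> bytes:
    """Build one PPTP data packet (the IP header, protocol 47, is added by the stack)."""
    flags = FLAG_K | VERSION_ENHANCED           # Key is always present for PPTP
    if seq is not None:
        flags |= FLAG_S                          # data packets carry a sequence number
    if ack is not None:
        flags |= FLAG_A                          # piggybacked acknowledgement
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame

def pptp_gre_decapsulate(pkt: bytes):
    """Parse a PPTP data packet; returns (call_id, seq, ack, ppp_frame).
    Rejects anything that is not enhanced GRE carrying PPP."""
    flags, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or flags & VERSION_MASK != VERSION_ENHANCED or not flags & FLAG_K:
        raise ValueError("not a PPTP data packet")
    pos, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq = struct.unpack("!I", pkt[pos:pos + 4])[0]
        pos += 4
    if flags & FLAG_A:
        ack = struct.unpack("!I", pkt[pos:pos + 4])[0]
        pos += 4
    payload = pkt[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return call_id, seq, ack, payload

if __name__ == "__main__":
    # constructed PPP frame: address/control 0xff 0x03, protocol 0x0021 (IP), then a stub payload
    ppp = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"
    pkt = pptp_gre_encapsulate(0x1234, ppp, seq=7, ack=6)
    print(pkt.hex())
    print(pptp_gre_decapsulate(pkt))
```

Note that nothing in this header is authenticated or encrypted; the call ID and sequence numbers are visible to anyone on the path, and only the PPP payload is protected by MPPE.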




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied
