Best Practices for Securing L2TP


It is important to note that L2TP is, in and of itself, a tunneling protocol; by itself it offers no data encryption. L2TP is traditionally used with IPSec, which adds encryption and integrity protection to the tunnel. L2TP also offers a feature that was unavailable with PPTP: the ability to place the VPN server behind a Network Address Translation device (PPTP's GRE tunnel carries no port numbers for a NAT to map). This is to say that the L2TP VPN device does not require a routable IP address to be usable from the Internet. It merely requires that the appropriate UDP ports be forwarded through the firewall and that the necessary IP protocols be passed to the L2TP server; where the client or server sits behind a NAT, both ends must also support IPSec NAT traversal, discussed later under "L2TP Client Requirements." These ports and protocols, configured in the Advanced TCP/IP Settings for the system network adapter shown in Figure 18.1, are:

Figure 18.1. Port filtering for L2TP.

graphics/18fig01.gif

  • UDP port 500. This allows IKE (Internet Key Exchange) traffic, which negotiates the IPSec security associations, to reach the L2TP server.

  • UDP port 1701. This is the L2TP control and data traffic itself, not IPSec; once the security association is up it travels inside ESP.

  • IP Protocol ID of 50. This allows IPSec ESP (Encapsulating Security Payload) traffic, which carries the encrypted L2TP tunnel, to reach the L2TP server.

  • IP Protocol ID of 51. This allows IPSec AH (Authentication Header) traffic to reach the L2TP server.

These are destination ports on inbound packets; the client's source port is ephemeral and must not be used as the filter criterion. If clients behind a NAT will connect, UDP port 4500 (IPSec NAT-T) must be allowed as well.

To secure the L2TP server itself, it is useful to treat the VPN server like a firewall: all nonessential services should be disabled, including the POSIX and OS/2 subsystems. File permissions should be audited to ensure that no user has access to files beyond what the VPN role requires. The High Security Workstation template (hisecws.inf), applied through the Security Configuration and Analysis tool, is a good starting point.

To ensure that traffic passes through the VPN device, it should be configured with at least two network cards addressed on different networks: one connects to the production network and the other normally connects to the DMZ network. This enables you to configure the two interfaces differently. TCP/IP filtering should be enabled on the DMZ interface of the L2TP device so that only the required ports and protocols are accepted by the server, which greatly reduces the attack surface. Because this server is a gateway into the network, it should be treated as such and locked down as far as possible.
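As an added illustration (not code from the book or from Windows), the following Python model applies the allow list above to constructed inbound packets on the DMZ-facing interface. It parses the IPv4 header and transport ports from raw bytes and keeps only ESP, AH and UDP to the IKE, L2TP and NAT-T destination ports; UDP 4500 is an addition to the page's list for NAT-T clients. The server and client addresses are documentation addresses chosen for the example, and the last sample shows why filtering on the source port, as the original wording suggested, would be wrong.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51

# Inbound allow list for the Internet-facing interface of an L2TP/IPSec server.
# UDP 4500 (IPSec NAT-T) is an addition to the page's list; it is only needed
# when clients behind a NAT must connect.
ALLOWED_PROTOCOLS = {IPPROTO_ESP, IPPROTO_AH}
ALLOWED_UDP_DST_PORTS = {500, 1701, 4500}


@dataclass
class Packet:
    protocol: int
    src: str
    dst: str
    src_port: Optional[int] = None   # only meaningful for TCP/UDP
    dst_port: Optional[int] = None


def parse_ipv4(raw: bytes) -> Packet:
    """Parse an IPv4 header and, for TCP/UDP, the transport-layer ports."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    protocol = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    pkt = Packet(protocol, src, dst)
    if protocol in (IPPROTO_TCP, IPPROTO_UDP):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt


def allowed_inbound(pkt: Packet) -> bool:
    """Filter decision for a packet arriving on the external interface.

    The match is on the *destination* port: the server listens on 500/1701/4500,
    while the client's source port is ephemeral and must not be relied on."""
    if pkt.protocol in ALLOWED_PROTOCOLS:
        return True
    return pkt.protocol == IPPROTO_UDP and pkt.dst_port in ALLOWED_UDP_DST_PORTS


def _addr(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def build_ipv4(protocol: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no options; checksum left zero) for test packets."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, protocol, 0, _addr(src), _addr(dst))
    return header + payload


def udp(src_port: int, dst_port: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


SERVER = "198.51.100.5"   # constructed address of the L2TP server's DMZ interface
# Constructed sample traffic hitting the DMZ-facing interface.
SAMPLES = [
    ("IKE negotiation",          build_ipv4(IPPROTO_UDP, "203.0.113.10", SERVER, udp(51234, 500))),
    ("ESP-protected L2TP",       build_ipv4(IPPROTO_ESP, "203.0.113.10", SERVER, b"\x00" * 16)),
    ("NAT-T (ESP in UDP 4500)",  build_ipv4(IPPROTO_UDP, "203.0.113.10", SERVER, udp(51234, 4500))),
    ("RDP probe",                build_ipv4(IPPROTO_TCP, "203.0.113.77", SERVER, struct.pack("!HH", 40000, 3389))),
    ("DNS with source port 500", build_ipv4(IPPROTO_UDP, "203.0.113.77", SERVER, udp(500, 53))),
]


def filter_decisions(samples=SAMPLES) -> List[bool]:
    return [allowed_inbound(parse_ipv4(raw)) for _, raw in samples]


if __name__ == "__main__":
    for (label, _), ok in zip(SAMPLES, filter_decisions()):
        print(f"{'ALLOW' if ok else 'DROP ':5} {label}")
```

The RDP probe is dropped because nothing but the IPSec and L2TP ports is listening from the DMZ side, and the DNS packet is dropped even though its source port is 500: a rule keyed on the source port would have let it through.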

Using L2TP in Parallel with a Firewall

It is a fairly common practice to install a VPN device in parallel with the firewall. This is to say that both the firewall and the VPN device have an interface connected directly to the Internet. Remote VPN users connect directly to the VPN device, and their traffic does not pass through the firewall at all.

This configuration requires that the VPN device itself be well hardened and secured, because it is now directly exposed and nothing sits in front of it. Careful monitoring of the device will also help to ensure that a compromise is noticed. This configuration is often used in cases where the firewall is not able to correctly pass L2TP traffic to the VPN device.

One advantage of placing the VPN in parallel with the firewall is that it offloads traffic from the firewall, resulting in a smaller load on it. Configuration of the VPN is also simpler because no firewall changes are necessary. This configuration can also reduce the number of licenses needed for the firewall, because each VPN connection does not consume an outgoing session license.

If an L2TP device is going to be run in parallel with the firewall, it is preferable for the device to be a dedicated VPN appliance with a purpose-built operating system. If the L2TP device runs a general-purpose operating system, such as Windows Server 2003 with RRAS, it is recommended you perform the following tasks:

  • Disable all nonessential services

  • Enable TCP/IP port filtering on the external facing NIC

  • Allow only UDP ports 500 and 1701 (plus 4500 if clients behind a NAT must connect)

  • Allow only IP protocols 50 (ESP) and 51 (AH)

  • Enable logging on the L2TP server

  • Require IPSec encryption

  • Do not allow unencrypted passwords (PAP)

  • Require MS-CHAP v2

  • Allow EAP methods MD5, PEAP, and smart card or other certificate (prefer PEAP or certificate-based EAP; EAP-MD5 is a one-way challenge that does not authenticate the server to the client)

Running the L2TP Device in Parallel

To run the L2TP device in parallel with the firewall, the device needs at least two Network Interface Cards. Port filtering should be placed only on the external interface; the internal interface carries the decrypted, arbitrary traffic of the VPN users and cannot be restricted to a short port list.


Using L2TP in Series with a Firewall

If the firewall supports it, there are numerous security advantages to placing the L2TP VPN device in series with (that is, behind) a firewall. The concept of layering security is a popular one, and the philosophy works well with VPNs. In addition to hardening the VPN device as described in the previous section, "Using L2TP in Parallel with a Firewall," having the firewall in series and ahead of the VPN device enables you to filter traffic at the firewall as well. In this way an attacker can reach only the ports and protocols the firewall forwards to the VPN device; reaching anything else on it would require first compromising the firewall. Anything that increases the time necessary to compromise a system increases the overall security of an environment.

Most application-layer firewalls, proxy firewalls, and port-filtering firewalls work very well with L2TP. L2TP can be passed through a firewall and can also be mapped to an internal host via Network Address Translation, which allows smaller companies with a single public IP address to publish L2TP services through the firewall to an internal VPN device. Because ESP carries no port numbers, mapping the IPSec side through a NAT relies on IPSec NAT-T (UDP 4500) being supported by both the client and the VPN device.

L2TP Client Requirements

To make an L2TP/IPSec virtual private network (VPN) connection, the client must first have an Internet connection. If a system tries to make a VPN connection before it has one, it will likely experience a noticeable delay, perhaps 60 seconds, and then receive an error message stating that there was no response or that something is wrong with the modem or other communication device.

To troubleshoot L2TP/IPSec connections, it is useful to understand how such a connection is built. When a system starts the connection, it attempts to send an initial L2TP packet requesting a connection to the server. The IPSec policy on the client matches this traffic and causes the IPSec layer to negotiate with the VPN device, using IKE, to set up an IPSec-protected session. This protected session is called a security association, or simply an SA. The IKE negotiation is where the computer certificate or pre-shared key is checked, so a certificate or key problem fails here, before the user sees any prompt. Depending on network speed and latency, the IPSec negotiation can take from a few seconds to several minutes. When an SA has been established, the L2TP session starts inside it, and the user is prompted for a username and password (the PPP authentication). After the VPN device accepts the username and password, the session setup is complete.

Some common issues with the use of L2TP/IPSec connections include:

  • An incorrect or missing certificate

  • An incorrect or missing pre-shared key

  • An incorrect or missing IPSec remote access policy

  • Insufficient dial-in rights for the user

  • Use of Network Address Translation at the client side

Many small networks use a router or firewall with NAT functionality to share a single routable address among all the computers on the network, and home networks frequently do the same. The original IPSec standards do not survive a NAT: AH's integrity check covers the IP addresses, so the NAT's address rewrite is detected as packet tampering, and ESP carries no port numbers that a NAT can use to tell one client's flow from another's. This blocks the use of L2TP/IPSec unless both the client and the VPN gateway support the IPSec NAT Traversal (NAT-T) standard, which encapsulates ESP in UDP on port 4500 so that the NAT has a port to map. NAT-T is supported by Windows Server 2003.
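The following Python model, added here as an illustration and not taken from the book or from any IPSec implementation, makes the three NAT cases concrete: an AH integrity check that covers the addresses, a port-based NAT that has nothing to key on for raw ESP, and the same ESP carried in UDP 4500 as NAT-T does. The AH ICV is simplified to an HMAC over the addresses and payload (real AH covers every immutable header field), the key, addresses and SPIs are constructed, and the NAT is a minimal NAPT rather than a real router.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
NAT_T_PORT = 4500                   # IPSec NAT-T: ESP carried inside UDP on port 4500
AH_KEY = b"constructed-demo-key"    # constructed; a real SA key is derived by IKE


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    dst: str
    src_port: Optional[int]   # None for ESP/AH: those headers carry no ports
    dst_port: Optional[int]
    payload: bytes
    icv: bytes = b""          # AH integrity check value


def ah_icv(pkt: Packet) -> bytes:
    """Simplified AH ICV: HMAC over the IP addresses and payload.
    Real AH covers every immutable IP header field plus the AH header with the
    ICV zeroed; what matters here is that the addresses are covered."""
    covered = pkt.src.encode() + pkt.dst.encode() + pkt.payload
    return hmac.new(AH_KEY, covered, hashlib.sha256).digest()[:12]   # 96-bit truncation


def ah_protect(pkt: Packet) -> Packet:
    return replace(pkt, icv=ah_icv(pkt))


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(pkt))


class PortNat:
    """A port-based NAT (NAPT): each outbound flow gets its own public source port."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table: Dict[Tuple[int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_port is None:
            return None   # ESP/AH: no port to key the mapping on, so the flow cannot be multiplexed
        key = (pkt.protocol, pkt.src, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public_ip, src_port=self.table[key])


def nat_t_encapsulate(esp: Packet) -> Packet:
    """UDP encapsulation of ESP (RFC 3948): the ESP packet follows a UDP header,
    both ports 4500. ESP's integrity check does not cover the outer IP and UDP
    headers, so the NAT is free to rewrite them."""
    assert esp.protocol == IPPROTO_ESP
    return replace(esp, protocol=IPPROTO_UDP, src_port=NAT_T_PORT, dst_port=NAT_T_PORT)


def scenario() -> Dict[str, object]:
    """Two clients behind one NAT talk to the VPN gateway; record what survives."""
    gateway = "198.51.100.5"            # constructed gateway address
    nat = PortNat("203.0.113.1")        # constructed public address of the NAT
    results: Dict[str, object] = {}

    # AH: even a NAT that only rewrites the source address breaks the ICV.
    ah = ah_protect(Packet(IPPROTO_AH, "192.168.1.10", gateway, None, None, b"L2TP data"))
    results["ah_ok_before_nat"] = ah_verify(ah)
    results["ah_ok_after_nat"] = ah_verify(replace(ah, src=nat.public_ip))

    # Raw ESP (IP protocol 50): the port NAT has nothing to map.
    esp_a = Packet(IPPROTO_ESP, "192.168.1.10", gateway, None, None, b"SPI 0x1001 ...")
    esp_b = Packet(IPPROTO_ESP, "192.168.1.11", gateway, None, None, b"SPI 0x2002 ...")
    results["raw_esp_passes_nat"] = nat.outbound(esp_a) is not None

    # NAT-T: ESP inside UDP 4500 gets a distinct public port per client.
    out_a = nat.outbound(nat_t_encapsulate(esp_a))
    out_b = nat.outbound(nat_t_encapsulate(esp_b))
    results["nat_t_public_ports"] = (out_a.src_port, out_b.src_port)
    results["nat_t_dst_port"] = out_a.dst_port
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The two port numbers the NAT hands out are what let return traffic from the gateway be delivered to the right client; with raw ESP there is no such identifier in the packet for a port-based NAT to use, which is why NAT-T, and therefore UDP 4500, is needed on both ends.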

Leveraging Remote Access Policies

For a common policy, you must choose the following:

  • An access method:

    VPN access

    Dial-up access

    Wireless access

    Ethernet

  • Whether to grant access permissions by user or by group

  • Authentication methods

  • Levels of allowed encryption (depending on the access method selected)

For a custom policy, you must configure the following:

  • A set of policy conditions

  • Whether remote access permission for the policy is granted or denied

  • Remote access policy profile settings
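As an added example (Python written for this page, not RRAS or IAS code), the model below evaluates constructed connection requests against a policy set of the kind described above: a set of conditions, a grant-or-deny permission, and profile settings that restrict authentication method and encryption level. The evaluation order mirrors RRAS: the first policy whose conditions all match decides, the user's own dial-in setting overrides the policy's permission unless it is "Control through policy", and the profile is enforced last. The attribute strings, group name and user requests are constructed for the example; the policy deliberately omits PAP and EAP-MD5, matching the hardening list earlier in this section.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Attribute names follow the RADIUS attributes RRAS/IAS evaluates; the values,
# group names and requests below are constructed for the example.
@dataclass
class Request:
    user: str
    groups: Set[str]
    nas_port_type: str   # "Virtual (VPN)", "Async (Modem)", "Wireless - IEEE 802.11", "Ethernet"
    auth_method: str     # "PAP", "CHAP", "MS-CHAP", "MS-CHAP v2", "EAP-TLS", "PEAP", "EAP-MD5"
    encryption: str      # "None", "Basic", "Strong", "Strongest"
    dial_in: str         # per-user account setting: "Allow", "Deny", "Control through policy"


@dataclass
class Profile:
    auth_methods: Set[str]
    encryption_levels: Set[str]


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Request], bool]]
    grant: bool
    profile: Profile


def evaluate(policies: List[Policy], req: Request) -> Tuple[bool, str]:
    """Evaluate a connection request the way RRAS/IAS does:
    1. the first policy whose conditions all match decides;
    2. the user's own dial-in setting overrides the policy's Grant/Deny,
       except when it is "Control through policy";
    3. the matched policy's profile constraints must then be satisfied.
    No matching policy means the request is rejected."""
    for pol in policies:
        if not all(cond(req) for cond in pol.conditions):
            continue
        if req.dial_in == "Deny":
            return False, f"{pol.name}: user's dial-in permission is Deny"
        if req.dial_in == "Control through policy" and not pol.grant:
            return False, f"{pol.name}: policy denies remote access"
        if req.auth_method not in pol.profile.auth_methods:
            return False, f"{pol.name}: {req.auth_method} not allowed by profile"
        if req.encryption not in pol.profile.encryption_levels:
            return False, f"{pol.name}: encryption level {req.encryption} not allowed"
        return True, f"{pol.name}: access granted"
    return False, "no policy matched: rejected"


# Policy set for the L2TP/IPSec server: VPN port type, membership of a constructed
# "VPN Users" group, MS-CHAP v2 or certificate-based EAP only, strongest encryption only.
VPN_POLICY = Policy(
    name="L2TP VPN access",
    conditions=[
        lambda r: r.nas_port_type == "Virtual (VPN)",
        lambda r: "VPN Users" in r.groups,
    ],
    grant=True,
    profile=Profile({"MS-CHAP v2", "EAP-TLS", "PEAP"}, {"Strongest"}),
)
CATCH_ALL = Policy("Deny everything else", [], grant=False, profile=Profile(set(), set()))
POLICIES = [VPN_POLICY, CATCH_ALL]

# Constructed requests covering the common failure modes.
REQUESTS = {
    "alice": Request("alice", {"VPN Users"}, "Virtual (VPN)", "MS-CHAP v2", "Strongest", "Control through policy"),
    "bob":   Request("bob",   {"VPN Users"}, "Virtual (VPN)", "PAP",        "Strongest", "Control through policy"),
    "carol": Request("carol", {"Staff"},     "Virtual (VPN)", "MS-CHAP v2", "Strongest", "Control through policy"),
    "dave":  Request("dave",  {"VPN Users"}, "Virtual (VPN)", "EAP-TLS",    "Strongest", "Deny"),
    "erin":  Request("erin",  {"VPN Users"}, "Virtual (VPN)", "MS-CHAP v2", "Basic",     "Allow"),
}


def decisions() -> Dict[str, Tuple[bool, str]]:
    return {name: evaluate(POLICIES, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in decisions().items():
        print(f"{name:6} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Note that erin is rejected although her account says "Allow": the per-user setting only overrides the policy's Grant/Deny, and the profile's encryption requirement still applies, which is the behaviour to rely on when enforcing "Require IPSec encryption" and "Require MS-CHAP v2" centrally.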



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325