ISA Server 2004 leverages and significantly enhances the routing and remote access technology built into the Windows Server 2003 Operating System. ISA takes these capabilities to the next level, extending them and tying them into the rules-based control provided by ISA. Before you try to understand how to deploy an ISA VPN infrastructure, it is important to look at the general VPN options and requirements.
Understanding ISA Server 2004 VPN Protocols
ISA Server 2004 supports two VPN protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) with Internet Protocol Security (IPSec) encryption. It is important to remember that although both protocols have advantages and disadvantages, the ISA VPN server can support both types of VPN tunnels simultaneously. This type of scenario has several distinct advantages. For example, an organization could provide down-level PPTP VPN client support while performing a staged rollout of the more complex L2TP/IPSec configuration. Another example could be to provide additional security to a smaller division of users that need a higher level of security provided in an L2TP/IPSec VPN, such as users with elevated privileges or Human Resources employees. This would result in a reduction in costs because the higher cost of purchasing and maintaining certificates, required for L2TP/IPSec, would be limited to fewer users.
Both the PPTP and L2TP protocols are based on the Point-to-Point Protocol (PPP). The technology works by encapsulating IP packets within PPP frames to transmit them securely across a link. If the packets are intercepted, the contents of the frames are unreadable and garbled, making them useless to unauthorized users. Both PPTP and L2TP perform the same basic tunneling functionality by wrapping the PPP frame with additional information required to route the data across the internet to the remote VPN server. The remote VPN server receives the packet, removes the wrapper, and delivers the packet to the destination, essentially creating a virtual tunnel, such as the one shown in Figure 9.1. The encryption provided in both VPN protocols ensures the data is kept private, completing the Virtual Private Network.
Figure 9.1. Examining PPP VPN encryption technology.
Comparing PPTP and L2TP Compression Methods
PPTP and L2TP both use Microsoft Point-to-Point Compression (MPPC) to provide data compression to help reduce the size of the data traveling across the connection. It is important to remember that although the data is compressed, the encryption and additional wrappers added take up a good portion of the available bandwidth, essentially slowing down the application using the connection. This slowdown is typical of encryption technology, and should be taken into account when planning for bandwidth speeds.
Understanding PPTP and L2TP Encryption and Data Security Methods
A PPTP VPN uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the data. MPPE can provide 40-bit, 56-bit, and 128-bit RSA/RC4 encryption. PPTP encrypts only the PPP frame, which is where the data is stored. In a PPTP VPN configuration, it is highly recommended to use the most secure options available, such as 128-bit encryption. A PPTP VPN has only a single layer protecting the users' credentials. For many organizations this level of protection is still adequate when combined with strong domain password policies.
An L2TP/IPSec VPN uses Internet Protocol Security (IPSec) for encryption. IPSec supports the industry standard Data Encryption Standard (DES) and Triple DES (3DES) encryption. IPSec encrypts the entire packet with the exception of the IP header and the IPSec header and trailer. This provides an additional layer of security because the encryption is negotiated before the user authenticates, unlike PPTP, which establishes encryption only after the user successfully authenticates and the remaining PPP negotiation is completed. Essentially, user credentials are protected by several secure layers when IPSec encryption is combined with strong authentication methods and strong domain password policies.
An L2TP/IPSec VPN has additional security functionality that comes with the IPSec protocol. Encapsulating Security Payload (ESP) provides this additional security in the form of confidentiality, authentication, integrity, and anti-replay protection.
Comparing PPTP and L2TP Authentication Methods
PPTP and L2TP use the same user authentication methods as discussed in detail later in this chapter, but the L2TP/IPSec VPN provides an additional layer of computer-level authentication. This guarantees that the VPN server and the client workstation establishing the VPN tunnel are who they claim to be.
Additional information regarding PPTP and L2TP can be found by referencing the Requests for Comments (RFCs) that describe how they work. RFC 2637, describing PPTP, and RFC 2661, describing L2TP, can be easily found on the Internet Engineering Task Force's (IETF) website as follows:
Analyzing VPN Protocol Implementation Issues
A significant technical disadvantage of L2TP is that it can't be easily used behind a Network Address Translation (NAT) device. In other words, if ISA is deployed within the DMZ of an existing firewall that is translated via NAT, or if it is within any private address range of an organization, L2TP encryption cannot be used in most cases.
It may be possible to set up a configuration like this using IPSec NAT Traversal (NAT-T) if the routers and/or firewalls between the ISA Server and the client support the newer NAT-T implementation. It is important to validate this in advance because it could affect a VPN deployment strategy. If the ISA Server is directly connected to the Internet as an edge firewall, this issue is moot, and VPN clients can easily use L2TP to connect.
An additional disadvantage of an L2TP/IPSec VPN is the complexity surrounding the implementation of the supporting technology. The IPSec protocol and the required Public Key Infrastructure (PKI) are often considered complex and difficult to understand, let alone implement and support. This means that although an L2TP/IPSec VPN is technically considered to be more secure than PPTP, this security is quickly diminished if the implementation and supportability surrounding the technology are too complex to guarantee that they are secured correctly and functioning properly.
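The encapsulation described earlier in this section and the NAT-T question above both show up at the perimeter as recognisable protocol and port patterns: PPTP uses a TCP 1723 control channel plus GRE (IP protocol 47) for data, while L2TP/IPSec starts with IKE on UDP 500 and then either carries ESP (IP protocol 50) directly or, when NAT-T is negotiated, UDP-encapsulated ESP on UDP 4500. The following added example (not code from the book or from ISA Server) summarises constructed firewall log lines per client and flags the classic symptom of an L2TP client stuck behind a NAT device that lacks NAT-T support: IKE exchanges on UDP 500 that are never followed by ESP or UDP 4500. The log line format is invented for this illustration and is not ISA's own log format.

```python
"""Classify VPN traffic seen at the perimeter and flag L2TP/IPSec clients that
appear to be behind NAT without NAT-T. Added example; the log format is
constructed for this illustration and is not ISA Server's log format."""
import re
from collections import defaultdict

# Protocol/port fingerprints of the two VPN types discussed on this page
PPTP_CONTROL_TCP_PORT = 1723   # PPTP control connection
IKE_UDP_PORT = 500             # IKE negotiation that precedes IPSec
NAT_T_UDP_PORT = 4500          # IPSec NAT-Traversal (UDP-encapsulated ESP)
# GRE is IP protocol 47 and ESP is IP protocol 50; the constructed log names them

# Constructed sample: "<time> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <action>"
SAMPLE_LOG = """\
10:00:01 TCP 203.0.113.10:51000 -> 198.51.100.5:1723 allow
10:00:01 GRE 203.0.113.10:0 -> 198.51.100.5:0 allow
10:00:05 UDP 203.0.113.20:500 -> 198.51.100.5:500 allow
10:00:05 ESP 203.0.113.20:0 -> 198.51.100.5:0 allow
10:00:09 UDP 192.0.2.30:500 -> 198.51.100.5:500 allow
10:00:10 UDP 192.0.2.30:4500 -> 198.51.100.5:4500 allow
10:00:12 UDP 192.0.2.40:500 -> 198.51.100.5:500 allow
10:00:13 UDP 192.0.2.40:500 -> 198.51.100.5:500 allow
10:00:20 TCP 203.0.113.50:52000 -> 198.51.100.5:443 allow
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def classify(ev):
    """Map one event to the VPN building block it represents."""
    proto, dport = ev["proto"], ev["dport"]
    if proto == "TCP" and dport == PPTP_CONTROL_TCP_PORT:
        return "pptp-control"
    if proto == "GRE":
        return "pptp-data"
    if proto == "UDP" and dport == IKE_UDP_PORT:
        return "ike"
    if proto == "UDP" and dport == NAT_T_UDP_PORT:
        return "nat-t"
    if proto == "ESP":
        return "esp"
    return "other"


def summarize(log_text):
    """Return a per-source-IP verdict based on which building blocks were seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            seen[ev["src"]].add(classify(ev))
    verdicts = {}
    for src, kinds in seen.items():
        if {"pptp-control", "pptp-data"} <= kinds:
            verdicts[src] = "PPTP tunnel (TCP 1723 control + GRE data)"
        elif "pptp-control" in kinds:
            verdicts[src] = "PPTP control only: GRE (IP protocol 47) may be blocked upstream"
        elif {"ike", "nat-t"} <= kinds:
            verdicts[src] = "L2TP/IPSec via NAT-T (UDP 4500)"
        elif {"ike", "esp"} <= kinds:
            verdicts[src] = "L2TP/IPSec with native ESP (no NAT in the path)"
        elif "ike" in kinds:
            # IKE started but no ESP or NAT-T followed: the NAT problem this section describes
            verdicts[src] = "IKE only: likely behind NAT without NAT-T support"
        else:
            verdicts[src] = "no VPN traffic"
    return verdicts


if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Running it on the constructed sample reports one PPTP client, one native L2TP/IPSec client, one NAT-T client, and one client (192.0.2.40) that never progressed past IKE, which is the case to investigate before blaming the ISA configuration.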
Understanding Network Bandwidth Constraints with VPNs
One of the most important aspects to consider when implementing an ISA VPN server is the Internet connection over which the VPN traffic will travel. The available internal bandwidth and the projected additional load that VPN communication will add should be calculated to determine whether the existing environment will be suitable. There isn't necessarily a clear-cut method to determine how much Internet bandwidth VPN users will consume while connected to the VPN server, and several factors, including the type of information or applications that the users will access, almost always affect the bandwidth consumption. Generally, existing bandwidth monitoring should be able to give average consumption and availability during specific times. These numbers, along with prototyping the VPN design and expected user load, usually generate reasonably accurate figures for determining whether the implementation is currently possible under the current conditions.
The roaming users' Internet connection also needs to be taken into consideration. Often factors that influence the overall user experience are beyond an organization's control, such as link speed and reliability while users are in remote locations. These types of aspects should be taken into consideration early in the planning stage.
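The compression section above notes that the encryption and extra wrappers consume a good portion of the bandwidth, and the planning discussion above asks how much link capacity a VPN population will need. The following added example (not a sizing tool from the book or from ISA Server) turns those two points into numbers: it estimates the per-packet overhead of PPTP versus L2TP/IPSec, finds the largest inner packet that still fits a 1500-byte MTU without fragmentation, and projects link capacity for a user population. The header sizes are typical values assumed for this illustration (enhanced GRE with key and sequence number, ESP with an 8-byte IV, HMAC-SHA1-96 integrity check, 8-byte cipher block alignment, an 8-byte L2TP data header); real captures vary with negotiated options, so measure your own prototype before relying on the figures.

```python
"""Estimate PPTP versus L2TP/IPSec tunnel overhead and project VPN link capacity.
Added planning example; header sizes below are assumed typical values."""

IP_HDR = 20        # outer IPv4 header without options
PPP_HDR = 4        # PPP protocol field plus MPPE/MPPC header (assumed)

# PPTP: IP + enhanced GRE (8-byte base + 4-byte sequence number) + PPP
PPTP_FIXED = IP_HDR + 12 + PPP_HDR

# L2TP/IPSec in ESP transport mode:
# IP + ESP header (8) + IV (8) + UDP (8) + L2TP data header (8, assumed) + PPP
L2TP_IPSEC_FIXED = IP_HDR + 8 + 8 + 8 + 8 + PPP_HDR
ESP_TRAILER = 2    # pad length + next header fields
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
ESP_BLOCK = 8      # DES/3DES block size; ESP pads (plaintext + trailer) to this
NAT_T_UDP = 8      # extra UDP header when ESP is UDP-encapsulated for NAT-T


def esp_padding(plaintext_len):
    """Padding bytes so that plaintext plus trailer is a multiple of the block size."""
    return (-(plaintext_len + ESP_TRAILER)) % ESP_BLOCK


def pptp_overhead(payload_len):
    """PPTP adds a fixed wrapper regardless of payload size."""
    return PPTP_FIXED


def l2tp_ipsec_overhead(payload_len, nat_t=False):
    """ESP encrypts UDP + L2TP + PPP + payload, so padding depends on payload size."""
    encrypted = 8 + 8 + PPP_HDR + payload_len
    pad = esp_padding(encrypted)
    return L2TP_IPSEC_FIXED + pad + ESP_TRAILER + ESP_ICV + (NAT_T_UDP if nat_t else 0)


def wire_bytes(payload_len, protocol, nat_t=False):
    """Bytes actually sent on the Internet link for one inner IP packet."""
    if protocol == "pptp":
        return payload_len + pptp_overhead(payload_len)
    if protocol == "l2tp/ipsec":
        return payload_len + l2tp_ipsec_overhead(payload_len, nat_t)
    raise ValueError(f"unknown protocol {protocol!r}")


def largest_payload_without_fragmentation(protocol, nat_t=False, mtu=1500):
    """Largest inner packet whose tunnelled form still fits the link MTU."""
    for payload_len in range(mtu, 0, -1):
        if wire_bytes(payload_len, protocol, nat_t) <= mtu:
            return payload_len
    return 0


def required_link_kbps(users, per_user_kbps, avg_payload_len, protocol,
                       nat_t=False, headroom=0.25):
    """Project link capacity: per-user application rate scaled by the tunnel
    overhead ratio at the average packet size, summed over users, plus headroom.
    The 25% headroom is a planning assumption, not a measured value."""
    ratio = wire_bytes(avg_payload_len, protocol, nat_t) / avg_payload_len
    return users * per_user_kbps * ratio * (1 + headroom)


if __name__ == "__main__":
    for size in (40, 1000):   # a bare TCP ACK versus a bulk data packet
        print(f"payload {size:5}: pptp {wire_bytes(size, 'pptp')} bytes, "
              f"l2tp/ipsec {wire_bytes(size, 'l2tp/ipsec')} bytes, "
              f"l2tp/ipsec+nat-t {wire_bytes(size, 'l2tp/ipsec', nat_t=True)} bytes")
    print("max unfragmented payload, l2tp/ipsec:",
          largest_payload_without_fragmentation("l2tp/ipsec"))
    print("50 users at 64 kbps over PPTP need about",
          round(required_link_kbps(50, 64, 1000, "pptp")), "kbps")
```

The small-packet case is the one that surprises planners: a 40-byte inner packet roughly doubles on the wire under PPTP and almost triples under L2TP/IPSec, so chatty applications cost far more than their nominal data rate suggests.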
Preparing Internal Resources for Remote Access
Preparing the internal network infrastructure for remote access is an important process to start well in advance of the actual implementation of the ISA VPN solution. The ISA VPN server, along with the supporting components, should be implemented carefully to avoid errors that could result in security vulnerabilities. The internal resources that remote users will be accessing should also be evaluated to ensure that the proper security layers have been applied and tested to guarantee the appropriate level of control and management is in place and, most importantly, kept current.
Another aspect of implementing the ISA VPN for remote access is domain password policies and authentication auditing. Unfortunately, most organizations are slow to adopt biometric scanning devices or even smart cards, and are still relying on archaic user-defined passwords. It is highly recommended to implement strong password policies and authentication auditing to effectively reduce the possibility of anyone quietly slipping into an internal network. ISA VPN solutions support smart card-based authentication, in addition to third-party SecurID two-factor authentication mechanisms, so it is fairly straightforward to add this additional security to an ISA implementation.
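The two controls recommended above for a VPN that still depends on passwords are a strong password policy and auditing of authentication attempts. The following added example (not code from the book or from ISA Server) implements both in a form that can be run against constructed input: a complexity check modelled on the documented Windows domain rule (minimum length, no run of three or more characters from the account name or full name, characters from at least three of four classes) and a burst detector over security audit events. The audit line format is invented for this illustration; the event IDs assume the Windows 2000/2003 security log, where 529 is a logon failure due to bad user name or password and 539 is an account lockout, and the eight-character minimum and five-failures-in-ten-minutes threshold are planning assumptions rather than values from the book.

```python
"""Password complexity check and failed-logon burst detection.
Added example; audit lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def meets_complexity(password, account_name, full_name="", min_length=8):
    """Windows-style domain complexity rule. min_length=8 is an assumption
    chosen here; the rule itself requires only a minimum length, no 3+ character
    run from the account or full name, and 3 of 4 character classes."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    name_parts = [account_name] + full_name.replace(",", " ").split()
    for part in name_parts:
        part = part.lower()
        if len(part) >= 3 and part in lowered:
            return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


# Constructed audit lines: "<date> <time> <event_id> <user> <source_ip>"
SAMPLE_AUDIT = """\
2004-11-02 08:00:01 529 jdoe 203.0.113.10
2004-11-02 08:00:03 529 jdoe 203.0.113.10
2004-11-02 08:00:04 529 jdoe 203.0.113.10
2004-11-02 08:00:06 529 jdoe 203.0.113.10
2004-11-02 08:00:07 529 jdoe 203.0.113.10
2004-11-02 08:00:08 539 jdoe 203.0.113.10
2004-11-02 08:10:00 528 bwong 192.0.2.9
2004-11-02 08:30:00 529 asmith 198.51.100.7
2004-11-02 09:30:00 529 asmith 198.51.100.7
"""

AUDIT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\d+) (?P<user>\S+) (?P<src>\S+)$")
LOGON_FAILURE = "529"   # bad user name or password (Windows 2000/2003 event ID)
ACCOUNT_LOCKOUT = "539"


def failed_logon_alerts(audit_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: [reasons]} for users with `threshold` failures inside any
    `window`-long span (sliding window), or with an account lockout event."""
    failures = defaultdict(list)
    lockouts = set()
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        m = AUDIT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised audit line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["event"] == LOGON_FAILURE:
            failures[m["user"]].append(ts)
        elif m["event"] == ACCOUNT_LOCKOUT:
            lockouts.add(m["user"])

    alerts = defaultdict(list)
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                alerts[user].append(f"{end - start + 1} failed logons within {window}")
                break
    for user in sorted(lockouts):
        alerts[user].append("account locked out (event 539)")
    return dict(alerts)


if __name__ == "__main__":
    for pw in ("password", "Jdoe2004!", "Tr0ub4dor&3"):
        print(f"{pw!r:16} complexity ok: {meets_complexity(pw, 'jdoe', 'John Doe')}")
    for user, reasons in failed_logon_alerts(SAMPLE_AUDIT).items():
        print(user, "->", "; ".join(reasons))
```

On the constructed sample, jdoe trips both the burst rule and the lockout rule, while asmith's two failures an hour apart stay below the threshold, which is the distinction a lockout policy alone does not surface.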