Virtual Private Networks


A common method of securing information sent across unsecured networks is to create a virtual private network (VPN): effectively a connection between two private nodes or networks that is secured and encrypted to prevent unauthorized snooping of the traffic between the two endpoints. From the client's perspective, a VPN looks and feels just like a normal network connection between different segments on a network, hence the term virtual private network.

Data that is sent across a VPN is encapsulated, or wrapped, in a header that indicates its destination. The information in the packet is then encrypted to secure its contents. The encrypted packets are then sent across the network to the destination server, using what is known as a VPN tunnel.

VPN Tunnels

The connection made by VPN clients across an unsecured network is known as a VPN tunnel. It is named as such because of the way it "tunnels" underneath the regular traffic of the unsecured network.

VPN tunnels are logically established on a point-to-point basis but can be used to connect two private networks into a common network infrastructure. In many cases, for example, a VPN tunnel serves as a virtual WAN link between two physical locations in an organization, all while sending the private information across the Internet. VPN tunnels are also widely used by remote users who log in to the Internet from multiple locations and establish VPN tunnels to a centralized VPN server in the organization's home office. These reasons make VPN solutions a valuable asset for organizations, and one that can be easily established with the technologies available in Windows Server 2003 or extended even further with technologies that integrate directly with Windows Server 2003 VPN technology, such as the Internet Security and Acceleration (ISA) Server 2004 product.

Note

VPN tunnels can either be voluntary or compulsory. In short, voluntary VPN tunnels are created when a client, usually out somewhere on the Internet, asks for a VPN tunnel to be established. Compulsory VPN tunnels are automatically created for clients from specific locations on the unsecured network, and are less common in real-life situations than are voluntary tunnels.


Tunneling Protocols

The tunneling protocol is the specific technology that defines how data is encapsulated, transmitted, and decapsulated across a VPN connection. Various implementations of tunneling protocols exist, corresponding to different layers of the Open Systems Interconnection (OSI) standards-based reference model. The OSI model is composed of seven layers, and VPN tunneling protocols use either Layer 2 or Layer 3 as their unit of exchange: Layer 2, the lower of the two, uses a frame as the unit of exchange, and Layer 3 protocols use a packet.

The most common Layer 2 VPN protocols are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP), both of which are fully supported protocols in Windows Server 2003.

PPTP and L2TP Protocols

Both PPTP and L2TP are based on the well-defined Point-to-Point Protocol (PPP) and are consequently accepted and widely used in VPN implementations. L2TP is the preferred protocol for use with VPNs in Windows Server 2003 because it incorporates the best of PPTP, with a technology known as Layer 2 Forwarding. L2TP allows for the encapsulation of data over multiple network protocols, including IP, and can be used to tunnel over the Internet. The payload, or data to be transmitted, of each L2TP frame can be compressed, as well as encrypted, to save network bandwidth.

Both PPTP and L2TP build on a suite of useful functionality that was introduced in PPP, such as user authentication, data compression and encryption, and token card support. These features, which have all been ported over to the newer implementations, provide for a rich set of VPN functionality.

L2TP/IPSec Secure Protocol

Windows Server 2003 uses an additional layer of encryption and security by utilizing IP Security (IPSec), a Layer 3 encryption protocol, in concert with L2TP in what is known, not surprisingly, as L2TP/IPSec. IPSec allows for the encryption of the L2TP header and trailer information, which is normally sent in clear text. This also has the added advantage of dual-encrypting the payload, adding an additional level of security into the mix.

L2TP/IPSec has some distinct advantages over standard L2TP, namely the following:

  • L2TP/IPSec allows for data authentication on a packet level, allowing for verification that the payload was not modified in transit, as well as the data confidentiality that is provided by L2TP.

  • Dual-authentication mechanisms stipulate that both computer-level and user-level authentication must take place with L2TP/IPSec.

  • L2TP packets intercepted during the initial user-level authentication cannot be copied for use in offline dictionary attacks to determine the L2TP key because IPSec encrypts this procedure.

An L2TP/IPSec packet carries several encrypted headers, and the payload itself is deeply nested within the structure. This provides a great deal of transport-level security for the packet itself.
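The nesting just described, as an added example that is not from the book: a short Python script builds a PPP frame, wraps it in an L2TP data header and a UDP segment to port 1701, then protects the result with an ESP-style header, trailer and HMAC-SHA1-96 integrity check value. The cipher is a constructed stand-in (an HMAC-driven keystream), not a real ESP transform, and the keys, SPI, tunnel and session IDs are made-up values. What it shows is which fields stay readable on the wire (only the SPI and sequence number) and that a packet modified in transit is rejected before it is decrypted, which is the packet-level data authentication listed above that plain L2TP does not provide.

```python
import hashlib
import hmac
import struct

UDP_PROTO = 17      # ESP "next header" value for an inner UDP segment
L2TP_PORT = 1701    # UDP port used by L2TP


def l2tp_data_header(tunnel_id, session_id):
    # RFC 2661 data message header with no optional fields:
    # flags/version 0x0002 = data message (T=0), no L/S/O bits, version 2
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)


def udp_segment(src_port, dst_port, payload):
    # UDP header: ports, total length, checksum 0 (permitted on IPv4)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_l2tp_over_udp(tunnel_id, session_id, ppp_frame):
    """Inner layers as L2TP sends them: UDP -> L2TP header -> PPP frame."""
    return udp_segment(L2TP_PORT, L2TP_PORT,
                       l2tp_data_header(tunnel_id, session_id) + ppp_frame)


def _keystream(enc_key, spi, seq, length):
    # Constructed stand-in for the ESP cipher: HMAC-SHA256 run in counter mode,
    # bound to (SPI, sequence number) so no two packets share a keystream.
    out, counter = b"", 0
    while len(out) < length:
        block = struct.pack("!IIQ", spi, seq, counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(spi, seq, inner, enc_key, auth_key):
    """Wrap the inner UDP/L2TP/PPP bytes in an ESP header, trailer and ICV."""
    # ESP trailer: pad to a 4-byte boundary, then pad length and next header
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding bytes
    plaintext = inner + padding + bytes([pad_len, UDP_PROTO])
    header = struct.pack("!II", spi, seq)       # the only fields left readable
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    # ICV: HMAC-SHA1-96 over header + ciphertext (RFC 2404); this is the
    # per-packet data authentication that plain L2TP lacks
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:12]
    return header + ciphertext + icv


def esp_decapsulate(packet, enc_key, auth_key):
    """Return (spi, seq, inner bytes), or None if the packet fails the ICV check."""
    if len(packet) < 8 + 4 + 12:
        return None
    header, ciphertext, icv = packet[:8], packet[8:-12], packet[-12:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        return None                              # modified in transit: drop it unread
    spi, seq = struct.unpack("!II", header)
    ks = _keystream(enc_key, spi, seq, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != UDP_PROTO or pad_len + 2 > len(plaintext):
        return None
    return spi, seq, plaintext[:len(plaintext) - 2 - pad_len]


def parse_inner(inner):
    """Walk the decrypted layers: UDP header -> L2TP header -> PPP payload."""
    _src, dst, _length, _cksum = struct.unpack("!HHHH", inner[:8])
    flags, tunnel_id, session_id = struct.unpack("!HHH", inner[8:14])
    return {"udp_dst": dst, "l2tp_version": flags & 0x000F,
            "tunnel_id": tunnel_id, "session_id": session_id, "ppp": inner[14:]}


if __name__ == "__main__":
    # Constructed keys and identifiers, purely for illustration
    enc_key, auth_key = b"constructed-esp-enc-key", b"constructed-esp-auth-key"
    ppp = b"\xff\x03\x00\x21" + b"inner IP datagram (constructed)"  # PPP proto 0x0021 = IPv4
    inner = build_l2tp_over_udp(7, 42, ppp)
    packet = esp_encapsulate(0x1000, 1, inner, enc_key, auth_key)
    print("readable on the wire:", struct.unpack("!II", packet[:8]))
    print("intact packet decodes to:", parse_inner(esp_decapsulate(packet, enc_key, auth_key)[2]))
    tampered = bytearray(packet)
    tampered[20] ^= 0x01
    print("tampered packet accepted?", esp_decapsulate(bytes(tampered), enc_key, auth_key) is not None)
```

The order of operations in esp_decapsulate is the point to notice: the ICV is checked first, in constant time, and a packet that fails is discarded without ever being decrypted, so an attacker who alters ciphertext bytes learns nothing from how the receiver handles them.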

Administering a VPN Using an Internet Authentication Service Server

Users who connect via a VPN connection need to be authenticated through a mechanism that stores the users' associated username and password information in a centralized location. Traditional VPN solutions utilized a directory on a Remote Authentication Dial-in User Service (RADIUS) server, which authenticated users based on their remote access usernames and passwords. Often, however, these user accounts were different from the domain user accounts, and administration of the two environments was complicated because multiple passwords and user accounts needed to be administered.

Windows Server 2003 simplifies the VPN authentication process by utilizing the Internet Authentication Service (IAS) installed on a Windows Server 2003 server to provide for RADIUS-based authentication of users using domain Active Directory usernames and passwords.
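How the RADIUS exchange behind IAS works, as an added example that is not from the book or from Microsoft: a Python implementation of the RFC 2865 Access-Request and Access-Accept/Reject round trip between a network access server (the VPN server) and a RADIUS server, with PAP-style User-Password hiding and Response Authenticator verification. The shared secret, user store and request authenticator are constructed values, and the dictionary lookup stands in for the Active Directory check IAS performs. RRAS-to-IAS traffic in practice usually carries MS-CHAP v2 or EAP attributes rather than a User-Password, so this shows the packet framing and the secret-keyed authenticator check, not the exact attribute set a VPN client would produce.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def _attr(atype, value):
    # Attribute = type (1 byte), length including these two bytes, value
    return bytes([atype, 2 + len(value)]) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with an MD5
    chain seeded by the Request Authenticator, so the same password never repeats on the wire."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; only works with the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS (VPN server) -> RADIUS: Code, Identifier, Length, Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)     # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def handle_access_request(request, secret, user_store):
    """RADIUS server side: recover the password, check it, answer Accept or Reject.
    user_store is a constructed dict standing in for the directory lookup IAS makes."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(user_store.get(username, b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = struct.pack("!BBH", code, ident, 20)      # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(body + request_auth + secret).digest()
    return body + response_auth


def verify_response(response, request, secret):
    """NAS side: trust the answer only if its authenticator matches, i.e. it was produced
    by a party holding the shared secret for this exact request. Returns the code or None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    store = {b"alice": b"correct horse"}          # constructed stand-in for AD accounts
    req = build_access_request(5, b"alice", b"correct horse", secret)
    print("accept code:", verify_response(handle_access_request(req, secret, store), req, secret))
    bad = build_access_request(6, b"alice", b"wrong", secret)
    print("reject code:", verify_response(handle_access_request(bad, secret, store), bad, secret))
```

Two properties worth noting from the code: the NAS never trusts an Access-Accept on its own, only one whose Response Authenticator was computed with the shared secret over this request's authenticator, and a RADIUS server configured with a different secret cannot even recover the submitted password, let alone produce an answer the NAS will accept. Keeping that secret long and unique per RADIUS client is therefore what the whole exchange rests on.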

You can install and configure IAS on a Windows Server 2003 server by following these steps:

1. Choose Start, Control Panel, Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. Select the Networking Services component (don't check it) and click the Details button.

4. Check the Internet Authentication Service box, as illustrated in Figure 13.1, and click OK.

Figure 13.1. Installing IAS.

5. Click Next to continue. The installation will proceed.

6. Click Finish at the Completion screen.

Depending on the administrative credentials used to install IAS, you may need to register it in Active Directory following installation if it will be used to authenticate users who exist in AD for VPN and dial-up access. To perform this function, follow these steps:

1. Choose Start, All Programs, Administrative Tools, Internet Authentication Service.

2. Right-click Internet Authentication Service (Local) and choose Register Server in Active Directory.

Note

Domain membership is required for the option to register the server in Active Directory to be displayed. If the server is not a member of the domain, the Register Server option will be grayed out.

3. If IAS was already registered in AD, acknowledgment of that fact will be displayed. Otherwise, a success dialog box will be displayed, indicating the proper registration of IAS with AD.

Using Routing and Remote Access Service to Establish VPNs

The Routing and Remote Access Server (RRAS), available for installation on Windows Server 2003, effectively provides servers with VPN functionality through the use of the L2TP/IPSec and PPTP tunneling protocols. RRAS servers can be established to serve on one end or on both ends of a VPN conversation, and work in concert with IAS to authenticate VPN users.

RRAS in Windows Server 2003 adds key functionality such as network load balancing (NLB) support and increased performance; it also integrates the Internet Connection Firewall (ICF) component into RRAS.

Note

While Windows Server 2003 contains robust VPN support, additional VPN functionality can be obtained by extending Windows Server 2003 with the Internet Security and Acceleration (ISA) Server 2004/2006 product available from Microsoft. ISA Server extends the RRAS Service to allow for rule-based access control and application layer inspection of VPN traffic. For more information, reference Sams Publishing's ISA Server 2004 Unleashed and/or ISA Server 2006 Unleashed titles.


The Routing and Remote Access Server can be installed on a Windows Server 2003 computer by using the Configure Your Server (CYS) Wizard, as described in the following steps:

1. Open the Configure Your Server Wizard (Start, All Programs, Administrative Tools, Configure Your Server Wizard).

2. Click Next at the Welcome screen.

3. Click Next at the Preliminary Steps screen. CYS will then check the network settings of the server.

4. Select Remote Access/VPN Server, as illustrated in Figure 13.2, and click Next to continue.

Figure 13.2. Installing the RRAS component.

5. At the Summary screen, click Next to continue. CYS will then install the component and automatically invoke the RRAS Setup Wizard.

6. Click Next at the RRAS Setup Wizard Welcome screen.

7. The subsequent screen is critical because you can define specific RRAS functionality. RRAS can be set up for remote access VPN or VPN with Network Address Translation (NAT) access. In addition, it can be set up as one end of a VPN between two private networks. Finally, a custom configuration can be chosen, as illustrated in Figure 13.3. In this example, choose Remote Access and click Next to continue.

Figure 13.3. Choosing RRAS options.

8. Check the VPN box at the following screen and click Next to continue.

Note

If two network adapters are not installed in the server you are creating for the VPN setting, the wizard will prompt to choose the custom configuration option where a single network adapter can be configured for this setup.

9. At the finalization screen, click Finish to finalize the RRAS settings chosen.

10. A final confirmation box will indicate that RRAS has been installed and will ask whether the service should be started. Click Yes to start the service and complete the installation and then click Finish to close the CYS Wizard.

The RRAS server is the key to implementing the VPN options described in this chapter and can be used to provide for any of the options listed here.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499
