Imagine that you are back in your high school cafeteria. You need to get a message to your friend on the other side of the room, but your school has very strict rules, and yelling at him will get you thrown in detention. One way to get the message across the cafeteria would be to tell your neighbor, then have everyone in the cafeteria pass it on until it reaches the other side of the room. Assuming that each person in the chain correctly repeated the message, it would eventually reach your friend. But what if the message was secret campaign information about the upcoming student election? You don’t want everyone to know, so you quickly find two cans and a long piece of string. After connecting the two cans to each end of the string you pass one of the cans over to your friend while each classmate in between holds the string. That’s the basic idea behind a Virtual Private Network (VPN).
A VPN tunnels information through some “other” network. A VPN does not technically need to provide any authentication mechanisms or security for the information it is tunneling, though in reality this is the most common scenario. The analogy above illustrates the fundamental concepts behind most VPN implementations, which is passing private information securely via a public medium. The rest of this article will explore the uses, benefits, core concepts, and high level design points of VPN technology with a focus on Microsoft’s implementation.
Site-to-Site and Remote Access VPNs
The two most common VPN scenarios are site-to-site and remote access. Let’s take a closer look at each of these.
In a site-to-site scenario two separate networks are joined together by the VPN connection. For example, an organization may have its headquarters located in Portland, Oregon and a new satellite office located in Seattle, Washington. The boss wants folks in the new Seattle branch to have access to network file shares along with full Exchange connectivity, all of which are hosted in the Portland office. You could get an expensive leased line from the telephone company, but why pay big bucks when a site-to-site VPN will do the trick? With a site-to-site VPN connecting the two offices, computers on one local area network (LAN) will be able to communicate with computers on the remote LAN as if they were plugged into the same Ethernet switch. Of course, filters and other firewall rules can be put into place if you don’t want any and all communication going across the VPN connection.
In a remote access VPN scenario, users who are away from your organization’s LAN connect remotely and use the VPN to gain access to internal network resources. A good example of a remote access VPN in action would be the salesman in the field who needs access to a proprietary customer relationship management (CRM) application. If the CRM program does not have a Web interface, then a remote access VPN is a great way to provide off-site access to the application. Of course, a remote access VPN connection can also provide access to network file shares, printing, etc. One other nice feature of the remote access VPN scenario is the additional privacy and security it gives you on public networks such as free wireless in a coffee shop. The remote access VPN client can be configured to send all traffic, including Internet traffic, through the VPN. This means that other users on the wireless network won’t be able to see what sites you are visiting, or any of your other otherwise unencrypted traffic.
Deploying Microsoft VPNs
Next, let’s introduce two of the high level design decisions you will need to make when deploying a Microsoft VPN solution.
One of the most important choices to make is Point to Point Tunneling Protocol (PPTP) versus Layer 2 Tunneling Protocol/IP Security (L2TP/IPSec). These are the two tunneling protocols that encrypt your data and tunnel it safely across the Internet to its destination (i.e. the string between the two cans). PPTP is easier to set up because it doesn’t require certificates (aka a Public Key Infrastructure), but unfortunately it is not quite as secure as L2TP/IPSec. PPTP’s core weakness is that it depends on the strength of the user’s password, so be sure to have a good password policy in place if you use PPTP. PPTP is good enough for many environments, but if you need a 100 percent rock solid solution then you will want to use L2TP/IPSec. You can also choose to support both PPTP and L2TP/IPSec. In this scenario you would only have to distribute certificates to clients requiring the highest levels of security, and the rest of your users can stick with PPTP.
Another important design decision you need to make is whether to configure remote access VPN clients for a split tunnel or a full/single tunnel. A split tunnel occurs when VPN clients send Internet-bound traffic through whatever Internet connection they are currently using, but send traffic bound for your organization through the VPN tunnel. This has the advantage of not clogging up the Internet gateway at your VPN server location, but it does leave VPN clients with less privacy and security if they are connecting from an untrusted network. With a full/single tunnel, all traffic, whether it is bound for the Internet or for your organization’s network, will be sent through the VPN tunnel.
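As an added example (not from the original article, which predates these cmdlets), here is how both design decisions above look on a Windows client using the built-in VpnClient PowerShell module (Windows 8 / Server 2012 and later). The server name and the 10.0.0.0/8 corporate prefix are assumed placeholder values.

```powershell
# Added example: client profiles for the two design decisions in the article.
# $Server is an assumed placeholder for your RAS/VPN server's public name.
$Server = 'vpn.example.com'

# Decision 1, option A: PPTP. No certificates or PKI needed, but security rests on
# MS-CHAPv2, i.e. on the user's password, so demand the strongest MPPE encryption and
# back it with a solid domain password policy.
Add-VpnConnection -Name 'Corp-PPTP' -ServerAddress $Server `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum `
    -RememberCredential -Force

# Decision 1, option B: L2TP/IPSec. Leaving out -L2tpPsk means the IPsec tunnel is
# authenticated with the computer certificate issued by your PKI, which is the
# "highest level of security" choice from the article. User auth is still MS-CHAPv2.
Add-VpnConnection -Name 'Corp-L2TP' -ServerAddress $Server `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum `
    -RememberCredential -Force

# Decision 2: split vs. full tunnel. A new connection defaults to a full/single tunnel.
# For a split tunnel, turn it on and add routes for the corporate prefixes only; anything
# not matching these routes leaves via the local Internet connection.
Set-VpnConnection -Name 'Corp-L2TP' -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName 'Corp-L2TP' -DestinationPrefix '10.0.0.0/8'   # assumed prefix

# Keep the PPTP profile as a full tunnel so that traffic from an untrusted coffee-shop
# network is still carried inside the VPN.
Set-VpnConnection -Name 'Corp-PPTP' -SplitTunneling $false

# Verify the result before handing the profiles to users.
Get-VpnConnection -Name 'Corp-PPTP', 'Corp-L2TP' |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

The server side (RRAS) must of course allow the same tunnel types and authentication methods; a mismatch in either setting shows up as a connection failure rather than a silent downgrade.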
Now that the basics are out of the way, next week we’ll take a more detailed look at VPN technology and walk through the steps involved in setting up a Microsoft VPN server.
- An analysis of Microsoft’s PPTP authentication extensions: http://www.schneier.com/paper-pptpv2.pdf (PDF)