Virtual Private Networks
Virtual Private Networking (VPN) is a way to connect a company's computer at one location to a computer or server at a second location through a secure, encrypted session carried over a low-cost dial-up or broadband (DSL or digital cable) Internet connection, instead of dialing directly into an 800 number or using more expensive Frame Relay or point-to-point high-speed connections.
Using a Virtual Private Network transiting the Internet can result in considerable cost savings for companies that need to link multiple computers or Local Area Networks at different locations, whether across town or across the country, by eliminating incoming "800" number charges or Frame Relay/point-to-point monthly fees, which are mileage based, without incurring a data security exposure.
A Virtual Private Network can make employee telecommuting faster and more efficient.
A VPN connection consists of a secure, encrypted session embedded inside a standard IP session between one computer connected to the Internet and another computer connected to the Internet. This secure, encrypted connection is called a "tunnel."
Using the existing Internet connection of both computers, one computer (the "caller") initiates the tunnel connection to the other using a standard protocol such as Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP).
The "called" computer validates the incoming request, including the username and password, and establishes a secure tunnel inside the connected IP session.
The called computer can validate the caller's identity using passwords, biometrics, "smart cards," or time-variable "token" devices (such as RSA SecurID), as determined by the site's security needs. In the case of a Microsoft Windows server, this authenticating computer can be one of the following: a RADIUS server, a RAS (Remote Access Server), or an RRAS (Routing and Remote Access Server).
Once authenticated, the caller can access other servers for email, files, etc., as allowed.
One can consider the external IP connection to be a pipe – through which "flows" the VPN session. The VPN session is a logical connection, an opaque (or encrypted) data "pipeline" (or tunnel) within a transparent (clear) data "pipe" of the basic IP connection.
Data packets transiting the Internet can be inspected by devices or programs known as "sniffers." VPN packets, however, are encrypted: a sniffer sees only the scrambled payload, so the tunneled data is protected from sniffing to the extent that the tunnel's encryption and authentication are strong.
VPNs are actually operating system independent. However, for the sake of simplicity, the Microsoft Windows model will be used.
Encryption for VPN is available in different "strengths." Microsoft's PPTP implementation encrypts the tunnel with MPPE (Microsoft Point-to-Point Encryption), using 128-bit "High Encryption" for users inside the United States and Canada. This is the same key length used by web browsers for secured ("https") websites, though not the same cipher. Microsoft also supports L2TP over IPsec (L2TP/IPsec). IPsec is a standards-based encryption scheme that, in the Windows implementation, authenticates the two endpoints with a machine "certificate" issued by a certificate authority (or a pre-shared key, where supported) and then encrypts the traffic.
Other, proprietary VPN client/server implementations can be used that provide even stronger encryption. Note that PPTP's MS-CHAPv2 authentication and RC4-based MPPE encryption have well-documented cryptographic weaknesses; treat PPTP as a legacy choice and prefer L2TP/IPsec (or a more modern VPN protocol) wherever the client platforms allow it.
For the purposes of exposition and example, the remainder of this white paper will focus on using Microsoft’s Point-to-Point Tunneling Protocol (PPTP). L2TP and IPSEC will be the subject of a future document.
This implementation scenario assumes that the remote or client computer is running a variation of Windows and that the server computer is running a variation of Windows Server.
Each computer at both ends of the tunnel (the client and the server) must have Microsoft PPTP (Point-to-Point Tunneling Protocol) support installed; client (remote) machines also require PPTP client software. An Internet connection is assumed, which may be either dial-up or broadband. Windows 2000 Professional and Server, XP Professional and Home, and Windows Server 2003 support PPTP natively, requiring only that it be activated and configured. Windows NT 4.0 (Workstation and Server), Windows 98 and Windows ME require separate Microsoft PPTP client software to be installed and configured. Windows 95 machines need the Dial-Up Networking upgrade v1.2 or later installed, as well as the PPTP client.
Once PPTP is installed, it must be configured.
Configuration is accomplished using a "wizard" that collects the configuration information for the client.
Information required includes the IP address of the server to connect the tunnel to, whether a separate dial-up modem connection is required, and so on. Additional configuration information includes the username and password combination for the other end, whether or not a Windows domain is involved, the type of encryption and authentication to use, and so on.
For the purposes of this document, it is assumed that the server is running Windows Server 2003 and is connected to the Internet using a 24x7 broadband connection.
In order for a connection to be established, the RRAS service on the server must be started and configured.
Configuring RRAS includes specifying the number of incoming ports (or connections) to allow and their distribution between PPTP and L2TP, how authentication should be handled, which users will be allowed to log in, the type of encryption to use, hours of operation, whether to grant access to the LAN or restrict the user to the RRAS server, the LAN IP addresses assigned to incoming connections, and so on.
The user at the client (remote) computer first connects to the Internet via the ISP, if not already on a 24x7 broadband connection. Then the VPN connection is started by "dialing," that is, connecting to the IP address of the server. After authentication, the VPN session is established between the client computer and the Windows Server 2003 machine.
With the tunnel established, all IP traffic from the client will transit the Internet to the server using an encrypted tunnel.
Internet Service Providers: PPTP (tunneling) does not work on certain Internet providers that use proprietary software compression algorithms to enhance effective data throughput. These include certain modem-based dial-up networks such as AOL and NetZero. If it is possible to use the ISP without "speed enhancement," it may be possible to tunnel on these networks.
The ability to tunnel using Dish satellite Internet service is problematic. The satellite uplink software uses proprietary data compression to speed up effective throughput on the path up to and back down from the geosynchronous satellite used for the communication link.
The key to successful tunneling using PPTP is the ability of the ISPs involved to pass IP protocol 47 (GRE, which carries the tunneled data) and TCP port 1723 (the PPTP control connection).
Almost all "regular" Internet Service Providers support (allow transport of) this protocol and port.
Routers and Firewalls: Routers and firewalls are ubiquitous on the Internet. Routers direct data packets to their destination and firewalls block unwanted (or unsolicited) intrusion into a network. Since making a PPTP connection implicitly involves making an unsolicited inbound connection to a server, routers and firewalls must be configured to forward the TCP port 1723 session-start packets to the authentication server in order to establish a tunnel.
Most business, small office or home office Local Area Network (LAN) scenarios requiring VPN for inbound connections also use a hardware router/firewall combination with Network Address Translation (NAT) or another method to protect the computers on the LAN from outside attack. In order for a computer (the authentication server) to accept a VPN tunnel establishment request, it must first receive data packets from the initiating computer.
This is accomplished by setting up "port forwarding" in the router for TCP port 1723, directed to the authentication server. The router must also pass the GRE packets (IP protocol 47) between the client and that same server; on many consumer routers this is a separate "PPTP passthrough" or "VPN passthrough" setting.
An example of what forwarding looks like on a typical Linksys router can be found here.
Once port forwarding is implemented, the router will automatically send any inbound port 1723 packets to the VPN server.
While VPN will work with computers directly connected to the Internet using software firewalls and/or Internet Connection Sharing schemes, the author believes that a standalone hardware router/firewall works best.
Once a Virtual Private Network tunnel is established, the client computer is, for all intents and purposes, networked with the server or other computers at the server's location as if connected via a local area network. Mapping network drives, Terminal Services, Remote Access, etc., all work as if on a local area network because the tunnel transparently carries IP, IPX and other network protocols and their data packets across the Internet.
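To turn the "protocol 47 and port 1723" requirement into something that can be checked from outside the LAN, the following Python script is an added example for this document; it is not part of the original white paper and not a Microsoft tool. It builds the PPTP Start-Control-Connection-Request that a client sends first over TCP port 1723, parses the server's Start-Control-Connection-Reply, and reports whether a PPTP server answered. The field layout follows RFC 2637; the server address, host name and vendor strings are hypothetical, and the sample reply at the bottom is constructed for offline use rather than captured from a real server.

```python
"""
PPTP control-connection probe (added example, not from the white paper).

Builds a Start-Control-Connection-Request (SCCRQ), parses the server's
Start-Control-Connection-Reply (SCCRP) and reports whether TCP port 1723
reached a PPTP server.  Message layout follows RFC 2637.
"""
import socket
import struct

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D      # fixed cookie present in every PPTP control message
CTRL_MESSAGE = 1             # PPTP message type: control message
SCCRQ, SCCRP = 1, 2          # control message types used here
PROTO_VERSION = 0x0100       # PPTP version 1.0
MSG_LEN = 156                # SCCRQ and SCCRP are both 156 bytes long

SCCRP_RESULT = {
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester not authorized",
    5: "unsupported protocol version",
}

# SCCRQ: length, msg type, cookie, ctrl type, reserved0, version, reserved1,
#        framing caps, bearer caps, max channels, firmware rev, host, vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# SCCRP: same layout, except the 16-bit reserved1 becomes result + error code
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname=b"vpn-probe", vendor=b"example"):
    """Return the bytes of an SCCRQ as a PPTP client would send it."""
    msg = struct.pack(
        SCCRQ_FMT,
        MSG_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0,
        PROTO_VERSION, 0,
        3,   # framing capabilities: asynchronous + synchronous
        3,   # bearer capabilities: analog + digital
        0,   # maximum channels: not meaningful in a request
        0,   # firmware revision
        hostname[:64].ljust(64, b"\0"),
        vendor[:64].ljust(64, b"\0"),
    )
    assert len(msg) == MSG_LEN
    return msg


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError if the bytes are not a valid one."""
    if len(data) < MSG_LEN:
        raise ValueError("reply too short (%d bytes)" % len(data))
    (length, msg_type, magic, ctrl_type, _res0, version, result, error,
     framing, bearer, max_channels, firmware, host, vendor) = \
        struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if magic != PPTP_MAGIC or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("expected SCCRP, got control type %d" % ctrl_type)
    return {
        "ok": result == 1,
        "result": SCCRP_RESULT.get(result, "unknown result %d" % result),
        "error_code": error,
        "version": version,
        "max_channels": max_channels,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe_pptp(server, timeout=5.0):
    """Open TCP 1723 to `server`, send an SCCRQ and return the parsed reply.

    A successful SCCRP proves that port 1723 is forwarded to a PPTP server.
    It does NOT prove that GRE (IP protocol 47), which carries the tunnel
    data, passes the same routers and firewalls.
    """
    with socket.create_connection((server, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


# Constructed sample reply (not a capture): a server accepting the request
# with result code 1 and advertising five channels.  Names are hypothetical.
SAMPLE_SCCRP = struct.pack(
    SCCRP_FMT,
    MSG_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0,
    PROTO_VERSION, 1, 0, 3, 3, 5, 0,
    b"rras-server".ljust(64, b"\0"), b"example-vendor".ljust(64, b"\0"),
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_pptp(sys.argv[1]))       # e.g. python pptp_probe.py vpn.example.com
    else:
        print(parse_sccrp(SAMPLE_SCCRP))     # offline demonstration
```

Run it with the server's public address as the argument from a machine outside the LAN after the forwarding rule is in place; a reply with result code 1 confirms that the port 1723 rule reaches the RRAS server. It says nothing about GRE: because PPP negotiation and authentication travel inside the GRE packets, a client that connects on 1723 but then hangs at the "Verifying username and password" stage is the usual sign that protocol 47 is being dropped by the router or the ISP.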
Copyright © 2011 ZoeS Network Consulting, Solar graphic image copyright © 2000 Christiana V.