Virtual Private Network (VPN) Technology
The virtual private network (VPN) technology included in Windows Server 2003 helps enable cost-effective, secure remote access to private networks. VPN allows administrators to take advantage of the Internet to help provide the functionality and security of private WAN connections at a lower cost. In Windows Server 2003, VPN is enabled using the Routing and Remote Access service. VPN is part of a comprehensive network access solution that includes support for authentication and authorization services, and advanced network security technologies.
There are two main strategies that help provide secure connectivity between private networks and enabling network access for remote users.
Dial-up or leased line connections
A dial-up or leased line connection creates a physical connection to a port on a remote access server on a private network. However, using dial-up or leased lines to provide network access is expensive when compared to the cost of providing network access using a VPN connection.
VPN connections
VPN connections use either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) over an intermediate network, such as the Internet. By using the Internet as a connection medium, VPN saves the cost of long-distance phone service and hardware costs associated with using dial-up or leased line connections. A VPN solution includes advanced security technologies such as data encryption, authentication, authorization, and Network Access Quarantine Control.
Using VPN, administrators can connect remote or mobile workers (VPN clients) to private networks. Remote users can work as if their computers are physically connected to the network. To accomplish this, VPN clients can use a Connection Manager profile to initiate a connection to a VPN server. The VPN server can communicate with an Internet Authentication Service (IAS) server to authenticate and authorize a user session and maintain the connection until it is terminated by the VPN client or by the VPN server. All services typically available to a LAN-connected client (including file and print sharing, Web server access, and messaging) are enabled by VPN.
VPN clients can use standard tools to access resources. For example, clients can use Windows Explorer to make drive connections and to connect to printers. Connections are persistent: Users do not need to reconnect to network resources during their VPN sessions. Because drive letters and universal naming convention (UNC) names are fully supported by VPN, most commercial and custom applications work without modification.
Virtual private networks are point-to-point connections across a private or public network such as the Internet. A VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.
There are two types of VPN connections:
• Remote access VPN
• Site-to-site VPN
Remote Access VPN
Remote access VPN connections enable users working at home or on the road to access a server on a private network using the infrastructure provided by a public network, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization’s server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections) enable organizations to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link. When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
VPN Connection Properties
Encapsulation
VPN technology provides a way of encapsulating private data with a header that allows the data to traverse the network.
Authentication
There are three types of authentication for VPN connections:
1. User authentication
2. Computer authentication with L2TP/IPSec
3. Data Encryption
User authentication
For the VPN connection to be established, the VPN server authenticates the VPN client attempting the connection and verifies that the VPN client has the appropriate permissions. If mutual authentication is being used, the VPN client also authenticates the VPN server, providing protection against masquerading VPN servers.
Computer authentication with L2TP/IPSec
By performing computer-level authentication with IPSec, L2TP/IPSec connections also verify that the remote access client computer is trusted.
Data authentication and integrity
To verify that the data being sent on an L2TP/IPSec VPN connection originated at the other end of the connection and was not modified in transit, L2TP/IPSec packets include a cryptographic checksum based on an encryption key known only to the sender and the receiver.
Data Encryption
Data can be encrypted for protection between the endpoints of the VPN connection. Data encryption should always be used for VPN connections where private data is sent across a public network such as the Internet. Data that is not encrypted is vulnerable to unauthorized interception. For VPN connections, Routing and Remote Access uses Microsoft Point-to-Point Encryption (MPPE) with PPTP and IPSec encryption with L2TP.
Connection Manager
Connection Manager is a service profile that can be used to provide customized remote access to a network through a VPN connection. The advanced features of Connection Manager are a superset of basic dial-up networking. Connection Manager provides support for local and remote connections by using a network of points of presence (POPs), such as those available worldwide through ISPs. Windows Server 2003 includes a set of tools that enable a network manager to deliver pre-configured connections to network users.
These tools are:
• The Connection Manager Administration Kit (CMAK)
• Connection Point Services (CPS)
The Connection Manager Administration Kit (CMAK)
A network administrator can tailor the appearance and behavior of a connection made with Connection Manager by using CMAK. With CMAK, an administrator can develop client dialer and connection software that allows users to connect to the network by using only the connection features that the administrator defines for them. Connection Manager supports a variety of features that both simplify and enhance implementation of connection support, most of which can be incorporated using the Connection Manager Administration Kit Wizard.
CMAK enables administrators to build profiles that customize the Connection Manager Installation package so that it reflects an organization’s identity. CMAK allows administrators to determine which functions and features to include and how Connection Manager appears to end-users. Administrators can do this by using the CMAK wizard to build custom service profiles.
Connection Point Services (CPS)
Connection Point Services (CPS) automatically distributes and updates custom phone books. These phone books contain one or more Point of Presence (POP) entries, with each POP supplying a telephone number that provides dial-up access to an Internet access point for VPN connections. The phone books give users complete POP information, so when they travel they can connect to different Internet POPs rather than being restricted to a single POP.
Without the ability to update phone books (a task CPS handles automatically), users would have to contact their organization’s technical support staff to be informed of changes in POP information and to reconfigure their client-dialer software.
CPS has two components:
• Phone Book Administrator
• Phone Book Service
Phone Book Administrator
Phone Book Administrator is a tool used to create and maintain the phone book database and to publish new phone book information to the Phone Book Service.
Phone Book Service
The Phone Book Service runs on an IIS server and responds to requests from Connection Manager clients to verify the current version of subscribers’ or corporate employees’ current phone books and, if necessary, downloads a phone book update to the Connection Manager client.
No comments:
Post a Comment