MISSION CRITICAL! INTERNET SECURITY part 6 (docx)


Microsoft RAS and VPN for Windows 2000 • Chapter 6
www.syngress.com

Layer 2 Tunneling Protocol (L2TP)

The Layer 2 Tunneling Protocol (L2TP) provides the same functionality as PPTP, but overcomes some of the limitations of the Point-to-Point Tunneling Protocol. Unlike PPTP, it does not require IP connectivity between the client workstation and the server. L2TP can be used as long as the tunnel medium provides packet-oriented point-to-point connectivity, which means it works with such media as Asynchronous Transfer Mode (ATM), Frame Relay, and X.25. L2TP can authenticate the tunnel endpoints, and can be used in conjunction with secure ID cards on the client side and with firewalls on the server side.

L2TP is an Internet Engineering Task Force (IETF) standard, developed in a cooperative effort by Microsoft, Cisco Systems, Ascend, 3Com, and other networking industry leaders. It combines features of Cisco's Layer 2 Forwarding (L2F) protocol with Microsoft's PPTP implementation. L2TP can use IPSec to provide end-to-end security (see the section on IPSec for more information).

Using PPTP with Windows 2000

PPTP is installed with the Routing and Remote Access Service (RRAS). It is configured by default for five PPTP ports. You can enable PPTP ports with the Routing and Remote Access wizard. The PPTP ports are displayed as WAN miniports in the RRAS console, as shown in Figure 6.39. You can view the status of each VPN port, and refresh or reset it, by double-clicking on the port name to display the status sheet and clicking on the appropriate button.

Figure 6.39 PPTP ports in the Routing and Remote Access (RRAS) console.

How to Configure a PPTP Device

To configure a port device, right-click on Ports in the left panel of the console and select Properties. A dialog box similar to Figure 6.40 is displayed. Highlight the RRAS device you wish to configure and then click the Configure button. You will see a dialog box like the one in Figure 6.41.

Figure 6.40 Configuring the properties of a PPTP port device.
Figure 6.41 Using the WAN miniport (PPTP) configuration dialog box.

In the device configuration dialog box, you can set up the port to be used for inbound RAS connections and/or inbound and outbound demand-dial routing connections.

NOTE: A device can be physical, representing hardware (such as a modem), or virtual, representing software (such as the PPTP protocol). A device can create physical or logical point-to-point connections, and the device provides a port, or communication channel, which supports a point-to-point connection. A standard modem is a single-port device. PPTP and L2TP are virtual multiport devices. You can set up to 1000 ports for PPTP and L2TP devices (five is the default number of ports).

TIP: When you change the number of ports on the PPTP or L2TP WAN miniport device, the computer must be rebooted before the change will take effect.

Using L2TP with Windows 2000

Layer 2 Tunneling Protocol (L2TP) over IPSec gives administrators a way to provide end-to-end security for a VPN connection. L2TP doesn't rely on vendor-specific encryption methods to create a completely secured virtual networking connection.

How to Configure L2TP

To enable the server to be a VPN server for L2TP clients, you must first install Routing and Remote Access (RRAS) if you haven't already.

1. Open the RRAS console: Start | Programs | Administrative Tools | Routing and Remote Access.
2. In the left pane of the console tree, right-click the server you want to enable, and click Configure and Enable Routing and Remote Access. This starts the wizard, which guides you through the process.
3. After the service is installed and started, configure the properties of the server by right-clicking on the server name and selecting Properties. You will see a properties sheet similar to the one in Figure 6.42.
4. On the General tab, be sure that the Remote access server check box is selected.
5. On the Security tab, under Authentication Provider, you can confirm the credentials of RRAS clients by using either Windows 2000 security (Windows Authentication) or a RADIUS server (see Figure 6.43). If RADIUS is selected, you need to configure RADIUS server settings for your RADIUS server or RADIUS proxy.
6. In the Accounting Provider drop-down box, choose Windows or RADIUS accounting. You can then record remote access client activity for analysis or accounting purposes.
7. Click the Authentication Methods button, and choose the authentication methods that the RRAS server supports to authenticate the credentials of remote access clients, as shown in Figure 6.44.

Figure 6.42 The RRAS properties sheet for the selected remote access server.
Figure 6.43 Choose either Windows Authentication or RADIUS as your authentication provider.
Figure 6.44 Select the authentication method that will be used by the RRAS clients.

TIP: Microsoft remote access clients generally use MS-CHAP authentication. If you want to enable smart card support, you need to use EAP authentication.

8. On the IP tab, verify that the Enable IP routing and Allow IP-based remote access and demand-dial connections check boxes are both checked, as shown in Figure 6.45.
9. Configure the L2TP ports for remote access. In the RRAS console, right-click on Ports and select Properties. Select the L2TP ports as shown in Figure 6.46.
10. Click on the Configure button and you will see the dialog box displayed in Figure 6.47.

You can also configure remote access policies to control access to the VPN server.

Figure 6.45 Enable IP routing and allow IP-based remote access and demand-dial connections.
Figure 6.46 Select the WAN Miniport (L2TP) for configuration.
Figure 6.47 Configuring the L2TP ports to allow remote access and/or demand-dial connections.

How L2TP Security Differs from that of PPTP

L2TP is similar to PPTP in many ways. Both support multiprotocol VPN links and can be used to create secure tunnels through the Internet or another public network to connect to a private network that also has a connection to the internetwork. L2TP can be used over IPSec to provide greater security, including end-to-end encryption, whereas Microsoft's PPTP connections depend on MPPE for encryption. L2TP is derived from L2F, a Cisco Systems tunneling protocol.

With L2TP over IPSec, encapsulation involves two layers: L2TP encapsulation and IPSec encapsulation. First, L2TP wraps its header and a User Datagram Protocol (UDP) header around a PPP frame. Then IPSec wraps an ESP (Encapsulating Security Payload) header and trailer around the package, and adds an IPSec authentication trailer. Finally, an IP header is added, which contains the addresses of the source (VPN client) and destination (VPN server) computers. IPSec encrypts all the data inside the IPSec ESP header and authentication trailer, including the PPP, UDP, and L2TP headers.

Data authentication is available for L2TP over IPSec connections, unlike for PPTP connections. This is accomplished by the use of a cryptographic checksum based on an encryption key known only to the sender and the receiver. This is known as the Authentication Header (AH).

Interoperability with Non-Microsoft VPN Clients

A Windows 2000 VPN server can accept client connections from non-Microsoft clients, if the clients meet the following requirements:

■ The clients must use the PPTP or L2TP tunneling protocol.
■ For PPTP connections, the client must support MPPE.
■ For L2TP connections, the client must support IPSec.

If these requirements are met, the non-Microsoft clients will be able to make a secure VPN connection. You do not have to make any special configuration changes on the VPN server to allow non-Microsoft clients to connect.

Possible Security Risks

Several of the preceding sections detail security services available to you in Windows 2000. You should also know about some of the potential security issues you face, and what impact they can have on your network. For this reason, there are several things you should make sure you do to help protect your VPN:

■ Make sure that Windows 2000 is set up with the latest patches, hot fixes, and service packs. As of this writing, Service Pack 1 for Windows 2000 has been released.
■ Make sure that you block all inbound and outbound traffic on your firewall to TCP and UDP ports 135, 137, and 139, and UDP port 138. This keeps anyone from snooping around on your network to see what services are available (user names, computer names, etc.). This measure only truly protects you from outside users; users internal to your network can still snoop around your network as much as they want.

Summary

In this chapter, we have discussed some of the new security features available in Windows 2000. Kerberos, EAP, and RADIUS add a lot to the flexibility of the security model in Windows 2000. The most important thing to remember about the direction of Windows 2000 is the movement toward industry standards. By embracing industry standards, Microsoft will be able to enter markets that it was previously locked out of because of proprietary network models. AD comes a long way from the domain models of NT4 by using LDAP as its foundation.

Windows 2000 adds a lot of security features to the default configuration, especially when compared to Windows NT 4.0. EAP is an open standard that allows vendors to integrate proprietary security software or equipment into Windows 2000. RADIUS allows Windows 2000 to offload AAA functions from the network servers by providing a dedicated authentication interface on separate network equipment.

IPSec, although a powerful security feature included with Windows 2000, has some drawbacks. Remember that the RFC did not include mechanisms suitable for remote access. This makes it difficult to deploy a multivendor solution without care for interoperability. Microsoft has embedded significant support for IPSec, which can be set up through the MMC.

VPN support allows clients to tunnel over a dial-up connection to a specific destination, such as a corporate network, using protocols like PPTP and L2TP. This tunneling feature creates a virtual private network between the client and server. IPSec can be used to tunnel client connections at Layer 3 when PPTP and L2TP are not options.

FAQs

Q: Why can't I use L2TP/IPSec when running NAT?

A: You cannot use IPSec on the inside of a NAT network. NAT (Network Address Translation) allows an intranet to use IP addresses assigned to private networks to work on the Internet. A private IP address is not recognized as valid by Internet routers, and therefore cannot be used for direct Internet communications. A server running a Network Address Translator maps the intranet client's IP address to a request, and then forwards the request to the destination using its own valid Internet address. The destination Internet host responds to the NAT server by sending the requested information to the NAT server's IP address. The NAT server then inserts the intranet client's IP address into the destination header and forwards the response to the client.

Incoming packets are sent to a single IP address, which NAT maps to a private IP address. When using ESP, or AH, or both, IPSec must be able to access the Security Parameters Index associated with each internal connection. The problem is that when NAT changes the destination IP address of the packet, this changes the SPI, which invalidates the information in the Auth trailer. IPSec interprets this as a breach, and the packet is dropped.

Q: Can I use IPSec to secure communications with my Win 9x machines?

A: No. At this time, only Windows 2000 clients and servers can participate in IPSec-secured communications. Microsoft source material suggests that Windows CE may support IPSec in the future, but there are no plans to support other down-level clients.

Q: Does my VPN server require a dedicated connection to the Internet?

A: Your VPN server requires a dedicated IP address. In most instances, this means your VPN server needs to be connected to the Internet at all times. A small number of ISPs support "on demand" routing, which causes the ISP to dial up your VPN server when incoming requests are received for its IP address. However, to ensure the highest availability, it is best to have a dedicated connection. Remember that the VPN clients will dial in to your server using its IP address, and therefore that IP address must be constant.
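Added Python example (not from the book) of the two-layer L2TP/IPSec encapsulation described under "How L2TP Security Differs from that of PPTP" and of why the NAT rewrite in the first FAQ answer fails: it builds the PPP, L2TP, UDP, ESP and authenticated IP layers, peels them off again, and shows the integrity check failing once a NAT changes the destination address. The check is computed AH-style over the addresses, SPI, sequence number and body (real AH covers every immutable IP header field), encryption is omitted, and the key, addresses, SPI, tunnel and session IDs are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration; none of these come from the book.
KEY = b"constructed-shared-key-0123456789abcdef"  # known only to client and server
CLIENT_IP = "10.0.0.5"       # client's private address behind the NAT
NAT_IP = "198.51.100.7"      # public address the NAT substitutes for it
SERVER_IP = "203.0.113.10"   # VPN server's public address
SPI = 0x0001A2B3             # Security Parameters Index of the security association
L2TP_PORT = 1701             # UDP port L2TP uses (assumed here, per RFC 2661)

def ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def l2tp_udp(ppp_frame, tunnel_id=7, session_id=3):
    """Layer 1: L2TP data header, then a UDP header, wrapped around the PPP frame."""
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id)  # version 2, no L/S/O bits
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp) + len(ppp_frame), 0)
    return udp + l2tp + ppp_frame

def icv(src, dst, seq, body):
    """Integrity check value: keyed hash over addresses, SPI, sequence number and body.
    Simplified AH-style: the chapter's checksum 'known only to the sender and the receiver'."""
    authed = ip4(src) + ip4(dst) + struct.pack("!II", SPI, seq) + body
    return hmac.new(KEY, authed, hashlib.sha1).digest()[:12]  # 96-bit truncation as in AH

def ipsec_wrap(src, dst, payload, seq=1):
    """Layer 2: ESP header/trailer around the package, auth trailer, outer IP addresses."""
    esp_header = struct.pack("!II", SPI, seq)
    pad_len = (-len(payload) - 2) % 4                       # pad the ESP body to 4 bytes
    esp_trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 17])  # pad, pad len, next=UDP
    body = esp_header + payload + esp_trailer
    return {"src": src, "dst": dst, "seq": seq, "body": body, "icv": icv(src, dst, seq, body)}

def verify(pkt):
    """Receiver recomputes the ICV; a mismatch is treated as tampering and the packet dropped."""
    return hmac.compare_digest(pkt["icv"], icv(pkt["src"], pkt["dst"], pkt["seq"], pkt["body"]))

def nat_rewrite(pkt, **fields):
    """What the NAT does to a packet passing through it: rewrite an address in the IP header."""
    return {**pkt, **fields}

def unwrap(pkt):
    """Peel the layers off again: ESP header/trailer, then UDP, then L2TP, leaving the PPP frame."""
    body = pkt["body"]
    pad_len = body[-2]                                       # next-header byte (17) follows it
    inner = body[8:len(body) - 2 - pad_len]
    udp_len = struct.unpack("!H", inner[4:6])[0]
    return inner[8:udp_len][6:]                              # skip UDP (8) and L2TP (6) headers

def demo():
    """Server replies to the NAT's address; NAT rewrites dst to the private address; ICV fails."""
    ppp = b"\xff\x03\x00\x21" + b"constructed PPP payload"
    reply = ipsec_wrap(SERVER_IP, NAT_IP, l2tp_udp(ppp))
    direct_ok = verify(reply) and unwrap(reply) == ppp       # no NAT in the path: accepted
    natted_ok = verify(nat_rewrite(reply, dst=CLIENT_IP))    # NAT rewrote dst: dropped
    return direct_ok, natted_ok
```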
Q: Is there a way to force the use of strong authentication and encryption for VPN users and a different set of authentication and encryption constraints for dial-up users?

A: Yes. You can do this by setting remote access policies. With remote access policies, you can grant or deny authorization based on the type of connection being requested (dial-up networking or virtual private network connection).

Q: Is there a way for me to monitor the IPSec connections to my server?

A: Yes. Microsoft provides a tool called ipsecmon.exe. You can start this tool from the Run command. Figure 6.48 shows the ipsecmon window. The IP Security Monitor allows you to assess when failures take place in negotiating security associations, when bad Security Parameters Index packets are passed, and many other statistics. The Oakley Main Modes number indicates the number of master keys exchanged, and the Oakley Quick Modes number indicates the number of session keys. The Options button allows you to configure the update interval of the displayed statistics.

Figure 6.48 Main screen from the IP Security Monitor.

Posted: 14/08/2014, 17:21
