VPN: From a MS Windows point of view

Virtual Private Network - connection between two communication endpoints that ensures privacy and authentication.
- Created when a tunnel coupled with encryption occurs between a central network (such as FSU) and its branch office or dial-in users.
- Establishes a WAN between sites and allows users to logon to the network from one location and access resources.
- Cheaper because there is no need for leasing dedicated circuits or making long-distance phone calls.
VPNs are composed of three components and all have to work properly in order to have a true VPN:
- Authentication - designed to guarantee the identity of users and servers. Users provide password and certificate; servers provide certificate.
  - Authentication protocols:
    - PAP (clear text)
    - SPAP (resends encrypted password; susceptible to replay)
    - CHAP (uses MD5)
    - MS-CHAP (one-way, RSA's MD4/DES)
    - MS-CHAP v2 (each authentication session uses a different key)
    - EAP (uses MD5, similar to CHAP but EAP format)
    - EAP-TLS (used with smart cards)
- Encryption - "black pipe" between tunneling endpoints. Packets are encrypted and encapsulated (info such as IP address) within the tunnel protocol.
  - Windows 2000 primarily uses IPSec and MPPE.
  - Encryption protocols:
    - MPPE (requires authentication with MS-CHAP or EAP). Interestingly, provides 40-bit encryption for international, but 128-bit in US & CA.
    - ESP (40, 56, 128-bit encryption)
- Tunneling - two endpoints communicating by a tunneling protocol.
  - One end encapsulates the incoming traffic and routes it to the other end.
  - Encapsulation can occur at the layer 2 or layer 3 protocol defined by OSI.
  - Layer 2 encapsulates data link layer info, and layer 3 encapsulates packets from the network layer up.
  - Tunneling protocols:
    - PPTP - a de facto industry standard tunneling protocol first supported in Windows NT 4.0.
      - It leverages the authentication, compression, and encryption mechanisms of PPP.
      - Encapsulation - A PPP frame (an IP datagram, an IPX datagram, or a NetBEUI frame) is wrapped with a Generic Routing Encapsulation (GRE) header and an IP header. In the IP header are the source and destination IP addresses that correspond to the VPN client and VPN server.
      - Encryption - The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAP or EAP-TLS authentication process. Virtual private networking clients must use either the MS-CHAP or EAP-TLS authentication protocol in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame.
    - L2TP - an RFC-based tunneling protocol destined to become the industry standard.
      - Unlike PPTP, L2TP in Windows 2000 does not utilize Microsoft Point-to-Point Encryption (MPPE) to encrypt PPP datagrams.
      - L2TP relies on Internet Protocol security (IPSec) for encryption services.
      - The combination of L2TP and IPSec is known as L2TP over IPSec and provides the primary VPN services of encapsulation and encryption of private data.
      - Encapsulation - consists of two layers:
        - L2TP encapsulation - A PPP frame (an IP datagram, an IPX datagram, or a NetBEUI frame) is wrapped with an L2TP header and a UDP header.
        - IPSec encapsulation - the resulting L2TP message is then wrapped with an IPSec Encapsulating Security Payload (ESP) header and trailer, an IPSec Authentication trailer that provides message integrity and authentication, and a final IP header.
        - In the IP header are the source and destination IP addresses that correspond to the VPN client and VPN server.
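As an added example (not part of the original notes), the following Python script peels the outer headers described above from a captured IPv4 packet and reports which tunnel it carries and whether the PPP payload is protected: PPTP appears as GRE (IP protocol 47) carrying PPP, and MPPE ciphertext is recognisable because the PPP protocol field is 0x00FD; bare L2TP appears as UDP port 1701 with the PPP frame in the clear; L2TP over IPSec is visible only as ESP (IP protocol 50). The protocol numbers are standard values I have added, and the sample packets and addresses are constructed.

```python
import struct

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 17, 47, 50
L2TP_UDP_PORT = 1701                     # L2TP control and data run over UDP/1701
GRE_PROTO_PPP = 0x880B                   # GRE protocol type for a PPP payload (PPTP data)
PPP_IP, PPP_COMPRESSED = 0x0021, 0x00FD  # PPP protocol IDs: plain IP vs MPPE (compressed datagram)

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 header around payload (constructed sample; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def pptp_gre(call_id, seq, ppp_frame):
    """Enhanced GRE header used by PPTP: K and S bits, version 1, key = payload length | call ID."""
    return struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp_frame), call_id, seq) + ppp_frame

def classify(pkt):
    """Strip the outer IP header and describe the tunnel layering of one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype != GRE_PROTO_PPP or (flags & 0x0007) != 1 or not flags & 0x2000:
            return {"tunnel": "GRE", "encrypted": None}     # plain GRE, not a PPTP data tunnel
        length, call_id = struct.unpack("!HH", payload[4:8])
        off = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)  # optional seq / ack
        ppp_proto = struct.unpack("!H", payload[off:off + 2])[0]
        # Only a 0x00FD PPP frame is MPPE ciphertext; 0x0021 means the IP datagram is in the clear
        return {"tunnel": "PPTP", "call_id": call_id, "encrypted": ppp_proto == PPP_COMPRESSED}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if L2TP_UDP_PORT in (sport, dport):
            return {"tunnel": "L2TP", "encrypted": False}   # no IPSec: PPP frame visible on the wire
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0]           # only SPI and sequence are readable
        return {"tunnel": "IPSec ESP", "spi": spi, "encrypted": True}
    return {"tunnel": None, "encrypted": None}

# Constructed sample packets; addresses come from the RFC 5737 documentation ranges.
CLIENT, SERVER = "192.0.2.10", "198.51.100.1"
SAMPLES = {
    "pptp_mppe": ipv4(IPPROTO_GRE, CLIENT, SERVER,
                      pptp_gre(7, 1, struct.pack("!H", PPP_COMPRESSED) + b"\x10\x22ciphertext")),
    "pptp_plain": ipv4(IPPROTO_GRE, CLIENT, SERVER,
                       pptp_gre(7, 2, struct.pack("!H", PPP_IP) + b"\x45\x00plain-ip")),
    "l2tp_bare": ipv4(IPPROTO_UDP, CLIENT, SERVER,
                      struct.pack("!HHHH", 1701, 1701, 24, 0) + b"\xc8\x02" + b"\x00" * 14),
    "esp": ipv4(IPPROTO_ESP, CLIENT, SERVER, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 32),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Run against the samples, the script flags the bare L2TP packet and the PPTP session without MPPE as carrying unprotected PPP frames, which is the check an analyst would apply to a capture from a suspected VPN link.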
VPN Configurations
- Router-to-Router
  - Example: branch router is connected to a corporate intranet
- Remote Access
  - Example: dial-in client establishes a connection at the time of the call
- Let's take a look at a "live" MS VPN server using the remote access configuration