Windows Foundation

VPNs the Easy Way

Whoever said virtual private networks are difficult to set up and the potential weak link in your security hasn't looked closely at Microsoft's VPN solution.

In these times of economic downturns and companies searching for ways to reduce costs, doubtless some organizations will look harder at providing telecommuting options to employees. What we mean by telecommuting is that an employee can obtain access to the corporate private network, including all of the accoutrements therein such as e-mail, intranet/portal and applications that he or she would be able to access as a normally connected Ethernet or wireless client.

A strong telecommuting environment makes sense for corporations for many reasons:

  • Employees who frequently travel are able to access e-mail, work files, the intranet and applications in real time.
  • Employees who really don't need to have a cubicle at the downtown office can work from home via collaboration tools and can communicate almost as effectively as any other employee. (Though there's nothing like the occasional face-to-face meeting to get teams headed in the right direction. But then there's nothing saying the company can't require a mandatory biweekly team meeting in which all the members are physically required to be present.)
  • Vendors, contractors or other businesspersons who frequently do business with the company can be granted access (the limitation of which is determined by policy stakeholders) to the internal network to facilitate more seamless business-to-business transactions.
  • The intranet and Internet sites of a company can be linked together so that intranet information can be attained from the corporate DMZ. This way, even if someone doesn't necessarily need to gain access to the entire private network, as long as he has a valid login he can access (at least portions of) the company's intranet. This would be handy for example for an employee using a wireless device and periodically needing to upload batch information to a database, but not needing to be logged in all the time such as a telecommuting employee might need to be.

But the implications of a telecommuting environment can be scary. You have all those intrusion and virus threats to think about, not to mention the possibility of someone who isn't an employee hacking into the private network using a real employee's login and password. These are real and serious concerns that have served in the past to drive some technology managers to say "We will never allow remote access into our private network. It's just too risky!"

I believe that these arguments are invalidated due to a fundamental error in logic. Yes, your network is at risk when you begin offering a method whereby non-internally-connected users can access the private network. However, I see the risks being mitigated and nullified by good quality administration at all levels. If you're going to offer telecommuting services to your employees (you should) then you need to also be concerned with the fundamental administrative considerations, some of which are described here:

  • Your DMZ, Web and perimeter (intrusion detection, firewall, Web-filtering) servers need to be exhaustively monitored and proactively protected with the latest and greatest in security patches and lockdowns. Most firewalls today perform a function called "stately inspection." What this means is that the software examines every packet header that's directed at a certain port to validate that it is a legitimate packet for that port. The idea is that you temporarily open the "port door," examine the header, say yes or no, then close the door again. This activity prevents guys with port sniffers from figuring out if you've got a bunch of ports standing open at the perimeter, just waiting—inviting—them to come on in and hunker down for awhile.
  • Strong password policies need to be in place. If, for example, you have a baseball nut for an employee and this employee isn't likely to be one give to strong security for her personal working environment, she's likely to have a password of baseball1 or dugout or…you get the idea. Intrusion specialists who know people that work within a company really don't have a hard time figuring this kind of thing out.
Hide in Plain Sight
I once worked with a server administrator who had to get onto a server right away in order to solve some difficulties associated with a financial application. Unfortunately, this server was one that the administrator did not have to often directly administer and the folks that did had forgotten the administrative password! This administrator was able to look around the area in which this server [an AS/400 box] was sitting, and judging by the pictures on the wall, successfully got on within 45 seconds! It amazed me and taught me a lesson about people's lives and the passwords they keep.

So, it's to your benefit to implement and enforce strong passwords. For example, you shouldn't allow the idea of what I call "faux-strong passwords" such as password1, password2, password3. While these passwords are mildly strong, i.e. password breaking software might take 15 seconds instead of three to crack the password, it's really not buying you anything in the long run. What you want is a combination of capital and lowercase letters, numbers, and characters in order to facilitate a really great password scheme. This is called strong password protection. (The best password I ever saw of this ilk was also profound in its hidden meaning: Mi$cr3ant.)

You should also insist on at least eight characters in a password. Remember that someone who has a password of doggie11 isn't likely to stand up under password cracking software very long, so you must couple a password length requirement with strong passwords.

Administrators must pay very careful daily attention to the Microsoft security Web site (http://www.microsoft.com/security) as well as to the Web sites of their firewall, anti-virus, intrusion detection and Web-filtering software vendors. You should have a test lab that roughly mimics your production environment and be prepared to test and quickly implement security patches as they are rolled out. Note: I know security and perimeter administrators that also pay attention to the common hacker Web sites in order to glean information regarding the next new thing in hacking as well as to the International Computer Security Associate (ICSA) Web site (http://www.icsalabs.com/index.shtml) for information on computer security topics.

If you're being challenged by higher-ups that there is a fear-factor regarding the allowance of telecommuting, then you should go to the table prepared to defend the allegations by stipulating how you intend to carefully and completely manage the new environment.

Telecommuting Methods
There are some really great telecommuting methods—all of which fall under the high-security scrutiny (say that three times fast) banner:

  • Dial-in—This technology, supported in Windows 2000 Server software by what is called Routing and Remote Access (RRAS) allows you to set up a dial-up infrastructure in which your clients can use dial-up software (bundled with Windows) on their local PCs to access the network. RRAS has the ability to provide you with good quality encryption and security for those dialing in. Note that just because you have RRAS available on your Windows 2000 server, you still must provide the telecommuting infrastructure, i.e. the modems that will answer the calls. Setting this infrastructure up can be time-consuming and require the assistance of other folks in your company to get it going.
  • Virtual-private network (VPN)—The idea here isn't necessarily how the client gets to the private network (i.e. over the Web or through dial-up) as much as how secure the client is at connection time. We'll talk more about VPNs in the next section of this article.
  • Wireless access—Clients with a wireless device (i.e. blackberry, Ricochet (http://www.richochet.com), 802.11 et al.) may need to get onto the private network. Generally this accomplished either by allowing the user to set up a VPN connection through the Internet or by setting up a Wireless Access Point (WAP) for entry to the private network. Client encryption (the heftier the better) is advisable in a wireless environment. (See my February column "Hi-Wireless Act" for more info.)

Virtual Private Networking
The idea behind a VPN is that your clients tunnel through the Internet, using ordinary TCP/IP protocols, but encapsulate the data within the packets in encrypted format. A VPN connection is a point-to-point connection that allows your users to access your private network in secure fashion utilizing widely available connection software. There are four security elements that you'll be concerned with when you consider a VPN solution for your telecommuting needs:

  • Authorization—Will the user be utilizing ordinary logon username and password or will he or she be granted a certificate through your company's certificate authority (CA). Windows 2000 uses a new security standard called IPSec that can be utilized over VPN connections. Today you have the capability of setting up a CA within your Windows 2000 network. Note that the setup of a CA, depending on the size of the organization can be a large rigorous project in and of itself. Further, managing the CA hierarchy will be something that someone has to pay attention to on a daily basis.
  • Tunneling protocol—In the Windows 2000 world, there are two tunneling protocols—two methods whereby the data can be burrowed in the TCP/IP packets—Point to Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP, the most recent of the two). Certain clients (i.e. pre- or non-Windows 2000) may not be able to utilize L2TP, so in a disparate client environment, your choice may be the earlier PPTP. Understanding the client pool will allow you to make a good decision regarding the tunneling protocol in use. You may recognize that you need to use both, in which case the architecture of your VPN solution gets more complicated and may require additional hardware and time to implement.
  • Encryption strength—You'll have to decide if you want your clients to connect with 56-, 64- or 128-bit encryption. There's a trade-off here: Larger encryption strength means eminently less hackable, but requires more CPU time, both locally and at the server. This notion comes heavily into play in the wireless arena where your users are already probably slowed by the diminished bandwidth of wireless protocols such as 802.11. I.e., a 100MB Ethernet-attached client won't see as much performance degradation using 128-bit encryption as a Tablet PC user will connecting at 11MB (or slower). (With each encryption level is an associated encryption algorithm. Note that the algorithm in use, while possibly technically interesting, isn't really important to you.)
  • Connection method—In the Microsoft camp you can use an RRAS server and Windows 2000 Connection Manager (see http://www.microsoft.com/technet/treeview/default.asp?
    url=/technet/itsolutions/network/deploy/depovg/vpndeply.asp
    for more info) or Microsoft Internet Security and Acceleration (ISA) Server (http://www.microsoft.com/isaserver) to facilitate your VPN. You can also use third-party VPN software or hardware solutions to implement your VPN. Additionally, some ISPs offer VPN hosting for companies, so this is a viable, though more costly, option as well.

In terms of connection method, my preference is for ISA server. We have it running where I work and I'm very happy with the way that it operates—its connection speed and reliability, as well as the security and ease of administration that it affords my perimeter admin. The thing I like most about ISA is that it brings to the table a vast array of preconfigured security options that are turned on via a wizard. ISA provides for stately packet inspection and interfaces with Active Directory. Other ISA servers can be put into an array for downstream operations in large environments. Additionally, it uses the Real Secure intrusion detection (ID, http://www.iss.net) for a basic ID shell plus you have the ability to snap in the full Real Secure client to provide a robust ID gateway for your ISA box. ISA will also work with Web-filtering software. ISA comes with preconfigured snap-ins for PPTP or L2TP clients accessing the private network and makes the admin's job quick and easy (once she understands the ISA interface and underlying operation, of course). Smaller shops will find that ISA Server is a great way to set up a firewall, ID and VPN host all in one box. Add anti-virus and Web-filtering software and you've got a convenient one-box perimeter.

I also like the fact that ISA server can play in the sandbox with Microsoft SharePoint Portal Server meaning that, with some configuration work, you can provide a hearty extranet environment for both your telecommuting users and B2B'ers.

That being said, I also think that Microsoft's RRAS software is sufficiently mature enough to allow you to provide a very secure and robust VPN environment, though you'll have to go through considerably more configuration than if you had an ISA server and you'll have to think about other choices if you're interested in ID, Web-filtering and firewall. The choice between the two would boil down to the cost of the ISA software that, while affordable, still increases the cost of the telecommuting project.

You should also note that there are some "soft" components to setting up a VPN solution that you might overlook:

  • End-user training—You'll have to provide some sort of instructions whereby at-home users can figure out how to connect using their VPN software. Keep in mind that the network connection software varies by OS versions (i.e. Windows 95 connects differently than Windows XP, while Mac clients are completely different from Windows, etc.) so you're going to have to be prepared to cope with almost all client connectivity scenarios. Where I work we created little instruction booklets, complete with screenshots, that users can print out and take home with them to configure their VPN client software.
  • Name-server and NAT configurations—Because your VPN server will live on the DMZ, you'll have to be able to successfully resolve its name both outside and inside the private network as well as be able to use network address translation (NAT) to mask internal IP addresses. This is yet another reason why I prefer ISA server because it NATs out-of-box. An RRAS solution requires you to also configure your Windows 2000 server as a router for NATing, thus incorporating increased complexity and processing cycles. Note that if you already have a well-established perimeter, these things are already there so you don't have to worry about it.
  • Allowance of Internet surfing—By setting up a dial-up VPN solution, you may inadvertently give your telecommuters a nice little surprise you hadn't thought about—the Internet for free. If your users dial in and connect as VPN clients, they have a valid IP address thus allowing them to pull up their browser and access the Internet on your company's dime. This may or may not be acceptable, depending on how your management staff views it. It's possible to configure ISA server so that this is not allowed.

Keeping the Connection Alive
Setting up a VPN isn't hard to do, but there's a lot of technical meat to it and you'll need to devote some time for "discovery"—i.e. what all the wrong methods are so that you employ the right ones. I recommend setting up a VPN lab so that you can set up and try all this stuff out first before you deploy it in production. A hack is not a nice way of finding out about a hole in your deployment.

Additionally, you have to be sure that someone in the organization is extremely protocol-knowledgeable relative to the protocols in use on your VPN so that you have a security heartbeat going at all times. Remember that the hacks involved in the telecommuting arena are stealthy and involve things like discovering usernames and passwords, spoofing routers, denial-of-service (DOS, the most popular method today, simply because it's the easiest to implement quickly) attacks and port sniffing. If someone's able to access your private network with a legitimate username and password, they have all the time in the world to surf around to see what kind of goodies they can steal. I would also recommend that, if someone's not already hooked up, you designate a person to get involved with the International Computer Security Association (ICSA) labs (http://www.icsalabs.com/index.shtml) so that he or she is familiar with the complete context of computer security.

comments powered by Disqus
Most   Popular