July 22, 1999
Web posted at: 5:26 p.m. EDT (2126 GMT)

by Jeff Farley

From...

(IDG) -- By now, nearly everyone is familiar with the concept of a LAN, and the Internet has escaped the notice of only the most devout Luddites. Virtual private networks (VPNs) merge these two technologies together to connect remote LANs into a single, secure wide area network (WAN) -- your own private Internet, if you will. Before the advent of the Net, WANs were very expensive because they used dedicated long-distance lines to connect remote offices together. But now, using the software that comes with Windows NT and 98, every company can afford to set up a WAN and benefit from the computer world's new level of interconnection.

Not only do VPNs cost less than old style WANs, they also are inherently secure. Setting one up is relatively easy, and the potential benefits are huge. This article will show you how to get a VPN up and running, so you can start enjoying some of the advantages of wide-area connectivity.

Wide-area networking the old way

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Windows Tech Edge home page
Make your PC work harder with these tips
Reviews & in-depth info at IDG.net
		IDG.net's personal news page
		IDG.net's products pages
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletters
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

Like everything else in this world, nothing is free. WANs are assured of a secure connection because the network traffic travels over privately owned lines. Because VPNs use the Internet for long-distance connections, security is a major concern. The Internet is an unsecured channel and could have its traffic monitored by unauthorized users at any point. This is the reason the Point-to-Point Tunneling Protocol (PPTP), was invented. As the network packets leave one LAN, they are encrypted and sent to the target LAN. At the receiving end, the packets are then decrypted and forwarded to their final destination. Obviously, both ends of the VPN need to use and understand the PPTP protocol in order for the communication to work.

If you are using NT, it is easy to set up a VPN because Microsoft has included everything you need to establish and maintain one on the NT Server CD-ROMs. Before installing a VPN, however, you need to decide which type meets your needs. Essentially, there are two types of VPN. The first connects two LANs together. This is the most common form of a VPN and usually the first type implemented. The second form allows remote PCs to participate in a LAN. Employees working at home or on the road can connect to the office LAN and work as if they were at their desks in the office. This is similar to an RAS connection, but does not require a bank of server-side modems or long-distance telephone calls.

Installing a VPN for a WAN connection

After all the devices are added, you must configure the way in which each of the connections will be used. Initially, RAS is set up to act as a server for multiple dial-up clients. Since VPN will be used to link one or more LANs together, you need to reconfigure how the port is used. Clicking the Configure button takes you to the Configure Port Usage dialog box. By default, the Receive Calls Only radio button is checked. This is the correct setting for exposing your network to dial-up users, but not for our current purposes. To link two LANs together, select the Dial Out And Receive Calls button instead. This will allow the two-way communication necessary in a WAN. Repeat this process for every VPN port you have installed.

The next stop is the Network Configuration dialog box. Initially, RAS will allow both TCP/IP and NetBEUI protocols over the VPN connection. If your network uses NetWare, be sure to check the button that enables IPX as well. If it is important that remote users browse your network, leave the NetBEUI button checked. This is especially true if your network does not use WINS or DNS to resolve computer addresses.

It is very important that the Require Microsoft Encrypted Authentication button is checked. This will force connecting users to log on to the domain before accessing the network. Besides giving their username and passwords, users also need specific permission to dial in to the server. This permission is granted in User Manager. When looking at a user's properties, click on the Dialup button. It is here that you grant dial-in permission.

Once the server reboots, only one other step remains. Whether your network is protected behind a firewall or by a proxy server, an opening must be created to allow the VPN traffic flow. All VPN communication travels through port 1723. Typically, a proxy server and most firewalls disable this port. If you are using a proxy server, open the PPTP port by adding the predefined filter PPTP Receive to the list of open ports. This can be done via the Security button on the WinProxy properties page. If you are using a firewall, please consult your documentation for information on opening port 1723.

Troubleshooting tips

• If the connection from one VPN server to the other does not work:

  • The IP addresses may not be correct
  • The port may not be configured for Dial Out/Receive
  • The port may not support one or more required protocols
  • The firewall may still be blocking PPTP access
  • There may be no trust relationship, or a user account may be missing on the remote LAN

• If the connection does not work from a LAN machine to the remote VPN server:

  • Check the routing tables
  • The LAN user may not have logon credentials on the remote LAN

Installing a VPN for remote PC connection

• The number of VPN ports should relate to the number of concurrent remote connections. This number is typically larger than the number needed for LAN-to-LAN connections.

• The VPN ports need to be configured as Receive Calls Only.

Installing the client side of the connection can be trickier, due to the different operating systems that can exist on various clients. If the client machine is running as either an NT Server or NT Workstation, the setup is essentially the same procedure outlined under WAN connectivity. The only difference is in the RAS device setup. Configure the RAS devices to Dial Out instead of Receive Calls. Use the Configure Port Usage dialog box to make this change on any VPN devices you have installed.

If you plan to use a Windows 9x machine to participate in the VPN, the procedure is a little different. Both Windows 95 and 98 use Dial-up Networking (DUN) to access remote networks. It may seem strange, but you will need to have two dial-up adapters installed in order to make the connection. One adapter connects you to the Internet through your ISP; the other is used to connect to the VPN server. Installation is easy. You will need to install DUN version 1.3 to get both the PPTP protocol and the VPN adapter. Once you this is installed, locate the Dial-up Networking folder and click on Make A New Connection. The first screen will ask which device to use in the connection. Choose Microsoft VPN Adapter and click Next.

The following screen asks for the IP address of the VPN server. Type in the necessary address and click Next. If all has gone well, you are ready to test out the connection. First, connect to your ISP as you normally would. When you are online, use the new adapter to connect to the VPN server. If the RAS server is properly secured, you will be prompted for your network username and password. Use the same username and password that you would enter when logging on to the domain. Now you are connected to your LAN and can work as if you were at your desk.

A slight limitation

The first method forces you to dial into your LAN just to connect to the Internet. There is also a performance penalty, since each packet is encrypted before it is sent to you, effectively reducing the bandwidth. The other method forces you to decide between browsing on the Web or working remotely on your LAN. Every time you want to work on the LAN, you will have to establish the VPN connection. When you want to resume normal Internet access, you must close the VPN connection. Which of these methods is most acceptable to you depends on your connectivity needs.

Security

In the Network Configuration dialog box (see Figure 3), there is a checkbox marked Require Data Encryption. Checking this box encrypts each packet before the VPN encryption is applied. Now a hacker has to break two levels of encryption before viewing your data. This task can be made more difficult on the attacker by using longer key lengths. By default, Windows NT and 98 use 56-bit keys to encrypt the data. If all parties in the VPN connection are using the US-only version of Windows, the key length is expanded to 128 bits. This is virtually unbreakable with today's technology.

Although the data can be considered safe at this point, the connection is still vulnerable to a denial of service (DoS) attack. In the case of a LAN-to-LAN connection, this can be prevented by setting an IP filter on the PPTP port. Configure your proxy server to allow only the remote server's IP to connect to the VPN port. Now you have eliminated the possibility of a DoS attack and greatly reduced the chances of your data being exposed.

The WAN is no longer limited to large corporations. VPN has leveraged the ubiquitous Internet to provide a low cost WAN to every group, regardless of size. With the software provided by Microsoft and the knowledge gained here, nothing should prevent you from expanding the power of your LAN through the Internet.

Jeff Farley is senior engineer at Palo Verde Software and codesigner of NtSpectre, a security tool for Windows NT.