Your own private Internet
July 22, 1999
(IDG) -- By now, nearly everyone is familiar with the concept of a LAN, and the Internet has escaped the notice of only the most devout Luddites. Virtual private networks (VPNs) merge these two technologies together to connect remote LANs into a single, secure wide area network (WAN) -- your own private Internet, if you will. Before the advent of the Net, WANs were very expensive because they used dedicated long-distance lines to connect remote offices together. But now, using the software that comes with Windows NT and 98, every company can afford to set up a WAN and benefit from the computer world's new level of interconnection.
Not only do VPNs cost less than old-style WANs, they also are inherently secure. Setting one up is relatively easy, and the potential benefits are huge. This article will show you how to get a VPN up and running, so you can start enjoying some of the advantages of wide-area connectivity.
Wide-area networking the old way
In the days before the Internet, a large corporation would connect its regional offices by using dedicated long-distance lines to reach across geographic boundaries and connect branches together into one giant network. WANs were so expensive that only large corporations could undertake the financial burden of keeping long-distance lines connected 24 hours a day, 7 days a week. All this changed with the proliferation of the Internet. With funding from the National Science Foundation, the Internet can connect every PC in the US coast-to-coast, with no long-distance charges. VPNs use the Internet to deliver the same kind of connectivity that was previously available only through WANs. Now smaller, regional corporations can receive the benefits of a WAN at a fraction of the cost.
Like everything else in this world, nothing is free. WANs are assured of a secure connection because the network traffic travels over privately owned lines. Because VPNs use the Internet for long-distance connections, security is a major concern. The Internet is an unsecured channel and could have its traffic monitored by unauthorized users at any point. This is the reason the Point-to-Point Tunneling Protocol (PPTP) was invented. As the network packets leave one LAN, they are encrypted and sent to the target LAN. At the receiving end, the packets are decrypted and forwarded to their final destination. Obviously, both ends of the VPN need to use and understand PPTP in order for the communication to work.
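What the encrypted packets described above look like on the wire, as an added example that is not code from the article or from Microsoft: PPTP (RFC 2637) carries each PPP frame inside a GRE packet (IP protocol 47) with an "enhanced" GRE header whose key field holds the payload length and the Call ID of the call set up over TCP 1723. The decoder below reads that header and the PPP protocol number that follows it, so an operator looking at a capture can confirm that a tunnel packet belongs to a known call and that its payload is MPPE-encrypted (PPP protocol 0x00FD, RFC 3078) rather than plain IP (0x0021). The packet bytes are constructed for the example; the `build_pptp_gre` helper exists only to produce them.

```python
"""Decoder for the enhanced GRE header PPTP wraps around every tunnelled PPP frame.

Added example, not code from the article. Field layout follows RFC 2637
section 4.1; PPP protocol numbers follow RFC 3078 (MPPE) and RFC 1332 (IP).
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_PROTO_PPP = 0x880B       # GRE protocol type for PPP frames
GRE_VERSION_ENHANCED = 1     # RFC 2637 "enhanced GRE"
PPP_PROTO_MPPE = 0x00FD      # compressed/encrypted datagram (MPPE, RFC 3078)
PPP_PROTO_IP = 0x0021        # unencrypted IPv4 inside PPP


@dataclass(frozen=True)
class PptpGreHeader:
    payload_length: int
    call_id: int
    sequence: Optional[int]  # present when the S bit is set (data packets)
    ack: Optional[int]       # present when the A bit is set
    header_length: int       # offset at which the PPP frame begins


def parse_pptp_gre(data: bytes) -> PptpGreHeader:
    """Decode the enhanced GRE header; reject anything RFC 2637 does not allow."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    word, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    c_bit, r_bit, k_bit, s_bit = (word >> 15) & 1, (word >> 14) & 1, (word >> 13) & 1, (word >> 12) & 1
    strict, recur = (word >> 11) & 1, (word >> 8) & 0x7
    a_bit, flags, version = (word >> 7) & 1, (word >> 3) & 0xF, word & 0x7
    if version != GRE_VERSION_ENHANCED or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP GRE packet (version %d, proto 0x%04x)" % (version, proto))
    if not k_bit or c_bit or r_bit or strict or recur or flags:
        raise ValueError("header bits set that RFC 2637 requires to be zero (or K clear)")
    offset = 8
    seq = ack = None
    for present in (s_bit, a_bit):           # optional 32-bit fields, in this order
        if present:
            if len(data) < offset + 4:
                raise ValueError("truncated sequence/ack field")
            (value,) = struct.unpack("!I", data[offset:offset + 4])
            offset += 4
            if present is s_bit and seq is None and s_bit:
                seq = value
            else:
                ack = value
    if len(data) - offset < payload_len:
        raise ValueError("declared payload length exceeds packet")
    return PptpGreHeader(payload_len, call_id, seq, ack, offset)


def ppp_protocol(frame: bytes) -> int:
    """PPP protocol number, allowing the optional FF 03 address/control prefix and
    the one-byte compressed form (always odd) that small protocol numbers may use."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if not frame:
        raise ValueError("empty PPP frame")
    if frame[0] & 1:
        return frame[0]
    return struct.unpack("!H", frame[:2])[0]


def inspect_tunnel_packet(data: bytes) -> Tuple[int, str]:
    """Return (call_id, verdict), the verdict saying whether the payload is encrypted."""
    hdr = parse_pptp_gre(data)
    payload = data[hdr.header_length:hdr.header_length + hdr.payload_length]
    proto = ppp_protocol(payload)
    if proto == PPP_PROTO_MPPE:
        return hdr.call_id, "encrypted"
    if proto == PPP_PROTO_IP:
        return hdr.call_id, "PLAINTEXT IP"
    return hdr.call_id, "other PPP protocol 0x%04x" % proto


def build_pptp_gre(call_id: int, seq: int, ppp_frame: bytes, ack: Optional[int] = None) -> bytes:
    """Assemble a PPTP data packet (used here only to construct sample input)."""
    word = (1 << 13) | (1 << 12) | GRE_VERSION_ENHANCED   # K=1, S=1, version 1
    if ack is not None:
        word |= 1 << 7                                     # A=1
    out = struct.pack("!HHHHI", word, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        out += struct.pack("!I", ack)
    return out + ppp_frame


# Constructed samples: an MPPE-protected frame (0x00FD + MPPE header + ciphertext bytes)
# and one that carries an unencrypted IPv4 header.
ENCRYPTED_SAMPLE = build_pptp_gre(0x1234, 7, b"\xff\x03\x00\xfd\x90\x01" + bytes(12), ack=6)
PLAINTEXT_SAMPLE = build_pptp_gre(0x1234, 8, b"\x00\x21\x45\x00\x00\x14" + bytes(16))

if __name__ == "__main__":
    for pkt in (ENCRYPTED_SAMPLE, PLAINTEXT_SAMPLE):
        call, verdict = inspect_tunnel_packet(pkt)
        print("call 0x%04x: %s" % (call, verdict))
```

A "PLAINTEXT IP" verdict on a live tunnel means encryption was not negotiated for that call, which is exactly what the Require Data Encryption setting discussed later in the article is meant to rule out.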
If you are using NT, it is easy to set up a VPN because Microsoft has included everything you need to establish and maintain one on the NT Server CD-ROMs. Before installing a VPN, however, you need to decide which type meets your needs. Essentially, there are two types of VPN. The first connects two LANs together. This is the most common form of a VPN and usually the first type implemented. The second form allows remote PCs to participate in a LAN. Employees working at home or on the road can connect to the office LAN and work as if they were at their desks in the office. This is similar to a RAS connection, but does not require a bank of server-side modems or long-distance telephone calls.
Installing a VPN for a WAN connection
To start with, both sides of the WAN connection must have an NT server designated as the VPN server, and each of these servers will need PPTP installed on it. If the protocol is not already on the machine, it can be installed from the Windows NT Server CD-ROM. Installing PPTP will also install RAS Server on the machine. Immediately upon installation, a dialog box appears, asking for the number of virtual private networks to install. This figure represents the number of concurrent connections the server will be able to handle. Enter the number of remote LANs that you are connecting together. Next, the Add RAS Device dialog box will pop up. Clicking OK will add a VPN port into the RAS server. Repeat this process until all VPN connections appear in the Remote Access Setup window.
After all the devices are added, you must configure the way in which each of the connections will be used. Initially, RAS is set up to act as a server for multiple dial-up clients. Since VPN will be used to link one or more LANs together, you need to reconfigure how the port is used. Clicking the Configure button takes you to the Configure Port Usage dialog box. By default, the Receive Calls Only radio button is checked. This is the correct setting for exposing your network to dial-up users, but not for our current purposes. To link two LANs together, select the Dial Out And Receive Calls button instead. This will allow the two-way communication necessary in a WAN. Repeat this process for every VPN port you have installed.
The next stop is the Network Configuration dialog box. Initially, RAS will allow both TCP/IP and NetBEUI protocols over the VPN connection. If your network uses NetWare, be sure to check the button that enables IPX as well. If it is important that remote users browse your network, leave the NetBEUI button checked. This is especially true if your network does not use WINS or DNS to resolve computer addresses.
It is very important that the Require Microsoft Encrypted Authentication button is checked. This will force connecting users to log on to the domain before accessing the network. Besides giving their usernames and passwords, users also need specific permission to dial in to the server. This permission is granted in User Manager. When looking at a user's properties, click on the Dialup button. It is here that you grant dial-in permission.
Figure 3. Network Configuration dialog box
Once the server reboots, only one other step remains. Whether your network is protected behind a firewall or by a proxy server, an opening must be created to allow the VPN traffic to flow. All VPN communication travels through port 1723. Typically, a proxy server and most firewalls disable this port. If you are using a proxy server, open the PPTP port by adding the predefined filter PPTP Receive to the list of open ports. This can be done via the Security button on the WinProxy properties page. If you are using a firewall, please consult your documentation for information on opening port 1723.
Troubleshooting tips
Once these steps have been performed on both sides of the WAN, you are ready to test the connection. Use RAS to connect to the remote server, and vice versa. If it doesn't work the first time, keep the following troubleshooting tips in mind.
Installing a VPN for remote PC connection
For the server, the setup is the same as the WAN installation, with the following exceptions:
Installing the client side of the connection can be trickier, due to the different operating systems that can exist on various clients. If the client machine is running as either an NT Server or NT Workstation, the setup is essentially the same procedure outlined under WAN connectivity. The only difference is in the RAS device setup. Configure the RAS devices to Dial Out instead of Receive Calls. Use the Configure Port Usage dialog box to make this change on any VPN devices you have installed.
If you plan to use a Windows 9x machine to participate in the VPN, the procedure is a little different. Both Windows 95 and 98 use Dial-up Networking (DUN) to access remote networks. It may seem strange, but you will need to have two dial-up adapters installed in order to make the connection. One adapter connects you to the Internet through your ISP; the other is used to connect to the VPN server. Installation is easy. You will need to install DUN version 1.3 to get both the PPTP protocol and the VPN adapter. Once this is installed, locate the Dial-up Networking folder and click on Make A New Connection. The first screen will ask which device to use in the connection. Choose Microsoft VPN Adapter and click Next.
The following screen asks for the IP address of the VPN server. Type in the necessary address and click Next. If all has gone well, you are ready to test out the connection. First, connect to your ISP as you normally would. When you are online, use the new adapter to connect to the VPN server. If the RAS server is properly secured, you will be prompted for your network username and password. Use the same username and password that you would enter when logging on to the domain. Now you are connected to your LAN and can work as if you were at your desk.
A slight limitation
Unfortunately, the convenience of working remotely comes with one drawback. If Internet access is restricted on your LAN by a firewall or proxy server, your computer will not be able to access the Internet while the VPN connection is in place. This is because your computer believes that it is part of the LAN while connected, and is restricted by the same rules as any workstation at your office. You now face two choices: you can either modify the computer's settings to work behind the firewall, or use the VPN only when you need to connect to the LAN. Both choices have their drawbacks.
The first method forces you to dial into your LAN just to connect to the Internet. There is also a performance penalty, since each packet is encrypted before it is sent to you, effectively reducing the bandwidth. The other method forces you to decide between browsing on the Web or working remotely on your LAN. Every time you want to work on the LAN, you will have to establish the VPN connection. When you want to resume normal Internet access, you must close the VPN connection. Which of these methods is most acceptable to you depends on your connectivity needs.
Security
Are VPNs safe? The answer is yes, thanks to the various security measures available. Data travelling across the VPN link is encrypted and is immune to casual sniffing attacks. Some potential shortcomings and weaknesses of PPTP have been reported in recent months. These security issues could only be exploited by sophisticated hackers who felt that your data was worth the extra effort. But, in light of these holes, a few extra precautions should be taken to prevent these types of attacks.
In the Network Configuration dialog box (see Figure 3), there is a checkbox marked Require Data Encryption. Checking this box encrypts each packet before the VPN encryption is applied. Now a hacker has to break two levels of encryption before viewing your data. This task can be made more difficult for the attacker by using longer key lengths. By default, Windows NT and 98 use 56-bit keys to encrypt the data. If all parties in the VPN connection are using the US-only version of Windows, the key length is expanded to 128 bits. This is virtually unbreakable with today's technology.
Although the data can be considered safe at this point, the connection is still vulnerable to a denial of service (DoS) attack. In the case of a LAN-to-LAN connection, this can be prevented by setting an IP filter on the PPTP port. Configure your proxy server to allow only the remote server's IP to connect to the VPN port. Now you have eliminated the possibility of a DoS attack and greatly reduced the chances of your data being exposed.
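The filter described here, and the port opening from the firewall section earlier, expressed as a small policy model with an audit over sample firewall log lines. This is an added example, not code from the article, from Microsoft or from WinProxy: it shows the default-deny rule set a practitioner would want on the firewall or proxy in front of a LAN-to-LAN VPN server, where only the remote server's address may reach the PPTP port. One detail the article does not spell out when it says all VPN communication travels through port 1723: TCP 1723 carries only the PPTP control connection, and the encrypted tunnel packets travel in GRE (IP protocol 47), so GRE from the peer must be permitted as well or the control connection will come up and the tunnel will carry nothing. The addresses, the log format and the log lines are all constructed for the example.

```python
"""Filter policy for the PPTP port of a LAN-to-LAN VPN server.

Added example, not code from the article. Models the rule "open the PPTP
port, but only to the remote VPN server's IP", plus the GRE (protocol 47)
rule PPTP also needs, and audits constructed firewall log lines against it.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

PPTP_CONTROL_PORT = 1723  # TCP port the article tells you to open
TCP_PROTOCOL = 6
GRE_PROTOCOL = 47         # carries the tunnelled, encrypted PPP frames


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # destination port, TCP only


class PptpPeerFilter:
    """Default-deny filter in front of one VPN server, open only to its peer."""

    def __init__(self, local_vpn_server: str, remote_vpn_server: str):
        self.local = ip_address(local_vpn_server)
        self.peer = ip_address(remote_vpn_server)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet arriving from the Internet."""
        if ip_address(pkt.dst) != self.local:
            return ("drop", "not addressed to the VPN server")
        from_peer = ip_address(pkt.src) == self.peer
        if pkt.proto == TCP_PROTOCOL and pkt.dport == PPTP_CONTROL_PORT:
            if from_peer:
                return ("accept", "PPTP control connection from peer")
            return ("drop", "PPTP control connection from non-peer")
        if pkt.proto == GRE_PROTOCOL:
            if from_peer:
                return ("accept", "GRE tunnel data from peer")
            return ("drop", "GRE from non-peer")
        return ("drop", "not PPTP traffic")


# Constructed log format for the example: "<timestamp> <src> -> <dst> proto=<n> [dport=<n>]"
LOG_LINE = re.compile(r"^(\S+) (\S+) -> (\S+) proto=(\d+)(?: dport=(\d+))?$")


def parse_log_line(line: str) -> Optional[Packet]:
    """Turn one constructed log line into a Packet; None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    _, src, dst, proto, dport = m.groups()
    return Packet(src, dst, int(proto), int(dport) if dport else None)


def audit(filt: PptpPeerFilter, lines: List[str]) -> Dict[str, int]:
    """Count, per source address, rejected attempts on the PPTP control port.

    Repeated hits from addresses other than the peer are what the filter is
    there to absorb; the counts give the operator something to follow up on.
    """
    rejected: Counter = Counter()
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        verdict, reason = filt.decide(pkt)
        if verdict == "drop" and reason == "PPTP control connection from non-peer":
            rejected[pkt.src] += 1
    return dict(rejected)


# Constructed sample: our VPN server is 203.0.113.10, the remote office's is 198.51.100.20.
LOCAL_SERVER = "203.0.113.10"
PEER_SERVER = "198.51.100.20"
SAMPLE_LOG = [
    "1999-07-22T09:00:01 198.51.100.20 -> 203.0.113.10 proto=6 dport=1723",
    "1999-07-22T09:00:01 198.51.100.20 -> 203.0.113.10 proto=47",
    "1999-07-22T09:00:05 192.0.2.77 -> 203.0.113.10 proto=6 dport=1723",
    "1999-07-22T09:00:06 192.0.2.77 -> 203.0.113.10 proto=6 dport=1723",
    "1999-07-22T09:00:09 198.51.100.20 -> 203.0.113.10 proto=6 dport=80",
]

if __name__ == "__main__":
    f = PptpPeerFilter(LOCAL_SERVER, PEER_SERVER)
    for line in SAMPLE_LOG:
        pkt = parse_log_line(line)
        print("%15s proto=%-3d dport=%s: %s" % (pkt.src, pkt.proto, pkt.dport, f.decide(pkt)))
    print("rejected PPTP control attempts:", audit(f, SAMPLE_LOG))
```

For the remote-PC form of the VPN described earlier, where users connect from arbitrary ISP addresses, this peer-only restriction is not available, which is why the article offers it only for the LAN-to-LAN case.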
The WAN is no longer limited to large corporations. VPN has leveraged the ubiquitous Internet to provide a low-cost WAN to every group, regardless of size. With the software provided by Microsoft and the knowledge gained here, nothing should prevent you from expanding the power of your LAN through the Internet.
Jeff Farley is senior engineer at Palo Verde Software and codesigner of NtSpectre, a security tool for Windows NT.
© 2001 Cable News Network. All Rights Reserved.