Posted: Monday, September 13, 1999
Special Related Article
Windows 2000-Based Virtual Private Networking: Supporting VPN Interoperability. Many vendors diverged from industry standards and implemented VPNs that don't work together. Windows 2000 was designed with IETF standards to support interoperability in multi-vendor environments and to provide customers with an open solution. This paper will explain the interoperability issues and provide customers and vendors with recommendations towards ensuring an open interoperable remote access and networking environment.

The native virtual private networking (VPN) technologies in the Windows NT® 4.0 operating system are the most popular on the market today. The Windows® 2000 operating system improves on this pioneering effort by integrating directories for simpler, more scalable management, and by supporting more VPN standards for secure user authentication and data encryption. Through enhanced client-server and server-server VPN management and security, and broader protocol support, Windows 2000 allows organizations to optimize their communications infrastructure to create exceptional remote access solutions.
The key to any remote access solution is security. Windows 2000 provides secure authentication, authorization, and data encryption for Windows-based VPN communications using standards-based technologies.
Authentication
Authentication is a confirmation process ensuring that remote users are authorized to access the network. Windows 2000 provides several technologies to achieve this goal:
- Pre-shared keys. This method uses a shared, secret key that is previously agreed upon by two systems. This can be automatically managed through Microsoft® Point-to-Point Encryption (MPPE), or manually configured using Internet Protocol Security (IPSec).
- Kerberos V5 security protocol. This Internet standard security protocol is the default authentication technology in Windows 2000. Kerberos provides a high level of password encryption across a network. Windows 2000 operating systems support any Kerberos V5 clients that are also members of a trusted domain.
- Public key certificates. Windows 2000 supports public key certificates and their management through Internet Key Exchange services (IKE). This solution requires managing certificates or contracting out to a trusted certificate authority (CA) that distributes X.509 Version 3 certificates.
Windows 2000 enhances these forms of authentication by supporting second-factor authentication using the Extensible Authentication Protocol (EAP). These second-factor forms of authentication require two pieces of information to gain access: the user's password and an additional credential such as a certificate, smart card, token card, or biometric profile (for example, a fingerprint or eye scan).
Authorization
Windows 2000 simplifies the authorization process by integrating the security and directory infrastructure to file, print, and other network resources and services. Authorization to network resources is a simple matter of sharing out the resource and then allocating permissions to the appropriate users or groups of users defined within the Active Directory™ service. Simple hierarchical rules of inheritance govern access to the shared resources.
Data encryption
To better secure network data, Windows 2000 supports IPSec data encryption schemes such as:
- Standard 40- and 56-bit encryption.
- Data Encryption Standard (DES) and 3DES with two 56-bit keys.
- 128/40-bit encryption algorithm using RSA Data Security's RC4 public/private key algorithm with Microsoft Point-to-Point Encryption (MPPE).
The MPPE-based VPN solution is also compatible with Windows 2000 network address translation (NAT) packet filtering services, which shield internal network addresses from potential external risks.
Because of its business-critical nature, remote access should be available from any location at any time. With Windows 2000 Advanced Server, customers can cluster groups of VPN servers together to provide greater availability. Remote service can be incrementally deployed in a manner that is transparent to the installed client base. These services complement the fail-over and power redundancy hardware efforts of Windows 2000 hardware vendor solutions. The result is a highly available and reliable network access solution on an open platform.
Windows 2000 increases the performance of VPNs by supporting a combination of hardware and software technologies and features. Windows 2000 hardware integration supports:
- Multiple processors.
- Multi-link services.
- High bandwidth media.
- Interfaces for offloading TCP/IP address management to network adapters.
- Interfaces for offloading encryption to network adapters.
Windows 2000 software services provide:
- Enhanced TCP/IP stack.
- Network traffic compression.
- Standards-based Quality of Service network traffic prioritization.
- Load balancing services in a clustered environment.
The combination of these hardware and software services ensures that Windows 2000 VPN solutions provide high performance network access.
Windows 2000 supports industry-standard VPNs with improved Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), as well as user authentication and data encryption using L2TP with IPSec. Integrating L2TP with IPSec encryption provides a very secure, end-to-end, standards-based solution for remote networking clients. This adherence to Internet standards allows greater interoperability across standards-compliant systems, providing user authenticity, privacy, and data integrity. Support of user-based authentication distinguishes Windows 2000 from less interoperable and less secure solutions that rely on proprietary user authentication schemes and/or machine-based authentication techniques.
To simplify VPN management, Windows 2000 provides both client and server administrative tools for improved remote access implementations.
Windows 2000-based clients can be automatically configured and managed using the Connection Manager Administration Kit (CMAK). Using CMAK to create a customizable deployment module that is then distributed among users, administrators can provide simple and secure local dial-up and/or VPN connections for all corporate users. Access permissions are centrally stored in Active Directory, and policies are easily applied through the Internet Authentication Service (IAS). These scalable, policy-based management services are also extended to non-Windows-based systems for enhanced interoperability through Remote Authentication Dial-In User Service (RADIUS) support.
Windows 2000 simplifies managing more sophisticated certificate-based security systems by supporting automated certificate and key management using the Internet Key Exchange protocol (IKE) for IPSec. Windows 2000 can even eliminate the need for manual certificate installation by allowing Kerberos tickets for IPSec-encrypted communications. For most VPN implementations Windows 2000 provides automated key management services by using pre-shared keys with MPPE, resulting in simple yet effective 128-bit communications between connection endpoints.
Windows 2000 provides organizations with a secure, highly available, high performance VPN solution. This solution provides integrated client-server standards support and administrative tools that facilitate management and ensure interoperability. The result is a comprehensive VPN solution for connecting individual and remote offices across the Internet, thereby increasing employee productivity, reducing operational expenses, and allowing new forms of business partnering.