Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Page 1:

Copyright Microsoft Corp. 2006

Ramnish Singh, IT Advisor, Microsoft Corporation

Secure Remote Access: Challenges, Choices, Best Practices

Page 2:

Design Goals: Client Remote Access

- Transmitted data is encrypted between endpoints.
- Intercepted data on the Internet should be unreadable.
- Information altered or spoofed by a hacker is rejected.
- Client and server can verify each other's identity.
- The client-to-server connection cannot be hijacked.
- Remote access services availability.
- Services can be managed with existing infrastructure tools and technologies.
- Open, non-proprietary standards are built into the design.

Page 3:

Design Goals: Site-to-Site VPNs

- Transmitted data is encrypted between endpoints.
- Intercepted data on the Internet should be unreadable.
- Information altered or spoofed by a hacker is rejected.
- Site-to-site endpoints can verify each other's identity.
- The site-to-site connection cannot be hijacked.
- Remote access services availability.
- Routes are available across the entire network, LAN, and VPN from all endpoints.
- Services can be managed with existing infrastructure tools and technologies.

Page 4:

Design Options for Remote Access

Remote Client Access
- Option 1: Dial-up Remote Access
- Option 2: VPN Remote Access

Site-to-Site Access
- Option 1: Dial-up Remote Access
- Option 2: Fixed Links
- Option 3: VPN Site-to-Site Access

[Diagram: remote client access, where a VPN Client connects through an ISP to the Internet and a VPN connection tunnels to the VPN/IAS Server on the Intranet; site-to-site access, where a VPN-capable Server at the Branch Office (dedicated or dial-up link to ISP) tunnels over the Internet to a VPN-capable Server at the Corporate Hub (dedicated link to ISP).]

Page 5:

VPN Technologies

Page 6:

What Is a Virtual Private Network?

Page 7:

VPN Technologies

Option 1: Server-based VPNs
Advantages
- Capitalize on current investments
- Standard Windows tools
Disadvantages
- Patch management requirement
- Consolidation risk to VPN server

Option 2: Hardware-based VPNs
Advantages
- High network throughput
- Secure remote administration
- Highly configurable
Disadvantages
- Expensive
- Proprietary client software
- Requirement of specialized skills

Option 3: Third-party Managed VPN Services
Advantages
- Low cost
- Outsourced installation and support
- Availability
Disadvantages
- Loss of control
- Loss of flexibility

Page 8:

VPN Design Process

- Devices: hardware-based VPN device; Windows Server 2003
- Communication protocol: PPTP (Point to Point Tunneling Protocol); L2TP (Layer 2 Tunneling Protocol)
- Authentication protocol: MS-CHAP v2; Extensible Authentication Protocol with Transport Layer Security (EAP-TLS)
- End-to-end encryption level: Strong; Strongest

Page 9:

Other Design Challenges

- VPN solution consolidation: dedicated devices for each solution; consolidate on a single device or on a cluster
- Placement of VPN devices: in front of the firewall; behind the firewall; next to the firewall; VPN consolidated firewall
- Load balancing the solution: round-robin DNS; hardware-based load balancing; software-based load balancing

Page 10:

Client Remote Access Design

Page 11:

Selecting VPN Devices

Option 1: Hardware-based VPN Device
Advantages
- Dedicated solution
- Scalable solution
- Reliability
Disadvantages
- Proprietary software (may be)
- Higher cost
- Support overhead

Option 2: Windows Server 2003 Server
Advantages
- Common platform
- Consolidation potential
- Proven technology
Disadvantages
- Patch management
- VPN dependencies

Page 12:

Selecting VPN Protocols

Option 1: Point to Point Tunneling Protocol (PPTP)
Advantages
- Client support
- Firewall support
- Provides data confidentiality
- Low encryption overhead
Disadvantages
- No data integrity check
- Requires MS-CHAP v2

Option 2: Layer 2 Tunneling Protocol (L2TP)
Advantages
- Origin, integrity, replay, and confidentiality protection
- Strong authentication
- Windows client support
Disadvantages
- Encryption overhead
- Requires certificate infrastructure or pre-shared key

Page 13:

Selecting VPN Authentication Protocol

Option 1: MS-CHAP v2
Password-based authentication protocol. Used in the absence of certificates or smart cards.

Option 2: EAP-TLS (Certificates or Smart Cards)
Designed for use with a certificate infrastructure and either certificates or smart cards. Strongest authentication method since it does not rely on passwords.

Page 14:

Selecting VPN Authentication Method

Option 1: Windows Authentication
Advantage
- Existing infrastructure
Disadvantage
- Management is not scalable

Option 2: Internet Authentication Service (IAS)
Advantages
- Increased security
- Logging
- Apply policies
Disadvantage
- Increased management costs

Page 15:

Site-to-Site VPN Design

Page 16:

Selecting Site-to-Site VPN Devices

Option 1: Hardware-based VPN Devices
Advantages
- Dedicated solution
- Scalable solution
- Reliability
- Easy to install
Disadvantages
- Proprietary software (may be)
- Vendor restrictions
- Additional licensing costs

Option 2: Hardware-based VPN Device at Branch Office and Windows Server 2003 at Corporate Office
Advantages
- Simple deployment
- Ease of installation
- Scalability and management
Disadvantages
- Support costs

Page 17:

Selecting Site-to-Site VPN Devices

Option 3: Windows Server 2003 to Connect Branch and Corporate Offices
Advantages
- Common platform
- Consolidation potential
- Proven technology
- Hardware reuse
- No additional costs
Disadvantages
- Patch management
- VPN dependencies

Page 18:

Selecting Site-to-Site VPN Communication Protocols

Option 1: Layer Two Tunneling Protocol / Internet Protocol Security (L2TP/IPsec)
Advantages
- Origin, integrity, replay, and confidentiality protection
- Strong authentication
Disadvantage
- Encryption overhead

Option 2: Pure Internet Protocol Security (IPsec) Tunnel
Advantages
- Interoperability
- Provides for gateway-to-gateway tunneling
Disadvantages
- May not support user-based authentication
- Potential vulnerabilities

Page 19:

Site-to-Site Authentication Protocols

Option 1: Certificate-based Authentication
Advantages
- Devices uniquely certified
- Flexible deployment
Disadvantage
- Maintenance overhead

Option 2: Internet Protocol Security with Shared Secret
Advantage
- Standards-based interoperability
Disadvantages
- Shared secret vulnerability
- Password update overhead
- Weak authentication

Page 20:

Other Design Challenges

Page 21:

VPN Solution Consolidation

Option 1: Dedicated Devices for Each Solution
Advantages
- Limited impact on availability
- Independent management
- Appropriate cost allocation
Disadvantage
- Higher costs

Option 2: Consolidate Solutions on Single Device or Cluster
Advantages
- Cost savings
- Load balanced
Disadvantage
- One service affects the other

Page 22:

Placement of VPN Devices

Option 1: VPN Server in Front of the Firewall
Advantages
- Separate VPN service
- Simple configuration
- No bandwidth restrictions
- Firewall security policy can be applied to clients
Disadvantages
- VPN not protected by firewall
- Multiple connection logging

[Diagram: a VPN Client on the Internet; the VPN connection tunnel terminates on the VPN Server, which sits in front of the Firewall.]

Page 23:

Placement of VPN Devices (cont'd)

Option 2: VPN Server Behind the Firewall
Advantages
- VPN can use firewall filtering and logging
- VPN-specific IP address not required
- VPN security
Disadvantages
- Firewall rules
- Bandwidth limitations

[Diagram: a VPN Client on the Internet; the VPN connection tunnel passes through the Firewall to the VPN Server on the Perimeter Network, next to a Web Server.]

Page 24:

Placement of VPN Devices (cont'd)

Option 3: VPN Server and Firewall Side by Side on the Same Internet Segment
Advantages
- Separate VPN service
- Simple configuration
- Independent management
- Firewall licensing
Disadvantages
- Bandwidth limitations
- VPN not protected by firewall

[Diagram: the VPN Server and the Firewall sit side by side on the same Internet segment; the VPN Client tunnels to the VPN Server, and the Web Server sits behind the Firewall.]

Page 25:

Placement of VPN Devices (cont'd)

Option 4: VPN Consolidated Firewall Design
Advantages
- Cost-effective
- Manageable
Disadvantages
- Potential service conflicts
- Delegation restrictions

[Diagram: the VPN Client tunnels over the Internet to a combined Firewall/VPN device, with the Web Server behind it.]

Page 26:

Best Practices

Page 27:

Availability

- Two ISPs should be used at sites to connect to the Internet.
- At least two VPN servers should be used at sites.
- At least two VPN servers and two ISPs should be used at the branch office site if the availability requirement is high.
- All network devices, such as routers, switches, and firewalls, placed between two VPN endpoint servers should provide for redundancy.

Page 28:

Security

Encryption Levels and Encryption Support

Encryption Level    PPTP Encryption Required        L2TP Encryption Required
No Encryption       No encryption required          No encryption required
Basic               MPPE 40-bit data encryption     IPSec 56-bit DES
Strong              MPPE 56-bit data encryption     IPSec 56-bit DES
Strongest           MPPE 128-bit encryption         IPSec 168-bit Triple DES (3DES)

Ports and Protocols Allowed Through the VPN Server

Protocol                 Server Port
PPTP                     1723/TCP
GRE for PPTP             47/TCP
IPSec                    500/UDP
For ESP traffic          IP Protocol 50
NAT Traversal            4500/UDP
RADIUS Authentication    1812/UDP
RADIUS Accounting        1813/UDP
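As an added example that is not part of the slide deck, the Python below turns the two tables on this slide into a check a defender can run: it derives the firewall allow-list a chosen VPN design needs, reports rules that are missing or left open beyond that design, and tests whether a negotiated tunnel reaches a minimum encryption level. The feature names, the rule format and the sample rule set are constructed assumptions; GRE is recorded as IP protocol 47, in the same notation the table uses for ESP.

```python
"""Audit a VPN server's firewall allow-list and encryption level against the
'Ports and Protocols' and 'Encryption Levels' tables (added example)."""
from typing import Iterable

# Rows of the ports table, grouped by the VPN component that needs them.
# Each entry is (proto, number): a TCP/UDP port, or the IP protocol number
# when proto is "ip". GRE is IP protocol 47, written like the ESP row.
REQUIRED = {
    "pptp": [("tcp", 1723), ("ip", 47)],                      # control channel, GRE data
    "l2tp_ipsec": [("udp", 500), ("ip", 50), ("udp", 4500)],  # IKE, ESP, NAT traversal
    "radius": [("udp", 1812), ("udp", 1813)],                 # IAS authentication, accounting
}
ALL_VPN_ENTRIES = {entry for rows in REQUIRED.values() for entry in rows}

# Rows of the encryption table: (tunnel, cipher) -> level.
# Assumption: the slide lists IPSec 56-bit DES on both the Basic and Strong
# rows; this example ranks it as Basic, the conservative reading.
ENCRYPTION_LEVEL = {
    ("pptp", "mppe-40"): "basic",
    ("pptp", "mppe-56"): "strong",
    ("pptp", "mppe-128"): "strongest",
    ("l2tp_ipsec", "des-56"): "basic",
    ("l2tp_ipsec", "3des-168"): "strongest",
}
LEVEL_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}


def required_allow_list(features: Iterable[str]) -> set:
    """Entries the VPN server's firewall must allow for the chosen features."""
    needed = set()
    for feature in features:
        if feature not in REQUIRED:
            raise ValueError(f"unknown VPN feature: {feature}")
        needed.update(REQUIRED[feature])
    return needed


def audit_rules(rules: list, features: Iterable[str]) -> dict:
    """Compare an allow-rule list with the allow-list the design needs.

    rules: dicts with keys proto ("tcp"/"udp"/"ip"), number (port, or IP
    protocol number for "ip") and action ("allow"/"deny"). Returns the
    required entries that are missing, and the VPN-related entries that are
    allowed although this design does not need them (for instance PPTP
    left open on an L2TP/IPsec-only server).
    """
    allowed = {(r["proto"], r["number"]) for r in rules if r["action"] == "allow"}
    needed = required_allow_list(features)
    return {
        "missing": sorted(needed - allowed, key=str),
        "unneeded": sorted((allowed & ALL_VPN_ENTRIES) - needed, key=str),
    }


def tunnel_meets_policy(tunnel: str, cipher: str, minimum: str) -> bool:
    """True if a negotiated (tunnel, cipher) pair reaches the required level.
    A pair the table does not list counts as no encryption."""
    level = ENCRYPTION_LEVEL.get((tunnel, cipher), "none")
    return LEVEL_RANK[level] >= LEVEL_RANK[minimum]


# Constructed sample rule set: an L2TP/IPsec server with RADIUS that still
# has a leftover PPTP allow rule and lacks the NAT traversal rule.
SAMPLE_RULES = [
    {"proto": "udp", "number": 500, "action": "allow"},
    {"proto": "ip", "number": 50, "action": "allow"},
    {"proto": "udp", "number": 1812, "action": "allow"},
    {"proto": "udp", "number": 1813, "action": "allow"},
    {"proto": "tcp", "number": 1723, "action": "allow"},
    {"proto": "tcp", "number": 23, "action": "deny"},
]

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES, ["l2tp_ipsec", "radius"]))
    print(tunnel_meets_policy("pptp", "mppe-40", "strong"))
```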

Page 29:

Remote Access Services Design for Centralized Data Center

Page 30:

[Diagram: Remote Access Services Design for Centralized Data Center. Remote clients reach the Client VPN from the Internet through ISP 1 and ISP 2, Border Routers A and B, Access Switches A and B and a Firewall into the Perimeter zone (VPN Server, Proxy Service, Perimeter Domain Controllers, IAS/RADIUS, Issuing/Intermediate CA, Load-balancing CSM and Software, Layer 2 Switching and Layer 3 Routing, Perimeter Front Outbound). An Internal Link through the Core Switch and Internal Aggregation Switch leads to the Internal Infrastructure (Network Services, Internal DNS, Internal WINS, Internal DFS, Root DFS, Root/Intermediate CAs, Root and Internal Domain Controllers, Print Services, Backup Service, Management).]

Page 31:

[Diagram: Remote Access Services Design for Centralized Data Center, detailed view. Border zone: Border Routers A and B with Internet through ISP1 and ISP2. Remote Access and Perimeter zone: Access Switches A and B, Proxy Service, VPN Service, Client VPN with VPN Pool, Perimeter Front End Outbound, Perimeter Outbound. Internal zone via the Internal Link, Core Switch and Internal Aggregation Switch: Internal Infrastructure (Multi-Services, Internal WINS, Internal DNS, Internal Proxy, Internal DFS, Root DFS, IAS/RADIUS, Print Services, Root/Intermediate CAs, Issuing CA, Root and Internal Domain Controllers), Internal Applications, Internal Front End Web, Internal Back End. Internal Data and Middleware zone: Middleware Web Services, Internal Data Front End and Back End, Read-only Database, Internal Database, Database Management. Public zone: Public Database. Key: Firewall, Load-balancing CSM, Load-balancing Software, Layer 2 Switching, Layer 3 Switching/Routing; X2 marks a redundant device not shown for simplicity.]


Page 33:

Remote Access Services Design for Satellite Branch Office

Page 34:

[Diagram: Remote Access Services Design for Satellite Branch Office. Remote clients reach the Client VPN from the Internet through ISP 1 and ISP 2, Border Routers A and B and Access Switches A and B into the Perimeter zone (VPN Server, Proxy Service, Perimeter Aggregation Switch, Firewall Service, Core Switch, Middleware, Web Services, Public DNS, Perimeter Front Inbound, Perimeter Front Outbound, Perimeter Back End). The Satellite Branch Office (Clients behind a Router/Firewall) connects by Site-to-Site VPN. Key: Firewall, Layer 3 Routing, Layer 2 Switching, Load-balancing Software, Load-balancing CSM, Access Switching.]

Page 35:

[Diagram: Remote Access Services Design for Satellite Branch Office, detailed view. Border zone: Border Routers A and B with Internet through ISP1 and ISP2. Remote Access and Perimeter zone: Access Switches A and B, Proxy Service, VPN Service, Client VPN with VPN Pool for Remote Clients, Site-to-Site VPN to the Satellite Branch Office (Clients, Router/Firewall, Access Switch), Perimeter Front End Outbound, Perimeter Outbound. Internal zone via the Internal Link, Core Switch and Internal Aggregation Switch: Internal Infrastructure (Multi-Services, Internal WINS, Internal DNS, Internal Proxy, Internal DFS, Root DFS, IAS/RADIUS, Print Services, Root/Intermediate CAs, Issuing CA, Root and Internal Domain Controllers), Internal Applications, Internal Front End Web, Internal Back End. Internal Data and Middleware zone: Middleware Web Services, Internal Data Front End and Back End, Read-only Database, Internal Database, Database Management. Public zone: Public Database. Key: Firewall, Load-balancing CSM, Load-balancing Software, Layer 2 Switching, Layer 3 Switching/Routing; X2 marks a redundant device not shown for simplicity.]


Page 37:

Questions?

Page 38:

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.