Secure Remote Access: Challenges, Choices, Best Practices
Ramnish Singh, IT Advisor, Microsoft Corporation
Dec 23, 2015
Copyright Microsoft Corp. 2006
Design Goals: Client Remote Access
- Transmitted data is encrypted between endpoints.
- Data intercepted on the Internet should be unreadable.
- Information altered or spoofed by an attacker is rejected.
- Client and server can verify each other's identity.
- The client-server connection cannot be hijacked.
- Remote access services remain available.
- Services can be managed with existing infrastructure tools and technologies.
- Open, non-proprietary standards are built into the design.
Design Goals: Site-to-Site VPNs
- Transmitted data is encrypted between endpoints.
- Data intercepted on the Internet should be unreadable.
- Information altered or spoofed by an attacker is rejected.
- Site-to-site endpoints can verify each other's identity.
- The site-to-site connection cannot be hijacked.
- Remote access services remain available.
- Routes are available across the entire network (LAN and VPN) from all endpoints.
- Services can be managed with existing infrastructure tools and technologies.
Design Options for Remote Access
Remote client access:
- Option 1: Dial-up remote access
- Option 2: VPN remote access
Site-to-site access:
- Option 1: Dial-up remote access
- Option 2: Fixed links
- Option 3: VPN site-to-site access
[Diagram: the two VPN topologies. Remote client access: a VPN client connects to its ISP, crosses the Internet through a tunnel (the VPN connection) and terminates on a VPN/IAS server at the edge of the intranet. Site-to-site access: a VPN-capable server at the branch office, on a dedicated or dial-up link to its ISP, tunnels across the Internet to a VPN-capable server at the corporate hub, which has a dedicated link to its ISP.]
VPN Technologies
What Is a Virtual Private Network?
VPN Technologies
Option 1: Server-based VPNs
- Advantages: capitalize on current investments; standard Windows tools.
- Disadvantages: patch management requirement; consolidation risk to the VPN server.
Option 2: Hardware-based VPNs
- Advantages: high network throughput; secure remote administration; highly configurable.
- Disadvantages: expensive; proprietary client software; requires specialized skills.
Option 3: Third-party Managed VPN Services
- Advantages: low cost; outsourced installation and support; availability.
- Disadvantages: loss of control; loss of flexibility.
VPN Design Process
The design decisions, with the two options the deck weighs for each:
- Devices: a hardware-based VPN device, or Windows Server 2003.
- Communication protocol: PPTP (Point-to-Point Tunneling Protocol), or L2TP (Layer 2 Tunneling Protocol) over IPsec.
- Authentication protocol: MS-CHAP v2, or EAP-TLS (Extensible Authentication Protocol with Transport Layer Security).
- End-to-end encryption level: Strong, or Strongest (the levels are defined in the encryption table under Best Practices).
Other Design Challenges
- VPN solution consolidation: dedicated devices for each solution, or consolidate on a single device or cluster.
- Placement of VPN devices: in front of the firewall, behind the firewall, next to the firewall, or a VPN-consolidated firewall.
- Load balancing the solution: round-robin DNS, hardware-based load balancing, or software-based load balancing.
Client Remote Access Design
Selecting VPN Devices
Option 1: Hardware-based VPN Device
- Advantages: dedicated solution; scalable solution; reliability.
- Disadvantages: proprietary software (possibly); higher cost; support overhead.
Option 2: Windows Server 2003 Server
- Advantages: common platform; consolidation potential; proven technology.
- Disadvantages: patch management; VPN dependencies.
Selecting VPN Protocols
Option 1: Point-to-Point Tunneling Protocol (PPTP)
- Advantages: broad client support; firewall support; provides data confidentiality (MPPE); low encryption overhead.
- Disadvantages: no data integrity check; requires MS-CHAP v2 (the MPPE keys are derived from the authentication exchange).
Option 2: Layer 2 Tunneling Protocol (L2TP), run over IPsec
- Advantages: origin, integrity, replay and confidentiality protection; strong authentication; Windows client support.
- Disadvantages: encryption overhead; requires a certificate infrastructure or a pre-shared key for the IPsec peer authentication.
Selecting VPN Authentication Protocol
Option 1: MS-CHAP v2
- A password-based authentication protocol, used in the absence of certificates or smart cards.
Option 2: EAP-TLS (certificates or smart cards)
- Designed for use with a certificate infrastructure and either certificates or smart cards. The strongest authentication method, since it does not rely on passwords.
Caveat: the MS-CHAP v2 challenge-response can be recovered offline by an attacker who captures the exchange (Microsoft Security Advisory 2743314, 2012). If passwords must be used, encapsulate MS-CHAP v2 in PEAP; otherwise prefer EAP-TLS.
Selecting VPN Authentication Method
Option 1: Windows Authentication
- Advantage: uses the existing infrastructure.
- Disadvantage: management is not scalable.
Option 2: Internet Authentication Service (IAS, Microsoft's RADIUS server)
- Advantages: increased security; centralized logging; remote access policies can be applied.
- Disadvantage: increased management costs.
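The IAS option above means the VPN server no longer checks passwords itself: it forwards an Access-Request to the RADIUS server and trusts the Access-Accept or Access-Reject that comes back, with both directions protected by a shared secret. The following is an added example, not code from the deck or from IAS, that runs both sides of that exchange from the RFC 2865 primitives: User-Password hiding under the shared secret and the Response Authenticator the VPN server must verify before honouring the reply. The shared secret, the user store, the identifier 42 and the restriction to the User-Name and User-Password attributes are all constructed assumptions.

```python
"""RADIUS Access-Request / Access-Accept exchange between a VPN (RRAS) server and
an IAS/RADIUS server, built from RFC 2865 primitives. Added example; the shared
secret and the user store below are constructed, not real configuration."""

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                 # RFC 2865 attribute types
SHARED_SECRET = b"constructed-shared-secret"    # assumption: configured on both peers
USERS = {b"alice": b"correct horse"}            # constructed user store on the RADIUS side


def _md5(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for p in parts:
        h.update(p)
    return h.digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], _md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the padding; passwords ending in NUL are not representable


def _attr(typ: int, value: bytes) -> bytes:
    return struct.pack("!BB", typ, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[typ] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """VPN server side. Returns (packet, request_authenticator); the caller keeps
    the authenticator because the reply can only be verified against it."""
    request_auth = os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def radius_server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """IAS/RADIUS side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(attrs.get(USER_NAME, b""), b"\x00")
    code = ACCESS_ACCEPT if hmac.compare_digest(expected, password) else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this example
    return header + _md5(header, request_auth, secret)


def verify_response(response: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """VPN server side: reject any reply whose authenticator was not computed with the secret."""
    _, resp_ident, length = struct.unpack("!BBH", response[:4])
    if resp_ident != ident or length != len(response):
        return False
    expected = _md5(response[:4], request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username: bytes, password: bytes, *, tamper: bool = False) -> str:
    """Full exchange. tamper=True simulates an on-path attacker rewriting the reply
    code to Access-Accept without knowing the shared secret."""
    request, request_auth = build_access_request(42, username, password, SHARED_SECRET)
    reply = radius_server_handle(request, SHARED_SECRET, USERS)
    if tamper:
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    if not verify_response(reply, 42, request_auth, SHARED_SECRET):
        return "authenticator mismatch"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate(b"alice", b"correct horse"))       # accept
    print(authenticate(b"alice", b"wrong"))               # reject
    print(authenticate(b"alice", b"wrong", tamper=True))  # authenticator mismatch
```

The tampered case is the point of the "increased security" claim: a forged Access-Accept is useless to an attacker who cannot compute the Response Authenticator, so the strength of the whole arrangement rests on the shared secret being long, per-client and kept off the wire. The MD5 constructions shown are what RFC 2865 specifies, not a modern design; a real deployment should also require the Message-Authenticator attribute (RFC 2869) and carry RADIUS over IPsec between the VPN server and IAS.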
Site-to-Site VPN Design
Selecting Site-to-Site VPN Devices
Option 1: Hardware-based VPN Devices
- Advantages: dedicated solution; scalable solution; reliability; easy to install.
- Disadvantages: proprietary software (possibly); vendor restrictions; additional licensing costs.
Option 2: Hardware-based VPN Device at Branch Office and Windows Server 2003 at Corporate Office
- Advantages: simple deployment; ease of installation; scalability and management.
- Disadvantages: support costs.
Selecting Site-to-Site VPN Devices (cont'd)
Option 3: Windows Server 2003 to Connect Branch and Corporate Offices
- Advantages: common platform; consolidation potential; proven technology; hardware reuse; no additional costs.
- Disadvantages: patch management; VPN dependencies.
Selecting Site-to-Site VPN Communication Protocols
Option 1: Layer Two Tunneling Protocol over Internet Protocol Security (L2TP/IPsec)
- Advantages: origin, integrity, replay and confidentiality protection; strong authentication.
- Disadvantage: encryption overhead.
Option 2: Pure Internet Protocol Security Tunnel (IPsec tunnel mode)
- Advantages: interoperability; provides gateway-to-gateway tunneling.
- Disadvantages: may not support user-based authentication; potential vulnerabilities.
Site-to-Site Authentication Protocols
Option 1: Certificate-based Authentication
- Advantages: devices are uniquely certified; flexible deployment.
- Disadvantage: maintenance overhead.
Option 2: Internet Protocol Security with Shared Secret (pre-shared key)
- Advantage: standards-based interoperability.
- Disadvantages: shared secret vulnerability (a static key that must be distributed to and stored on every peer); password update overhead; weak authentication.
Other Design Challenges
VPN Solution Consolidation
Option 1: Dedicated Devices for Each Solution
- Advantages: limited impact on availability; independent management; appropriate cost allocation.
- Disadvantage: higher costs.
Option 2: Consolidate Solutions on a Single Device or Cluster
- Advantages: cost savings; load balanced.
- Disadvantage: one service affects the other.
Placement of VPN Devices
Option 1: VPN Server in Front of the Firewall
[Diagram: the VPN client tunnels across the Internet (the VPN connection) to a VPN server that sits on the Internet side of the firewall.]
- Advantages: separate VPN service; simple configuration; no bandwidth restrictions; firewall security policy can be applied to clients.
- Disadvantages: VPN server not protected by the firewall; multiple connection logging.
Placement of VPN Devices (cont'd)
Option 2: VPN Server Behind the Firewall
[Diagram: the VPN client tunnels across the Internet through the firewall into a perimeter network that holds the VPN server and a web server.]
- Advantages: VPN can use firewall filtering and logging; no VPN-specific IP address required; VPN security.
- Disadvantages: firewall rules (the firewall must pass the VPN protocols listed in the ports table under Best Practices); bandwidth limitations.
Placement of VPN Devices (cont'd)
Option 3: VPN Server and Firewall Side by Side on the Same Internet Segment
[Diagram: the VPN client tunnels across the Internet to a VPN server that sits beside the firewall on the Internet segment; the web server sits behind the firewall.]
- Advantages: separate VPN service; simple configuration; independent management; firewall licensing.
- Disadvantages: bandwidth limitations; VPN server not protected by the firewall.
Placement of VPN Devices (cont'd)
Option 4: VPN-Consolidated Firewall Design
[Diagram: the VPN client tunnels across the Internet to a combined Firewall/VPN device; the web server sits behind it.]
- Advantages: cost-effective; manageable.
- Disadvantages: potential service conflicts; delegation restrictions.
Best Practices
Availability
- Two ISPs should be used at each site to connect to the Internet.
- At least two VPN servers should be used at each site.
- At least two VPN servers and two ISPs should be used at the branch office site if the availability requirement is high.
- All network devices (routers, switches, firewalls) placed between two VPN endpoint servers should be redundant.
Security

Encryption Levels and Encryption Support (Windows Server 2003 remote access policy levels)

Encryption Level | PPTP Encryption Required | L2TP/IPsec Encryption Required
No Encryption | No encryption required | No encryption required
Basic | MPPE 40-bit data encryption | IPsec 56-bit DES
Strong | MPPE 56-bit data encryption | IPsec 56-bit DES
Strongest | MPPE 128-bit encryption | IPsec 168-bit Triple DES (3DES)

Caveat: these are the 2006-era policy levels. 40-bit and 56-bit keys, DES and RC4-based MPPE are no longer acceptable, and 3DES has since been deprecated by NIST, so anything below Strongest should be refused and the IPsec cipher set reviewed against current guidance.

Ports and Protocols Allowed Through the VPN Server

Protocol | Server port or IP protocol
PPTP (control channel) | 1723/TCP
GRE for PPTP (tunnelled data) | IP protocol 47
IPsec IKE | 500/UDP
IPsec NAT traversal (NAT-T) | 4500/UDP
IPsec ESP traffic | IP protocol 50
RADIUS authentication | 1812/UDP
RADIUS accounting | 1813/UDP

GRE and ESP are carried directly over IP (protocol numbers 47 and 50), not over TCP or UDP; a firewall rule for "TCP port 47" lets the PPTP control channel come up while every data packet is dropped.
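A check a practitioner wants before going live is whether the edge firewall actually opens everything in the table above, and whether GRE and ESP were entered as IP protocols rather than as ports. The following is an added example, not code from the deck or from any firewall vendor: it reads a constructed `allow <tcp|udp> <port>` / `allow <gre|esp|ah|number>` rule format that stands in for a real export, audits it against the table, and also catches the port-versus-protocol mistake for the L2TP/IPsec services. The rule syntax, the service names and the finding strings are this script's own assumptions.

```python
"""Audit a VPN server's firewall allow-list against the ports and IP protocols a
Windows RRAS/IAS VPN server needs. Added example, not from the original deck; the
rule syntax is a constructed stand-in for a real firewall export."""

# service -> ("tcp"|"udp", port) or ("ip", IP protocol number)
REQUIRED = {
    "PPTP control channel": ("tcp", 1723),
    "GRE (PPTP data)": ("ip", 47),
    "IKE (IPsec key exchange)": ("udp", 500),
    "ESP (IPsec data)": ("ip", 50),
    "IPsec NAT-T": ("udp", 4500),
    "RADIUS authentication": ("udp", 1812),
    "RADIUS accounting": ("udp", 1813),
}
PPTP_SERVICES = ("PPTP control channel", "GRE (PPTP data)")
L2TP_SERVICES = ("IKE (IPsec key exchange)", "ESP (IPsec data)", "IPsec NAT-T")
RADIUS_SERVICES = ("RADIUS authentication", "RADIUS accounting")
IP_PROTO_NAMES = {"gre": 47, "esp": 50, "ah": 51}


def parse_rule(line: str) -> tuple:
    """'allow tcp 1723' -> ('tcp', 1723); 'allow gre' or 'allow 47' -> ('ip', 47)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "allow":
        raise ValueError(f"unsupported rule: {line!r}")
    proto = parts[1].lower()
    if proto in ("tcp", "udp"):
        if len(parts) != 3:
            raise ValueError(f"{proto} rule needs a port: {line!r}")
        return (proto, int(parts[2]))
    return ("ip", IP_PROTO_NAMES.get(proto) or int(proto))  # int() rejects unknown names


def audit(rule_lines, *, pptp: bool = True, l2tp: bool = True) -> list:
    """Return findings (empty list means the allow-list covers every required service)."""
    rules = {parse_rule(l) for l in rule_lines if l.strip() and not l.lstrip().startswith("#")}
    wanted = list(RADIUS_SERVICES)
    if pptp:
        wanted += PPTP_SERVICES
    if l2tp:
        wanted += L2TP_SERVICES
    findings = [f"missing: {svc} needs {REQUIRED[svc][0]}/{REQUIRED[svc][1]}"
                for svc in wanted if REQUIRED[svc] not in rules]
    # GRE, ESP and AH are IP protocols, not ports: a 'tcp 47' or 'udp 50' rule lets
    # the control channel or IKE complete while every tunnelled data packet is dropped.
    for proto, num in sorted(rules):
        if proto in ("tcp", "udp") and num in IP_PROTO_NAMES.values():
            findings.append(f"misconfigured: {proto}/{num} is a port rule; "
                            f"it must be allowed as IP protocol {num}")
    return findings


# Constructed allow-lists, not real firewall exports.
GOOD_RULES = [
    "allow tcp 1723", "allow gre", "allow udp 500", "allow esp",
    "allow udp 4500", "allow udp 1812", "allow udp 1813",
]
BAD_RULES = [
    "# constructed export from a misconfigured edge firewall",
    "allow tcp 1723",
    "allow tcp 47",      # GRE entered as a TCP port
    "allow udp 500",
    "allow udp 1812",
    "allow udp 1813",
]

if __name__ == "__main__":
    print("good:", audit(GOOD_RULES))
    for finding in audit(BAD_RULES):
        print("bad: ", finding)
```

Run against `BAD_RULES` the audit reports GRE, ESP and NAT-T missing and flags the `tcp 47` rule; with `l2tp=False` only the two PPTP findings remain. NAT-T is listed as required whenever L2TP/IPsec is in scope because clients behind home routers will negotiate it, and a tunnel that works from the office but not from a hotel is usually a missing 4500/UDP rule.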
Remote Access Services Design for Centralized Data Center
[Diagram: the centralized data center design, drawn as zones. Internet: ISP 1 and ISP 2. Border: Border Router A and Border Router B. Remote Access: remote clients arriving over client VPN into a VPN pool. Perimeter: Access Switch A and Access Switch B, Proxy Service and VPN Service, Perimeter Front End Outbound and Perimeter Outbound, perimeter domain controllers. Internal, reached over the Internal Link, Core Switch and Internal Aggregation Switch: Internal Infrastructure (multi-services: internal WINS, internal DNS, internal proxy, internal DFS and root DFS, IAS/RADIUS, print services, root/intermediate CAs and issuing CA, network services, management, backup service), root domain controllers and internal domain controllers; Internal Data and Middleware (middleware web services, internal applications, internal front-end web, internal back end); Internal Data front end and back end (read-only database, public database, database management, internal database). Key: firewall, load-balancing CSM, load-balancing software, Layer 2 switching, Layer 3 switching/routing; "X2" marks a redundant device not shown for simplicity.]
Remote Access Services Design for Satellite Branch Office
[Diagram: the satellite branch office design. The branch office (clients, router/firewall, access switch) reaches the data center over a site-to-site VPN, while remote clients still arrive over client VPN into the VPN pool. Data center zones as in the previous diagram: Internet (ISP 1, ISP 2), Border (Border Router A and B), Remote Access, Perimeter (Access Switch A and B, Proxy Service and VPN Service, Perimeter Aggregation Switch, Firewall Service, Perimeter Front Inbound, Perimeter Front Outbound and Perimeter Back End, Public DNS, Middleware Web Services), Internal (Core Switch, Internal Aggregation Switch, Internal Infrastructure multi-services, root and internal domain controllers, Internal Data and Middleware, Internal Data front end and back end with read-only, public, management and internal databases). Key: firewall, load-balancing CSM, load-balancing software, access switching, Layer 2 switching, Layer 3 switching/routing; "X2" marks a redundant device not shown for simplicity.]
Questions?
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.