Lesson 3: Designing Demand-Dial Routing Between Private Networks

Figure 7-10 A demand-dial network (figure labels: VPN1, VPN2, Internet, encrypted VPN tunnel, user database DD_Wingtip, user database DD_Tailspin)

Table 7-6 Demand-Dial Connection Interface

| Router | IP Address | Demand-Dial Interface Name | User Account Name in User Credentials |
|---|---|---|---|
| VPN1 | 207.209.68.50 | DD_Tailspin | DD_Wingtip |
| VPN2 | 208.147.66.50 | DD_Wingtip | DD_Tailspin |

4. When you set up each VPN server, use the interface name and the user account name as listed in the table. Notice that the demand-dial interface name matches the user account on the opposite VPN server. In this example, VPN1 will have a user account in its account database named DD_Wingtip. If VPN1 initiates the call, it will use this account for PPP authentication.

VPN Routers and Firewalls
VPN routers can be placed behind a firewall or outside the firewall directly on the Internet. In each case, you must consider the security of the VPN router and the configuration of the firewall. Refer to Lesson 2 in this chapter for information about VPN servers and firewalls.

Guidelines for Designing Secure Demand-Dial Routing
Demand-dial routing provides a secure method of transferring data between two networks. Authentication, authorization, accounting, and encryption choices are the same as those for remote access VPNs. There are, however, some configuration choices for the demand-dial interface. Follow these guidelines to design a secure demand-dial routing infrastructure:

Installation and configuration
These guidelines include:
- Do not make the VPN router computer a DHCP client on either the internal or external interface.
- Where possible, dedicate the VPN router to demand-dial connections rather than allowing remote access connections. By default, both types of connections are allowed. You can prevent remote access connections by clearing the Remote Access Server check box on the General tab of the VPN Servers Properties dialog box.

Multiple interfaces
These guidelines include:
- If multiple connections with remote sites are required, use a separate remote access network interface (which can be done via a configuration choice in the remote access server console) and user account for each demand-dial connection required. This will help you monitor connections. This will result in fewer people knowing the password for an individual demand-dial user account. If you need to remove access for a specific location, you can do so by simply removing that site's interface. Because no one at that site knows the password for any other interface, nobody can reconnect without your intervention.
- To manage multiple demand-dial interface user accounts, create a Windows group for these accounts and use remote access policies to manage the connections.
Designing Secure Communications Between Networks
VPN protocols
These guidelines include:
- Use L2TP/IPSec where possible, as it provides stronger security. L2TP/IPSec can be used behind a NAT router in a site-to-site configuration if both VPN routers are using Windows Server 2003.
- Provide both L2TP/IPSec and PPTP if you must support VPN routers that do not support L2TP/IPSec, or for routers for which certificate services are not available.

Encryption
These guidelines include:
- Use the strongest encryption possible for each interface.
- Do not use operating systems as VPN routers that cannot use the highest strength encryption.

These guidelines include:
- Use a local account for the user credentials (which is the default), and use a long, strong password. Schedule a periodic manual change of the password, and coordinate this with the administrator of the other VPN router.
- Where possible, use EAP for the authentication mechanism.
- EAP/MS-CHAPv2 does not require client computers to have a computer certificate. (Users use passwords as usual.) However, VPN servers still require a computer certificate. This requirement can provide a solution that is more secure and is also achievable in a network where certificate services are not available.
- EAP/TLS also requires both machine and user certificates. Although the number of certificates is small in a single demand-dial scenario, the number can quickly get out of hand if multiple sites must connect. You must weigh the increased security against the effort required to correctly implement, manage, and protect a public key infrastructure.
- Do not use operating systems as VPN routers that cannot use at least MS-CHAPv2 authentication.
- Where possible, separate VPN purposes: use one computer for a demand-dial VPN router and another for remote access VPNs. This separation is especially important if you must support remote access clients that cannot use the authentication and encryption protocols that meet the security level required for VPN routers. If you must mix remote access clients with demand-dial connections, you might have to reduce the security. Because each VPN router represents a very large amount of data and numerous connections, you must ensure the highest level of protection is configured.
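An added example, not from the book: a small Python check that tests a site-to-site design against the naming rule shown in Table 7-6 and the guidelines above (one account per connection, at least MS-CHAPv2, L2TP/IPSec offered, no DHCP client). The field names, the authentication labels and the third site (VPN3, DD_Branch, DD_HQ) are assumptions made up for illustration.

```python
# Added example, not from the book. Field names and auth labels are assumptions.
ACCEPTED_AUTH = {"MS-CHAPv2", "EAP-MS-CHAPv2", "EAP-TLS"}  # "at least MS-CHAPv2"


def iface(router, peer, name, user, auth="MS-CHAPv2",
          protocols=("L2TP/IPSec",), dhcp=False):
    """One demand-dial interface on `router` that dials `peer`."""
    return {"router": router, "peer": peer, "interface": name,
            "credential_user": user, "auth": auth,
            "protocols": set(protocols), "dhcp_client": dhcp}


# Table 7-6 expressed as data.
TABLE_7_6 = [iface("VPN1", "VPN2", "DD_Tailspin", "DD_Wingtip"),
             iface("VPN2", "VPN1", "DD_Wingtip", "DD_Tailspin")]

# Constructed bad design: a hypothetical third site, VPN3, added carelessly.
BAD = TABLE_7_6 + [
    iface("VPN1", "VPN3", "DD_Branch", "DD_Wingtip", auth="MS-CHAP",
          protocols=("PPTP",)),
    iface("VPN3", "VPN1", "DD_HQ", "DD_Branch"),
]


def lint(design):
    """Return findings for a list of interface records; empty means clean."""
    findings, accounts = [], {}
    links = {(d["router"], d["peer"]): d for d in design}
    for d in design:
        where = f"{d['router']}/{d['interface']}"
        # Interface name must equal the credential user on the opposite router.
        remote = links.get((d["peer"], d["router"]))
        if remote is None:
            findings.append(f"{where}: no interface on {d['peer']} dials back")
        elif remote["credential_user"] != d["interface"]:
            findings.append(f"{where}: {d['peer']} authenticates as "
                            f"{remote['credential_user']}, not {d['interface']}")
        # Separate user account for each demand-dial connection on a router.
        first = accounts.setdefault((d["router"], d["credential_user"]), where)
        if first != where:
            findings.append(f"{where}: account shared with {first}")
        if d["auth"] not in ACCEPTED_AUTH:
            findings.append(f"{where}: {d['auth']} is below the MS-CHAPv2 minimum")
        if "L2TP/IPSec" not in d["protocols"]:
            findings.append(f"{where}: L2TP/IPSec not offered")
        if d["dhcp_client"]:
            findings.append(f"{where}: router is a DHCP client")
    return findings
```

Running `lint(TABLE_7_6)` returns no findings, while `lint(BAD)` flags the reused account, the weak authentication method, the PPTP-only interface and the mismatched interface name on VPN3.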