1. WEBCAST SCHEDULE
Today’s event will run one hour long. Here are the expected times for each segment of the Webcast:
:00 – :05: Moderator introduces the speaker and discusses the details of the Webcast.
:05 – :35: Speaker delivers a PowerPoint presentation on the Webcast topic.
:35 – :60: Moderator and speaker engage in a Q&A on the topic.
2. TECHNICAL FAQs
Here are answers to the most common technical problems users encounter during a Webcast:
Q: Why can’t I hear the audio part of the webcast?
A: Try increasing the volume on your computer.
Q: I just entered the webcast and do not see the slide that the speaker is referring to. What should I do?
A: The slides are constantly being pushed to your screen. You should refresh (hit F5) to view the latest slide.
Q: I can’t view some of the detail on the slides. How do I enlarge the slides for a better view?
A: Click the “Enlarge slide” link in the upper right corner of your presentation. This will open a new browser with a full view of the current slide.
You can also visit the Broadcast Help page for more information or to test your browser compatibility. Click here: http://audience.broadcast.yahoo.com
If you still have technical questions or problems, send an e-mail to WebcastHelp@TechTarget.com. A technical support person will respond to you within 24 hours.
3. TechTarget
Virtual Private Networks on Windows 2000 and Windows 2003 Server
Bill Boswell
Windows Consulting Group
4. Slide Presentation
Prepared By
Mark Walla
Secure Logistix Corp
Robert Williams
Secure Logistix Corp
5. VPN Webcast Expectations
Technical overview of VPN technology … this is not intended to troubleshoot VPNs
Provide tutorial on Virtual Private Networks basics
Definitions
Protocols
Configuration
Architecture
Go through VPN implementation with the Windows 2003 Server family
Participants should have working knowledge of computing networks and the Windows platform
6. VPN Definition
A Virtual Private Network is a connection between two communication endpoints that ensures privacy and authentication
VPN connections between offices create a tunnel through which users can access resources securely without dedicated point-to-point WAN links
7. VPN Configurations
Two general VPN configurations:
Site-to-Site
RRAS servers act as demand-dial VPN routers
Example: Branch office with Internet access connects via VPN to corporate network
Remote access
RRAS server acts as endpoint for client connections
Example: XP laptop connects through Internet to main office from hotel room
10. Authentication
VPNs use standard PPP for initial authentication
Password-based authentication to RRAS server
X.509 certificates used to establish secure connection for IP Security (IPSec)
Protocol selection dependent on client and server
Windows servers support all Internet standards
12. PPP Authentication Protocols
Password Authentication Protocol (PAP)
Sends password in clear text
Shiva Password Authentication
Sends encrypted password - can be compromised
Challenge Handshake Authentication Protocol (CHAP)
Uses MD5 hash of user’s plain text password and challenge. Requires reversible password.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
One-way authentication (not mutual) between client and server.
Challenge hashed with user’s Windows password hash
MS-CHAP Version 2
Stronger version of MS-CHAP that uses longer challenge, salted response, mutual authentication, and a more secure password change mechanism
Extensible Authentication Protocol (EAP)
Allows for additional protocols within PPP authentication
IEEE 802.1X Support
EAP module that supports certificate-based authentication using RADIUS
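The CHAP bullet above says the protocol "requires reversible password". The following added Python example (not code from the presentation) shows why: the RFC 1994 response is MD5 over the Identifier byte, the shared secret and the challenge, so the server can only recompute it if it holds the secret itself, whereas the MS-CHAP family on the same slide derives its response from the Windows password hash and so needs only that hash. The password and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-byte Identifier, the shared
    secret (the user's plain-text password) and the challenge value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    """Server-side check. The server must recompute MD5(ID || secret || challenge),
    so it has to hold the secret in plain text or in a reversibly encrypted form."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, server_store: bytes,
                  challenge: Optional[bytes] = None) -> bool:
    """One authentication round. The client always uses the real password; the
    server verifies with whatever it has stored. Returns True on success."""
    challenge = challenge or os.urandom(16)   # server-generated nonce
    identifier = 1
    response = chap_response(identifier, secret, challenge)   # computed by the client
    return chap_verify(identifier, server_store, challenge, response)


# Constructed sample values (not from the presentation).
PASSWORD = b"correct horse battery staple"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    """A plain-text store verifies; a one-way hash of the password cannot be used
    to verify a CHAP response, which is what 'requires reversible password' means."""
    hashed_store = hashlib.sha256(PASSWORD).digest()
    return {
        "plaintext_store": chap_exchange(PASSWORD, PASSWORD, CHALLENGE),
        "hash_only_store": chap_exchange(PASSWORD, hashed_store, CHALLENGE),
        "wrong_password": chap_exchange(b"guess", PASSWORD, CHALLENGE),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server-side store must be reversible, a RRAS server offering CHAP needs the account's "store password using reversible encryption" setting, which is the operational cost the slide is pointing at; MS-CHAP avoids it by working from the NT hash.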
13. VPN Uses Encrypted Tunnel
Encrypted data encapsulated in additional protocol
Forms impenetrable pipe between endpoints
TCP and IP headers included in encrypted payload to prevent eavesdropping
Only IP address of tunnel endpoints required to route packets
Windows uses MPPE, L2TP and IPSec to encrypt data within VPN
14. Point to Point Tunneling Protocol
Uses standard PPP authentication
Authentication occurs prior to forming tunnel
Makes PPTP subject to Man-in-the-Middle exploits
Encapsulates PPP frame inside Generic Routing Encapsulation (GRE) datagram
IP Type 47 (0x2f)
Sometimes not supported through ISP firewall
Establishes connection and sends control traffic over TCP Port 1723
Standard PPP controls piggybacked on GRE
GRE datagrams not signed
16. PPTP Encryption
PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt GRE payload
RC4 streaming encryption with 128-bit key
RRAS server has copy of user PW hash
Obtains via secure channel from domain controller
MPPE keys based on user passwords
PW hashed using MD4
First 16 bytes of PW hash are hashed to produce PwHashHash
PwHashHash hashed with challenge to form master key
Send and Receive keys generated from master key
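The key chain on this slide (MD4 password hash, PwHashHash, master key, send and receive keys), carried through as an added Python example that is not code from the presentation or from Microsoft. MD4 is a pure-Python RFC 1320 implementation because hashlib's md4 depends on OpenSSL's legacy provider and is often unavailable. The master-key and session-key steps follow the RFC 3079 construction that MPPE uses for 128-bit keys; where the slide says PwHashHash is "hashed with challenge", RFC 3079 actually feeds in the 24-byte MS-CHAPv2 NT-Response the client computed from the challenge, and this example takes that response as an opaque constructed input rather than implementing the DES-based response. The password value is constructed.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); returns the 16-byte digest."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)          # little-endian bit length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        s = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                s[0] = rotl((s[0] + func(s[1], s[2], s[3]) + x[k] + const) & MASK, shifts[i % 4])
                s.insert(0, s.pop())            # rotate registers (a,b,c,d) -> (d,a,b,c)
        a, b, c, d = ((a + s[0]) & MASK, (b + s[1]) & MASK,
                      (c + s[2]) & MASK, (d + s[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """Slide: 'PW hashed using MD4'. The Windows NT hash is MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def password_hash_hash(password: str) -> bytes:
    """Slide: the 16-byte PW hash is hashed again to produce PwHashHash."""
    return md4(nt_hash(password))


# RFC 3079 constants for the 128-bit MPPE key derivation.
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def master_key(pw_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: SHA-1 over PwHashHash, the 24-byte NT-Response
    (the client's answer to the challenge) and Magic1; keep the first 16 bytes."""
    assert len(pw_hash_hash) == 16 and len(nt_response) == 24
    return hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()[:16]


def session_key(master: bytes, send: bool, server: bool, length: int = 16) -> bytes:
    """RFC 3079 GetAsymmetricStartKey. Send and receive keys differ only in the
    magic string hashed, so the client's send key equals the server's receive key."""
    magic = MAGIC3 if send == server else MAGIC2
    return hashlib.sha1(master + SHS_PAD1 + magic + SHS_PAD2).digest()[:length]


def derive_mppe_keys(password: str, nt_response: bytes, server: bool):
    """Returns (send_key, receive_key) for one side of the PPTP connection."""
    master = master_key(password_hash_hash(password), nt_response)
    return session_key(master, True, server), session_key(master, False, server)


# Constructed inputs (not from the presentation): a sample password and a
# placeholder 24-byte NT-Response standing in for the real MS-CHAPv2 value.
SAMPLE_PASSWORD = "password"
SAMPLE_NT_RESPONSE = bytes(range(24))

if __name__ == "__main__":
    print("NT hash:", nt_hash(SAMPLE_PASSWORD).hex())
    print("client send/recv:", [k.hex() for k in derive_mppe_keys(SAMPLE_PASSWORD, SAMPLE_NT_RESPONSE, False)])
```

The chain makes the slide's point concrete: every key on the wire is a deterministic function of the NT hash and the challenge exchange, so the strength of MPPE is bounded by the password and by the authentication protocol that carries the response, which is why the deck prefers L2TP/IPSec with certificates.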
18. Layer 2 Tunneling Protocol
Works at Layer 2 (Data Link) rather than at the application layer
Encapsulates entire PPP frame (L2) within datagram
Datagram protocol depends on L2TP implementation
Windows uses IPSec Encapsulating Security Payload (ESP)
IP Protocol 50
ESP uses variety of algorithms
W2K3 uses 3DES by default and AES if FIPS140 selected in Group Policy
IPSec Handles Key Exchange
Internet Security Association and Key Management Protocol (ISAKMP)
Endpoints exchange session keys encrypted with public key of partner
Occurs over UDP Port 500
Superior to PPTP - Authentication occurs inside encrypted tunnel – no man-in-the-middle exploit possible
IPSec also offers data integrity
Each L2TP datagram digitally signed within IPSec Authentication Header (AH)
22. L2TP Requires Certificates
Deploy Windows PKI
Refer to most current MSFT white papers
Use W2K3 CA to get maximum features
Can also use for EFS, S/MIME, SSL
Configure group policy for autoenrollment
Feature available on W2K and W2K3
Avoids manually obtaining Computer certificates
23. IPSEC Tunneling
L2TP not firewall friendly
TCP headers encrypted in ESP payload
Standard IPSec suffers from same problem
W2K3 and XP support IPSec tunnel through NAT
Can use IPSec Tunnel when L2TP and PPTP not available on VPN servers or clients
Look for NAT-T support in your firewall
24. RRAS Server Configuration
Routing and remote access service
Installed by default but not enabled
Configure for VPN to support individual users
Configure for VPN and router to support site-to-site tunnels
Configure PPTP ports for dial-in access
Limitations
W2K3 Web Edition only supports one inbound VPN connection at a time
RRAS server must be domain member or use RADIUS
28. Steps for PPTP Implementation
Internet connection must support IP protocol 47 (GRE)
Firewall must allow TCP Port 1723
Configure RRAS Service
Configure for VPN
Configure L2TP ports for dial-in access
Define Remote Access Policy
Denied by default
VPN client configuration
Create New Connection – Specify PPTP in Network
29. Steps for L2TP Implementation
Internet connection must support IP protocol 50 (ESP)
Firewall must allow TCP Port 500
Routing and remote access service
Configure for VPN
Configure L2TP ports for dial-in access
Enroll for Computer Certificates
Configure autoenroll policy in W2K and W2K3
Define Remote Access Policy
Denied by default
VPN client configuration
Create New Connection – Specify L2TP in Network
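The firewall prerequisites from slides 14, 18, 23, 28 and 29, turned into an added Python checker (not code from the presentation or from Microsoft). It models an ordered allow/deny policy, reports which PPTP or L2TP/IPSec entries are missing (the "ISP firewall passes TCP 1723 but not GRE" case from slide 14), and classifies constructed flow-log lines by VPN component so an operator can see the tunnel setup on the wire. ISAKMP is checked on UDP 500 as slide 18 states; slide 29's "TCP Port 500" should be read as that same UDP port. UDP 4500 for NAT-T (RFC 3948) is added from general knowledge, since slide 23 only says to look for NAT-T support. The policy, the log format and all addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ports and IP protocol numbers the slides give: PPTP control on TCP 1723 and
# data in GRE (IP protocol 47); ISAKMP on UDP 500 and ESP (IP protocol 50).
# UDP 4500 for NAT-T (RFC 3948) is added from general knowledge.
VPN_TRAFFIC = {
    ("tcp", 1723): "PPTP control (TCP 1723)",
    ("gre", None): "PPTP data (GRE, IP protocol 47)",
    ("udp", 500): "ISAKMP key exchange (UDP 500)",
    ("esp", None): "IPSec ESP (IP protocol 50)",
    ("udp", 4500): "IPSec NAT-T (UDP 4500)",
}

# What an inbound policy must permit before each VPN type can work.
REQUIRED = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPSec": [("udp", 500), ("esp", None)],
    "L2TP/IPSec behind NAT": [("udp", 500), ("udp", 4500)],
}

IP_PROTO_NAMES = {6: "tcp", 17: "udp", 47: "gre", 50: "esp"}


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "gre" or "esp"
    dport: Optional[int]    # None matches any port; gre and esp have no port
    action: str             # "allow" or "deny"


def allowed(rules: List[Rule], proto: str, dport: Optional[int]) -> bool:
    """Ordered ACL semantics: the first matching rule decides; no match means deny."""
    for rule in rules:
        if rule.proto == proto and (rule.dport is None or rule.dport == dport):
            return rule.action == "allow"
    return False


def missing_for(rules: List[Rule], vpn_type: str) -> List[str]:
    """Names the required protocol/port entries the policy does not allow."""
    missing = []
    for proto, dport in REQUIRED[vpn_type]:
        if not allowed(rules, proto, dport):
            missing.append(f"{proto}/{dport}" if dport is not None else proto)
    return missing


def classify_line(line: str) -> Optional[str]:
    """Maps one constructed 'key=value' flow-log line to the VPN component it carries."""
    fields = dict(token.split("=", 1) for token in line.split())
    proto = IP_PROTO_NAMES.get(int(fields["proto"]))
    if proto is None:
        return None
    port_text = fields.get("dport", "-")
    dport = None if proto in ("gre", "esp") or port_text == "-" else int(port_text)
    return VPN_TRAFFIC.get((proto, dport))


def vpn_components(lines: List[str]) -> List[str]:
    """The VPN components seen in a log, in order, skipping unrelated traffic."""
    return [name for name in map(classify_line, lines) if name]


# Constructed policy: passes TCP 1723 but has no rule for GRE (the ISP-firewall
# case on slide 14), while the L2TP/IPSec entries are complete.
ISP_POLICY = [Rule("tcp", 1723, "allow"), Rule("udp", 500, "allow"), Rule("esp", None, "allow")]
FULL_POLICY = ISP_POLICY + [Rule("gre", None, "allow")]

# Constructed flow-log lines (not from the presentation).
FLOW_LOG = [
    "ts=2003-05-01T09:00:01 src=203.0.113.10 dst=198.51.100.5 proto=6 dport=1723",
    "ts=2003-05-01T09:00:02 src=203.0.113.10 dst=198.51.100.5 proto=47 dport=-",
    "ts=2003-05-01T09:05:00 src=203.0.113.22 dst=198.51.100.5 proto=17 dport=500",
    "ts=2003-05-01T09:05:01 src=203.0.113.22 dst=198.51.100.5 proto=50 dport=-",
    "ts=2003-05-01T09:07:00 src=203.0.113.22 dst=198.51.100.5 proto=17 dport=53",
]

if __name__ == "__main__":
    for vpn_type in REQUIRED:
        print(vpn_type, "missing:", missing_for(ISP_POLICY, vpn_type))
    print(vpn_components(FLOW_LOG))
```

A PPTP session that shows TCP 1723 in the log but never a GRE flow is the usual symptom of the slide 14 case; the checker reports that gap from the policy before the first user hits it.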
30. Additional Information
To receive a copy of Chapter 13: VPN and IPSec from The Ultimate Windows 2003 Server Administrator’s Guide (Addison Wesley 2003), contact Mark or Bob at info@securelogistix.com
Mark Walla
Secure Logistix Corp
Robert Williams
Secure Logistix Corp
31. Additional Questions
For more details on W2K3 VPNs and Windows security information in general, contact Bill Boswell
bboswell@winconsultants.com
32. Audience Questions
Bill will be taking audience questions on this topic
following the event. You can submit your specific questions
for Bill by clicking the Ask a Question button in the lower
left corner of your presentation screen.
33. Feedback
Thank you for your participation
Did you like this Webcast topic? Would you like us to host other events similar to this one? Send us your feedback on this event and ideas for other topics at editor@searchWin2000.com.