VPN 70-680 Study Guide - Configure Remote Connections

http://www.mcmcse.com/microsoft/guides/70-680/remote_connections.shtml
Introduction to VPNs:
A VPN is a network that uses a public
telecommunication infrastructure, such as the Internet,
to provide remote offices or individual users with
secure access to their organization's network. A VPN
works by using the shared public infrastructure while
maintaining privacy through security procedures and
tunneling protocols such as the Layer Two Tunneling
Protocol (L2TP) or PPTP. In effect, the protocols, by
encrypting data at the sending end and decrypting it at
the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not
properly encrypted.
Although not every edition of Windows 7 supports DirectAccess, every edition of Windows 7 supports
VPN using the PPTP, L2TP/IPsec, SSTP, and IKEv2 protocols which are discussed below:
Point-to-Point Tunneling Protocol (PPTP) - Based on PPP, the Point-to-Point Tunneling
Protocol (PPTP) provides for the secure transfer of data from a remote client to a private
server by creating a multi-protocol Virtual Private Network (VPN) which encapsulates PPP
packets into IP datagrams. PPTP is considered to have weak encryption and authentication;
therefore, IPsec is typically preferred.
Layer 2 Tunneling Protocol (L2TP) / IP security (IPsec) - L2TP is the next-generation
tunneling protocol, partially based on PPTP. L2TP acts as a data link layer (layer 2 of the
OSI model) protocol for tunneling network traffic between two peers over an existing network
(usually the Internet). It is common to carry Point-to-Point Protocol (PPP) sessions within
an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself.
IPsec is often used to secure L2TP packets by providing confidentiality, authentication and
integrity. The combination of these two protocols is generally known as L2TP/IPsec. IPsec
ensures confidentiality, integrity, and authenticity of data communications across a public
network. IPsec is made up of two different protocols: AH and ESP. AH (Authentication Header)
is responsible for authenticity and integrity, while ESP (Encapsulating Security Payload)
encrypts the payload.
Secure Socket Tunneling Protocol (SSTP) - A tunneling protocol that uses the HTTPS
protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block
PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the
Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for
strong authentication methods, such as EAP-TLS. SSL provides transport-level security with
enhanced key negotiation, encryption, and integrity checking.
Internet Key Exchange (IKEv2) - IKEv2 is a tunneling protocol that uses the IPsec Tunnel
Mode protocol over UDP port 500. An IKEv2 VPN is useful when the client moves from one
wireless hotspot to another or when it switches from a wireless to a wired connection. The use
of IKEv2 and IPsec provide strong authentication and encryption methods. Windows 7 is the
first Microsoft operating system to support this protocol.
By default, the VPN type is set to Automatic. You can configure a connection to use a specific VPN
protocol, but if you do this, Windows 7 does not try to use other VPN protocols if the protocol you
select is not available. When a VPN connection type is set to Automatic, Windows 7 attempts to make
a connection using the most secure protocol.
VPN Authentication Protocols:
Remote access in Windows 7 supports the authentication protocols listed in the following table. They
are listed in order of increasing security.
PAP - This protocol uses plaintext passwords. Typically used if the remote access client and
remote access server cannot negotiate a more secure form of validation. PAP is the least secure
authentication protocol. It does not protect against replay attacks, remote client impersonation,
or remote server impersonation. PAP is not enabled by default for Windows 7 and is not supported
by remote access servers running Windows Server 2008.
CHAP - CHAP uses a three-way handshake in which the authentication agent sends the client
program a key to be used to encrypt the user name and password. CHAP uses the Message Digest 5
(MD5) hashing scheme to encrypt the response. CHAP is an improvement over PAP, in that the
password is not sent over the PPP link. CHAP requires a plaintext version of the password to
validate the challenge response. CHAP does not protect against remote server impersonation.
Although remote access servers running Windows Server 2008 do not support this protocol, it is
enabled by default for Windows 7 VPN connections for legacy VPN connections.
MS-CHAP v2 - Supports two-way mutual authentication. The remote access client receives
verification that the remote access server that it is dialing in to has access to the user's
password. MS-CHAP v2 provides stronger security than CHAP.
EAP-MSCHAPv2 - Allows for arbitrary authentication of a remote access connection through the
use of authentication schemes, known as EAP types. EAP offers the strongest security by
providing the most flexibility in authentication variations. This protocol requires the
installation of a computer certificate on the VPN server.
Just like the VPN protocols, by default, Windows first tries to use the most secure authentication
protocol that is enabled, and then falls back to less secure protocols if the more secure ones are
unavailable.
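Added example, not from the study guide or from Microsoft: a minimal RFC 1994 CHAP exchange in Python that shows the three points the table makes about CHAP. The password never crosses the link and a fresh one-shot challenge blocks replay; the authenticator must hold the plaintext secret to verify; and the client answers any challenger, so a rogue server is not detected. The user name and secret are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. Note that it needs every user's plaintext secret."""

    def __init__(self, users: dict):
        self.users = users        # name -> plaintext secret (constructed sample data)
        self.pending = {}         # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> tuple:
        self.next_id = (self.next_id + 1) % 256       # 8-bit identifier field
        value = os.urandom(16)                         # fresh random challenge
        self.pending[self.next_id] = value
        return self.next_id, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # one-shot: defeats replay
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_client(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: answers ANY challenge; nothing here proves who is asking."""
    return chap_response(identifier, secret, challenge)


def demo() -> dict:
    secret = b"correct-horse"                  # constructed sample credential
    server = ChapServer({"alice": secret})
    ident, chal = server.challenge()
    resp = chap_client(ident, secret, chal)    # only the hash crosses the link
    ok = server.verify(ident, "alice", resp)
    replayed = server.verify(ident, "alice", resp)      # same response again
    ident2, chal2 = server.challenge()
    stale = server.verify(ident2, "alice", resp)        # old response, new challenge
    rogue = ChapServer({})                     # impersonator holding no secrets
    rid, rchal = rogue.challenge()
    leaked = chap_client(rid, secret, rchal)   # client cannot tell it is a rogue
    return {"ok": ok, "replayed": replayed, "stale": stale,
            "rogue_got_response": len(leaked) == 16}
```

The last result is why the table ranks MS-CHAP v2, which adds a server-side proof, above CHAP.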
Configuring a VPN Connection:
When configuring a VPN, you need to know the IP address or fully qualified domain name (FQDN) of
the remote access server to which you are connecting. The steps for creating the VPN connection to a
Windows Server 2008 computer are as follows:
1. Open the Control Panel, select Network and Internet then Network and Sharing Center.
2. Click Set up a new connection.
3. Click Connect to a workplace and then click Next.
4. Select Use my Internet connection (VPN).
5. Enter the hostname or IP Address for the VPN Server and enter a name for the connection.
You can also configure the option to use a smart card for authentication, allow other people to
use your VPN connection, and instruct the wizard not to connect you to the VPN now.
6. Next, you will need to enter a username and password to connect to the network.
Click Create to finish the wizard.
Once the connection is created, you can modify additional settings such as the authentication
protocols and sharing by following these steps:
1. In the Network and Sharing Center, click Connect to a network.
2. From the list of networks, right click on your VPN and click Properties.
VPN Reconnect:
In previous versions of Windows, when Internet connectivity was lost, the VPN connection was also lost.
This meant that if the user was working with an application or had a document open when the
interruption occurred, the user's work would be lost. In Windows 7, VPN Reconnect uses IKEv2
technology to provide seamless and consistent VPN connectivity, automatically re-establishing a VPN
when users temporarily lose their Internet connections. Users who connect using wireless mobile
broadband will benefit most from this capability.
Only VPN servers running Windows Server 2008 R2 support IKEv2. You can configure VPN Reconnect
with a maximum timeout of 8 hours. After the period specified in the Network Outage Time setting has
expired, the user must reconnect manually.
NAP Remediation:
NAP enforces health requirements by monitoring and assessing the health of client computers when
they attempt to connect or communicate on a network. Client computers that are not in compliance
with the health policy can be provided with restricted network access until their configuration is
updated and brought into compliance with policy. Typical problems might include having Windows
Firewall turned off, missing or out-of-date virus protection, uninstalled security updates, etc.
On NAP client computers running Windows 7, NAP is integrated into Action Center. If a NAP client
computer is determined to be noncompliant with network health policies, you can obtain more
information by reviewing the Network Access Protection category under Security. NAP client
computers that are compliant with health requirements and computers that are not running the NAP
Agent service do not display NAP information in Action Center.
With regard to VPN connections, achieving compliance often requires access to a remediation network.
A remediation network hosts necessary services that can allow the client to achieve compliance.
Noncompliant clients can communicate with hosts on the remediation network but not other hosts on
the internal corporate network. A remediation network might include a Windows Server Update
Services (WSUS) server, Antivirus signature server, System Center component server, etc.