Building and Managing Virtual Private Networks
by Dave Kosiur
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471295264 Pub Date: 09/01/98

Because compulsory tunnels are created without the user’s consent, they may be transparent to the end
user. The client-side endpoint of a compulsory tunnel typically resides on a remote access server. All
traffic originating from the end user’s computer is forwarded over the PPTP tunnel by the RAS. Access
to other services outside the intranet would be controlled by the network administrators. PPTP enables
multiple connections to be carried over a single tunnel.
`
Because a compulsory tunnel has predetermined endpoints and the user cannot access other parts of the
Internet, these tunnels offer better access control than voluntary tunnels. If it’s corporate policy that
employees cannot access the public Internet, for example, a compulsory tunnel would keep them out of
the public Internet while still allowing them to use the Internet to access your VPN.
`
Another advantage to a compulsory tunnel is that multiple connections can be carried over a single
tunnel. This feature reduces the network bandwidth required for transmitting multiple sessions, because
the control overhead for a single compulsory tunnel carrying multiple sessions is less than that for
multiple voluntary tunnels, each carrying traffic for a single session. One disadvantage of compulsory
tunnels is that the initial link of the connection (i.e., the PPP link between the end user’s computer and
the RAS) is outside the tunnel and, therefore, is more vulnerable to attack.
`
Static compulsory tunnels typically require either dedicated equipment or manual configuration. These
dedicated, or automatic, tunnels might require the user to call a special telephone number to make the
connection. On the other hand, in realm-based, or manual, tunneling schemes, the RAS examines a
portion of the user’s name, called a realm, to decide where to tunnel the traffic associated with that user.
`
FIGURE Voluntary and compulsory tunnels.
`
However, setup and maintenance of static tunnels increases the demands on network management. A
more flexible approach would be to dynamically choose the tunnel destination on a per-user basis when
the user connects to the RAS. These dynamic tunnels can be set up in PPTP by linking the system to a
RADIUS server to obtain session configuration data on the fly.
`
Static tunneling requires the dedication of a network access server (NAS) to the purpose. In the case of
an ISP, this restriction would be undesirable because it requires the ISP to dedicate an NAS to tunneling
service for a given corporate customer, rather than enabling them to use existing network access servers
deployed in the field. As a result, static tunneling is likely to be costly for deployment of a global service.

Petitioner Apple Inc. - Ex. 1006, p. 113
`
Realm-based tunneling assumes that all users within a given realm want to be treated the same way,
limiting a corporation’s flexibility in managing the account rights of their users. For example,
MegaGlobal Corp. may desire to provide Jim with an account that allows access to both the Internet and
the intranet, with Jim’s intranet access provided by a tunnel server located in the engineering department.
However, MegaGlobal Corp. may want to provide Sam with an account that provides only access to the
intranet, with Sam’s intranet access provided by a tunnel network server located in the sales department.
Situations like these cannot be accommodated with realm-based tunneling.
`
Using RADIUS to provision compulsory tunnels has several advantages. For instance, tunnels can be
defined and audited on the basis of authenticated users, authentication and accounting can be based on
telephone numbers, and other authentication methods, such as tokens or smart cards, can be
accommodated. When deployed in concert with roaming, user-based tunneling offers corporations the
capability to provide their users with access to the corporate intranet on a global basis.
`
RADIUS

The RADIUS client/server model uses a network access server to manage user connections. Although the
NAS functions as a server for providing network access, it also functions as a client for RADIUS. The
NAS is responsible for accepting user connection requests, getting user ID and password information,
and passing the information securely to the RADIUS server. The RADIUS server returns authentication
status, i.e., approved or denied, as well as any configuration data required for the NAS to provide
services to the end user.
`
Roaming

Various ISPs have started to form strategic alliances—for example, the Stentor Alliance between MCI,
British Telecom, and Bell Canada—that allow the partners to tunnel traffic across one another’s
networks. These agreements make it easier for your mobile workers to tunnel traffic to your corporate
sites regardless of their location. If their work takes them to areas not serviced by your ISP, then they
can call one of the partner ISPs in the area to use the VPN.
`
RADIUS creates a single, centrally located database of users and available services, a feature particularly
important for networks that include large modem banks and more than one remote communications
server. With RADIUS, the user information is kept in one location, the RADIUS server, which manages
the authentication of the user and access to services from one location. Because any device that supports
RADIUS can be a RADIUS client (see Figure 6.6), a remote user will gain access to the same services
from any communications server communicating with the RADIUS server.
`
RADIUS supports the use of proxy servers, which store user information for authentication purposes and
can be used for accounting and authorization, but they do not allow the user data (passwords and so on)
to be changed. A proxy server depends on periodic updates of the user database from a master RADIUS
server (see Figure 6.6). When corporations are looking to outsource their VPN to an ISP, they probably
will arrange to have an ISP authenticate users of its PPTP server based on corporate-defined user data. In
such cases, the corporation would maintain a RADIUS server and set user information on it, and the ISP
would have a proxy RADIUS server that receives updates from the corporate server.
`
For RADIUS to control the setup of a tunnel, it has to store certain attributes about the tunnel. These
attributes include the tunnel protocol to be used (i.e., PPTP or L2TP), the address of the desired tunnel
server, and the tunnel transport medium to be used. In order to take further advantage of RADIUS’
capabilities—namely, its capability to track network usage—a few more items are needed—the address
of the tunnel client (the NAS) and a unique identifier for the tunneled connection.
`
`
When combining dynamic tunneling with RADIUS, at least three possible options are available for user
authentication and authorization:

1. Authenticate and receive authorization once, at the RAS end of the tunnel.

2. Authenticate and receive authorization info once, at the RAS end of the tunnel, and somehow
forward the RADIUS reply to the remote end of the tunnel.

3. Authenticate on both ends of the tunnel.

FIGURE 6.6 Interactions among a RADIUS server, proxy server, and clients.
`
The first model is a poor trust model because it requires the ISP alone to control access to the network,
and the second is an adequate trust model but doesn’t scale well, due to the way RADIUS authenticates
replies. The third option is robust and works well if a RADIUS proxy server is used, which also supports
the use of a single user name and password at both ends.
`
Let’s look at the chain of events for creating a tunnel when using RADIUS this way (see Figure 6.7).
First, the remote user dials into the remote access server and enters his password as part of the PPP
authentication sequence (step 1 in the figure). The remote access server, acting as a RADIUS client, then
uses RADIUS to check the password and receives tunnel information from the local RADIUS proxy
server; this information would include attributes specifying which PPTP server is to be the endpoint of
the tunnel that will be used for this particular user (steps 2 to 5). The remote access server will open the
tunneled connection, creating a tunnel if necessary. Recall that traffic from more than one user can be
transmitted in the same compulsory tunnel at the same time. The PPTP server would reauthenticate the
user (step 6), checking the password against the same RADIUS server that was used in the initial
exchange (steps 7 and 8). Upon authentication, the PPTP server will accept tunneled packets from the
remote user and forward the packets to the appropriate destination on the corporate network.
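The chain of events just described, together with the tunnel attributes listed earlier and the reason option 2 depends on "the way RADIUS authenticates replies", as an added example in Python. This is not code from the book or from any vendor it names. It assumes the RFC 2865 packet layout, User-Password hiding and Response Authenticator, and the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Server-Endpoint, Tunnel-Assignment-ID), which are the standardized form of the attributes the text lists; the user names, passwords, addresses and shared secret are constructed, and the RADIUS server is called in-process instead of over UDP.

```python
"""Added example, not from the book: the Figure 6.7 chain of events in code. The NAS
(a RADIUS client) sends an Access-Request with the RFC 2865 hidden User-Password; the
RADIUS server answers Access-Accept carrying the RFC 2868 tunnel attributes the text
lists; the NAS checks the Response Authenticator before trusting the reply; the PPTP
server then re-authenticates the user against the same server (option 3 in the text).
User names, passwords, addresses and the shared secret are constructed values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65               # RFC 2868 attribute numbers
TUNNEL_SERVER_ENDPOINT, TUNNEL_ASSIGNMENT_ID = 67, 82
TUNNEL_TYPE_PPTP, MEDIUM_IPV4 = 1, 1

SHARED_SECRET = b"constructed-nas-secret"              # known to NAS and RADIUS server only
USERS = {                                               # constructed user database
    "jim@megaglobal.example": {"password": "jim-pw", "tunnel_server": "10.1.0.5"},
    "sam@megaglobal.example": {"password": "sam-pw", "tunnel_server": "10.2.0.5"},
}

def encode_attrs(attrs):
    """attrs is a list of (type, value bytes); each becomes Type, Length, Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2: raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def password_xor(data, request_auth, secret, hiding):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous hidden block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def radius_server(packet, secret):
    """Check the password; on success reply with this user's tunnel attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode()
    password = password_xor(attrs.get(USER_PASSWORD, b""), request_auth, secret, False).decode(errors="replace")
    entry = USERS.get(user)
    if code != ACCESS_REQUEST or entry is None or entry["password"] != password:
        reply_code, reply_attrs = ACCESS_REJECT, []
    else:                                               # leading b"\x00" is the RFC 2868 tag (untagged)
        reply_code, reply_attrs = ACCESS_ACCEPT, [
            (TUNNEL_TYPE, b"\x00" + struct.pack("!I", TUNNEL_TYPE_PPTP)[1:]),
            (TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", MEDIUM_IPV4)[1:]),
            (TUNNEL_SERVER_ENDPOINT, b"\x00" + entry["tunnel_server"].encode()),
            (TUNNEL_ASSIGNMENT_ID, b"\x00" + ("tun-" + user.split("@")[0]).encode())]
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def radius_client(user, password, secret, server=radius_server):
    """NAS side. Returns ("accept", tunnel dict), ("reject", None) or ("forged", None)."""
    ident, request_auth = 7, os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, password_xor(password.encode(), request_auth, secret, True))]
    reply = server(build_packet(ACCESS_REQUEST, ident, request_auth, attrs), secret)
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    reply_attrs = decode_attrs(reply[20:length])
    expected = response_authenticator(code, reply_ident, request_auth, reply_attrs, secret)
    if reply_ident != ident or reply[4:20] != expected:
        return "forged", None                            # altered in transit or wrong secret
    if code != ACCESS_ACCEPT:
        return "reject", None
    tagged = {t: v[1:] for t, v in reply_attrs}          # strip the RFC 2868 tag byte
    return "accept", {"tunnel_type": int.from_bytes(tagged[TUNNEL_TYPE], "big"),
                      "tunnel_server": tagged[TUNNEL_SERVER_ENDPOINT].decode(),
                      "assignment_id": tagged[TUNNEL_ASSIGNMENT_ID].decode()}

def rewriting_proxy(packet, secret):
    """A proxy that changes the endpoint but cannot re-sign without the NAS's secret."""
    return radius_server(packet, secret).replace(b"10.1.0.5", b"10.9.9.9")

def compulsory_tunnel_login(user, password):
    """Steps 1-8 of Figure 6.7: NAS learns the endpoint (1-5), PPTP server re-checks (6-8)."""
    status, tunnel = radius_client(user, password, SHARED_SECRET)
    if status != "accept":
        return status, None
    pptp_status, _ = radius_client(user, password, SHARED_SECRET)
    return pptp_status, tunnel["tunnel_server"]
```

The `"forged"` branch is the check the text alludes to: a NAS only trusts a reply whose authenticator was computed with the secret it shares with the server, which is why a reply cannot simply be handed onward to a second tunnel endpoint (option 2) and why, in option 3, the PPTP server repeats the exchange itself with the same name and password.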
`
FIGURE 6.7 RADIUS authentication for dynamic tunnels.
`
Authentication and Encryption

Remote PPTP clients are authenticated by the same PPP authentication methods used for any RAS client
dialing directly to a RAS server. Microsoft’s implementation of RRAS supports CHAP, MS-CHAP, and
PAP authentication schemes. MS-CHAP uses the MD4 hash for creating the challenge token from the
user’s password.
`
PAP and CHAP do have definite disadvantages when secure authentication is desired. Both PAP and
CHAP rely on a secret password that must be stored on the remote user’s computer and the local
computer. If either computer comes under the control of a network attacker, then the secret password is
compromised. Also, with CHAP or PAP authentication, you cannot assign different network access
privileges to different remote users who use the same remote host. Because one set of privileges is
assigned to a specific computer, everybody who uses that computer will have the same set of privileges.
`
In Microsoft’s implementation of PPTP, data is encrypted via Microsoft Point-to-Point Encryption
(MPPE), which is based on the RSA RC4 standard (see Figure 6.8). The Compression Control Protocol
(CCP) used by PPP is used to negotiate encryption. MS-CHAP is used to validate the end user in a
Windows NT domain, and an encryption key for the session is derived from the hashed user password
stored on both the client and server. (An MD4 hash is used.) A 40-bit session key normally is used for
encryption, but U.S. users can install a software upgrade to use a 128-bit key. Because MPPE encrypts
PPP packets on the client workstation before they enter a PPTP tunnel, the packets are protected
throughout the link from the workstation to the PPTP server at the corporate site. Changes in session
keys can be negotiated to occur for every packet or after a preset number of packets.
`
FIGURE 6.8 Packet encryption in PPTP.
`
LAN-to-LAN Tunneling

The original focus of PPTP was the creation of dial-in VPNs (i.e., to provide secure dial-in access to
corporate LANs via the Internet). LAN-to-LAN tunnels were not supported at first. It wasn’t until
Microsoft introduced their Routing and Remote Access Server for NT Server 4.0 that NT Servers were
able to support LAN-to-LAN tunnels. Since then, other vendors also have released compatible PPTP
servers that also support LAN-to-LAN tunneling.
`
As implemented in Microsoft's RRAS, LAN-to-LAN tunneling occurs between two PPTP servers, much
like IPSec’s use of security gateways to connect two LANs. However, because the PPTP architecture
does not make use of a key management system, authentication and encryption are controlled via CHAP
or via MS-CHAP. In effect, one site’s RRAS, running PPTP, is defined as a user, with an appropriate
password, at the other site’s RRAS and vice versa (see Figure 6.9). To create a tunnel between the two
sites, the PPTP server at one site is authenticated by the other PPTP server using the stored passwords,
much as we described the process earlier for a dial-in user. One site’s PPTP server thus looks like a PPTP
client to the other server, and vice versa, so a voluntary tunnel is created between the two sites.
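The CHAP exchange underlying both the dial-in case above (where the text notes that the secret must be stored on both computers) and this LAN-to-LAN case (where each site's server is a "user" at the other), as an added example in Python. It is not code from the book or from Microsoft's RRAS; it implements CHAP as RFC 1994 defines it (MD5 over identifier, secret and challenge), and the peer names, secrets and identifiers are constructed.

```python
"""Added example, not from the book: PPP CHAP (RFC 1994) as a RAS and its peer
compute it, showing why the verifier must hold the peer's cleartext secret and
why each challenge may be used only once. Names and secrets are constructed."""
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """Peer side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """RAS side. To verify a response it recomputes the MD5 from the peer's
    cleartext secret, so that secret sits on the RAS exactly as it sits on the
    peer: compromise either host and the secret is gone (the text's point)."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)          # peer name -> cleartext secret
        self._outstanding = {}                 # identifier -> challenge, single use

    def challenge(self, identifier):
        """Fresh random challenge per attempt; reusing one would allow replay."""
        value = os.urandom(16)
        self._outstanding[identifier] = value
        return value

    def verify(self, identifier, peer_name, response):
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(peer_name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def mutual_site_auth(site_a, site_b):
    """LAN-to-LAN case: each site's server is a 'user' at the other, so each side
    holds the other's secret and authenticates the other in turn.
    A site is the constructed triple (name, own secret, its ChapAuthenticator)."""
    results = []
    for (name, secret, _), (_, _, verifier) in ((site_a, site_b), (site_b, site_a)):
        chal = verifier.challenge(1)
        results.append(verifier.verify(1, name, chap_response(1, secret, chal)))
    return all(results)
```

Note that `verify` needs `self._secrets[peer_name]` in the clear; a RAS that stored only a one-way hash of each peer's secret could not compute the expected response, which is why a CHAP database is as sensitive as the peers' own copies.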
`
Because this tunnel can encapsulate any supported network-layer protocol (i.e., IP, NETBEUI, IPX),
users at one site will have access to resources at the other site based on their access rights, defined for
that protocol. This means that some form of collaboration between site managers is needed to ensure that
users at a site have the proper access rights to resources at other sites. In Windows NT, for example, each
site can have its own security domain and the sites would establish a trust relationship between the
domains in order to allow users to access a site’s resources.
`
Using PPTP

Because a major focus of PPTP is to provide secure dial-in access to private corporate resources, the
components of a PPTP VPN are organized a bit differently from those of an IPSec VPN (see Chapter 5,
“Using IPSec to Build a VPN”). The most important components are those that define the endpoints of a
PPTP tunnel. Because one of these endpoints can be your ISP’s equipment, this configuration can cut
down on the software needed for your mobile clients but requires collaboration between you and your
ISP for authentication of users.
`
FIGURE 6.9 LAN-to-LAN PPTP tunnels.
`
In general, a PPTP VPN requires three items: a network access server, a PPTP server, and a PPTP client.
Although the PPTP server should be installed on your premises and maintained by your staff, the
network access server should be the responsibility of your ISP. In fact, if you choose to install PPTP
client software on your remote hosts, the ISP doesn’t even need to provide any PPTP-specific support.
`
Figure 6.10 illustrates a few differences between the structure of an IPSec VPN and a PPTP VPN. One
significant difference is that PPTP enables you to outsource some of the PPTP functions to the ISP. At a
corporate site, a PPTP server acts like a security gateway, tying authentication to RADIUS or Windows
NT domains. A PPTP client on a user’s laptop or desktop computer performs many of the same functions
as IPSec client software, although there are no key exchanges.
`
FIGURE 6.10 Comparing IPSec and PPTP architectures.
`
`
PPTP Servers

A PPTP server has two primary roles: it acts as the endpoint for PPTP tunnels, and it forwards packets to
and from the tunnel that it terminates onto the private LAN. The PPTP server forwards packets to a
destination computer by processing the PPTP packet to obtain the private network computer name or
address information in the encapsulated PPP packet.
`
PPTP servers also can filter packets, using PPTP filtering. With PPTP filtering, you can set the server to
restrict who can connect to either the local network or to the Internet. In systems like Windows NT 4.0
and RRAS, the combination of PPTP filtering with IP address filtering enables you to create a functional
firewall for your network.
`
Setting up a PPTP server at your corporate site brings with it a few restrictions, especially if the PPTP
server is to be placed on the private (i.e., corporate) side of the firewall. PPTP has been designed so that
only one TCP/IP port number can be used for passing data through a firewall—port number 1723. This
lack of configurability of the port number can make your firewall more susceptible to attacks. Also, if
you have firewalls configured to filter traffic by protocol, you will need to set them to allow GRE to pass
through.
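The two openings a firewall has to make for PPTP, TCP port 1723 and GRE, as an added example of an ingress filter in Python. This is not code from the book or from any firewall product; it assumes the enhanced GRE header PPTP uses (RFC 2637: K bit set, version 1, protocol type 0x880B, a key field holding payload length and call ID, optional sequence and acknowledgment numbers) so that only PPTP-shaped GRE is admitted rather than any GRE at all. The addresses and packets are constructed.

```python
"""Added example, not from the book: a stateless ingress filter in front of a PPTP
server that admits only the control channel (TCP 1723) and well-formed PPTP GRE
(IP protocol 47, RFC 2637 header), dropping everything else including plain GRE.
Addresses and sample packets are constructed."""
import ipaddress
import struct

PPTP_CONTROL_PORT = 1723
IPPROTO_TCP, IPPROTO_GRE = 6, 47
GRE_PROTO_PPP = 0x880B                       # protocol type PPTP carries in GRE
PPTP_SERVER = "203.0.113.5"                  # constructed corporate PPTP server address

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for the sample packets."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload

def tcp_syn(sport, dport):
    """Bare 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def pptp_gre(call_id, payload, seq=None, ack=None):
    """PPTP data packet: K bit set, version 1, protocol 0x880B, Key field =
    payload length and call ID, optional sequence and acknowledgment numbers."""
    b0 = 0x20 | (0x10 if seq is not None else 0)
    b1 = 0x01 | (0x80 if ack is not None else 0)
    header = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload

def parse_pptp_gre(data):
    """Return the header fields, or None if this is not PPTP's GRE variant."""
    if len(data) < 8:
        return None
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", data[:8])
    if proto != GRE_PROTO_PPP or (b1 & 0x07) != 1 or not (b0 & 0x20):
        return None
    need = 8 + (4 if b0 & 0x10 else 0) + (4 if b1 & 0x80 else 0)
    if len(data) < need or len(data) - need != length:   # declared payload length must match
        return None
    fields, offset = {"call_id": call_id, "payload_len": length}, 8
    if b0 & 0x10:
        fields["seq"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if b1 & 0x80:
        fields["ack"] = struct.unpack("!I", data[offset:offset + 4])[0]
    return fields

def firewall_verdict(packet):
    """Ingress policy toward the PPTP server: control on 1723 and PPTP GRE pass,
    anything else (other ports, plain GRE, other hosts) is dropped."""
    ihl = (packet[0] & 0x0F) * 4
    proto, dst = packet[9], str(ipaddress.ip_address(packet[16:20]))
    payload = packet[ihl:]
    if dst != PPTP_SERVER:
        return "DROP"
    if proto == IPPROTO_TCP:
        dport = struct.unpack("!H", payload[2:4])[0]
        return "ACCEPT" if dport == PPTP_CONTROL_PORT else "DROP"
    if proto == IPPROTO_GRE:
        return "ACCEPT" if parse_pptp_gre(payload) else "DROP"
    return "DROP"
```

The filter is stateless on purpose, to keep the two rules visible; a production firewall would additionally tie each admitted GRE call ID to a control session it has seen on port 1723 and carry return traffic through connection tracking.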
`
A related device is the tunnel switch. Tunnel switches are relatively new devices, initially introduced by
3Com in early 1998. A tunnel switch is a combined tunnel terminator and tunnel initiator. The purpose of
a tunnel switch is to extend tunnels from one network to another—extending a tunnel incoming from
your ISP’s network to your corporate network, for example (see Figure 6.11).
`
Tunnel switches can be used at a firewall to improve the management of remote access to private
network resources. Because the tunnel switch terminates the incoming tunnel, it can examine the
incoming packets for protocols carried by the PPP frames or for the remote user’s name. The switch can
use that information to create tunnels into the corporate network based on the information carried in the
incoming packets.
`
PPTP Client Software

As pointed out frequently in this chapter, if the ISP equipment supports PPTP, no additional software or
hardware is required on the client end; only a standard PPP connection is necessary. On the other hand, if
the ISP does not support PPTP, a Windows NT client (or similar software) can still utilize PPTP and
create the secure connection, first by dialing the ISP and establishing a PPP connection, then by dialing
once again through a virtual PPTP port set up on the client side.
`
FIGURE 6.11 Example of the use of tunnel switches.
`
PPTP clients already exist from Microsoft for computers running Windows NT, Windows 95, and
Windows 98. Network Telesystems also offers PPTP clients for other popular computers, including the
Macintosh and computers running Windows 3.1. When selecting a PPTP client, compare its functionality
to that of your PPTP server. Not all client software will necessarily support MS-CHAP, for instance,
which means they won’t be able to take advantage of Microsoft’s encryption in RRAS.
`
Network Access Servers

Unlike an IPSec VPN, there are many cases in which a PPTP VPN’s design depends on the protocol
support offered by the ISP. This support is particularly important if your mobile workers can use a PPP
client but do not have PPTP clients installed.
`
Because ISPs can offer PPTP services without adding PPTP support to their access servers, this approach
would require that all clients use a PPTP client on their computers. This approach has its advantages
because it enables clients to use more than one ISP if the geographic coverage of a primary ISP isn’t
adequate. Also recall that remote hosts with a PPTP client can set up voluntary tunnels in the PPTP
scheme of things; if you want to control employee access to Internet resources, then you’ll have to resort
to compulsory tunnels, which require the support of your ISP.
`
It’s unlikely that you’ll have any control over the PPTP hardware that your ISP uses, but you should be
aware of its capabilities so that you can take the hardware’s limitations into account in the design of your
VPN.
`
Network access servers, which are also known as remote access servers or access concentrators, provide
software-based line access management and billing capabilities and run on platforms that offer
robustness and fault tolerance at ISP POPs. ISP network access servers generally are designed and built
to accommodate a large number of dial-in clients. An ISP that provides PPTP service would have to
install a PPTP-enabled network access server that supports PPP clients on a number of platforms,
including Windows, Macintosh, and Unix.
`
In such cases, the ISP server acts as a PPTP client and connects to the PPTP server at the corporate
network. The ISP access server thus becomes one of the endpoints for a compulsory PPTP tunnel, with
the network server at the corporate site being the other endpoint.
`
The network access server would choose a tunnel that has not only the appropriate endpoint but also the
appropriate level of performance and service. Network access servers can make tunneling choices based
on calling number, called number, static port mappings, text-based “terminal server” login, user names
(from PAP or CHAP authentication), user-name parsing through DNS, lookups to RADIUS or
TACACS+, ISDN call type, or command-line tunnel requests.
`
Early versions of PPTP devices and software were designed to work with Microsoft’s version of PPTP
and for remote access only. For instance, it wasn’t until the second quarter of 1998 that products other
than Windows NT 4.0 could be used as PPTP servers. LAN-to-LAN PPTP tunneling wasn’t supported
until Microsoft released their Routing and Remote Access Server (RRAS) in late 1997.
`
A few vendors already support PPTP (see Table 6.1 for a partial list), with most of the initial equipment
designed for ISPs. Since Microsoft’s release of RRAS, other vendors also have started providing PPTP
servers with similar features. If you’re planning to install a PPTP VPN, you’ll need to check the
interoperability of your equipment with those of the ISP(s) you plan on using, because some features,
like MS-CHAP, aren’t supported on all devices and client software.
`
Sample Deployment

To illustrate the use of PPTP in a VPN, we’ll create two different scenarios, one strictly for dial-in access
(see Figure 6.12) and the second for a LAN-to-LAN VPN (see Figure 6.13). For simplicity’s sake, we’ll
just have two sites—the corporate headquarters and a branch office—for the second example. In both
cases, we’ll concentrate on the exchange of data between endpoints and not worry about how the
information is protected inside the corporate network (using firewalls, for example).
`
`
TABLE 6.1 Partial List of PPTP Products

Vendor                              Product
3Com                                AccessBuilder 5000, NETBuilder II
Ascend Communications               Max TNT
Bay Networks                        Contivity Extranet Switches
Checkpoint Software Technologies    Firewall-1
ECI Telematics                      Dial Access Concentrator
Extended Systems                    ExtendNet VPN
Freegate Corp.                      VPN Remote
Microcom                            Access Integrator 1700
Microsoft Corp.                     Windows NT Server, RRAS
Network Telesystems                 Tunnel Builder
Shiva Corp.                         LanRover Access Switch
US Robotics (now 3Com)              Total Control Enterprise Network Hub
`
Just as with the IPSec example given in Chapter 5, physical security should include ensuring that all
hosts reside within the site’s physical parameters and all links to outside systems go through the PPTP
server and an associated firewall. The connection between the site’s internal networks and the external
network(s) should be in a locked machine room with restricted access, and only authorized individuals
(network managers, for instance) should have access to the encrypting routers.
`
`
In the scenario diagrammed in Figure 6.12, MegaGlobal Corp. has decided to outsource much of the
VPN work to its ISP. This means that the ISP providing MegaGlobal Corp.’s Internet connectivity has a
RADIUS proxy server and PPTP-enabled network access servers. MegaGlobal Corp. still has to maintain
a master RADIUS server and a PPTP server. Because the ISP is presumed to have PPTP-enabled access
servers, you don’t have to install special PPTP client software on the computers of your mobile workers.

`
Employing a RADIUS server to control authentication and access rights offers you the ability to
centralize control of access, which can be particularly valuable if you’re working in a multiprotocol
environment. That's because many RADIUS servers have the capability to exchange information with
other NOS-based directories, such as Windows NT and Novell Directory Services (NDS).
`
Now let’s take a look at a VPN designed just for LAN-to-LAN connectivity, as in Figure 6.13.
`
In this example, a Windows NT server is installed at each site to serve as a router and PPTP server. In
order for the two sites to communicate with each other over a PPTP tunnel, each PPTP server also will
have to be configured to be a PPTP client of the other server. If the two sites connect via on-demand
dialing, rather than through a permanent network link, the IP address of the ISP’s network access server
also has to be included in the configuration.
`
When any branch office traffic destined for the corporate site arrives at the branch office’s PPTP server,
the server will act as a PPTP client and will create a PPTP tunnel, if one doesn’t already exist, to the
corporate PPTP server in order to transfer the traffic. If traffic from the corporate site is destined for the
branch office, the roles are reversed; the corporate PPTP server takes on the role of a PPTP client and
creates a tunnel to the branch office’s PPTP server.
`
FIGURE 6.13 An example PPTP LAN-to-LAN VPN.
`
As mentioned earlier in this chapter, one of the primary concerns for managing LAN-to-LAN PPTP links
is ensuring that users at one site have the appropriate access rights at the other sites. This access can be
achieved in Windows NT either by creating a master domain covering all sites or by letting each site be
its own domain. In the first case, or any similar situation in which a hierarchy of domains might be used,
the tunnels will have to carry added traffic as rights are passed between sites to check a user’s traffic.
This added traffic might be undesirable; also, using a centralized domain increases the risk of losing
authentication between two branch offices if the main domain is unreachable. If independent domains,
one for each site, are deployed, then the domain managers will have to establish the appropriate trust
relations between sites and exchange user rights accordingly.
`
Applicability of PPTP

As an interim solution for VPNs, PPTP has a lot going for it, especially if you’re running a
Windows-only shop. PPTP is an interim solution because most vendors are planning to replace PPTP
with L2TP when the protocols are standardized. As you plan to create a PPTP VPN, it would pay to keep
an eye on your vendors’ plans for L2TP.

PPTP is also better suited for handling dial-up access by a limited number of remote users rather than
LAN-to-LAN VPNs. One problem is the need to coordinate user authentication rights across LANs,
either via NT domains or RADIUS. Also, the scalability of PPTP servers has often been called into
question for large numbers of remote users and for large amounts of traffic, such as might be required for
LAN-to-LAN links.
`
That said, PPTP can still be a good way for you to become familiar with VPNs. A VPN can still be a
good cost-reduction measure, even if it’s only focused on remote access costs. (Go back and review
Chapter 2, “Virtual Private Networks,” if you want to see some numbers.) Plus, if you can find an ISP
that supports PPTP on its equipment, you can outsource some of your VPN management to the ISP.
`
If you're not running a Windows-only shop, then you'll have to bite the bullet and perhaps add
management of an NT server to your list of tasks in order to use PPTP. The dependence of PPTP on
Windows NT isn’t likely to go away, especially with L2TP around the corner. Analyze this option
carefully, as the cost savings accompanying an NT server may be more than offset by the support costs,
if you’re not already familiar with NT.
`
PPTP’s security features aren’t nearly as robust as those found in IPSec; see www.counterpane.com for
some of the details. On the positive side, that means that security management is less complex for PPTP.
But, the placement of the PPTP server with respect to any firewalls, as mentioned earlier, raises security
concerns and opens possible holes for attackers.
`
PPTP’s shortcomings make it a reasonable solution for remote access and multiprotocol traffic rather
than LAN-to-LAN VPNs. Its popularity on the Windows NT platform and available clients for other
popular PC platforms have given it a good headstart for dial-in VPNs. If you need to build a VPN that
doesn’t suffer from the restrictions of PPTP but aren’t ready (or willing) to deploy IPSec, a better
solution for VPNs is L2TP (Layer 2 Tunneling Protocol), which will be covered in the following chapter.
`
Summary

We’ve just covered the details of how PPTP, a popular protocol for dial-up VPNs, works. PPTP systems
are rather tightly tied to Windows NT, mainly because so many of the PPTP servers are run on NT
servers. But, PPTP can be configured to support either PPP or PPTP clients, making it easier to support a
variety of operating systems and clients among your mobile workers. Because it’s based on PPP, PPTP is
well-suited to handling multiprotocol network traffic, particularly IP, IPX, and NETBEUI protocols.
`
PPTP’s design also makes it easier to outsource some of the support tasks to an ISP. By using RADIUS
proxy servers, an ISP can authenticate dial-in users for corporate customers and create secure PPTP
tunnels from the ISP’s network access servers to your corporate PPTP servers. These PPTP servers then
remove the PPTP encapsulation and forward the network packets to their appropriate destination on your
private network.
`
`
CHAPTER 7

Using L2TP to Build a VPN

Now that we’re turning our attention to the Layer 2 Tunneling Protocol (L2TP) in this chapter, we’re
almost finished with the three-letter and four-letter acronyms that make up the alphabet soup of VPNs.
`
L2TP should be considered the successor to PPTP; it combines many of the features originally defined in
PPTP with those created for another protocol, Layer 2 Forwarding (L2F), originally designed and
implemented by Cisco. L2F has seen limited deployment; because L2TP combines the best features of
the two protocols, it’s been forecast that L2TP will supersede both PPTP and L2F as it becomes a
standard sometime this year. Many vendors offering support for PPTP in their products either already
include L2TP support as well or have plans to supersede PPTP with L2TP.
`
This chapter starts out with an overview of the architecture of L2TP and moves on to the details of how
the protocol works, including its use of IPSec for encryption. Then we move on to an overview of the
types of products you can use to build a VPN using L2TP.
`
What Is L2TP?
`
The Layer 2 Tunneling Protocol was created as the successor to two tunneling protocols, PPTP and L2F.
Rather than develop two competing protocols to do essentially the same thing—PPTP by Microsoft et al.
versus L2F by Cisco—the companies agreed to work together on a single protocol, L2TP, and submit it
to the IETF for standardization. Because we’ve already devoted a chapter to PPTP, we'll include a few
words about L2F as background for our discussion of L2TP.
`
Like PPTP, L2F was designed as a tunneling protocol, using its own definition of an encapsulation
header for transmitting packets at Layer 2. One major difference between PPTP and L2F is that the L2F
tunneling isn’t dependent on IP and GRE, enabling it to work with other physical media. Because GRE
isn’t used as the encapsulating protocol, L2F specifications define how L2F packets are handled by
different media, with an initial focus on IP’s UDP.
`
Paralleling PPTP’s design, L2F utilized PPP for authentication of the dial-up user, but it also included
support for TACACS+ and RADIUS for authentication from the beginning. L2F differs from PPTP by
defining connections within a tunnel, allowing a tunnel to support more than one connection. There are
also two levels of authentication of the user: first, by the ISP prior to setting up the tunnel; second, when
the connection is set up at the corporate gateway.
`
These L2F features have been carried over to L2TP. Like PPTP, the Layer 2 Forwarding Protocol utilizes
the functionality of PPP to provide dial-up access that can be tunneled through the Internet to a
destination site. However, L2TP defines its own tunneling protocol, based on the work of L2F. Work has
continue
