
Building and Managing Virtual Private Networks
by Dave Kosiur
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471295264 Pub Date: 09/01/98

The Building Blocks of PPTP

As mentioned earlier, PPTP depends on PPP for much of its basic functionality, as well as GRE for
packet encapsulation. PPTP defines a number of tunnel types, based on the endpoints and control of
authorization and authentication. For some of these tunnels, PPTP depends on RADIUS as a system for
dynamic authentication of users. Also, to provide some form of data integrity, PPTP can use either PPP’s
encryption or MPPE, although these systems do not offer the robustness associated with IPSec.

PPP and PPTP

PPP has become the most common protocol for dial-up access to the Internet and other TCP/IP networks
during the past few years. Working at Layer 2 of the OSI protocol stack, the Data Link layer, PPP
includes methods for encapsulating various types of datagrams for transfers over serial links. The PPP
specifications also define two sets of protocols: a Link Control Protocol (LCP) for establishing,
configuring, and testing the connection and a series of Network Control Protocols (NCPs) for
establishing and configuring different network-layer protocols.

PPP encapsulates IP, IPX, and NetBEUI packets between PPP frames and sends the encapsulated
packets by creating a point-to-point link between the sending and receiving computers (see Figure 6.2).
To establish communications over a link, each end of the PPP link must first send LCP packets to
configure and test the data link.

When a PPP link has been established, the user is usually authenticated. This is an optional phase in
PPP, but one that is likely to always be included by an ISP and certainly should be an integral part of
any VPN. Authentication must take place prior to starting the network-layer protocol phase. In PPP,
authentication can be accomplished via either PAP or CHAP (see Chapter 4, “Security: Threats and
Solutions”).

FIGURE 6.2 Dial-up networking using PPP.

Recall that in PAP, passwords are sent across the link in plaintext, and there is no protection from
playback or trial-and-error attacks. CHAP is a more robust method of authentication, using a three-way
handshake. CHAP protects against playback attacks by using a variable challenge value that is unique
and unpredictable. Because CHAP can issue a challenge any time during and after the establishment of
the link, the repeated challenges can limit the time of exposure to any single attack.

In an effort to accommodate better, more robust methods of authentication within PPP, the IETF has
defined the PPP Extensible Authentication Protocol (EAP) in RFC 2284. EAP is a general protocol for
PPP authentication that supports multiple authentication mechanisms. EAP does not select a specific
authentication mechanism at the Link Control Phase, but rather postpones this until the Authentication
Phase, enabling the authenticator to request more information before determining the specific
authentication mechanism. This also permits the use of a back-end server that actually implements the
various mechanisms while the PPP authenticator merely passes through the authentication exchange. By
using EAP, you can integrate some of the systems we mentioned in Chapter 4, like one-time passwords
and secure tokens, into the use of PPP; EAP also makes integration of PPP with RADIUS easier.

After the link has been established and various options negotiated as required by the LCP, PPP sends
NCP packets to choose and configure one or more network-layer protocols. After each of the selected
network-layer protocols has been configured, datagrams from each of the selected network-layer
protocols can be sent over the link.

PPTP depends on the PPP protocol to create the dial-up connection between the client and a
network-access server. PPTP expects PPP to perform the following functions:

Establish and end the physical connection

Authenticate the users

Create PPP datagrams

After PPP has established the connection, PPTP takes over the role of encapsulating the PPP packets for
transmission over a tunnel (see Figure 6.3).

In order to take advantage of the link created by PPP, the PPTP protocol defines two different types of
packets, control packets and data packets, and assigns them to two different channels. PPTP then
separates the control and data channels into a control stream that runs over TCP and a datastream that
runs in an IP envelope, using GRE. A single TCP connection is created between the PPTP client and the
PPTP server. This connection is used to exchange control messages.

Data packets contain the normal user data, that is, the datagram from the selected network-layer protocol.
Control packets are sent as periodic inquiries about link status and manage signals between a PPTP client
and the network server. Control packets also are used to send basic device management and
configuration information between tunnel endpoints. The control messages establish, maintain, and end
the PPTP tunnel.

The control channel required for setting up a tunnel connects the PPTP client to the PPTP server. As
we’ll see in more detail later, the client can either be software on the remote user’s computer or at the
ISP’s network access server. The location of the client determines the nature of the tunnel and the control
that both the remote user and ISP have over the tunnel.

After the PPTP tunnel is established, user data is transmitted between the client and PPTP server. Data is
transmitted in IP datagrams containing PPP packets. The IP datagrams are created using a modified
version of the Generic Routing Encapsulation (GRE) protocol; the modified version includes information
on the host’s Call ID, which can be used to control access rights, and an acknowledgment capability,
which is used to monitor the rate at which data packets are transmitted over the tunnel for a given
session.

The GRE header is used to encapsulate the PPP packet within the IP datagram (see Figure 6.4). The
payload packet is essentially the original PPP packet sent by the client, missing only framing elements
that are specific to the media. Because PPTP operates as a Layer 2 protocol, it must include a media
header in the packet description to indicate how the tunnel is being transmitted. Depending on your ISP’s
infrastructure, this method might be by Ethernet, frame relay, or PPP links.

PPTP also includes a rate-control mechanism that limits the amount of data in flight. This mechanism
minimizes the need for retransmissions because of dropped packets.
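
As an added example (not code from the book), the following Python parses and builds the modified GRE header just described: the Call ID, the optional sequence number used for the data stream, and the optional acknowledgment number used by the rate-control mechanism. The bit layout, the requirement that the Key bit be set and the version be 1, and the PPP protocol type 0x880B are taken from RFC 2637, which the book does not cite; the sample packets in the usage section are constructed. A firewall or intrusion detection rule that must recognise PPTP data packets needs the same checks, because plain GRE (version 0) and PPTP’s enhanced GRE (version 1) both travel as IP protocol 47 and differ only in this header.

```python
"""Parse and build the enhanced GRE header PPTP uses for its data stream.

Added example for this chapter, not code from the book. The field layout,
the "Key bit set, version 1, protocol type 0x880B" rules and the meaning of
the S and A bits follow RFC 2637 section 4.1. Sample packets are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_GRE_PROTOCOL = 0x880B   # protocol type carried in the GRE header for PPP
FLAG_C, FLAG_R, FLAG_K, FLAG_S = 0x8000, 0x4000, 0x2000, 0x1000
FLAG_STRICT, MASK_RECUR, FLAG_A = 0x0800, 0x0700, 0x0080
MASK_VERSION = 0x0007


@dataclass
class PptpGreHeader:
    call_id: int                   # identifies the session on the receiving host
    payload_length: int            # bytes of PPP payload following the header
    sequence: Optional[int]        # present when S is set (data packets)
    acknowledgment: Optional[int]  # present when A is set (rate control)
    header_length: int             # 8, 12 or 16 bytes depending on S and A


def parse_pptp_gre(packet: bytes) -> PptpGreHeader:
    """Decode a PPTP GRE header, rejecting anything that is not PPTP's enhanced GRE."""
    if len(packet) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    # RFC 2637: C, R, s and Recur must be zero, K must be one, Ver must be 1
    if flags & (FLAG_C | FLAG_R | FLAG_STRICT | MASK_RECUR):
        raise ValueError("reserved GRE bits set; not a PPTP data packet")
    if not (flags & FLAG_K):
        raise ValueError("Key bit clear; PPTP requires the Call ID field")
    if (flags & MASK_VERSION) != 1:
        raise ValueError("GRE version %d; PPTP uses enhanced GRE version 1"
                         % (flags & MASK_VERSION))
    if proto != PPTP_GRE_PROTOCOL:
        raise ValueError("protocol type 0x%04x is not PPP (0x880B)" % proto)
    offset, sequence, acknowledgment = 8, None, None
    if flags & FLAG_S:
        if len(packet) < offset + 4:
            raise ValueError("sequence number missing")
        sequence = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_A:
        if len(packet) < offset + 4:
            raise ValueError("acknowledgment number missing")
        acknowledgment = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    # The payload length field must account for every byte after the header;
    # a mismatch means a truncated or malformed packet.
    if len(packet) - offset != payload_len:
        raise ValueError("payload length %d does not match %d bytes present"
                         % (payload_len, len(packet) - offset))
    return PptpGreHeader(call_id, payload_len, sequence, acknowledgment, offset)


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Build a PPTP data packet (or an acknowledgment-only packet when payload is empty)."""
    flags = FLAG_K | 1                       # Key present, version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    header = struct.pack("!HHHH", flags, PPTP_GRE_PROTOCOL, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def is_pptp_gre(packet: bytes) -> bool:
    """Convenience check for a filter or detector: True only for well-formed PPTP data."""
    try:
        parse_pptp_gre(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: PPP frame (address/control 0xFF03, IP protocol 0x0021) with a
    # short payload, carried as sequence 7 while acknowledging the peer's packet 3.
    sample = build_pptp_gre(0x1234, b"\xff\x03\x00\x21hello", seq=7, ack=3)
    print(parse_pptp_gre(sample))
    print(parse_pptp_gre(build_pptp_gre(0x1234, b"", ack=9)))   # ack-only packet
```

The acknowledgment-only form (S clear, A set, zero payload length) is how a PPTP peer advances the sender’s window without sending data; a parser that insisted on a sequence number would drop those packets and stall the tunnel.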

Tunnels

PPTP enables users and ISPs to create a variety of different tunnel types based on the capabilities of the
end user’s computer and the ISP’s support for PPTP. The end user’s computer determines where the
termination point of the tunnel is located: either on his computer if it’s running a PPTP client or at the
ISP’s remote access server (RAS) if his computer supports only PPP and not PPTP. In the second case,
the ISP’s access server has to support PPTP for this to work; no special ISP support is required if
the end user has a PPTP client.

FIGURE 6.4 PPTP/GRE packet encapsulation.

This dichotomy of end-user software capabilities and ISP support has resulted in a division of tunnels
into classes, voluntary and compulsory. Voluntary tunnels are created at the request of the user for a
specific use (see Figure 6.5). Compulsory tunnels are created automatically without any action from the
user, and more importantly, without allowing the user any choice in the matter. Within the compulsory
category are two subclasses: static and dynamic. The static tunnels can be subdivided again, into
realm-based and automatic classes.

Voluntary tunnels are just that, set up at the request of the end user. When using a voluntary tunnel, the
end user can simultaneously open a secure tunnel through the Internet and access other Internet hosts via
basic TCP/IP protocols without tunneling. The client-side endpoint of a voluntary tunnel resides on the
user’s computer. Voluntary tunnels are often used to provide privacy and data integrity for intranet traffic
being sent over the Internet.

Because compulsory tunnels are created without the user’s consent, they may be transparent to the end
user. The client-side endpoint of a compulsory tunnel typically resides on a remote access server. All
traffic originating from the end user’s computer is forwarded over the PPTP tunnel by the RAS. Access
to other services outside the intranet would be controlled by the network administrators. PPTP enables
multiple connections to be carried over a single tunnel.

Because a compulsory tunnel has predetermined endpoints and the user cannot access other parts of the
Internet, these tunnels offer better access control than voluntary tunnels. If it’s corporate policy that
employees cannot access the public Internet, for example, a compulsory tunnel would keep them out of
the public Internet while still allowing them to use the Internet to access your VPN.

Another advantage to a compulsory tunnel is that multiple connections can be carried over a single
tunnel. This feature reduces the network bandwidth required for transmitting multiple sessions, because
the control overhead for a single compulsory tunnel carrying multiple sessions is less than that for
multiple voluntary tunnels, each carrying traffic for a single session. One disadvantage of compulsory
tunnels is that the initial link of the connection (i.e., the PPP link between the end user’s computer and
the RAS) is outside the tunnel and, therefore, is more vulnerable to attack.

Static compulsory tunnels typically require either dedicated equipment or manual configuration. These
dedicated, or automatic, tunnels might require the user to call a special telephone number to make the
connection. On the other hand, in realm-based, or manual, tunneling schemes, the RAS examines a
portion of the user’s name, called a realm, to decide where to tunnel the traffic associated with that user.

FIGURE 6.5 Voluntary and compulsory tunnels.

However, setup and maintenance of static tunnels increases the demands on network management. A
more flexible approach would be to dynamically choose the tunnel destination on a per-user basis when
the user connects to the RAS. These dynamic tunnels can be set up in PPTP by linking the system to a
RADIUS server to obtain session configuration data on the fly.

Static tunneling requires the dedication of a network access server (NAS) to the purpose. In the case of
an ISP, this restriction would be undesirable because it requires the ISP to dedicate an NAS to tunneling
service for a given corporate customer, rather than enabling them to use existing network access servers
deployed in the field. As a result, static tunneling is likely to be costly for deployment of a global service.

Realm-based tunneling assumes that all users within a given realm want to be treated the same way,
limiting a corporation’s flexibility in managing the account rights of their users. For example,
MegaGlobal Corp. may desire to provide Jim with an account that allows access to both the Internet and
the intranet, with Jim’s intranet access provided by a tunnel server located in the engineering department.
However, MegaGlobal Corp. may want to provide Sam with an account that provides only access to the
intranet, with Sam’s intranet access provided by a tunnel network server located in the sales department.
Situations like these cannot be accommodated with realm-based tunneling.

Using RADIUS to provision compulsory tunnels has several advantages. For instance, tunnels can be
defined and audited on the basis of authenticated users, authentication and accounting can be based on
telephone numbers, and other authentication methods, such as tokens or smart cards, can be
accommodated. When deployed in concert with roaming, user-based tunneling offers corporations the
capability to provide their users with access to the corporate intranet on a global basis.

RADIUS

The RADIUS client/server model uses a network access server to manage user connections. Although the
NAS functions as a server for providing network access, it also functions as a client for RADIUS. The
NAS is responsible for accepting user connection requests, getting user ID and password information,
and passing the information securely to the RADIUS server. The RADIUS server returns authentication
status, i.e., approved or denied, as well as any configuration data required for the NAS to provide
services to the end user.

Roaming

Various ISPs have started to form strategic alliances (for example, the Stentor Alliance between MCI,
British Telecom, and Bell Canada) that allow the partners to tunnel traffic across one another’s
networks. These agreements make it easier for your mobile workers to tunnel traffic to your corporate
sites regardless of their location. If their work takes them to areas not serviced by your ISP, then they
can call one of the partner ISPs in the area to use the VPN.

RADIUS creates a single, centrally located database of users and available services, a feature particularly
important for networks that include large modem banks and more than one remote communications
server. With RADIUS, the user information is kept in one location, the RADIUS server, which manages
the authentication of the user and access to services from one location. Because any device that supports
RADIUS can be a RADIUS client (see Figure 6.6), a remote user will gain access to the same services
from any communications server communicating with the RADIUS server.

RADIUS supports the use of proxy servers, which store user information for authentication purposes and
can be used for accounting and authorization, but they do not allow the user data (passwords and so on)
to be changed. A proxy server depends on periodic updates of the user database from a master RADIUS
server (see Figure 6.6). When corporations are looking to outsource their VPN to an ISP, they probably
will arrange to have an ISP authenticate users of its PPTP server based on corporate-defined user data. In
such cases, the corporation would maintain a RADIUS server and set user information on it, and the ISP
would have a proxy RADIUS server that receives updates from the corporate server.

For RADIUS to control the setup of a tunnel, it has to store certain attributes about the tunnel. These
attributes include the tunnel protocol to be used (i.e., PPTP or L2TP), the address of the desired tunnel
server, and the tunnel transport medium to be used. To take further advantage of RADIUS’
capabilities, namely its ability to track network usage, a few more items are needed: the address
of the tunnel client (the NAS) and a unique identifier for the tunneled connection.

When combining dynamic tunneling with RADIUS, at least three possible options are available for user
authentication and authorization:

1. Authenticate and receive authorization once, at the RAS end of the tunnel.

2. Authenticate and receive authorization info once, at the RAS end of the tunnel and somehow
forward the RADIUS reply to the remote end of the tunnel.

3. Authenticate on both ends of the tunnel.

FIGURE 6.6 Interactions among a RADIUS server, proxy server, and clients.

The first model is a poor trust model because it requires the ISP alone to control access to the network,
and the second is an adequate trust model but doesn’t scale well, due to the way RADIUS authenticates
replies. The third option is robust and works well if a RADIUS proxy server is used, which also supports
the use of a single user name and password at both ends.

Let’s look at the chain of events for creating a tunnel when using RADIUS this way (see Figure 6.7).
First, the remote user dials into the remote access server and enters his password as part of the PPP
authentication sequence (step 1 in the figure). The remote access server, acting as a RADIUS client, then
uses RADIUS to check the password and receives tunnel information from the local RADIUS proxy
server; this information would include attributes specifying which PPTP server is to be the endpoint of
the tunnel that will be used for this particular user (steps 2 to 5). The remote access server will open the
tunneled connection, creating a tunnel if necessary. Recall that traffic from more than one user can be
transmitted in the same compulsory tunnel at the same time. The PPTP server would reauthenticate the
user (step 6), checking the password against the same RADIUS server that was used in the initial
exchange (steps 7 and 8). Upon authentication, the PPTP server will accept tunneled packets from the
remote user and forward the packets to the appropriate destination on the corporate network.

FIGURE 6.7 RADIUS authentication for dynamic tunnels.
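
The RADIUS side of this exchange, as an added example that is not the book’s code: the master RADIUS server checks a password, returns the tunnel attributes the text lists (tunnel protocol, transport medium, tunnel server address, tunnel client address, and a connection identifier), and the RADIUS client verifies the reply’s Response Authenticator before acting on it. The attribute numbers and tagged-value encoding follow RFC 2868 (RFC 2867 for Acct-Tunnel-Connection) and the authenticator computation follows RFC 2865; the book cites neither. The user table (the text’s Jim and Sam), shared secret, addresses and connection id are constructed. The same authorize function serves both the proxy consulted by the RAS (steps 2 to 5) and the re-authentication by the PPTP server (steps 7 and 8), since both check against the same user data.

```python
"""Per-user PPTP tunnel provisioning over RADIUS.

Added example, not from the book. Attribute numbers and tagged encoding follow
RFC 2868/2867; the Response Authenticator follows RFC 2865. Users, secret and
addresses below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT = 66, 67
ACCT_TUNNEL_CONNECTION = 68
TUNNEL_TYPE_PPTP, TUNNEL_MEDIUM_IPV4 = 1, 1

# Constructed policy: Jim's tunnel ends in engineering, Sam's in sales, chosen
# per user rather than per realm, which is the case realm-based tunneling cannot express.
USER_POLICY = {
    "jim": {"password": "jim-secret", "tunnel_server": "10.1.1.10"},
    "sam": {"password": "sam-secret", "tunnel_server": "10.2.2.10"},
}
SHARED_SECRET = b"constructed-shared-secret"   # between this server and its client


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (counting these two octets), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a three-octet value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type, tag, text):
    """RFC 2868 tagged string: one tag octet followed by the text."""
    return avp(attr_type, bytes([tag]) + text.encode())


def tunnel_attributes(tunnel_server, nas_address, connection_id, tag=1):
    """The items the text lists: protocol, medium, server, client (the NAS), connection id."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_PPTP)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4)
            + tagged_str(TUNNEL_SERVER_ENDPOINT, tag, tunnel_server)
            + tagged_str(TUNNEL_CLIENT_ENDPOINT, tag, nas_address)
            + avp(ACCT_TUNNEL_CONNECTION, connection_id.encode()))


def radius_reply(code, identifier, request_authenticator, attributes, secret):
    """Reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_reply(packet, request_authenticator, secret):
    """What a RADIUS client (NAS or PPTP server) does before trusting a reply: recompute
    the Response Authenticator from its own request authenticator and shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def authorize(username, password, nas_address, identifier, request_authenticator):
    """Master RADIUS server logic: check the password, then return the tunnel attributes
    for this user (Access-Accept) or an empty Access-Reject."""
    policy = USER_POLICY.get(username)
    if policy is None or not hmac.compare_digest(policy["password"], password):
        return radius_reply(ACCESS_REJECT, identifier, request_authenticator, b"", SHARED_SECRET)
    attrs = tunnel_attributes(policy["tunnel_server"], nas_address, "%s-call-1" % username)
    return radius_reply(ACCESS_ACCEPT, identifier, request_authenticator, attrs, SHARED_SECRET)


def decode_attributes(packet):
    """Walk the attribute list of a reply; tunnel items come back as (tag, value) pairs."""
    out, body, pos = {}, packet[20:], 0
    while pos + 2 <= len(body):
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        value = body[pos + 2:pos + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type in (TUNNEL_SERVER_ENDPOINT, TUNNEL_CLIENT_ENDPOINT):
            out[attr_type] = (value[0], value[1:].decode())
        else:
            out[attr_type] = value
        pos += length
    return out


if __name__ == "__main__":
    req_auth = bytes(range(16))   # constructed; a real client draws this at random
    reply = authorize("jim", "jim-secret", "192.0.2.1", 7, req_auth)
    print(verify_reply(reply, req_auth, SHARED_SECRET), decode_attributes(reply))
```

Because the Response Authenticator is computed over the original Request Authenticator and the shared secret between that particular client and server, a reply received by the RAS cannot simply be forwarded to the PPTP server and verified there; that is the scaling problem the text attributes to the second option, and why the third option has each endpoint ask the RADIUS server itself.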

Authentication and Encryption

Remote PPTP clients are authenticated by the same PPP authentication methods used for any RAS client
dialing directly to a RAS server. Microsoft’s implementation of RRAS supports CHAP, MS-CHAP, and
PAP authentication schemes. MS-CHAP uses the MD4 hash for creating the challenge token from the
user’s password.

PAP and CHAP do have definite disadvantages when secure authentication is desired. Both PAP and
CHAP rely on a secret password that must be stored on the remote user’s computer and the local
computer. If either computer comes under the control of a network attacker, then the secret password is
compromised. Also, with CHAP or PAP authentication, you cannot assign different network access
privileges to different remote users who use the same remote host. Because one set of privileges is
assigned to a specific computer, everybody who uses that computer will have the same set of privileges.

In Microsoft’s implementation of PPTP, data is encrypted via Microsoft Point-to-Point Encryption
(MPPE), which is based on the RSA RC4 standard (see Figure 6.8). The Compression Control Protocol
(CCP) used by PPP is used to negotiate encryption. MS-CHAP is used to validate the end user in a
Windows NT domain, and an encryption key for the session is derived from the hashed user password
stored on both the client and server. (An MD4 hash is used.) A 40-bit session key normally is used for
encryption, but U.S. users can install a software upgrade to use a 128-bit key. Because MPPE encrypts
PPP packets on the client workstation before they enter a PPTP tunnel, the packets are protected
throughout the link from the workstation to the PPTP server at the corporate site. Changes in session
keys can be negotiated to occur for every packet or after a preset number of packets.

FIGURE 6.8 Packet encryption in PPTP.

LAN-to-LAN Tunneling

The original focus of PPTP was the creation of dial-in VPNs (i.e., to provide secure dial-in access to
corporate LANs via the Internet). LAN-to-LAN tunnels were not supported at first. It wasn’t until
Microsoft introduced their Routing and Remote Access Server for NT Server 4.0 that NT Servers were
able to support LAN-to-LAN tunnels. Since then, other vendors also have released compatible PPTP
servers that also support LAN-to-LAN tunneling.

As implemented in Microsoft’s RRAS, LAN-to-LAN tunneling occurs between two PPTP servers, much
like IPSec’s use of security gateways to connect two LANs. However, because the PPTP architecture
does not make use of a key management system, authentication and encryption are controlled via CHAP,
or via MS-CHAP. In effect, one site’s RRAS, running PPTP, is defined as a user, with an appropriate
password, at the other site’s RRAS and vice versa (see Figure 6.9). To create a tunnel between the two
sites, the PPTP server at one site is authenticated by the other PPTP server using the stored passwords,
much as we described the process earlier for a dial-in user. One site’s PPTP server thus looks like a PPTP
client to the other server, and vice versa, so a voluntary tunnel is created between the two sites.

Because this tunnel can encapsulate any supported network-layer protocol (i.e., IP, NetBEUI, IPX),
users at one site will have access to resources at the other site based on their access rights, defined for
that protocol. This means that some form of collaboration between site managers is needed to ensure that
users at a site have the proper access rights to resources at other sites. In Windows NT, for example, each
site can have its own security domain and the sites would establish a trust relationship between the
domains in order to allow users to access a site’s resources.

Using PPTP

Because a major focus of PPTP is to provide secure dial-in access to private corporate resources, the
components of a PPTP VPN are organized a bit differently from those of an IPSec VPN (see Chapter 5,
“Using IPSec to Build a VPN”). The most important components are those that define the endpoints of a
PPTP tunnel. Because one of these endpoints can be your ISP’s equipment, this configuration can cut
down on the software needed for your mobile clients but requires collaboration between you and your
ISP for authentication of users.

FIGURE 6.9 LAN-to-LAN PPTP tunnels.

In general, a PPTP VPN requires three items: a network access server, a PPTP server, and a PPTP client.
Although the PPTP server should be installed on your premises and maintained by your staff, the
network access server should be the responsibility of your ISP. In fact, if you choose to install PPTP
client software on your remote hosts, the ISP doesn’t even need to provide any PPTP-specific support.

Figure 6.10 illustrates a few differences between the structure of an IPSec VPN and a PPTP VPN. One
significant difference is that PPTP enables you to outsource some of the PPTP functions to the ISP. At a
corporate site, a PPTP server acts like a security gateway, tying authentication to RADIUS or Windows
NT domains. A PPTP client on a user’s laptop or desktop computer performs many of the same functions
as IPSec client software, although there are no key exchanges.

FIGURE 6.10 Comparing IPSec and PPTP architectures.

PPTP Servers

A PPTP server has two primary roles: it acts as the endpoint for PPTP tunnels, and it forwards packets to
and from the tunnel that it terminates onto the private LAN. The PPTP server forwards packets to a
destination computer by processing the PPTP packet to obtain the private network computer name or
address information in the encapsulated PPP packet.

PPTP servers also can filter packets, using PPTP filtering. With PPTP filtering, you can set the server to
restrict who can connect to either the local network or to the Internet. In systems like Windows NT 4.0
and RRAS, the combination of PPTP filtering with IP address filtering enables you to create a functional
firewall for your network.

Setting up a PPTP server at your corporate site brings with it a few restrictions, especially if the PPTP
server is to be placed on the private (i.e., corporate) side of the firewall. PPTP has been designed so that
only one TCP/IP port number can be used for passing data through a firewall: port number 1723. This
lack of configurability of the port number can make your firewall more susceptible to attacks. Also, if
you have firewalls configured to filter traffic by protocol, you will need to set them to allow GRE to pass
through.
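
To make the firewall point concrete, here is an added example (not from the book) that audits a simple stateless rule set for the two things a PPTP tunnel needs: TCP port 1723 to the PPTP server for the control connection, and IP protocol 47 (GRE) in both directions for the data stream. The rule format, the addresses and both rule sets are constructed. The weak set allows 1723 but forgets GRE, the common misconfiguration in which the control connection comes up but no PPP data ever flows; the corrected set adds GRE restricted to the PPTP server’s address, which is the most you can narrow it to since GRE has no port numbers.

```python
"""Audit a packet-filter rule set for PPTP reachability.

Added example, not the book's code. Rule and packet formats, addresses and the
two rule sets are constructed; PPTP's fixed TCP port 1723 and GRE's IP protocol
number 47 are the real values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL_NUMBER = 47


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "gre" or "any"
    src: str                    # CIDR network
    dst: str                    # CIDR network
    dport: Optional[int] = None # destination port, tcp/udp only


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit final deny, as most filters do."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def pptp_flows(client: str, server: str):
    """The three flows a PPTP tunnel between client and server depends on."""
    return {
        "control": Packet("tcp", client, server, PPTP_CONTROL_PORT),
        "data_in": Packet("gre", client, server),
        "data_out": Packet("gre", server, client),
    }


def audit_pptp(rules: List[Rule], client: str, server: str) -> List[str]:
    """Names of the PPTP flows this rule set blocks; an empty list means the tunnel can work."""
    return [name for name, pkt in pptp_flows(client, server).items()
            if decide(rules, pkt) != "allow"]


# Constructed: PPTP server at 203.0.113.10 behind the filter; clients anywhere.
PPTP_SERVER = "203.0.113.10"
WEAK_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", PPTP_SERVER + "/32", PPTP_CONTROL_PORT),
    # GRE was never added: control channel opens, data stream is silently dropped
]
FIXED_RULES = WEAK_RULES + [
    Rule("allow", "gre", "0.0.0.0/0", PPTP_SERVER + "/32"),
    Rule("allow", "gre", PPTP_SERVER + "/32", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("weak rules block:", audit_pptp(WEAK_RULES, "198.51.100.7", PPTP_SERVER))
    print("fixed rules block:", audit_pptp(FIXED_RULES, "198.51.100.7", PPTP_SERVER))
```

A stateful firewall would usually create the return-path entry for GRE itself, but the protocol-level point stands: a filter that only knows about port numbers never sees a port on a GRE packet, so GRE must be permitted explicitly by protocol number, and ideally only to and from the PPTP server.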

A related device is the tunnel switch. Tunnel switches are relatively new devices, initially introduced by
3Com in early 1998. A tunnel switch is a combined tunnel terminator and tunnel initiator. The purpose of
a tunnel switch is to extend tunnels from one network to another, extending a tunnel incoming from
your ISP’s network to your corporate network, for example (see Figure 6.11).

Tunnel switches can be used at a firewall to improve the management of remote access to private
network resources. Because the tunnel switch terminates the incoming tunnel, it can examine the
incoming packets for protocols carried by the PPP frames or for the remote user’s name. The switch can
use that information to create tunnels into the corporate network based on the information carried in the
incoming packets.

PPTP Client Software

As pointed out frequently in this chapter, if the ISP equipment supports PPTP, no additional software or
hardware is required on the client end; only a standard PPP connection is necessary. On the other hand, if
the ISP does not support PPTP, a Windows NT client (or similar software) can still utilize PPTP and
create the secure connection, first by dialing the ISP and establishing a PPP connection, then by dialing
once again through a virtual PPTP port set up on the client side.

FIGURE 6.11 Example of the use of tunnel switches.

PPTP clients already exist from Microsoft for computers running Windows NT, Windows 95, and
Windows 98. Network Telesystems also offers PPTP clients for other popular computers, including the
Macintosh and computers running Windows 3.1. When selecting a PPTP client, compare its functionality
to that of your PPTP server. Not all client software will necessarily support MS-CHAP, for instance,
which means they won’t be able to take advantage of Microsoft’s encryption in RRAS.

Network Access Servers

Unlike an IPSec VPN, there are many cases in which a PPTP VPN’s design depends on the protocol
support offered by the ISP. This support is particularly important if your mobile workers can use a PPP
client but do not have PPTP clients installed.

Because ISPs can offer PPTP services without adding PPTP support to their access servers, this approach
would require that all clients use a PPTP client on their computers. This approach has its advantages
because it enables clients to use more than one ISP if the geographic coverage of a primary ISP isn’t
adequate. Also recall that remote hosts with a PPTP client can set up voluntary tunnels in the PPTP
scheme of things; if you want to control employee access to Internet resources, then you’ll have to resort
to compulsory tunnels, which require the support of your ISP.

It’s unlikely that you’ll have any control over the PPTP hardware that your ISP uses, but you should be
aware of its capabilities so that you can take the hardware’s limitations into account in the design of your
VPN.

Network access servers, which are also known as remote access servers or access concentrators, provide
software-based line access management and billing capabilities and run on platforms that offer
robustness and fault tolerance at ISP POPs. ISP network access servers generally are designed and built
to accommodate a large number of dial-in clients. An ISP that provides PPTP service would have to
install a PPTP-enabled network access server that supports PPP clients on a number of platforms,
including Windows, Macintosh, and Unix.

In such cases, the ISP server acts as a PPTP client and connects to the PPTP server at the corporate
network. The ISP access server thus becomes one of the endpoints for a compulsory PPTP tunnel, with
the network server at the corporate site being the other endpoint.

The network access server would choose a tunnel that has not only the appropriate endpoint but also the
appropriate level of performance and service. Network access servers can make tunneling choices based
on calling number, called number, static port mappings, text-based “terminal server” login, user names
(from PAP or CHAP authentication), user-name parsing through DNS, lookups to RADIUS or
TACACS+, ISDN call type, or command-line tunnel requests.

Early versions of PPTP devices and software were designed to work with Microsoft’s version of PPTP
and for remote access only. For instance, it wasn’t until the second quarter of 1998 that products other
than Windows NT 4.0 could be used as PPTP servers. LAN-to-LAN PPTP tunneling wasn’t supported
until Microsoft released their Routing and Remote Access Server (RRAS) in late 1997.

A few vendors already support PPTP (see Table 6.1 for a partial list), with most of the initial equipment
designed for ISPs. Since Microsoft’s release of RRAS, other vendors also have started providing PPTP
servers with similar features. If you’re planning to install a PPTP VPN, you’ll need to check the
interoperability of your equipment with those of the ISP(s) you plan on using, because some features,
like MS-CHAP, aren’t supported on all devices and client software.

Sample Deployment

To illustrate the use of PPTP in a VPN, we’ll create two different scenarios, one strictly for dial-in access
(see Figure 6.12) and the second for a LAN-to-LAN VPN (see Figure 6.13). For simplicity’s sake, we’ll
just have two sites, the corporate headquarters and a branch office, for the second example. In both
cases, we’ll concentrate on the exchange of data between endpoints and not worry about how the
information is protected inside the corporate network (using firewalls, for example).

TABLE 6.1 Partial List of PPTP Products

Vendor                             Product
3Com                               AccessBuilder 5000, NETBuilder II
Ascend Communications              Max TNT
Bay Networks                       Contivity Extranet Switches
Checkpoint Software Technologies   Firewall-1
ECI Telematics                     Dial Access Concentrator
Extended Systems                   ExtendNet VPN
Freegate Corp.                     VPN Remote
Microcom                           Access Integrator 1700
Microsoft Corp.                    Windows NT Server, RRAS
Network Telesystems                Tunnel Builder
Shiva Corp.                        LanRover Access Switch
US Robotics (now 3Com)             Total Control Enterprise Network Hub

Just as with the IPSec example given in Chapter 5, physical security should include ensuring that all
hosts reside within the site’s physical parameters and all links to outside systems go through the PPTP
server and an associated firewall. The connection between the site’s internal networks and the external
network(s) should be in a locked machine room with restricted access, and only authorized individuals
(network managers, for instance) should have access to the encrypting routers.

FIGURE 6.12 Sample PPTP dial-in VPN.

In the scenario diagrammed in Figure 6.12, MegaGlobal Corp. has decided to outsource much of the
VPN work to its ISP. This means that the ISP providing MegaGlobal Corp.’s Internet connectivity has a
RADIUS proxy server and PPTP-enabled network access servers. MegaGlobal Corp. still has to maintain
a master RADIUS server and a PPTP server. Because the ISP is presumed to have PPTP-enabled access
servers, you don’t have to install special PPTP client software on the computers of your mobile workers.

Employing a RADIUS server to control authentication and access rights offers you the ability to
centralize control of access, which can be particularly valuable if you’re working in a multiprotocol
environment. That’s because many RADIUS servers have the capability to exchange information with
other NOS-based directories, such as Windows NT and Novell Directory Services (NDS).

Now let’s take a look at a VPN designed just for LAN-to-LAN connectivity, as in Figure 6.13.

In this example, a Windows NT server is installed at each site to serve as a router and PPTP server. In
order for the two sites to communicate with each other over a PPTP tunnel, each PPTP server also will
have to be configured to be a PPTP client of the other server. If the two sites connect via on-demand
dialing, rather than through a permanent network link, the IP address of the ISP’s network access server
also has to be included in the configuration.

When any branch office tra