Accessing networks remotely involves overcoming several problems when you are managing the remote clients. Most IT administrators usually list these problems as
There are others, of course, but the problems in the preceding list are the main issues of concern for the exam.
Remote Client Access Connections
In discussing remote access connections, the following sections cover both bandwidth and types of connections. Windows Vista–supported remote access connections can be broken down into four general categories of connections:
These categories are also found, one way or another, in the myriad of wizards that are available for creating remote access connections. One type of remote access connection not listed here but slowly gaining ground is the wireless broadband connection. At this time Windows Vista does not support out-of-the-box use of wireless broadband connections; third-party software is needed to bring that support to Windows Vista. Serial Line Internet Protocol (SLIP) has been dropped. The following sections discuss the connection types that Windows Vista supports natively.
Dial-up
The dial-up connection type has seen better days. Dial-up over an analog modem connection has seen a small bump in performance over the past few years with the introduction of the V.92 protocol. This was just an upgrade to the V.90 protocol, and support for it is included in Windows Vista.
There is not much else here to worry about because it appears that even Microsoft is leaving this service behind as far as the exams are concerned.
Windows Vista supports dial-up as most previous Windows operating systems have. Support for Point-to-Point Protocol (PPP) over dial-up and the usual list of Microsoft authentication and encryption services is included, with one notable exception: MS-CHAPv1. This service has been dropped from Windows Vista. The other security protocols supported by Windows Vista for dial-up are
These services and protocols are discussed later. Bandwidth Allocation Protocol (BAP), which measures the bandwidth utilized on a PPP connection and uses a threshold to determine whether another dial-up link should be connected to increase the overall throughput of the connection, has also been dropped.
Integrated Services Digital Network (ISDN) connections for dial-up are still supported in Windows Vista.
Wireless
The previous discussions on wireless connections hit on just about every topic necessary for your purposes concerning this connection type. Wireless connections for remote access involve using a wireless local area network connection and then extending that connection using some type of broadband router to connect to the Internet. Wireless connections were covered previously, and the issues relating to remote access connections are the same. The only difference is the added overhead of a VPN connection being initiated through a wireless connection. VPNs are discussed shortly.
Broadband (PPPoE)
Windows Vista now supports Point-to-Point Protocol over Ethernet (PPPoE) connections with supported network adapters. IPv6 can also be used over PPPoE connections.
Broadband connections using PPPoE are typically used over established Asynchronous Transfer Mode (ATM) circuit connections with a service provider using Digital Subscriber Line (DSL) services, although cable is also supported. A Windows Vista client is able to authenticate the PPPoE connection using an ordinary Ethernet adapter connected to a DSL modem. The DSL modem initially creates the ATM virtual circuit.
Virtual Private Network (VPN)
Windows Vista clients support the use of Virtual Private Network (VPN) connections using Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec).
PPTP is still supported and should be used only when environments include a mix of legacy operating system clients. If all the operating systems on the desktops are Windows 2000, Windows XP, or Windows Vista, the choice for the most secure tunneling protocol should be L2TP/IPSec. You can mix and match tunneling protocols to better suit the operating system of the remote access client, but questions on the exam often entail employing a single protocol service as a standard.
In addition, Microsoft has created an L2TP/IPSec VPN client for Windows 98, Windows Millennium Edition, and Windows NT 4.0. This VPN client must be downloaded and installed separately because it is not included in those base operating systems.
The following sections review what these protocols entail as far as setup and security settings.
PPTP
PPTP is an old Microsoft favorite, and Microsoft clients are the most prolific users of PPTP. PPTP places an encrypted PPP payload inside a Generic Routing Encapsulation (GRE) tunnel. The GRE tunnel is basically an IP-in-IP packet tunnel using IP protocol 47. PPTP also requires a control channel that runs over a separate TCP session. This PPTP control session is maintained on TCP port 1723 to manage the PPTP process. (See Table 1 for protocol and port number details.) This extra TCP session causes many of the issues with firewalls. Windows Vista now includes support for PPTP over IPv6 (PPTPv6).
Table 1. Protocols and Port Numbers Used by L2TP and PPTP

VPN Protocol | Protocol/Port Number | Protocol/Port Use
---|---|---
PPTP | TCP Port 1723 | PPTP tunnel maintenance traffic
PPTP | IP protocol 47 | PPTP tunnel data
L2TP | UDP Port 1701 | L2TP tunnel maintenance
IPSec | UDP Port 500 | Used by Internet Key Exchange (IKE) to negotiate securing the tunnel, key exchange, and encryption keys
IPSec | UDP Port 4500 | Passage through NAT/NAT-Traversal (NAT-T)
IPSec | IP protocol 50 | IPSec ESP traffic
IPSec | IP protocol 51 | IPSec AH traffic
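Table 1 is exactly what a firewall or IDS analyst needs when sorting VPN traffic, so the following added example (not code from the book or from Microsoft) turns it into a small packet classifier. It parses a raw IPv4 packet, reads the protocol number, and then looks at the TCP/UDP ports, the GRE protocol type, or the L2TP header to label the packet as PPTP control (TCP 1723), PPTP tunnel data (IP protocol 47), L2TP (UDP 1701), IKE (UDP 500), NAT-T (UDP 4500), ESP (protocol 50), or AH (protocol 51). Two details go slightly beyond the table and are assumptions taken from the RFCs rather than from this page: PPTP's GRE header carries protocol type 0x880B for PPP, and the L2TP header's T bit (0x8000) separates control messages from data. The sample packets are constructed inline so the block runs offline.

```python
import struct
from typing import Dict

# Protocol numbers and ports from Table 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 47, 50, 51
PPTP_CONTROL_PORT = 1723
L2TP_PORT = 1701
IKE_PORT, NAT_T_PORT = 500, 4500
# Assumption (RFC 2637, not on the page): PPTP's GRE header carries PPP as type 0x880B
GRE_PPP_PROTOCOL_TYPE = 0x880B
# Assumption (RFC 2661, not on the page): L2TP header bit 15 set => control message
L2TP_T_BIT = 0x8000


def classify_vpn_packet(pkt: bytes) -> str:
    """Label a raw IPv4 packet by the Table 1 row it matches, or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]                            # IPv4 Protocol field
    payload = pkt[ihl:]

    if proto == IPPROTO_GRE:
        # GRE: 2 bytes flags/version, then 2 bytes protocol type
        if len(payload) >= 4 and struct.unpack("!H", payload[2:4])[0] == GRE_PPP_PROTOCOL_TYPE:
            return "pptp-tunnel-data"
        return "gre-other"
    if proto == IPPROTO_ESP:
        return "ipsec-esp"
    if proto == IPPROTO_AH:
        return "ipsec-ah"
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(payload) < 8:
        return "other"

    sport, dport = struct.unpack("!HH", payload[:4])   # same offsets for TCP and UDP
    if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
        return "pptp-control"
    if proto == IPPROTO_UDP:
        if L2TP_PORT in (sport, dport):
            l2tp = payload[8:]                # skip the 8-byte UDP header
            if len(l2tp) >= 2 and struct.unpack("!H", l2tp[:2])[0] & L2TP_T_BIT:
                return "l2tp-control"
            return "l2tp-data"
        if IKE_PORT in (sport, dport):
            return "ipsec-ike"
        if NAT_T_PORT in (sport, dport):
            return "ipsec-nat-t"
    return "other"


# --- constructed sample packets (checksums left at zero; addresses are made up) ---
def build_ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES: Dict[str, bytes] = {
    "pptp control":   build_ipv4(IPPROTO_TCP, build_tcp(40001, PPTP_CONTROL_PORT)),
    "pptp gre":       build_ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x3001, GRE_PPP_PROTOCOL_TYPE, 0, 1)),
    "l2tp control":   build_ipv4(IPPROTO_UDP, build_udp(L2TP_PORT, L2TP_PORT, b"\xc8\x02" + b"\x00" * 10)),
    "l2tp data":      build_ipv4(IPPROTO_UDP, build_udp(L2TP_PORT, L2TP_PORT, b"\x40\x02" + b"\x00" * 4)),
    "ike":            build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "nat-t":          build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 8)),
    "esp":            build_ipv4(IPPROTO_ESP, b"\x00\x00\x01\x02\x00\x00\x00\x01"),
    "ah":             build_ipv4(IPPROTO_AH, b"\x32\x04\x00\x00" + b"\x00" * 20),
    "https (other)":  build_ipv4(IPPROTO_TCP, build_tcp(40002, 443)),
}


def classify_samples() -> Dict[str, str]:
    """Classify every constructed sample; used by the demo below and by the tests."""
    return {name: classify_vpn_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:15s} -> {label}")
```

Because PPTP data rides on IP protocol 47 rather than a port, and L2TP/IPSec needs protocols 50 and 51 in addition to UDP 500 and 4500, a firewall rule set that only opens TCP and UDP ports will let the control traffic through and silently break the tunnel; the classifier makes that split visible when run over a capture.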
Some advantages to using PPTP over L2TP are as follows:
PPTP does not require a certificate infrastructure.
PPTP does not require any modification when used with NAT through a firewall.
If stronger authentication is desired, you can use Extensible Authentication Protocol (EAP) to further secure the authentication process.
Windows Vista clients use the following authentication and encryption protocols to secure PPTP sessions.
Password Authentication Protocol (PAP)— PAP is an authentication protocol that provides no encryption of the authentication session; the credentials travel in the clear. You should not choose this protocol unless another service is providing an additional layer of protection over the session.
Challenge Authentication Protocol (CHAP)— CHAP is a standardized authentication protocol. If Windows Vista clients use this protocol, they are not able to utilize Microsoft Point-to-Point Encryption (MPPE) for encryption. You should choose the CHAP protocol only if there are mixed clients that are non-Windows clients. Windows Vista clients support CHAP if the endpoint supports neither of the two authentication protocols that follow.
MS-CHAPv2— This is an enhanced version of the older and now-unsupported MS-CHAP authentication protocol. MS-CHAPv2 provides a secure authentication session between the tunnel origin (a Windows Vista client in this case) and the tunnel endpoint.
Extensible Authentication Protocol (EAP)— EAP provides additional protection of the authentication session by allowing the use of certificates and SmartCards as well as other devices and methods for added security. If used with PPTP, EAP requires a certificate infrastructure.
Microsoft Point-to-Point Encryption (MPPE)— MPPE is Microsoft’s default encryption service on PPTP connections and uses up to 128-bit encryption. MPPE provides a relatively secure data connection. You can adjust settings to ensure that the highest level of encryption is used with the remote access server.
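The difference between PAP and CHAP described above is easiest to see on the wire, so here is an added example (not code from the book or from any Microsoft component) that implements both sides of a CHAP exchange with the MD5 algorithm of RFC 1994, Response = MD5(Identifier || Secret || Challenge), next to the PAP Authenticate-Request layout of RFC 1334. The authenticator issues one challenge per Identifier and consumes it on verification, so a captured response cannot simply be replayed. The user name and secret are constructed values; the class and function names are this example's own, not part of any real PPP stack.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, MD5 algorithm: MD5 over the one-byte Identifier, the secret, and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_authenticate_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): Peer-ID and Password with length prefixes.
    The password itself is carried unchanged, which is why PAP offers no protection."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def wire_contains_secret(wire: bytes, secret: bytes) -> bool:
    """True when the secret appears verbatim in what was sent."""
    return secret in wire


class ChapAuthenticator:
    """Server side: issues a fresh challenge per Identifier and verifies the peer's response."""

    def __init__(self, secrets: Dict[bytes, bytes]):
        self._secrets = secrets          # name -> shared secret (constructed user database)
        self._pending: Dict[int, bytes] = {}

    def challenge(self, identifier: int, challenge: Optional[bytes] = None) -> bytes:
        value = challenge if challenge is not None else os.urandom(16)
        self._pending[identifier] = value
        return value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)   # each challenge is good for one answer
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)     # constant-time comparison


class ChapPeer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name: bytes, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[bytes, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(peer: ChapPeer, auth: ChapAuthenticator, identifier: int = 1,
             challenge: Optional[bytes] = None) -> bool:
    """Full exchange: Challenge -> Response -> Success/Failure, returned as a bool."""
    chal = auth.challenge(identifier, challenge)
    name, resp = peer.respond(identifier, chal)
    return auth.verify(identifier, name, resp)


if __name__ == "__main__":
    # Constructed credentials for the demo
    auth = ChapAuthenticator({b"vista-client": b"constructed-secret"})
    peer = ChapPeer(b"vista-client", b"constructed-secret")
    print("CHAP success:", run_chap(peer, auth))
    print("PAP exposes password:",
          wire_contains_secret(pap_authenticate_request(b"vista-client", b"pw"), b"pw"))
```

MS-CHAPv2 keeps the same challenge/response shape but hashes the password differently and adds mutual authentication; the replay check and constant-time comparison shown here apply to any of these protocols.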
L2TP/IPSec
L2TP is the preferred secure tunneling protocol native to Windows Vista. L2TP in itself provides only the tunnel service; IPSec is required to provide the encryption of the data. Microsoft recommends that L2TP be implemented with the use of a certificate infrastructure. A certificate is recommended to authenticate the client and the server creating the tunnel, although a preshared key option is available for this step of the authentication process.
L2TP tunnels PPP packets inside a UDP datagram using UDP port 1701 for source and destination. The tunneled PPP packet is encrypted with IPSec. IPSec comes in two flavors: Authentication Header (AH) or Encapsulating Security Payload (ESP). In addition to many of the previously discussed authentication protocols from the PPTP section, the following security protocols are added by the use of L2TP with IPSec:
IPSec AH— IPSec AH provides only authentication of the data payload and of portions of the original IP header. It does not encrypt or disguise the actual data in any way. IPSec AH uses IP protocol 51. Microsoft’s L2TP/IPSec implementation does not use IPSec AH.
IPSec ESP— IPSec ESP provides both authentication of the data payload and encryption of it. IPSec ESP uses the highest level of encryption available from Microsoft clients. Microsoft’s TechNet states that if the endpoint is Windows Server 2008, the IPSec encryption protocol that can be chosen is the Advanced Encryption Standard (AES). AES is not included in the released versions of previous Windows Server operating systems, so DES or 3DES is used for those connections. IPSec ESP uses IP protocol 50. IPSec ESP is the protocol chosen by Microsoft’s L2TP/IPSec implementation.
L2TP/IPSec VPNs support IPv4 and IPv6 VPN connections.
Table 1 shows details on the protocol numbers and ports used for L2TP VPNs.