Basic Virtual Private Network Deployment
Why deploy a Virtual Private Network? It is important to first understand the needs of your environment and then decide whether tunneling will fulfill those needs. This chapter also covers many common attacks that occur over networks to help you understand why it is important to protect your servers. Finally, it covers basic tunnel network designs.
Before discussing the features of Windows 2000 tunneling technology, it is important to establish the terminology that one should be familiar with. The terminology is not specific to Windows 2000 and can be applied to almost any VPN-related product. After defining the terminology this book uses, this chapter discusses one all-important question: Why deploy a Virtual Private Network? It is important to first understand the needs of your environment and then decide whether tunneling will fulfill those needs. This chapter also covers many common attacks that occur over networks to help you understand why it is important to protect your servers. Finally, it covers basic tunnel network designs.
The first step is to define some VPN terminology. You should be familiar with the following terms:
VPN server (also known as a tunnel server). A computer that accepts VPN connections from VPN clients. A VPN server can provide remote access VPN connections or a router-to-router (site-to-site) VPN connection. It is the VPN server that is connected to the public network. This book primarily refers to Windows 2000 as the tunnel server, but there are many other types of tunnel servers.
VPN client (also known as a tunnel client.) A computer that initiates a VPN connection to a VPN server. A VPN client can be an individual computer that obtains a remote access VPN connection or a router that obtains a router-to-router VPN connection. This book primarily covers Windows 2000, Windows 98, and Windows NT 4 as VPN clients.
Tunnel. The logical link between the tunnel client and the tunnel server. This link is where the data is encrypted and encapsulated. It is possible to create a tunnel and send the data through the tunnel without encryption, but that is not a recommended VPN connection type because the data being sent can be intercepted and read.
Edge server. This tunnel server is the outermost server on the company's private network. Typically, anything "behind" this server (on the corporate network) is "open frame" traffic and can be readily intercepted. If frames are captured on the private network, the security of the traffic is compromised, even though the network is using a tunnel to the edge server. This scenario does not, therefore, have end-to-end security. An edge server can be a firewall, or it can be a specific system that does nothing but handle tunnel traffic.
End-to-end security. A path that is encrypted from the client all the way to the actual destination server has end-to-end security. Because the technology needed for a practical implementation of end-to-end security has just been released, most designs currently use a specific tunnel server on the edge of the corporate network. If you have complete security, it will not matter if frames are captured anywhere in the path because they maintain their encryption at all points in their journey. At this time, most designs use a specific tunnel server on the edge of the corporate network and have encryption only between the client and the tunnel server.
Voluntary tunnel. A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the user's computer is a tunnel endpoint and acts as the tunnel client. The client must have the appropriate tunnel protocol installed. Many network designs require this because the corporate networks do not generally control home LANs, and having the tunnel clients as the actual endpoints reduces the potential security risks.
Compulsory tunnel. A tunnel configured and created by a VPN-capable dial-up access server. With a compulsory tunnel, the user's computer is not a tunnel endpoint. Another device, the remote access server, between the user's computer and the tunnel server is the tunnel endpoint, which acts as the tunnel client. This configuration allows multiple clients on the branch office or home LAN to use the tunnel concurrently. It is possible to share a single tunnel to multiple computers.