While almost all organizations use TCP/IP in their networks, some continue to use legacy protocols, such as Novell’s IPX/SPX to reach NetWare servers and NetBIOS/NetBEUI to reach older Windows systems. These organizations have a stake in continuing to support those protocols, but they may also want to give remote users access to them, or to offer TCP/IP-based services to remote users in a secure manner. Luckily, there’s a global network capable of addressing both needs: the Internet.
But wait—the Internet is based on TCP/IP, not IPX/SPX, NetBIOS, or a secure IP solution. This is where tunneling comes in. Often, the term virtual private network (VPN) is used to refer to the concept of tunneling. The purpose of a tunnel is to securely extend the reach of a network to a remote office or to a remote client.
Using tunneling, an organization can encapsulate packets of these protocols inside standard IP packets and send them securely across the Internet to a remote destination, where the original packet is pulled out of the IP packet and forwarded on to its destination. A tunnel is not just for non-IP services, though. You can also use tunneling to provide “IP in IP” services to users.
Although there are several ways to tunnel protocols, I’ll focus on four of the most common tunneling methods. All four were developed based on the structure of PPP (Point-to-Point Protocol):
- PPPoE (Point-to-Point Protocol over Ethernet): DSL and cable modem providers use PPPoE to give subscribers an authenticated service, which lets the provider keep track of who is using the service and how much. It is not a common tunneling protocol for remote access to offices, but network administrators should be aware of it if they support remote users with broadband connections. As such, I won’t discuss it as an option for providing remote services to users.
- PPTP (Point-to-Point Tunneling Protocol): PPTP is a common but older tunneling technology. PPTP encapsulates PPP frames in GRE (IP protocol 47) packets, with a separate TCP control connection on port 1723, and routes them over the Internet. Many VPNs are based on PPTP. PPTP itself has no encryption of its own; the data security it offers comes from Microsoft Point-to-Point Encryption (MPPE), an RC4 cipher whose keys are derived from the MSCHAP authentication exchange.
- L2F (Layer Two Forwarding): L2F was developed by Cisco and supports any authentication scheme that is supported by PPP. L2F has been superseded by L2TP, so I won’t discuss it further in this article. I included it only since you may run across it in a legacy application.
- L2TP (Layer Two Tunneling Protocol): This newer tunneling technology performs a function similar to PPTP’s, but it offloads the encryption job to a different and very powerful technology called IPSec. In an L2TP/IPSec tunnel, IPSec authenticates the two machines (with certificates or a pre-shared key) before the tunnel is established, and the PPP session carried inside the tunnel then authenticates the user before any resources are accessible. L2TP is a “best of breed” technology created by merging PPTP and the less widely used L2F.
For any of the above tunneling methods, the remote PPP client needs to be able to authenticate to the remote access server. There are a number of ways to do this:
- PAP (Password Authentication Protocol) is the weakest of the methods: it sends the password in clear text across the link. Inside an IPSec-protected L2TP tunnel it is at least hidden from the Internet, but over PPTP, whose MPPE encryption keys are derived from the MSCHAP exchange, a PAP session is neither securely authenticated nor encrypted. It’s only recommended for clients that don’t support anything better.
- CHAP (Challenge Handshake Authentication Protocol) is an improvement over PAP, but it still has its own security problems. Rather than sending a clear text password over the Internet, the server sends the client a random challenge string and an identifier. The client computes an MD5 hash over the identifier, the user’s password and the challenge and sends that hash back; the server computes the same hash from its stored copy of the password and compares the two. A match authenticates the user. Because the server needs the password itself to compute the hash, CHAP requires storing passwords in clear text or with reversible encryption, both of which present security risks. And although the password never crosses the wire, anyone who captures the challenge and response can test candidate passwords against them offline.
- MSCHAP (Microsoft CHAP) is an extension of CHAP developed by Microsoft. Rather than storing passwords on the server in clear text, MSCHAP lets the server keep an MD4 hash of the Unicode password (the NT hash), which is an improvement over PAP and CHAP. Be aware that this hash is password-equivalent for MSCHAP purposes: anyone who obtains it can answer challenges without knowing the password, so the account database needs the same protection that clear text passwords would. In addition, MSCHAP supports error-code information passing and password changes.
- MSCHAP Version 2 provides security improvements over MSCHAP, including mutual authentication (the server also proves knowledge of the password hash), separate encryption keys for each direction, and removal of the weak LAN Manager response, as well as the ability to change passwords with a single packet.
- EAP (Extensible Authentication Protocol) is a more recent framework that allows alternate authentication methods, such as smart cards, to be plugged in. Two common EAP methods in use today are EAP-MD5 CHAP and EAP-TLS. EAP-TLS requires mutual authentication: both the client and the server prove their identity to each other, normally with certificates. EAP-MD5 CHAP is the CHAP MD5 challenge/response carried in EAP packets instead of as a PPP authentication protocol of its own, so it inherits CHAP’s weaknesses.
Providing remote services to users
The two most likely methods to consider when providing remote access to users are PPTP and L2TP. Depending on your situation, one may be a better option than the other. If your remote clients sit behind NAT devices, they use private addresses from RFC 1918: 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x), or 192.168.0.0/16 (192.168.x.x). In such cases, L2TP will be more difficult to implement because IPSec, as originally specified, does not pass through NAT.
At the time of writing, IETF proposals to address this major problem with IPSec (what became NAT Traversal, or NAT-T, which wraps IPSec traffic in UDP on port 4500 so that a NAT has something to rewrite) were not yet standardized or widely supported. The reason IPSec has trouble with NAT is simple: NAT rewrites the IP header, replacing the private source address and, for port-translating NAT, the transport port and checksums, while IPSec exists precisely to detect that an IP packet has been modified in transit. AH’s integrity check covers the addresses in the IP header, so any rewrite fails verification, and ESP carries no port numbers for a port-translating NAT to track. Without a NAT-aware encapsulation, the two technologies are therefore mutually exclusive.
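To make the NAT conflict concrete, here is an added simulation (not code from the article) of the two places it bites: an AH-style integrity check, which covers the addresses in the IP header, and a port-translating NAT’s session table, which has nothing to key on in an ESP packet. The header builder, the HMAC stand-in for the AH integrity check, and the UDP/4500 framing at the end are simplified models of the real AH/ESP and RFC 3948 formats; the key, addresses and payload are constructed.

```python
"""Simulation of why classic IPsec fails behind NAT (added example, not the article's code)."""
import hashlib
import hmac
import socket
import struct

SA_KEY = b"constructed-demo-key"   # stand-in for the integrity key IKE would negotiate
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte header (checksum field zeroed).
    On a header that already carries a correct checksum it returns 0."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def nat_rewrite_src(hdr: bytes, public_src: str) -> bytes:
    """What every NAT does on the way out: replace the private source address, fix the checksum."""
    h = bytearray(hdr)
    h[12:16] = socket.inet_aton(public_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH-style integrity check value. The IP header is covered except for the fields routers
    legitimately change in transit (TOS, flags/fragment offset, TTL, checksum); the source and
    destination addresses are NOT exempt, which is exactly what a NAT rewrites."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(SA_KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]


def napt_session_key(hdr: bytes, payload: bytes):
    """The lookup key a port-translating NAT (NAPT) needs to map replies back to an inside host."""
    proto = hdr[9]
    if proto in (6, PROTO_UDP):                       # TCP/UDP: ports are the first two fields
        sport, dport = struct.unpack("!HH", payload[:4])
        return (socket.inet_ntoa(hdr[12:16]), proto, sport, dport)
    return None                                       # ESP (50) and AH (51) carry no ports


def nat_effects(private_src: str = "192.168.1.10", public_src: str = "198.51.100.7",
                vpn_gw: str = "203.0.113.5") -> dict:
    """Push one AH packet, one ESP packet and one NAT-T packet (ESP inside UDP/4500) through
    a NAT and report what the VPN gateway, respectively the NAT, can still do with them."""
    body = b"constructed IPsec payload"

    # AH: the client computes the ICV over its private address; the gateway recomputes it
    # over the header as rewritten by the NAT, and the two never agree.
    ah_hdr = ipv4_header(private_src, vpn_gw, PROTO_AH, len(body))
    icv_at_client = ah_icv(ah_hdr, body)
    icv_at_gateway = ah_icv(nat_rewrite_src(ah_hdr, public_src), body)

    # ESP: integrity is unaffected by the outer header, but a port-translating NAT
    # has no port field to build a session entry from.
    esp_natted = nat_rewrite_src(ipv4_header(private_src, vpn_gw, PROTO_ESP, len(body)), public_src)

    # NAT-T (RFC 3948): the same ESP body wrapped in a UDP datagram on port 4500 gives the NAT
    # a port to translate and track.
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(body), 0) + body
    natt_natted = nat_rewrite_src(ipv4_header(private_src, vpn_gw, PROTO_UDP, len(udp)), public_src)

    return {
        "ah_integrity_ok": hmac.compare_digest(icv_at_client, icv_at_gateway),
        "napt_can_track_esp": napt_session_key(esp_natted, body) is not None,
        "napt_can_track_nat_t": napt_session_key(natt_natted, udp) is not None,
    }


if __name__ == "__main__":
    for name, value in nat_effects().items():
        print(f"{name}: {value}")
```

Running it gives ah_integrity_ok False, napt_can_track_esp False and napt_can_track_nat_t True, which is the whole story of L2TP/IPSec behind NAT in three lines: AH cannot tolerate any address rewrite, ESP survives the rewrite but gives a port-translating NAT nothing to multiplex on, and wrapping ESP in UDP is what NAT-T adds to fix that.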
PPTP, on the other hand, is very widely supported, but it’s not recommended for particularly sensitive environments. In practice PPTP uses MSCHAP or MSCHAPv2 for authentication (plain CHAP cannot key PPTP’s MPPE encryption, and PAP leaves the session unencrypted). As stated earlier, these methods don’t send a clear text password over the Internet; they send a response computed from the password and a challenge. Unfortunately, anyone who captures that exchange can run a dictionary or brute-force attack against it offline with a utility such as L0phtCrack and recover the user’s original password, and because the MPPE session keys are derived from that same password, the captured traffic falls with it.
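The CHAP mechanism described in the authentication list above, and the offline attack on it that this paragraph warns about, as an added example (not code from the article): it implements the RFC 1994 challenge/response, a server-side check that shows why the server must hold the cleartext secret, a dictionary attack over a constructed captured exchange of the kind L0phtCrack automates, and the NT hash (MD4 over the UTF-16LE password) that an MSCHAP server stores instead of the password. MD4 is implemented inline because hashlib’s md4 is frequently disabled in OpenSSL 3 builds; MSCHAP’s own DES-based response computation is not implemented here. The account, identifier, challenge and wordlist are constructed.

```python
"""CHAP challenge/response, its offline dictionary attack, and the NT hash MS-CHAP stores.
Added example, not the article's code; account, challenge and wordlist are constructed."""
import hashlib
import hmac
import struct

# ---- CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge) ----


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the client sends back; the server computes the identical value to compare."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(user_db: dict, name: bytes, identifier: int,
                       challenge: bytes, response: bytes) -> bool:
    """Server side. It needs the secret itself, not a hash of it, which is why a CHAP
    server must store passwords in cleartext or reversibly encrypted."""
    secret = user_db.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def crack_chap(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Offline attack on a captured exchange: no further contact with the server is
    needed, so the only limits are the attacker's wordlist and CPU."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def captured_exchange_demo() -> bytes:
    """One constructed CHAP exchange as a sniffer on the PPP link would see it, then cracked."""
    user_db = {b"alice": b"letmein"}                  # constructed account, cleartext as CHAP requires
    identifier = 0x2A
    challenge = bytes.fromhex("7f3a9c1de4b2a0c5")      # constructed 8-byte challenge from the server
    response = chap_response(identifier, user_db[b"alice"], challenge)   # sent by the client
    assert chap_server_verify(user_db, b"alice", identifier, challenge, response)
    wordlist = [b"password", b"123456", b"qwerty", b"letmein", b"hunter2"]   # constructed
    return crack_chap(identifier, challenge, response, wordlist)


# ---- MS-CHAP: the server keeps MD4(UTF-16LE password), the "NT hash", not the password ----

_MD4_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled in OpenSSL 3 builds)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)             # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in _MD4_ROUNDS:
            for i, j in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[j] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c                  # rotate registers for the next step
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The value an MS-CHAP server stores. It is not the password, but anyone holding it can
    answer MS-CHAP challenges, so the account database must be protected like cleartext."""
    return md4(password.encode("utf-16-le"))


if __name__ == "__main__":
    print("cracked CHAP password:", captured_exchange_demo())
    print("NT hash of 'password':", nt_hash("password").hex())
```

Two things to take from it: chap_server_verify has no way to work without the cleartext secret, so a CHAP user database is itself a cleartext password store, and crack_chap never talks to the server, so lockout policies and audit logs on the remote access server see nothing while the password is recovered from one captured exchange.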
Of course, at some point, you’ll need to implement something. If you can’t implement L2TP because of NAT, implement PPTP instead, and compensate for its weaker authentication by requiring MSCHAPv2 and 128-bit MPPE and by enforcing strong passwords, since a captured PPTP exchange is only as hard to crack as the password behind it.
VPNs and tunnels are powerful, convenient, and, when set up with the stronger options above, secure ways to access resources remotely. Windows 2000 includes the ability to set them up easily. If you’re running services that rely on IPX or NetBEUI, those will work over the same tunnel: PPTP and L2TP carry PPP frames, and PPP can carry IPX and NetBEUI as well as IP, so the foreign protocols travel embedded inside IP packets and traverse the Internet that way.