Setting up remote access servers and connections in Windows can be somewhat overwhelming and confusing if you don’t understand the protocol configuration options involved. You have a number of remote access protocol options to choose from, and deciding which ones to use will depend on the functionality you need, your system configuration, and your hardware and communications capabilities. To help make sense of all these options, we’ll take a look at the categories of protocols and the advantages and disadvantages of the various protocols within each one.
Categories and choices
First, you need to consider two distinct methods of remote access, each of which uses different protocols:
- Dial-up networking
- Virtual private networking (VPN)
Within each method, there are three basic categories for protocols:
- Connectivity
- Authentication
- Data encryption
In making decisions about which protocol to use, you must remember two things. First, you want the best security you can provide for the remote session. You want authentication to be encrypted so that someone who is snooping cannot see it, and you want the data that is passed in the remote session to be encrypted for the same reason.
Second, older systems and their associated protocols are less capable in terms of encryption than newer systems, so you need to be aware of when you may have to use the older protocols and what you're giving up when you do.
Let’s take a look at the protocols for dial-up connectivity, authentication, and encryption. Then, we will do the same for VPN remote access.
Dialing up a connection
Dial-up involves one modem connecting with another over the Public Switched Telephone Network (PSTN), creating a temporary, dedicated WAN link. There are three possible protocols for making the initial connection: Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), and Asynchronous NetBEUI (AsyBEUI). Table A explains their differences.
Authenticating the user
Part of the dial-up process involves authentication, usually by providing a password. Since that password can be intercepted and used to gain unauthorized access, it should be encrypted using the strongest possible method that is supported by both the server and the client. It’s important to remember that PPP is the only dial-up protocol that supports encryption. If you must use SLIP or AsyBEUI, the only authentication protocol you can use is PAP. Table B outlines the differences between the available authentication protocols.
Security for your data
Although it’s important that passwords be encrypted in the authentication process, it’s also desirable to encrypt the data that is transmitted after authentication takes place. You can provide data encryption using link encryption or end-to-end encryption. With link encryption, the data is encrypted only on the link (i.e., only to the remote access server); with end-to-end encryption, the data is encrypted from the client application to the server hosting the resource being accessed. In a Windows network, when using PPP for a dial-up connection, only one protocol is available for data encryption, the Microsoft Point-to-Point Encryption Protocol (MPPE), as shown in Table C.
Virtual private networking protocols encapsulate PPP frames (the data units at the data link layer of the OSI model) into IP datagrams at the network layer. These datagrams are then sent across an internetwork, which can be either a private network or, more commonly, the Internet. This encapsulation creates a “tunnel” that acts like a dedicated WAN link, even though it usually uses the Internet—thus, a “virtual” private network.
Because VPN is still using the PPP protocol, all of the authentication protocols associated with PPP, such as CHAP and EAP, still apply to VPN. However, we need to take a closer look at the protocols for connectivity and data encryption, shown in Tables D and E, respectively.
When planning and configuring a remote access environment, you need to know what protocols the clients and servers will be using. That will determine which protocols can be used for connectivity, authentication, and encryption. Given a choice of protocols, you almost always want to pick the combination that provides the greatest security. For dial-up, that may be a combination of PPP, MS-CHAP V2, and MPPE. For VPN, that may be a combination of L2TP, EAP-TLS, and IPSec. If you have client systems that do not support these protocols, you may have to either choose a different protocol that provides less security or not allow that client to connect to your remote access server.
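As an added example (not code from the original article), the following Python planning check encodes the selection rules described above: it picks the strongest combination of connectivity, authentication, and encryption protocols that both the client and the server support, applies the constraint that SLIP and AsyBEUI allow only PAP and no data encryption, and compares the result against a policy floor so you can see whether a given client should be allowed or denied. The rankings, the capability sets and the Capabilities class are the example's own assumptions; the rule that MPPE requires MS-CHAP, MS-CHAP v2 or EAP-TLS comes from RFC 3079, not from this article.

```python
from dataclasses import dataclass

# Rankings, weakest first, following the article's preferences (assumed).
CONNECTIVITY = {"dial-up": ["AsyBEUI", "SLIP", "PPP"], "vpn": ["PPTP", "L2TP"]}
AUTHENTICATION = ["PAP", "CHAP", "MS-CHAP", "MS-CHAP v2", "EAP-TLS"]
ENCRYPTION = {"dial-up": ["none", "MPPE"], "vpn": ["none", "MPPE", "IPSec"]}
# MPPE keys come from MS-CHAP, MS-CHAP v2 or EAP-TLS (RFC 3079), never PAP or CHAP.
MPPE_AUTH = {"MS-CHAP", "MS-CHAP v2", "EAP-TLS"}

@dataclass
class Capabilities:
    """Protocols one side (client or server) supports; constructed sample data."""
    connectivity: set
    authentication: set
    encryption: set

def strongest(ranked, common):
    """Highest-ranked protocol in the mutually supported set, or None."""
    return next((p for p in reversed(ranked) if p in common), None)

def choose(method, client, server):
    """Strongest mutually supported (connectivity, authentication, encryption)."""
    conn = strongest(CONNECTIVITY[method], client.connectivity & server.connectivity)
    if conn is None:
        return None
    auth_common = client.authentication & server.authentication
    if method == "dial-up" and conn != "PPP":
        # SLIP and AsyBEUI carry no encryption; PAP is the only authentication option.
        return (conn, "PAP", "none") if "PAP" in auth_common else None
    auth = strongest(AUTHENTICATION, auth_common)
    if auth is None:
        return None
    enc_common = client.encryption & server.encryption
    if auth not in MPPE_AUTH:
        enc_common -= {"MPPE"}  # no key material for MPPE with PAP/CHAP
    return (conn, auth, strongest(ENCRYPTION[method], enc_common) or "none")

def decide(method, choice, floor):
    """'allow' only if every negotiated protocol ranks at or above the policy floor."""
    if choice is None:
        return "deny"
    tables = (CONNECTIVITY[method], AUTHENTICATION, ENCRYPTION[method])
    ok = all(t.index(got) >= t.index(want) for t, got, want in zip(tables, choice, floor))
    return "allow" if ok else "deny"

if __name__ == "__main__":
    server = Capabilities({"PPP", "SLIP", "L2TP"}, {"PAP", "MS-CHAP v2", "EAP-TLS"}, {"MPPE", "IPSec"})
    legacy = Capabilities({"SLIP", "PPP"}, {"PAP"}, set())  # constructed old client
    picked = choose("dial-up", legacy, server)
    print(picked, decide("dial-up", picked, ("PPP", "MS-CHAP v2", "MPPE")))
```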