Making sense of remote access protocols in Windows

To help make sense of all the protocol configuration options involved in setting up remote access servers, take a look at the categories of protocols and the advantages and disadvantages of the various protocols within each one.

Setting up remote access servers and connections in Windows can be somewhat overwhelming and confusing if you don’t understand the protocol configuration options involved. You have a number of remote access protocol options to choose from, and deciding which ones to use will depend on the functionality you need, your system configuration, and your hardware and communications capabilities. To help make sense of all these options, we’ll take a look at the categories of protocols and the advantages and disadvantages of the various protocols within each one.

Categories and choices
First, you need to consider two distinct methods of remote access, each of which uses different protocols:
  • Dial-up
  • Virtual private networking (VPN)

Within each method, there are three basic categories for protocols:
  • Connectivity
  • Authentication
  • Data encryption

In making decisions about which protocol to use, you must remember two things. First, you want the best security you can provide for the remote session. You want authentication to be encrypted so that someone who is snooping cannot see it, and you want the data that is passed in the remote session to be encrypted for the same reason.

Second, older systems and their associated protocols are less capable in terms of encryption than newer systems, so you need to be aware of when you may have to use the older protocols and what you're giving up when you do.

Let’s take a look at the protocols for dial-up connectivity, authentication, and encryption. Then, we will do the same for VPN remote access.

Dialing up a connection
Dial-up involves one modem connecting with another over the Public Switched Telephone Network (PSTN), creating a temporary, dedicated WAN link. There are three possible protocols for making the initial connection: Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), and Asynchronous NetBEUI (AsyBEUI). Table A explains their differences.
Table A: Dial-up connectivity protocols

Point-to-Point Protocol (PPP)
  Usage: Almost always the protocol of choice for both server and client. It is required if encryption is to be used in the dial-up session.
  Notes: Supports TCP/IP as well as other LAN protocols such as IPX/SPX, AppleTalk, and DECnet.

Serial Line Internet Protocol (SLIP)
  Usage: Used as a client in NT or Win2K only when necessary to connect to an older server that does not support PPP.
  Notes: Allows TCP/IP connections only and does not support WINS or DHCP.

Asynchronous NetBEUI (AsyBEUI)
  Usage: A Microsoft proprietary remote access protocol used only for legacy systems such as early versions of Windows NT, Windows for Workgroups, or DOS.
  Notes: Supports only the NetBEUI LAN protocol.

Authenticating the user
Part of the dial-up process involves authentication, usually by providing a password. Since that password can be intercepted and used to gain unauthorized access, it should be encrypted using the strongest possible method that is supported by both the server and the client. It’s important to remember that PPP is the only dial-up protocol that supports encryption. If you must use SLIP or AsyBEUI, the only authentication protocol you can use is PAP. Table B outlines the differences between the available authentication protocols.
Table B: Dial-up authentication protocols

Password Authentication Protocol (PAP)
  Usage: Used only when the server requires a plaintext password.
  Notes: Passes the password without encryption and so is not secure.

Shiva Password Authentication Protocol (SPAP)
  Usage: Developed as an improvement to PAP for use with Shiva LAN Rover products.
  Notes: Uses a very weak encryption scheme.

Challenge Handshake Authentication Protocol (CHAP)
  Usage: Probably the most commonly used dial-up protocol for authentication.
  Notes: Uses reversibly encrypted passwords for greater security. However, the passwords are stored on the RAS server in plaintext.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 1
  Usage: A Microsoft proprietary protocol, developed for use with the Windows operating system.
  Notes: Similar to CHAP but allows storage of passwords on the server in encrypted format.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 2
  Usage: A Microsoft proprietary protocol, developed for use with the Windows operating system.
  Notes: Similar to MS-CHAP Version 1 but requires mutual authentication and different encryption keys when sending and receiving, and so is more secure than MS-CHAP v1.

Extensible Authentication Protocol (EAP)
  Usage: Designed as an extension to PPP so that newer authentication methods such as one-time passwords, smart cards, or biometric techniques can be used.
  Notes: There are two different types of EAP, and both the server and client must use the same type: one is used primarily for password-based security, the other (EAP-TLS) primarily for certificate-based security.
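The difference between PAP and CHAP in Table B is easiest to see on the wire. The following is an added example, not code from the original article: a small Python simulation of both exchanges (the CHAP response value follows RFC 1994, MD5 over identifier, secret and challenge). The credential store, user name and secret are constructed for the example. It shows three things a defender cares about: PAP puts the secret itself in the Authenticate-Request, CHAP puts only a hash that changes with every challenge, so a recorded response is useless against a later challenge, and the CHAP server can only verify a response if it holds the actual secret, which is exactly why the table notes that the RAS server must keep CHAP passwords in a recoverable form.

```python
import hashlib
import hmac
import os

# Constructed credential store for the example. CHAP forces the server to keep
# the real secret (plaintext or reversibly encrypted) because the server must
# recompute the MD5 response itself; a one-way password hash would not do.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def pap_authenticate_request(user, password):
    """PAP: the client's Authenticate-Request carries the password as-is."""
    return {"user": user, "password": password}


def pap_server_verify(request):
    """PAP server check: a straight comparison of the transmitted password."""
    expected = USER_SECRETS.get(request["user"])
    return expected is not None and hmac.compare_digest(expected, request["password"])


def chap_server_challenge(identifier=None, challenge=None):
    """CHAP server side: a fresh identifier and a random challenge value.
    Explicit values may be passed to make a run reproducible."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    if challenge is None:
        challenge = os.urandom(16)
    return identifier, challenge


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_client_response(user, secret, identifier, challenge):
    """What the client sends: the hash, never the secret itself."""
    return {"user": user, "identifier": identifier,
            "response": chap_response_value(identifier, secret, challenge)}


def chap_server_verify(response, identifier, challenge):
    """CHAP server check: recompute the expected hash from the stored secret and
    compare in constant time. identifier/challenge must be the ones this server
    issued for this attempt, so an old response does not match a new challenge."""
    secret = USER_SECRETS.get(response["user"])
    if secret is None or response["identifier"] != identifier:
        return False
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response["response"])


def secret_visible_on_wire(message, secret):
    """Would someone passively recording this message learn the secret?"""
    wire = b"".join(v if isinstance(v, bytes) else str(v).encode()
                    for v in message.values())
    return secret in wire


def demo():
    """Run one PAP and one CHAP authentication and summarise the outcome."""
    secret = USER_SECRETS["alice"]
    pap_msg = pap_authenticate_request("alice", secret)
    ident, chal = chap_server_challenge()
    chap_msg = chap_client_response("alice", secret, ident, chal)
    # Replaying the recorded CHAP response against a later challenge fails.
    ident2, chal2 = chap_server_challenge()
    return {
        "pap_accepted": pap_server_verify(pap_msg),
        "pap_leaks_secret": secret_visible_on_wire(pap_msg, secret),
        "chap_accepted": chap_server_verify(chap_msg, ident, chal),
        "chap_leaks_secret": secret_visible_on_wire(chap_msg, secret),
        "chap_replay_accepted": chap_server_verify(chap_msg, ident2, chal2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same recompute-and-compare structure is what makes CHAP "reversibly encrypted" from the server's point of view: whatever storage format is used, the server must be able to get the original secret back to feed it into the hash.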

Security for your data
Although it’s important that passwords be encrypted in the authentication process, it’s also desirable to encrypt the data that is transmitted after authentication takes place. You can provide data encryption using link encryption or end-to-end encryption. With link encryption, the data is encrypted only on the link (i.e., only to the remote access server); with end-to-end encryption, the data is encrypted from the client application to the server hosting the resource being accessed. In a Windows network, when using PPP for a dial-up connection, only one protocol is available for data encryption, the Microsoft Point-to-Point Encryption Protocol (MPPE), as shown in Table C.
Table C: Dial-up data encryption protocol

Microsoft Point-to-Point Encryption (MPPE)
  Usage: For data encryption in a dial-up session in a Windows network.
  Notes: In order to use MPPE, the authentication protocol for the dial-up session must be either EAP-TLS or MS-CHAP version 1 or 2.

VPN protocols
Virtual private networking protocols encapsulate PPP frames (the data units at the data link layer of the OSI model) into IP datagrams at the network layer. These datagrams are then sent across an internetwork, which can be either a private network or, more commonly, the Internet. This encapsulation creates a “tunnel” that acts like a dedicated WAN link, even though it usually uses the Internet—thus, a “virtual” private network.

Because VPN is still using the PPP protocol, all of the authentication protocols associated with PPP, such as CHAP and EAP, still apply to VPN. However, we need to take a closer look at the protocols for connectivity and data encryption, shown in Tables D and E, respectively.
Table D: VPN connectivity protocols

Point-to-Point Tunneling Protocol (PPTP)
  Usage: Will work only over an IP internetwork.

Layer 2 Tunneling Protocol (L2TP)
  Usage: In addition to an IP internetwork, can also be used over Frame Relay PVCs and X.25 or ATM virtual circuits.
  Notes: A hybrid protocol designed to use the best features of both PPTP and a Cisco technology known as Layer 2 Forwarding.

Table E: VPN data encryption protocols

Microsoft Point-to-Point Encryption (MPPE)
  Usage: May be used only with PPTP, not with L2TP.
  Notes: As with PPP, if MPPE is used, the authentication protocol must be either MS-CHAP or EAP-TLS. Provides only link encryption.

Internet Protocol Security (IPSec)
  Usage: May be used only with L2TP. Its use with L2TP will also require computer certificates provided by the Public Key Infrastructure.
  Notes: Provides end-to-end encryption.
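To make the encapsulation described above concrete, here is an added example (not code from the original article) that builds one L2TP data datagram layer by layer and then peels it apart again: an IPv4 header, a UDP header on the registered L2TP port 1701, the L2TP data-message header from RFC 2661, and inside it a PPP frame carrying an IPv4 payload. The addresses, tunnel and session IDs and the payload text are constructed for the example. Parsing it back shows why Table E pairs L2TP with IPSec: the tunnel on its own is only framing, and anyone on the path who can read the datagram can read the PPP payload exactly as the parser does.

```python
import socket
import struct

L2TP_UDP_PORT = 1701                   # registered port for L2TP (RFC 2661)
IP_PROTO_UDP = 17
PPP_PROTO_IPV4 = 0x0021                # PPP protocol field value for an IPv4 payload
L2TP_FLAGS_DATA_WITH_LENGTH = 0x4002   # T=0 (data), L=1 (length present), Ver=2


def ip_checksum(header):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ppp_frame(protocol, payload):
    """PPP frame as carried inside L2TP: HDLC address 0xFF, control 0x03,
    16-bit protocol field, then the user's data (unencrypted)."""
    return b"\xff\x03" + struct.pack("!H", protocol) + payload


def build_l2tp_data_message(tunnel_id, session_id, ppp_frame):
    """L2TP data message (RFC 2661 sec. 3.1): flags/version, length, tunnel ID,
    session ID, followed directly by the PPP frame."""
    length = 8 + len(ppp_frame)
    return struct.pack("!HHHH", L2TP_FLAGS_DATA_WITH_LENGTH, length,
                       tunnel_id, session_id) + ppp_frame


def build_ip_udp_datagram(src_ip, dst_ip, payload,
                          src_port=L2TP_UDP_PORT, dst_port=L2TP_UDP_PORT):
    """Wrap the L2TP message in UDP, then IPv4 (UDP checksum left as 0,
    which IPv4 permits; IP identification and DF flag are constructed)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, IP_PROTO_UDP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def peel_l2tp_datagram(datagram):
    """Walk the layers back down: IPv4 -> UDP -> L2TP -> PPP -> payload.
    Returns the fields an observer on the path can read without any key."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != IP_PROTO_UDP:
        raise ValueError("not a UDP datagram")
    src, dst = socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])
    udp = datagram[ihl:]
    _src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != L2TP_UDP_PORT:
        raise ValueError("not L2TP")
    l2tp = udp[8:udp_len]
    flags, = struct.unpack("!H", l2tp[:2])
    if flags & 0x8000:                          # T bit: control message
        raise ValueError("control message, not a data message")
    if (flags & 0x000F) != 2:
        raise ValueError("unsupported L2TP version")
    offset = 2
    if flags & 0x4000:                          # L bit: Length field present
        offset += 2
    tunnel_id, session_id = struct.unpack("!HH", l2tp[offset:offset + 4])
    offset += 4
    if flags & 0x0800:                          # S bit: Ns and Nr present
        offset += 4
    if flags & 0x0200:                          # O bit: Offset Size + padding
        offset_size, = struct.unpack("!H", l2tp[offset:offset + 2])
        offset += 2 + offset_size
    ppp = l2tp[offset:]
    ppp_proto, = struct.unpack("!H", ppp[2:4])
    return {"src": src, "dst": dst, "tunnel_id": tunnel_id,
            "session_id": session_id, "ppp_protocol": ppp_proto,
            "payload": ppp[4:]}


# Constructed sample: a client at 203.0.113.10 tunnelling to 198.51.100.5.
SAMPLE_PAYLOAD = b"GET /payroll/report HTTP/1.0\r\n\r\n"


def demo():
    frame = build_ppp_frame(PPP_PROTO_IPV4, SAMPLE_PAYLOAD)
    message = build_l2tp_data_message(0x0102, 0x0304, frame)
    datagram = build_ip_udp_datagram("203.0.113.10", "198.51.100.5", message)
    return datagram, peel_l2tp_datagram(datagram)


if __name__ == "__main__":
    _, fields = demo()
    print(fields)
```

With IPSec in place the UDP datagram built here would be the thing that gets encrypted (ESP wraps the whole L2TP message), so the parser's last two steps would have nothing readable to work on.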

Bottom line
When planning and configuring a remote access environment, you need to know what protocols the clients and servers will be using. That will determine which protocols can be used for connectivity, authentication, and encryption. Given a choice of protocols, you almost always want to pick the combination that provides the greatest security. For dial-up, that may be a combination of PPP, MS-CHAP V2, and MPPE. For VPN, that may be a combination of L2TP, EAP-TLS, and IPSec. If you have client systems that do not support these protocols, you may have to either choose a different protocol that provides less security or not allow that client to connect to your remote access server.
