As an administrator, one of the things I really like to do is access my servers remotely - why travel to work when there's no need to, and how much nicer to just log in and fix the problem from home?
That's all fine in theory, but as we all know enabling remote access isn't something to be taken lightly, as it can introduce security problems if not implemented correctly. So, I'm going to take a look at Routing and Remote Access Services (RRAS) within Windows 2008 Server, to see what's new to help us fulfil our requirements for a safe and secure set of servers.
Virtual Private Networking (VPN) is one of the best known and most used forms of RRAS nowadays. A VPN can be used to enable home users to safely connect to servers at work, to effect connections between organisational sites within the same company and also between different companies.
Setting up a VPN requires a server with two network interfaces, one interface connected to the internet and the other to the local network.
As machines connect to the servers they receive IP addresses, either from a DHCP server or from the VPN server itself - you can choose what you want to happen there.
You should be aware, though, that if you have a DHCP server then the VPN server will grab IP addresses in groups of ten at a time (one for the RAS server interface and nine for its clients), so you'll need to think carefully about the size of allocation you make to the VPN server.
For a VPN to work, you need three components: a VPN client, which is any computer that runs an OS that supports PPTP, L2TP or IPSec; a VPN server; and a VPN tunnel through which they can communicate.
|Begin creating your VPN server by installing the Network Policy and Access Role in Windows Server 2008|
Obviously, the least secure area here is the VPN tunnel, so the various tunnelling protocols take care to encrypt all data that passes through the tunnel.
Windows Server 2008 comes with a new VPN tunnel called Secure Socket Tunneling Protocol (SSTP), which was introduced because many companies chose to block PPTP and L2TP/IPSec, for a variety of reasons.
Certainly, PPTP could never be regarded as totally secure, because while the link would eventually become secure the initial exchange of credentials between client and server was unencrypted, and the link became secure only after the credentials have been established.
This scheme was therefore somewhat open to attack and compromise. L2TP/IPSec did establish secure connection right from the start, but even so, many firewalls are routinely set up to not accept any connections from these protocols.
SSTP sends Point to Point Protocol (PPP) packets down the tunnel via the Secure Sockets Layer (SSL) channel used by HTTPS, thus offering a different routing scenario that may appeal to companies that don't use the other protocols.
The authentication method used by default in SSTP is Extensible Authentication Protocol (EAP) - which, of course, also works over L2TP/IPSec and PPTP - in the format of EAP-TLS (Transport Level Security). EAP can use other forms, but only TLS comes by default with Windows Server 2008.