When Microsoft Corp. wheels out Windows Server 2003 this month, the company will address some shortcomings of its embedded VPN technology, making the software more attractive to users looking to save money connecting remote sites over the Internet.
While the company has included VPN capabilities for free in its PC platforms as far back as Windows 98, other vendors – Check Point Software Technologies Ltd., Cisco Systems Inc., NetScreen Technologies Inc., Nokia Corp. and Nortel Networks Corp. – perennially have beaten Microsoft in sales of VPN gear. Upgrades in Windows Server 2003 improve Microsoft’s clients and servers. Notably, the new software will introduce features such as denial of access to the VPN if the PC trying to connect to it isn’t configured with the right set of security applications such as firewalls and antivirus software. The package also will expand the ability to move VPN traffic through firewalls and make stronger authentication methods possible.
Many vendors already supply these features, so Microsoft is playing catch-up. But Microsoft’s widespread use is an advantage that others don’t have. The company’s NT, 2000 and 2003 servers can function as VPN gateways to terminate VPN sessions. Client support is available via Windows 98, ME, 2000 Professional and XP Pro. VPN gateways from Cisco, Enterasys Networks, Nortel and NetScreen support Microsoft VPN clients. Check Point says it will soon offer VPN gateways that support Microsoft VPN clients.
“The (thing) is not having to touch every laptop. If they have (a Windows operating system), they have basic VPN features built in. No other vendor can say that,” said Joel Snyder, a senior partner with Opus One and a member of Network World’s Global Test Alliance.
Microsoft VPN server software could be a moneysaver for small companies by having their servers do double duty as an internal server and WAN gateway. “I’d say (it’s attractive to) small enterprises who have committed to Windows 2000 at their remote offices and who have significant training in Microsoft products as well as a good solid Active Directory implementation,” Snyder says.
The VPN capabilities that come with the Windows Server platform are attractive, but aren’t necessarily the most feature-rich, experts say. For instance, the ability for VPN traffic to cross firewalls that perform network address translation (NAT) is a common feature of most VPN appliances and their custom clients, but something that Microsoft still is developing. The difficulty is that IPSec’s ESP packets carry no transport-layer port numbers for a NAT device to rewrite, so NAT traversal works by wrapping them in UDP.
Microsoft has hired SafeNet to write upgrades for Windows 98, 2000 and ME clients so they will support NAT, and Microsoft has made its own NAT upgrades for Windows 2000 and Windows XP that will be ready in about two months, says Mike Chan, technical product manager for Microsoft VPN.
Firewalls commonly translate the private IP addresses on a LAN to a public IP address for traffic that crosses the Internet so it can be routed properly, rewriting the TCP or UDP port numbers so that many internal hosts can share one public address. NAT is also a way to mask the private network’s IP address structure from public inspection, which makes reconnaissance by attackers harder. Microsoft has had server support of NAT, but it is not as robust as other vendors’, Snyder says.
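To make the NAT problem concrete, the following is an added example (not Microsoft’s or any vendor’s code) that builds a raw ESP packet and its UDP-encapsulated NAT-traversal form, runs both through a simplified port-translating NAT, and shows what a NAT-T aware gateway sees on the far side. The packet layouts follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation on port 4500); the NAT model, the addresses and the payloads are constructed for the demonstration, and IP and UDP checksums are left at zero.

```python
"""Why raw IPsec ESP cannot cross a port-translating NAT, and how NAT traversal
(UDP encapsulation on port 4500, RFC 3948) fixes it.  Added example, not
Microsoft's or any vendor's code: packet layouts follow RFC 4303/3948, the NAT
is a simplified port-translating NAT, and checksums are left zero."""
import struct
from ipaddress import ip_address

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NATT_PORT = 4500


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, TTL 64, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)


def esp_packet(src, dst, spi, seq, body):
    """IP / ESP.  ESP = SPI (4 bytes) + sequence (4) + encrypted body; there is
    no port field anywhere after the IP header."""
    esp = struct.pack("!II", spi, seq) + body
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def natt_esp_packet(src, dst, spi, seq, body):
    """IP / UDP 4500 / ESP.  The same ESP datagram with a UDP header in front
    so a NAT has ports to rewrite.  The SPI must be non-zero (RFC 3948)."""
    assert spi != 0
    esp = struct.pack("!II", spi, seq) + body
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def natt_ike_packet(src, dst, ike_msg):
    """IP / UDP 4500 / Non-ESP Marker (four zero bytes) / IKE.  The marker is
    how the receiver tells IKE from ESP on the shared port."""
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 12 + len(ike_msg), 0)
    return ipv4_header(src, dst, PROTO_UDP, 12 + len(ike_msg)) + udp + b"\0\0\0\0" + ike_msg


class Napt:
    """Port-translating NAT: (private ip, private port) -> one public ip and a
    fresh public port.  It can only act on packets that carry ports."""

    def __init__(self, public_ip):
        self.public_ip = ip_address(public_ip).packed
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        proto = pkt[9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            raise ValueError(f"cannot translate IP protocol {proto}: no ports to rewrite")
        key = (pkt[12:16], pkt[20:22])            # private source ip and port
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        new_port = struct.pack("!H", self.table[key])
        return pkt[:12] + self.public_ip + pkt[16:20] + new_port + pkt[22:]


def gateway_classify(pkt):
    """What a NAT-T aware VPN gateway does with an arriving packet."""
    proto = pkt[9]
    if proto == PROTO_ESP:
        return ("esp", struct.unpack("!I", pkt[20:24])[0])
    if proto == PROTO_UDP and struct.unpack("!H", pkt[22:24])[0] == NATT_PORT:
        first = struct.unpack("!I", pkt[28:32])[0]
        return ("ike", None) if first == 0 else ("esp-in-udp", first)
    return ("other", proto)


def demo():
    """Two clients on one private LAN reach the same gateway through one NAT
    (constructed addresses and payloads)."""
    nat, gw, out = Napt("203.0.113.1"), "198.51.100.9", {}
    raw = esp_packet("10.0.0.5", gw, spi=0x1001, seq=1, body=b"\0" * 16)
    try:
        nat.outbound(raw)
        out["raw_esp"] = "translated"
    except ValueError as err:
        out["raw_esp"] = str(err)
    a = nat.outbound(natt_esp_packet("10.0.0.5", gw, 0x1001, 1, b"\0" * 16))
    b = nat.outbound(natt_esp_packet("10.0.0.6", gw, 0x2002, 1, b"\0" * 16))
    k = nat.outbound(natt_ike_packet("10.0.0.6", gw, b"\0" * 28))
    out["public_src"] = str(ip_address(a[12:16]))
    out["ports"] = (struct.unpack("!H", a[20:22])[0], struct.unpack("!H", b[20:22])[0])
    out["gateway_sees"] = [gateway_classify(p) for p in (a, b, k)]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The raw ESP packet is refused by the NAT because there is nothing after the IP header it can rewrite, while the two UDP-encapsulated clients come out with one public address and two distinct ports, and the gateway still recovers each client’s SPI (and tells IKE apart by the zero marker) after translation.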
While NAT is key to setting up VPNs, users also seek more secure ways to ensure that remote users are authorized to log on to the VPN. With Windows Server 2003, Microsoft is making it easier to use public-key infrastructure (PKI) certificates for machine authentication, which tie a machine’s identity to its own key pair rather than to a preshared secret that every client shares and that could leak.
With PKI each machine holds a private key and a certificate that binds the matching public key to its identity; the symmetric keys that actually encrypt the traffic are still negotiated per session, but the certificate is what proves who the machine is when the tunnel is set up. For this to be secure, the machines involved first must be enrolled. Windows Server 2003 includes a certificate authority that issues digital certificates to the machines so their identity can be proven before admitting them to a VPN.
Having its own certificate authority is an improvement over the method that Microsoft servers currently use to support certificates, says Benny Frederiksen, a support engineer for VPN appliance vendor Intermate. “You have to install a Windows 2000 certificate server if you want to use certificates,” he says, making the network more complex.
Windows Server 2003 also supports more ways to authenticate not just the machine but the person who is trying to log on to the VPN. By adding support for Extensible Authentication Protocol (EAP), Windows Server 2003 lets users employ such methods as smart cards that also require a user’s PIN; with smart cards the EAP method is EAP-TLS, which authenticates the user with the certificate on the card. This two-factor authentication (something the user has plus something the user knows) is considered more secure than simply username and password. EAP itself is a framework in which the server and client negotiate which authentication method will be used, so the server’s policy should limit the methods it accepts.
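The negotiation that EAP provides, and why the server’s policy matters, is shown in the following added example (not Microsoft’s code). It implements the RFC 3748 packet format and a client-server exchange in which the server proposes EAP-TLS, a password-only client answers with a Nak naming the method it does support, and the server either refuses or falls back according to its allowed-methods policy. MD5-Challenge (type 4) is implemented only so the exchange can run end to end; it is not a method to deploy for a VPN. EAP-TLS (type 13), the method a smart card would use, is referenced by its type number only. The user name, password and server name are constructed for the demonstration.

```python
"""EAP negotiation (RFC 3748): the authenticator proposes a method, the peer
may answer with a Nak naming the methods it does support, and the
authenticator's policy decides whether that fallback is allowed.  Added
example, not Microsoft's code.  MD5-Challenge (type 4) is implemented only so
the exchange runs end to end; EAP-TLS (type 13, what a smart card would use)
is referenced by its type number and not implemented."""
import hashlib
import hmac
import os
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4        # EAP codes
T_IDENTITY, T_NAK, T_MD5, T_TLS = 1, 3, 4, 13            # EAP types


def eap_pack(code, ident, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def md5_response(ident, secret, challenge):
    """RFC 3748 section 5.4: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Peer:
    """VPN client: knows its identity, a password, and the methods it supports."""

    def __init__(self, identity, secret, methods):
        self.identity, self.secret, self.methods = identity, secret, methods

    def handle(self, pkt):
        code, ident, t, data = eap_unpack(pkt)
        if code != REQUEST:
            return None                                  # Success/Failure: done
        if t == T_IDENTITY:
            return eap_pack(RESPONSE, ident, T_IDENTITY, self.identity)
        if t not in self.methods:                        # Nak: propose alternatives
            return eap_pack(RESPONSE, ident, T_NAK, bytes(self.methods))
        if t == T_MD5:
            challenge = data[1:1 + data[0]]              # Value-Size, Value, Name
            digest = md5_response(ident, self.secret, challenge)
            return eap_pack(RESPONSE, ident, T_MD5, bytes([16]) + digest + self.identity)
        raise NotImplementedError(f"EAP type {t}")


class Authenticator:
    """VPN server: prefers one method; 'allowed' is the policy for fallbacks."""

    def __init__(self, users, preferred, allowed):
        self.users, self.preferred, self.allowed = users, preferred, set(allowed)
        self.ident, self.peer_id, self.challenge, self.proposed = 0, None, None, []

    def _request(self, type_, data=b""):
        self.ident = (self.ident + 1) % 256
        return eap_pack(REQUEST, self.ident, type_, data)

    def _propose(self, method):
        self.proposed.append(method)
        if method == T_MD5:
            self.challenge = os.urandom(16)
            return self._request(T_MD5, bytes([16]) + self.challenge + b"vpn-gw")
        return self._request(method)                     # e.g. an EAP-TLS Start

    def start(self):
        return self._request(T_IDENTITY)

    def handle(self, pkt):
        code, ident, t, data = eap_unpack(pkt)
        if code != RESPONSE or ident != self.ident:      # stale or bogus reply
            return eap_pack(FAILURE, self.ident)
        if t == T_IDENTITY:
            self.peer_id = bytes(data)
            return self._propose(self.preferred)
        if t == T_NAK:                                   # policy check on fallback
            wanted = [m for m in data if m in self.allowed]
            return self._propose(wanted[0]) if wanted else eap_pack(FAILURE, ident)
        if t == T_MD5 and self.challenge is not None:
            secret = self.users.get(self.peer_id, b"")
            expected = md5_response(ident, secret, self.challenge)
            ok = self.peer_id in self.users and hmac.compare_digest(data[1:1 + data[0]], expected)
            return eap_pack(SUCCESS if ok else FAILURE, ident)
        return eap_pack(FAILURE, ident)


def run_exchange(auth, peer, max_rounds=8):
    """Drive request/response until Success or Failure; returns (code, proposals)."""
    pkt = auth.start()
    for _ in range(max_rounds):
        reply = peer.handle(pkt)
        if reply is None:
            break
        pkt = auth.handle(reply)
        code = eap_unpack(pkt)[0]
        if code in (SUCCESS, FAILURE):
            return code, auth.proposed
    return None, auth.proposed


def demo(allowed, secret=b"s3cret"):
    """Password-only client (MD5 only) against a server that prefers EAP-TLS
    (constructed user name and password)."""
    auth = Authenticator({b"alice": b"s3cret"}, preferred=T_TLS, allowed=allowed)
    return run_exchange(auth, Peer(b"alice", secret, [T_MD5]))
```

With `allowed=[T_TLS]` the server answers the client’s Nak with Failure, which is the behaviour to want when smart cards are mandatory; with `allowed=[T_TLS, T_MD5]` the same Nak talks the server down to the weaker password method, so an EAP policy that lists more methods than it needs is a downgrade path.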
A feature called Quarantine is another safeguard being added to Windows Server 2003 to protect the VPN before a user is admitted. Quarantine denies VPN access to remote machines if the boxes aren’t configured properly. So if the machines don’t have updated antivirus software or their personal firewalls aren’t turned on, for instance, the server would reject the VPN session. Users can get a prompt to update their machines or be forwarded automatically to a Web site where they can download whatever updates they need. Because the configuration check runs on the remote machine and reports its result to the server, Quarantine is a compliance aid for well-meaning users rather than a defense against a deliberately hostile client.
Quarantine is set up through a Windows Server 2003 deployment wizard called Connection Manager Administration Kit (CMAK), a 30-pane wizard for setting up VPN clients. CMAK asks for the IP address of the VPN server, a name for that connection, the authentication type to use and a few other parameters. This process creates an executable file called a connectoid to be sent to remote machines via the Web or floppy or Microsoft’s Systems Management Server. The connectoid self-installs and is compatible with Windows 98 clients and later.
Many VPN vendors offer this feature via alliances with makers of remote policy enforcement software such as InfoExpress, Sygate and Zone Labs.
Microsoft’s VPN architecture differs from that of other vendors, which focus on IP Security (IPSec) as their core technology. The Microsoft method uses only standards-based technologies, hence its hybrid nature, Chan says.
The software supports Point-to-Point Tunneling Protocol (PPTP), IPSec and Layer 2 Tunneling Protocol running over IPSec (L2TP/IPSec), and each has different uses. PPTP is for small organizations that want to set up remote access easily and quickly, Chan says. This is done via ISA server and can be configured in minutes. It doesn’t require digital certificates, and all Microsoft clients support it. Its encryption keys are derived from the user’s MS-CHAP password exchange, so a PPTP tunnel is only as strong as that password.
L2TP/IPSec is a more secure method – Microsoft says the most secure – of creating remote-access VPNs. IPSec authenticates the two machines (with certificates or a preshared key) and encrypts the L2TP packets, while the PPP session carried inside L2TP provides the standard method of authenticating the user.
IPSec is intended for connecting server to server for site-to-site VPNs that let many users at one site tunnel through to resources at the other.
Windows Server 2003 has a number of other VPN-related features:
— It will store VPN logs in XML format, making it easier to sort and format the data in different ways.
— It adds clustering to its Remote Authentication Dial-In User Service (RADIUS) server, Internet Authentication Service (IAS). IAS can be installed on separate hardware platforms so if one box fails, authentication for the VPN remains intact.
— It combines technologies in IAS, Active Directory and Remote Access Server to recognize and admit guest VPN users to a limited subset of the network, making it easier to set up temporary access for business partners.
Microsoft also is getting ready to add a second type of VPN to its client for PDAs. Currently the client supports only PPTP VPNs, but the new version will add L2TP/IPSec support to its Pocket PC platform.