Overview of virtual private networks (VPN)
Microsoft Forefront Threat Management Gateway provides secure site-to-site virtual private network (VPN) functionality and secure VPN client access.
Virtual Private Networks
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers or two networks across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a VPN.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.
VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From a user's perspective, you are connected to the corporate network, and do not consider that you are communicating over a public infrastructure. The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.
VPN connections also allow organizations to have routed connections with other organizations or branch offices over a public network, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. These connections are made over the Internet using a site-to-site VPN connection. Companies are changing from leased lines to standard Internet connections, because of the higher costs of leased lines, the complexities of maintaining these leased lines, and time required to have leased lines installed.
With Forefront TMG, you can configure a secure VPN, accessible by remote access clients and by remote sites, according to your specifications. By using the Forefront TMG computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the Forefront TMG firewall policy.
There are two types of VPN connections:
- Remote access VPN connection
- Site-to-site VPN connection
Remote Access VPN Connection
A remote access client makes a remote access VPN connection to a VPN server that connects the remote access client to a private network. Forefront TMG provides access to the entire network to which the VPN server is attached. Configuration of remote access VPN connections is discussed in Configuring remote client VPN access.
By using the Forefront TMG computer as the VPN server, you can manage VPN client access to the corporate network. VPN clients can be quarantined by Forefront TMG in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to your Forefront TMG firewall access policy, so that you can control VPN client access to network resources. For example, you can allow quarantined clients access to only the resources needed to restore their security compliance, such as access to antivirus updates or to a Windows Update server.
All VPN connections to the Forefront TMG computer are logged to the Firewall log, so that you can monitor VPN connections.
Forefront TMG enables VPN client access using either Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPsec), or the Point-to-Point Tunneling Protocol (PPTP) commonly used by VPN servers. We recommend that L2TP over IPsec be used. From a security standpoint, L2TP over IPsec is superior to PPTP, because it uses certificate authentication to secure the connection.
Quarantine Control provides phased network access for remote (VPN) clients by restricting them to a quarantine mode before allowing them access to the network. After the client computer configuration is either brought into or determined to be in accordance with your organization's specific quarantine restrictions, standard VPN policy is applied to the connection, in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.
With Forefront TMG, you can select how to enable quarantine mode:
- Enable quarantine mode, using Routing and Remote Access. When you select the Quarantine according to RADIUS Server policies option, when a VPN client attempts to connect, Routing and Remote Access determines if the client will be subject to quarantine. After the client clears quarantine, the client unconditionally joins the VPN Clients network.
- Enable quarantine mode, using Forefront TMG. When you select the Quarantine VPN clients according to Forefront TMG policies option, when a VPN client attempts to connect, Routing and Remote Access unconditionally passes the request to the Forefront TMG computer. Forefront TMG determines if the client will be subject to quarantine. After the client clears quarantine, the client joins the VPN Clients network.
You can also choose to disable quarantine mode. Quarantine Control is disabled by default and is enabled on the Quarantine VPN Clients network. For more information about configuring Quarantine Control, see Configuring RQS/RQC based quarantine control and Configuring NAP based quarantine.
VPN client credentials
The credentials received by Forefront TMG when a user connects through a VPN client connection can vary depending on the connection scenario.
When a user establishes a VPN connection from a client computer, Forefront TMG associates those credentials with the connection. Note that if other users use that connection, Forefront TMG will not receive their credentials, but will continue to associate the traffic with the credentials used to establish the connection, which could be a security concern. This would be the case if users use Terminal Services to connect to the client computer and then make requests over the VPN connection. Another example is if the client computer is configured to act as a network address translation (NAT) device, allowing the VPN connection to be shared among many users on different computers.
When the computer that hosts a VPN client connection or the computers behind it have a properly installed and configured Firewall client, those computers will join the VPN Clients network, but Forefront TMG receives the credentials of each user, rather than the credentials of the host computer.
Virus-infected VPN clients
VPN client computers that are infected with viruses are not automatically blocked from flooding the Forefront TMG computer (or the networks it protects) with requests. To prevent this occurrence, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected VPN client computer is identified, perform one of the following:
- Restrict VPN access by user name by using the remote access policy to exclude the user from the VPN clients who are not allowed to connect.
- Restrict VPN access by IP address. Do this by creating a new network to contain external IP addresses that are blocked, and move the IP address of the client out of the External network to the new network. This only works when the user connects from the same IP address all the time. If the client computer is assigned a different address each time it connects to the public network, we recommend that you restrict access based on user name.
Site-to-Site VPN Connection
A site-to-site VPN connection connects two separate private networks. Forefront TMG provides a connection to the network to which the Forefront TMG is attached. Site-to-site VPN connections are discussed in this document.
There are three VPN protocols for site-to-site connections:
- L2TP over IPsec
- IPsec tunnel mode
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiple protocol, virtual private networking over public networks, such as the Internet. PPTP allows IP traffic to be encrypted and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network, such as the Internet.
L2TP over IPsec
Layer Two Tunneling Protocol (L2TP) is an industry standard tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPsec) encryption to protect the data stream from one VPN server to the other VPN server. IPsec tunnel mode allows IP packets to be encrypted and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network, such as the Internet.
PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP over IPsec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates or a preshared key.
When choosing between PPTP and L2TP over IPsec site-to-site VPN solutions, consider the following:
- PPTP can be used for site-to-site VPN connections for servers running Microsoft Windows Server 2003 or Windows 2000 Server with Routing and Remote Access, or Windows NT Server 4.0 with the Routing and Remote Access Service (RRAS). PPTP does not require a public key infrastructure (PKI) to issue computer certificates. By using encryption, PPTP-based VPN connections provide data confidentiality. Captured data cannot be interpreted without the encryption key. PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
- L2TP can be used with servers running Windows Server 2003 or Windows 2000 Server operating systems. When both types of servers are used, a PKI is required to issue computer certificates to all routers. Servers running Windows Server 2003 operating systems additionally support a single preshared key configured on the answering server and all calling servers. By using IPsec, L2TP over IPsec VPN connections provide data confidentiality, data integrity, and data origin authentication.
IPsec tunnel mode
When Internet Protocol security (IPsec) is used in tunnel mode, IPsec itself provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPsec or PPTP VPN tunneling. Interoperability information is provided at the Virtual Private Network Consortium Web site.
Tunneling is the entire process of encapsulation, routing, and then removing the encapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet. This new packet might have new addressing and routing information, which enables it to travel through a network. When tunneling is combined with data confidentiality, the original packet data (as well as the original source and destination) is not revealed to those listening to traffic on the network. After the encapsulated packets reach their destination, the encapsulation is removed, and the original packet header is used to route the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel. To the original source and destination peer, the tunnel is usually transparent and appears as another point-to-point connection in the network path. The peers are unaware of any routers, switches, proxy servers, or other security gateways between the tunnel's beginning point and the tunnel's endpoint. When tunneling is combined with data confidentiality, it can be used to provide a VPN.
The encapsulated packets travel through the network inside the tunnel. In this example, the network is the Internet. The gateway might be an edge gateway that stands between the outside Internet and the private network. The edge gateway can be a router, firewall, proxy server, or other security gateway. Also, two gateways can be used inside the private network to protect traffic across untrusted parts of the network.
For more information about IPsec tunnel mode, see "IPSec Technical Reference" at the Microsoft TechNet Web site.
When you create a remote site network that uses the IPsec tunneling protocol, the Microsoft Firewall service modifies the IPsec filters on the computer, when restarting the Firewall service. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, we recommend that you define IP address ranges that are aligned in subnet boundaries.
IPsec tunnel mode and L2TP over IPsec can use either preshared keys or certificates to authenticate incoming VPN connections. Because certificates are more secure than preshared keys, we recommend that authentication for L2TP over IPsec and IPsec tunnel mode VPN connections use certificate authentication.
For security reasons, we recommend the use of a dedicated private certification authority (CA) for certificates that will be used for IPsec authentication. This is due to the fact that IPsec does not match the name of the certificate to the name of the site. If the certificates come from the same CA, this is sufficient for authentication. For more information about security consideration for site-to-site VPN connections, see "Security Hardening and Administration Guide" at the Microsoft TechNet Web site.