A Virtual Private Network is an alternative method for securely communicating between computers. A VPN sets up a secured connection in much the same way that WPA does, but with many more required resources.
With a VPN you need a special security system run on a server that encrypts and decrypts traffic. With a VPN server and a firewall that is set up to only allow VPN traffic, you have a very secure system over which to allow a wireless connection. The best setup places your wireless gateway in front of the firewall.
Many of the more sophisticated wireless gateways come with VPN built into them as a capability. You can also create a VPN in software as a service on a server.
For very large networks or networks supporting many connections, a dedicated hardware solution is best because it contains specialized custom ASIC chips to encode/decode traffic quickly.
Windows Server 2003 VPNs
Windows Server 2003 and Windows Small Business Server 2003 come with two different VPNs built into them:
- Point-to-Point Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) connections.
- Authentication Protocol-Transport Level Security (EAP-TLS) authentication.
Setup a Windows Server 2003 VPN is not for the faint of heart. At the minimum, to create a PPTP connection you’ll need to do the following:
- Configure a DHCP service to create a new scope for your VPN.
- Open the Active Directory Users and Computers snap-in on your domain controller and install the Certificate Services component into the certificate authority on your network.
- Create a new group of users for your VPN.
- Configure an IAS server; that is a Windows Server 2003 that is providing RADIUS authentication to remote users.
- Set up remote access policies, authentication methods, and your encryption policy.
- Make sure that an IIS server (Internet Information Server) exists to provide Web and file services to your internal intranet clients.
- Set up a VPN server, which involves creating an appropriate VPN network connection with the right addressing and properties (including RADIUS settings) on a Windows 2003 server.
- Create a DHCP relay agent for your VPN so that incoming and outgoing traffic is directed to the correct server and nowhere else.
And that’s just the server part. Now for the client to connect to a PPTP connection, you’ll need to do the following:
- Add the VPN user account to the local Administrators group.
- Set an alternate IP configuration for a connection.
- Create a new connection and set that connection to the VPN, entering the name and the host’s IP address.
- Connect to the VPN using a dial-up connection-type dialog box.
The L2TP/IPSec-based remote access type of VPN connection relies on established credentials in the form of certificates. To set this up, you must configure certificates on your client and server.
Normally you create this type of VPN when a public key infrastructure, or PKI, exists to provide the appropriate certificates. You would use L2TP/IPSec for high-security infrastructures, and really this type of VPN argues for dedicated IT staff.
Finally, the EAP-TLS remote access VPN also uses a certificate- based authentication method, but usually uses smart cards in place of software certificates. Does this make you want to throw your hands up and surrender?
It isn’t that any of these methods are particularly hard given a recipe, but you have to know more than most people are willing to learn to make them work. Microsoft makes it as easy as it can with a very detailed step-by-step procedure that you can follow.
Numerous shareware and freeware products are out there that allow you to set up your own VPN server, but most aren’t any easier than Windows Server 2003 (albeit free), and at least Microsoft’s service has tech support.
For a small office, it might not be worth the effort to create your own VPN service, and it might be cheaper to subscribe to a service than to buy an appliance. The fact of the matter is that you can subscribe to commercial VPN services that provide a secure network operations center for your traffic to flow through.
The idea is that by having a secure connection from your client to the service’s secure operation center, you are removing the ability of anyone to either sniff your traffic over your WLAN or on your wired LAN where your network traffic is unencrypted and most likely to be hacked.