Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 1)
Written by Hemanshu Patel
Wednesday, 09 January 2008

Privacy is Not Security

I should note here that VPN connections are more about privacy than security. While I do recognize that privacy is a major component of secure communications, privacy in and of itself does not provide security. VPN technologies provide for privacy of communications over the Internet, which prevents intruders from reading the contents of your communications. VPN technologies also allow you to make sure that only authorized users can connect to the network through the VPN gateway. However, privacy, authentication and authorization do not provide a comprehensive security solution.

For example, suppose you have an employee to whom you have granted VPN access. Since the Windows Server 2008 VPN protocols support EAP user authentication, you decided to deploy smart cards for your users and use the L2TP/IPSec VPN protocol. The combination of smart cards and L2TP/IPSec helps ensure that strong machine and user authentication is required. Your smart card and L2TP/IPSec solution works well and everyone is happy.

Everyone is happy until one day one of your users connects to your SQL server to access payroll information and starts to share that information with other employees. What happened? Wasn't the VPN connection secure? Yes, the VPN connection was secure to the extent that it provided privacy, authentication and authorization, but one thing it did not provide was access control, and access control is one of the most pivotal aspects of computer security. In fact, it can be argued that without access control, all other security measures are of relatively little value.

For a VPN solution to be truly secure, you need to make sure your VPN gateway is able to perform user/group based access controls so that you can implement least privilege access to VPN users. Advanced VPN gateways and firewalls like the ISA Firewall can perform this type of strong user/group based access control on VPN connections. In addition, advanced firewalls like the ISA Firewall can perform stateful packet and application layer inspection on VPN client connections.

Even though the Windows Server 2008 VPN server does not provide for user/group access controls, there are other ways you can implement strong access controls on the data servers themselves if you do not want to pay for an advanced firewall and VPN gateway. In this article we are focusing only on the VPN server component. If you would like to learn more about the ISA firewall and its advanced VPN server capabilities, check out www.isaserver.org.


Why Introduce a New VPN Protocol?

Microsoft already had two viable VPN protocols that allowed users to connect to the corporate network, so why introduce a third one? SSTP is a great advance for Windows VPN users because SSTP does not have the problems with firewalls and NAT devices that PPTP and L2TP/IPSec have. In order for PPTP to work through a NAT device, the NAT device needs to support PPTP through a PPTP "NAT editor". If there is no NAT editor for PPTP on the NAT device, the PPTP connections will fail.

L2TP/IPSec has problems with NAT devices and firewalls because the firewall needs to allow UDP 1701 (the L2TP port), UDP 500 (the IPSec IKE port) and UDP 4500 (the IPSec NAT traversal port) outbound (the L2TP port is not required when using NAT-T). Most firewalls in public places, such as hotels, conference centers, restaurants, and other locations, only allow a small number of ports outbound, such as HTTP (TCP port 80) and HTTPS/SSL (TCP port 443). If you need support for protocols other than HTTP and SSL when you leave the office, you are playing a game of dice: you may or may not get the ports required for PPTP or L2TP/IPSec.

In contrast, SSTP VPN connections are tunneled over SSL using TCP port 443. Since all firewalls and NAT devices have TCP port 443 open, you will be able to use SSTP from anywhere. This greatly simplifies the life of the road warrior who needs to use VPN connections to connect to the office, and also makes life a lot easier for the corporate admin who needs to support the road warrior, as well as for the help desk people at the service providers who provide Internet access for hotels, conference centers, and other public locations.
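To make the traversal argument of the last three paragraphs concrete, here is an added example (not from the article or from Microsoft) that models whether PPTP, L2TP/IPSec or SSTP can get out through a given outbound firewall/NAT policy. The L2TP/IPSec and SSTP ports are the ones the article lists; PPTP's requirements (TCP 1723 plus GRE, IP protocol 47) and the ESP requirement (IP protocol 50) for non-NAT IPSec are general knowledge, not taken from the page, and the hotel and office scenarios are constructed.

```python
"""Model VPN protocol traversal of an outbound firewall / NAT policy.
L2TP/IPSec and SSTP ports come from the article; PPTP (TCP 1723 + GRE/47)
and ESP (IP protocol 50) are general knowledge, not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    allowed: frozenset                     # outbound ("tcp"|"udp", port) pairs
    ip_protocols: frozenset = frozenset()  # non-TCP/UDP IP protocols passed
    behind_nat: bool = False               # client sits behind a NAT device
    nat_pptp_editor: bool = False          # NAT device has a PPTP NAT editor


def can_connect(protocol: str, path: Path) -> tuple:
    """Return (ok, reason) for the named VPN protocol over this path."""
    if protocol == "PPTP":
        if ("tcp", 1723) not in path.allowed:
            return False, "TCP 1723 (PPTP control channel) blocked"
        if 47 not in path.ip_protocols:
            return False, "GRE (IP protocol 47) blocked"
        if path.behind_nat and not path.nat_pptp_editor:
            return False, "NAT device lacks a PPTP NAT editor"
        return True, "ok"
    if protocol == "L2TP/IPSec":
        if ("udp", 500) not in path.allowed:
            return False, "UDP 500 (IPSec IKE) blocked"
        if path.behind_nat:
            # NAT-T wraps ESP and L2TP inside UDP 4500, so UDP 1701 is not needed.
            if ("udp", 4500) not in path.allowed:
                return False, "UDP 4500 (IPSec NAT-T) blocked"
            return True, "ok (via NAT-T)"
        if ("udp", 1701) not in path.allowed:
            return False, "UDP 1701 (L2TP) blocked"
        if 50 not in path.ip_protocols:
            return False, "ESP (IP protocol 50) blocked"
        return True, "ok"
    if protocol == "SSTP":
        if ("tcp", 443) not in path.allowed:
            return False, "TCP 443 (HTTPS) blocked"
        return True, "ok"
    raise ValueError(f"unknown protocol {protocol!r}")


# Constructed scenario: NATed hotel network that only lets web traffic out.
HOTEL = Path(allowed=frozenset({("tcp", 80), ("tcp", 443)}), behind_nat=True)
# Constructed scenario: permissive office egress with a public IP (no NAT).
OFFICE = Path(allowed=frozenset({("tcp", 1723), ("tcp", 443), ("udp", 500),
                                 ("udp", 1701), ("udp", 4500)}),
              ip_protocols=frozenset({47, 50}))


def survey(path: Path) -> dict:
    """Map each protocol to its (ok, reason) verdict for the given path."""
    return {p: can_connect(p, path) for p in ("PPTP", "L2TP/IPSec", "SSTP")}
```

Running `survey(HOTEL)` shows only SSTP passing, which is the article's point; `survey(OFFICE)` passes all three.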
