Point-to-Point Tunneling Protocol (PPTP) is often used on Windows networks to create Virtual Private Networks (VPNs). Setting up a Windows PPTP server means shoveling out money for Windows server licenses. If you already have a Windows server, then you have a built-in VPN via its Routing and Remote Access Server (RRAS), so you might as well use that. But if you don't, you can set up a nice PPTP-based VPN server for no more than the cost of the hardware using Linux and the Poptop pptpd server. It will need at least two network interfaces, as it will be acting as a router and forwarding traffic.
Where does your VPN server belong in your network? A common practice is to put a VPN gateway on the border router. If you have a nice Linux-based border router, then this is easy-peasy. In other circumstances, you might want a standalone VPN gateway, which sits behind the border router as Figure 10-1 shows.
PPTP was created in the days of dial-up networking, so you'll still see a lot of references to dial-up in documentation and on your Windows clients. You may use it over any type of network: dial-up, Ethernet, ISDN, Internet, whatever.
A PPTP-based VPN is a weak VPN. It is Point-to-Point Protocol (PPP) carried over a Generic Routing Encapsulation (GRE) tunnel, and neither PPP nor GRE was designed with security in mind. PPTP adds only single-factor authentication: a login and password from the client. Microsoft's implementation relies on Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication and Microsoft Point-to-Point Encryption (MPPE) for encryption. MPPE is the RC4 stream cipher with 40-, 56-, or 128-bit keys, and those keys are derived from the NT hash of the user's password together with values exchanged in the clear during the MS-CHAPv2 handshake, so whoever knows the password (or just its hash) can compute them. The tunnel itself is trusted from the start and needs no authentication. An attacker need only capture the handshake from the datastream and then brute-force or dictionary-attack the password offline at leisure. Once the password is cracked, the attacker owns the works.
Contrast this with how OpenVPN (see Chapter 9) uses a proper Public Key Infrastructure (PKI) and several levels of encryption. So, why use a PPTP-based VPN, when OpenVPN is free of cost, cross-platform, and far stronger? Because you may not have a choice; because PPTP is quick and easy; because all versions of Windows already have clients (sort of); or because you may be stuck with legacy networking gear that does not support Windows' IPSec implementation, and PPTP is your only common VPN option.
You can easily set up a good test lab with three PCs; just follow Recipe 9.1.
Windows 9x and ME need the MSDun 1.4 update. Windows 2000 requires installing the Windows 2000 High Encryption Pack. This enables 128-bit encryption. These are free downloads from http://microsoft.com.
Your best defense is to enforce a very strong password policy. The maximum is 20 characters, so why not use them all? Don't use words or names, but random characters like 9/'wx1$)E6^bB-L3%=sP. Your users are probably going to tick the "remember this password" button in their clients anyway, so the passwords don't have to be memorable. Change them periodically. Remember how OpenVPN limits the damage from a successful intrusion by renegotiating its encryption keys hourly? PPTP's session keys are all derived from the password hash, so anyone who recovers that hash can derive the keys for every session until you change the password. Be clear about what the policy buys you, too: it raises the cost of guessing, but the MS-CHAPv2 response is three single-DES encryptions keyed from the NT hash, so the hash can be recovered from a captured handshake with at most 2^56 DES trials no matter how strong the password is, and the hash alone is enough to derive the MPPE keys.
If you need help generating passwords, there are all kinds of password generator programs and web sites to help you.
Windows also supports L2TP/IPsec-based VPNs. L2TP/IPsec-based VPNs require a PKI, so they are more work to set up, but significantly stronger.
L2TP means Layer 2 Tunneling Protocol. L2TP blends the best features of Microsoft's PPTP and Cisco's Layer 2 Forwarding (L2F).
IPSec is Internet Protocol Security, a suite of protocols for encrypting and authenticating network traffic. Microsoft, for reasons that must seem good to them, combines L2TP and IPSec almost inseparably, which considerably complicates client support on non-Windows platforms and hurts compatibility with other VPN gear. IPSec alone works fine and is widely supported.
Server and client support for the three protocols varies in the extended Windows family:
NT4 Server
Windows 2000 Server and 2003 Server
Windows 2000 Professional, XP Professional, and Vista
Windows 98, ME, NT4, 2000, 2003, XP, and Vista
The single-connection RAS is used to open up a remote VPN into your own PC; it is configured under Incoming Connections in the Network Connections folder.
Windows 95 supports only a PPTP client. Windows 98 and ME did not ship with PPTP clients, but should have received them through routine updates, along with L2TP/IPsec client support; they want the MSDun 1.4 update.
Router-to-router L2TP/IPSec connections are possible only with:
A Windows server running RRAS.
A third-party VPN router that supports L2TP/IPSec.
Windows NT4 Server does not support L2TP/IPSec.
As a rather amusing side note, Microsoft is developing SSTP, or Secure Socket Tunneling Protocol, which is based on HTTP over SSL, just like the many SSL-based "VPNs" from Cisco, Juniper, Nortel, and so forth. It is scheduled to be included in Longhorn Server (Windows Server 2008). Please refer to Charlie Hosner's excellent paper "OpenVPN and the VPN Revolution" (http://www.sans.org/reading_room/whitepapers/vpns/) for a discussion of what is a real VPN and what isn't.
The easy way is to use a Linux distribution with a kernel newer than 2.6.15-rc1, which is when MPPE support went into the mainline kernel, and to make sure you have exactly the ppp version your pptpd release was built against. For Poptop pptpd versions 1.3.0 to 1.3.4, that is ppp 2.4.3. At the time this was written, most newer Linux distribution releases were shipping with ppp 2.4.4. Debian users can rest easy; it works fine without any hassles. Fedora users should download the matching ppp RPM along with the pptpd RPM from the Poptop download site. Ubuntu users may have some difficulties, which are addressed in Recipe 10.10.
Older kernels need to be patched to get MPPE support; visit Poptop (http://www.poptop.org/) for more information.
In my opinion, this is debatable. The main argument for PPTP over stronger VPNs is that it's easier because you don't have to install client software, which is only partly true: Windows 2000 requires an update to support 128-bit encryption, and older Windows versions require updates to get PPTP clients and 128-bit support. If you have kept your systems upgraded, you're in good shape. If you have to install client software anyway, consider using OpenVPN instead. For the same amount of work, you get a much stronger system.
PPTP Security: http://pptpclient.sourceforge.net/protocol-security.phtml