How It Works
Configure a network address translation router with VPN support when you want to allow workstations on your LAN to access the Internet through a single connection (the router) and you also want to host a VPN server so that your mobile users, business partners, and home-office employees can connect securely from the Internet and access resources on the LAN.
Design and security considerations for network address translation (NAT) are the same as those described in Recipe 5-1, “Enabling and Configuring a Network Address Translation Router.” Design and security considerations for VPNs, however, could easily be the subjects of their own topics. Rather than attempt to identify all the issues relating to this topic, we will point out a few that deserve particular attention:
• The “health” of the remote client: Once a client establishes a VPN tunnel to your network, that client is part of the network in the same way that any workstation on your LAN is. If the client has any malware installed, including viruses, worms, or spyware, that malware may be capable of spreading to the rest of the network. Therefore, as a system administrator, you should make certain that VPN-connected clients have up-to-date virus protection, have operating systems and applications that are fully patched, and have users behind the keyboard who are trained in security best practices. You may also want to configure a network quarantine zone in which remote clients are confined until a policy check gives them a clean bill of health and permits them to access the rest of the LAN.
• Split-tunnel VPNs: For enhanced security, configure your VPNs so that remote clients cannot access other networks (especially the Internet) while connected to your network. When a client can access both your network through the VPN and the Internet at the same time (a scenario known as “split tunneling”), the client is susceptible to compromise by man-in-the-middle attacks and other known hacking techniques.
• Password and other remote access policies: When a user connects via VPN, that user has a direct connection into your network along with all rights and privileges granted to that user account. Therefore, you must make certain that you have strong password policies in place to prevent unauthorized users from accessing the network with a trusted user's credentials.
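As an added example of enforcing the split-tunnel recommendation above (this is not code from the book), the following PowerShell script reports which VPN client profiles on a Windows machine have split tunneling enabled and, when run with -Enforce, switches them to full-tunnel mode so the client reaches the Internet only through your network while connected. It assumes the VpnClient module cmdlets (Windows 8 / Windows Server 2012 and later); the Windows Server 2003 clients this recipe targets do not have them.

```powershell
# Added example (not from the book): audit VPN client profiles for split
# tunneling and optionally force full-tunnel mode.
# Assumes the VpnClient module (Windows 8 / Server 2012 or later).
param(
    [switch]$Enforce   # without this switch the script only reports
)

function Get-SplitTunnelReport {
    # Collect per-user profiles and machine-wide ("all user") profiles
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        [pscustomobject]@{
            Name           = $p.Name
            ServerAddress  = $p.ServerAddress
            Scope          = $(if ($p.AllUserConnection) { 'AllUsers' } else { 'CurrentUser' })
            SplitTunneling = $p.SplitTunneling
            Compliant      = -not $p.SplitTunneling   # policy: full tunnel only
        }
    }
}

function Set-FullTunnel {
    param([Parameter(Mandatory)] $Entry)
    # Set-VpnConnection needs -AllUserConnection to reach machine-wide profiles
    $params = @{ Name = $Entry.Name; SplitTunneling = $false; Force = $true }
    if ($Entry.Scope -eq 'AllUsers') { $params.AllUserConnection = $true }
    Set-VpnConnection @params
}

$report = Get-SplitTunnelReport
$report | Format-Table Name, ServerAddress, Scope, SplitTunneling, Compliant -AutoSize

$violations = @($report | Where-Object { -not $_.Compliant })
if ($violations.Count -eq 0) {
    Write-Host 'All VPN profiles are full-tunnel.'
} elseif ($Enforce) {
    foreach ($v in $violations) {
        Set-FullTunnel -Entry $v
        Write-Host "Disabled split tunneling on '$($v.Name)' ($($v.Scope))."
    }
} else {
    Write-Warning "$($violations.Count) profile(s) allow split tunneling; rerun with -Enforce to fix."
}
```

Changing a machine-wide profile requires an elevated session; per-user profiles can be fixed by the user who owns them.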
See Also
• Microsoft KB 816573: “How to Configure a VPN Server to Act as a Router in Windows Server 2003.” This article provides general information regarding the configuration of an existing VPN server as a router.
• Microsoft KB 867483: “Network Configuration in ISA Server 2004.” This article provides information relating to NAT and VPNs in conjunction with Microsoft ISA Server 2004.
• Microsoft: “ISA Server 2004 VPN Deployment Kit” (http://www.microsoft.com/isaserver/techinfo/Guidance/2004/configuration.mspx). This article provides in-depth documentation relating to VPNs and RRAS in an ISA Server 2004 environment.
• Microsoft TechNet: “Security Issues for VPN” (http://technet2.microsoft.com/WindowsServer/f/?en/Library/09b02d03-ac5d-4a9f-96a2-abde22a714191033.mspx). This article discusses security considerations regarding virtual private networks.