
VPN, Wireless and EAP experiences

An Overview of Systems

I first want to describe the components in creating a typical network VPN system along with some aspects of those choices.

The client

The software on the end device must be compatible with the VPN 'head end'. For years the natural choice was the Cisco VPN client, which costs no additional money. The Cisco client does work and supports a wide variety of platforms, such as Linux, Macintosh and many Windows versions including CE. There are also some nice proprietary features, such as support for Cisco head end load balancing and firewall integration. But there are also a number of shortcomings when using digital certificates, particularly the lack of support for integrated Windows login and the software's propensity to use any available certificate, even those not intended for client authentication.

On the other hand, the native Microsoft L2TP over IPSec client software is bundled with Windows XP and Windows 2000: no separate software download is required, nor is there the difficulty of upgrading software when a new release comes out. There is also a client download available at no extra cost for Windows 98, ME and Windows NT 4.0, although due to poor certificate handling I can only recommend using certificates with Windows XP Pro or newer systems. I find the Microsoft client to be far more secure than the Cisco client from a system perspective.
The Cisco client will allow you to use any available certificate (regardless of its intended purpose) to establish a tunnel, as long as the head end can validate it as being in its chain and not revoked. The user is then prompted to supply any logon ID and password of their choosing. In practice this means that I could use any legitimate machine certificate or user certificate to connect, then use any legitimate ID and password belonging to some other user to authenticate, and be on the corporate network.
The Microsoft client first uses the machine certificate to create the tunnel, then uses the logged-in user's certificate and cached password to authenticate the user. This is all done transparently, without user input (unless there are multiple user certificates registered to that user's ID). There is no provision for choosing other certificates (including those not intended for authentication), which strengthens security operations as well as making the user experience better.

The VPN concentrator (head end)

The VPN concentrator handles VPN tunnel termination. Its job is to handle the encryption/decryption functions and controls for VPN tunnels as well as authentication control. For this example I chose the Cisco 3000 series concentrator, since it is the most common VPN head end in use in large companies. As purpose-built appliances these models have the ability to scale to the size companies need. There are other similarly functional systems, such as Nortel's Contivity. Other popular VPN systems are software-based systems that run on general servers, such as Microsoft's ISA and Check Point VPN-1 Pro. Without special hardware the number of encrypted sessions is extremely limited, and extra attention must be paid to hardening the system to prevent unauthorized breaches. Although the Cisco VPN concentrator supports a wide variety of clients, the choices are much more limited when using digital certificates.

The Authentication system

A key reason to use digital certificates is to ease the administration and management effort while maintaining or improving the security of the system. A central database of user identities tied to digital certificate management affords this and is at the heart of an authentication system. Although VPN concentrators can authenticate users against their own internal lists, for certificate-based authentication you will authenticate users against an external database (such as a Windows Active Directory system). With the Microsoft L2TP over IPSec protocol the actual user authentication takes place after the IPSec tunnel has been established, inside the PPP encapsulation, and is forwarded to a RADIUS server using EAP proxy methods. The initial tunnel in a Microsoft environment will typically be done with Kerberos using the machine certificate. The user certificate then requires a RADIUS server. There are quite a few RADIUS servers to choose from: open-source FreeRADIUS, Funk Steel Belted RADIUS, Cisco ACS, Microsoft IAS and Lucent NavisRADIUS.

The Digital Certificates (PKI)

Digital certificates (specifically X.509 version 3 certificates) provide a strong system for positively identifying end users and machines, provided that the distribution and protection of private keys is well managed. PKI provides a large-scale certificate management system, including the creation (CA, or Certificate Authority), revocation (CDP, or Certificate Revocation List Distribution Point) and distribution of certificates. Microsoft Active Directory includes Enterprise CA functionality, although commercial CA systems will provide more flexibility. Microsoft 2003 Server will provide easier certificate handling than 2000 Server as well as better support for Version 2 templates.
Basic tips when handling certificates include:

  • ensure that the device or person receiving the certificate is who you expect it to be;
  • make certain the device that stores the certificate is capable of storing it securely (Windows XP or newer);
  • mark the certificates as non-exportable;
  • ensure that the user device validates the certificates that it accepts;
  • the head end also requires an identity certificate - protect it as well;
  • enable CRL checking on the VPN head end;
  • enable CRL caching on the VPN head end for better performance;
  • protect each CA and the private keys for each root certificate.

March 10, 2006 in VPN

Remote Access VPN issues

I am surprised by how difficult it is to find clear and practical information on configuring the world's most popular operating systems (Windows XP Pro as well as Windows 2000) to work with the world's most popular VPN concentrator (Cisco 3000 series formerly Altiga).

I plan to write a series of posts that discuss how to configure the Windows built-in VPN client to work securely with a Cisco VPN concentrator. The obvious protocol is L2TP over IPSec using digital certificates. Neither Microsoft nor Cisco provides a clear configuration guide, so my hope is that this series of posts will help others trying to accomplish the same.

I have found that many companies choose to use the Cisco VPN client (the latest version is currently 4.8), but in my experience it poses far too many issues to continue using. Namely:

  • Lack of support for Windows integrated login APIs. When you attempt to make a VPN connection you are prompted to provide an identity and a password (even though you already did that when you logged in). Aside from the obviously redundant effort of re-entering the information, you also allow someone to log in to Windows as one identity and then connect remotely as another. The Microsoft client is seamless: your credentials are passed through to the VPN gateway.
  • The painful process (especially in large enterprises) of upgrading client software each time a new release is required. For the Cisco client this often involved three complete system reboots. The Microsoft client is patched as part of the Microsoft security patching process.
  • The painful process (especially in large enterprises) of configuring Cisco clients remotely, either initially or as parameters change. Microsoft clients can be configured using GPO updates.
  • Poor certificate handling. Cisco VPN client software will allow (perhaps encourage is a better description) users to choose any valid certificate regardless of the certificate's specified purpose. For example, the VPN client will let you use a certificate designated only for signing as a certificate for authentication and encryption. The Cisco interface doesn't help the user easily distinguish between certificate purposes. The Microsoft client only uses certificates that are designated for the specific purpose. You will normally use two certificates: the first is a machine certificate for initial client authentication, the second a user certificate for user authentication.
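As an added illustration, and not code from either post nor from Cisco or Microsoft, the Go program below builds a small throwaway PKI in memory and applies two of the rules discussed on this page: the purpose-aware certificate selection credited above to the Microsoft client (only a certificate whose Extended Key Usage includes Client Authentication is offered, so a signing-only certificate is refused), and the CRL check the earlier post tells you to enable on the head end (CRL signature and freshness are verified before the serial number is looked up). The root CA, the subject names alice-user, alice-signing-only and bob-user, the serial numbers and the CRL are all constructed for the example. It uses only Go's standard library and needs Go 1.19 or newer for ParseRevocationList and CheckSignatureFrom.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue signs a certificate for cn with the given EKUs under parent; parent nil means a self-signed root.
func mustIssue(serial int64, cn string, ekus []x509.ExtKeyUsage, parent *x509.Certificate,
	signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus, BasicConstraintsValid: true,
	}
	if parent == nil { // the root must be allowed to sign both certificates and CRLs
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildPKI constructs the constructed hierarchy: a root; alice-user (Client Authentication EKU); alice-signing-only
// (the signing-only certificate the post describes); bob-user (right EKU, but revoked in the root-signed CRL).
func BuildPKI() (root *x509.Certificate, leaves []*x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := mustIssue(1, "Example Root CA", nil, nil, nil)
	client := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	alice, _ := mustIssue(2, "alice-user", client, root, rootKey)
	signing, _ := mustIssue(4, "alice-signing-only", []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, root, rootKey)
	bob, _ := mustIssue(5, "bob-user", client, root, rootKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: time.Now()}},
	}, root, rootKey)
	must(err)
	crl, err = x509.ParseRevocationList(crlDER)
	must(err)
	return root, []*x509.Certificate{alice, signing, bob}, crl
}

// EligibleForClientAuth is the purpose-aware rule the posts credit to the Microsoft client: chain to the trusted
// root and carry an EKU that includes Client Authentication (Go's Verify treats a missing EKU as unrestricted).
func EligibleForClientAuth(root, cert *x509.Certificate) error {
	if len(cert.ExtKeyUsage) == 0 {
		return fmt.Errorf("%s: certificate states no Extended Key Usage", cert.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IsRevoked is CRL checking as a head end does it: verify the CRL's signature and freshness, then look up the serial.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is past NextUpdate (%s); fetch a fresh one before trusting it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// SelectClientCerts lists the CNs a purpose-aware client would offer for the user tunnel; expected here: [alice-user].
func SelectClientCerts(root *x509.Certificate, leaves []*x509.Certificate, crl *x509.RevocationList) (out []string) {
	for _, c := range leaves {
		if revoked, err := IsRevoked(crl, root, c); err == nil && !revoked && EligibleForClientAuth(root, c) == nil {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

func main() {
	fmt.Println("offered for the user tunnel:", SelectClientCerts(BuildPKI()))
}
```

Two design points are worth noting. The explicit "no EKU at all" rejection is stricter than Go's default verifier, which accepts a certificate without an EKU extension for any purpose; a client that selects certificates the way the Microsoft client is described as doing should insist on an explicit Client Authentication purpose. And the CRL is refused once it is past its NextUpdate, which is the reason the earlier post pairs "enable CRL checking" with "enable CRL caching": the head end needs a fresh copy on hand, not a stale one it keeps trusting. A real client also needs the matching private key; this example only reproduces the selection and revocation logic the posts describe.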

Your participation is welcome!

January 29, 2006 in EAP, PKI, VPN
