There are times when you want to connect to hosts or networks across the big bad Internet, where crackers and script kiddies lurk behind every corner. Luckily, Windows XP Professional offers several options to do just this, in a safe and secure manner, using encrypted tunnels.
Connecting hosts and networks to each other via encrypted tunnels is often referred to as Virtual Private Networking; Windows XP Professional can act as both a client and a server in this respect.
Easy VPN with PPTP
Point To Point Tunnelling Protocol has been around since Windows 95 and is probably the easiest way to set up secure remote access with Windows XP Professional. It encapsulates standard Point-to-Point Protocol (PPP) frames, the same protocol as used for Internet dial-up connections, and offers up to 128-bit encryption.
PPTP authenticates users with a variety of methods. They range from the weak and insecure Password Authentication Protocol (PAP), which sends usernames and passwords in clear text, to stronger methods such as CHAP (Challenge Handshake Authentication Protocol). The latter doesn't send passwords across the Internet; instead, the client answers the server's challenge with a Message Digest 5 (MD5) hash calculated from the password.
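To make concrete what answering a challenge with a hash means, here is an added Python sketch of the CHAP exchange (RFC 1994) with both sides' messages; it is not Windows code, and the user database, secrets and the ChapServer class are constructed for illustration.

```python
"""CHAP (RFC 1994) as carried inside PPP/PPTP: the password never crosses
the link, only MD5(Identifier || Secret || Challenge) does."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side (constructed for this example). Note that CHAP requires the
    server to hold the plaintext secret, and that anyone who captures a
    (challenge, response) pair can test candidate passwords against it
    offline, which is why dictionary attacks work against it."""

    def __init__(self, users: dict):
        self._users = users  # constructed sample user database: name -> secret
        self._pending = {}   # identifier -> outstanding challenge (single use)

    def challenge(self, identifier: int) -> bytes:
        """Send a fresh random challenge; reusing one would allow replay."""
        chal = os.urandom(16)
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check the response; the challenge is consumed whether or not it matches."""
        chal = self._pending.pop(identifier, None)
        secret = self._users.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapServer, name: str, secret: bytes, identifier: int = 1) -> bool:
    """One full round: Challenge -> Response -> Success/Failure."""
    chal = server.challenge(identifier)
    resp = chap_response(identifier, secret, chal)
    return server.verify(identifier, name, resp)
```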
Other RAS authentication protocols include MS-CHAP (Microsoft CHAP) versions 1 and 2 (the former is used only for connecting to older RAS servers running Windows 95), SPAP (Shiva PAP, for Shiva Remote Access Servers), and the more flexible and advanced Extensible Authentication Protocol (EAP).
EAP can be used with a great number of authentication mechanisms, including smart cards, digital certificates, public key authentication and more. Windows XP supports two types - EAP-MD5 CHAP (the same as CHAP) and EAP-TLS (Transport Layer Security), for authenticating users with certificates.
Setting up a PPTP connection is easy: open My Network Places, and click View network connections in the Network Tasks pane. In the same pane, click Create a new connection and in the wizard that pops up, pick the Connect to the network at my workplace and the Virtual Private Network connection options.
Name the connection, enter the remote server's IP address, and you are ready to log in to the remote server. To pick any of the different authentication protocols mentioned above, simply click the Properties button in the Connect dialogue box, and select the Security tab. On the Security page you can tick the Advanced Security Settings radio button, and pick which protocols are allowed, including EAP. You can also select whether or not to require encryption of data for the connection - this enables (or disables) the Microsoft Point To Point Encryption (MPPE) protocol for the connection. Note that MPPE isn't available with all authentication methods, so take care to choose the right one if you wish to encrypt the data traffic.
If you are behind a firewall or a Network Address Translation (NAT) router, make sure you allow traffic through TCP port 1723, and that your equipment can pass Generic Routing Encapsulation (GRE) traffic (sometimes referred to as IP type 50).
To set up Windows XP Professional to act as a VPN dial-in server, click Create a new connection as above but this time click Set up an advanced connection in the New Connection wizard. Pick Accept incoming connections, with your modem as the device, and, next, Allow virtual private connections.
Specify which users are allowed to connect to the computer over the incoming line, and check that the TCP/IP settings are correct (e.g., whether or not to use DHCP to assign IP addresses to hosts that connect to it, and whether the dial-in server should route incoming traffic to the LAN), and you are set. A small caveat here is that the system acting as a dial-in RAS server should have a fully-qualified domain name and IP address for VPN connections to work; if you only accept connections to the dial-in server over the public telephone network, not over the Internet, you could get away without running a VPN dial-in RAS, provided encrypted connections aren't paramount.
Coming up: boosting VPN security with L2TP and IPsec
Microsoft's PPTP implementation has been criticised for not being secure, despite the improved authentication and encryption methods. While PPTP will keep casual crackers at bay, determined attackers with the ability to run dictionary attacks are able to get through most challenge-response authentication schemes.
If you need it, Windows XP Professional offers two other VPN RAS protocols with stronger security than plain PPTP, namely Layer 2 Tunnelling Protocol (L2TP) and IP security (IPsec). Setting up a VPN using these is more involved than PPTP, and I'll cover it in the next instalment of this column.