Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications."
Use L2TP/IPSec VPNs
Where dial-up access is required, require VPN connections and do not allow plain dial-up connections; a VPN is the more secure choice. Two VPN types can be configured. Where possible, use L2TP/IPSec. PPTP is considered a less secure VPN protocol than L2TP/IPSec, although it can provide secure communications if correctly configured; in general, though, L2TP/IPSec is simply the better choice. The important differences between these technologies are listed in Table 11-3.
Figure 11-4. Remote access can be controlled via Remote Access Policies.
Table 11-3. Differences in PPTP and L2TP/IPSec VPNs
When VPN access is configured during setup, both PPTP and L2TP/IPSec ports are created on the RRAS server. No configuration is possible directly on the ports themselves; settings on the clients determine which protocol is used. However, if you can restrict VPN access to one protocol or the other, you may delete the other protocol's communication ports.
NOTE The L2TP/IPSec standard as originally written is incompatible with NAT because IPSec-encrypted packets include a checksum calculated over the IPSec source address. Since NAT modifies the source address, such packets are considered corrupt or modified and are dropped when received. NAT-Traversal, or NAT-T, uses UDP to encapsulate the IPSec packet, so the packet can pass through the NAT server without a modification that causes problems for IPSec. The NAT server must support NAT-T. The Windows Server 2003 implementation of Internet Key Exchange (IKE), a component of IPSec, can detect NAT-T and use UDP-ESP encapsulation.
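The note above describes NAT-T in general terms; the following added example (not from the book or from Windows) shows what the UDP encapsulation actually looks like on the wire, so that an administrator reviewing a capture can tell whether a client negotiated NAT-T or stayed on plain IKE. It goes beyond the page in assuming the standard framing from RFC 3947/3948: IKE starts on UDP/500, moves to UDP/4500 behind a NAT with a 4-byte all-zero "non-ESP marker" in front of each message, ESP on UDP/4500 begins directly with its (never-zero) SPI, and a lone 0xFF byte is a NAT keepalive. All datagrams in SAMPLE_FLOW are constructed for the example.

```python
"""Classify the UDP datagrams an L2TP/IPSec peer sends when NAT-Traversal is in use.

Framing assumed here follows RFC 3947 (NAT-T for IKE) and RFC 3948 (UDP-encapsulated ESP):
  - IKE normally runs on UDP/500 as a raw ISAKMP header.
  - Once NAT is detected, IKE moves to UDP/4500 and each message is prefixed with a
    4-byte all-zero "non-ESP marker" so it cannot be mistaken for ESP.
  - ESP on UDP/4500 starts directly with the ESP header (SPI, sequence); the SPI is
    never zero, which is what makes the marker unambiguous.
  - A single 0xFF byte on UDP/4500 is a NAT keepalive.
All sample datagrams below are constructed for this example.
"""
import struct
from collections import Counter

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# Fixed 28-byte ISAKMP header: iSPI, rSPI, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the ISAKMP/IKE header, or report why the message is malformed."""
    if len(data) < ISAKMP_HDR.size:
        return {"kind": "malformed", "reason": "truncated ISAKMP header"}
    _ispi, rspi, _next, version, exch, _flags, _msgid, length = ISAKMP_HDR.unpack(data[:ISAKMP_HDR.size])
    if length != len(data):
        return {"kind": "malformed", "reason": "ISAKMP length field does not match datagram"}
    return {
        "kind": "ike",
        "ike_version": version >> 4,          # major version: 1 for IKEv1, 2 for IKEv2
        "exchange_type": exch,                # IKEv1: 2 = main mode, 32 = quick mode
        "responder_spi_set": rspi != bytes(8),
    }


def classify_datagram(dst_port: int, payload: bytes) -> dict:
    """Classify one UDP payload by destination port and NAT-T framing."""
    if dst_port == IKE_PORT:
        result = parse_isakmp_header(payload)       # plain IKE, no marker
        result["nat_t"] = False
        return result
    if dst_port != NATT_PORT:
        return {"kind": "not-ipsec", "nat_t": False}
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive", "nat_t": True}
    if payload.startswith(NON_ESP_MARKER):
        result = parse_isakmp_header(payload[len(NON_ESP_MARKER):])
        result["nat_t"] = True
        return result
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than ESP SPI + sequence", "nat_t": True}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        return {"kind": "malformed", "reason": "ESP SPI of zero is reserved", "nat_t": True}
    return {"kind": "esp-in-udp", "spi": spi, "sequence": seq, "nat_t": True}


def build_isakmp(version_byte: int, exchange: int, body: bytes, rspi: bytes = bytes(8)) -> bytes:
    """Build a syntactically valid ISAKMP message (header + opaque body) for the samples."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(b"\x11" * 8, rspi, 1, version_byte, exchange, 0, 0, length) + body


# Constructed flow from one client: IKEv1 main mode starts on 500; after NAT detection,
# IKE and ESP both move to 4500 alongside keepalives. The last datagram is deliberately bogus.
SAMPLE_FLOW = [
    (IKE_PORT, build_isakmp(0x10, 2, b"\x00" * 40)),                                   # main mode on 500
    (NATT_PORT, NON_ESP_MARKER + build_isakmp(0x10, 32, b"\x00" * 24, b"\x22" * 8)),   # quick mode over NAT-T
    (NATT_PORT, struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 64),                     # UDP-encapsulated ESP
    (NATT_PORT, NAT_KEEPALIVE),                                                        # keepalive
    (NATT_PORT, struct.pack("!II", 0, 7) + b"\xbb" * 16),                              # bogus: SPI 0
]


def summarize_flow(flow) -> dict:
    """Count datagram kinds and report whether the peer actually carries ESP inside UDP."""
    kinds = Counter(classify_datagram(port, data)["kind"] for port, data in flow)
    return {"kinds": dict(kinds), "nat_t_in_use": kinds["esp-in-udp"] > 0}


if __name__ == "__main__":
    for port, data in SAMPLE_FLOW:
        print(port, classify_datagram(port, data))
    print(summarize_flow(SAMPLE_FLOW))
```

Running the block prints one classification per sample datagram and a summary; a peer whose flow never shows "esp-in-udp" has not switched to UDP-ESP encapsulation, which is the condition the note says the NAT device and both IKE endpoints must support.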
This was first published in March 2005