Wednesday, 30 January 2008

Remote Access Do's and Don'ts

Throughout this book, we emphasize techniques for keeping other people out of your computer and your network. But on some occasions, you want to allow carefully controlled connections to resources on your network. For home and small business networks, where you need only a single incoming connection at any time, Windows XP and Windows 2000 have everything you need built in.

Setting Up a Virtual Private Network
A virtual private network (VPN) is a secure means of connecting to a private network (such as your home or office network) via a public network (typically the Internet). Using a VPN, you can access all your network resources just as if you were connected directly to the network, and you can do so from any location where you can make an Internet connection.

VPNs work by tunneling between two computers (or two networks) that are each connected to the Internet. Tunneling protocols travel across the public network using standard protocols, but each IP packet or frame (depending on the protocol) is encrypted and then wrapped inside another packet or frame with header information that allows it to travel from point to point. When the new packet or frame reaches its destination, the VPN software strips off the header, decrypts the original data, and routes it to its ultimate destination. If you were to send the original data "in the clear" over the Internet, anyone who intercepted the packets could read the content. In a VPN, however, the data is encrypted before it enters the public network and decrypted only after it's safely behind the firewall at its destination; thus, anyone who intercepts the packets will see only encrypted data that looks like gibberish.
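The encapsulate-and-decapsulate cycle described above, as an added example that is not from the book or from Windows itself: a toy tunnel endpoint written in Python. It builds an inner IPv4 packet addressed between two private LAN hosts, encrypts and authenticates it, wraps it in an outer IPv4 header that carries only the two public tunnel endpoints, and reverses the process at the far end. The cipher (HMAC-SHA256 run in counter mode, with an HMAC tag that is checked before anything is decrypted) stands in for the real PPTP/L2TP/IPSec cryptography and is illustrative only; the addresses, keys, the protocol-number label and all function names are constructed assumptions. The `leaks_inner_fields` check contrasts the tunnel with sending the same packet "in the clear".

```python
"""Toy VPN tunnel endpoint: encrypt an inner IPv4 packet, wrap it, unwrap it.

Added example, not code from the book. The cipher below (HMAC-SHA256 in
counter mode plus an HMAC tag, encrypt-then-MAC) is a stand-in for the real
tunnel cryptography and is for illustration only. Addresses and keys are
constructed sample values.
"""
import hashlib
import hmac
import secrets
import socket
import struct

TUNNEL_PROTO = 47            # value carried in the outer header's protocol field (label only, assumption)
NONCE_LEN, TAG_LEN = 12, 32
_IPV4_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Return a minimal IPv4 packet; the header checksum is left at zero for simplicity."""
    header = struct.pack(_IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header fields that every router on the path (and any eavesdropper) can read."""
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(_IPV4_FMT, packet[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a pseudorandom keystream by running HMAC-SHA256 in counter mode."""
    blocks = [hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. A fresh nonce per packet keeps the keystream unique."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a modified packet or a wrong key is rejected rather than decrypted."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str,
                enc_key: bytes, mac_key: bytes) -> bytes:
    """Sending side: encrypt the whole inner packet (private addresses included) and wrap it."""
    return build_ipv4_packet(tunnel_src, tunnel_dst, TUNNEL_PROTO, seal(enc_key, mac_key, inner_packet))


def decapsulate(outer_packet: bytes, enc_key: bytes, mac_key: bytes) -> tuple:
    """Receiving side: strip the outer header, decrypt, and report where to route the inner packet."""
    outer = parse_ipv4_header(outer_packet)
    if outer["proto"] != TUNNEL_PROTO:
        raise ValueError("not a tunnel packet")
    inner_packet = open_sealed(enc_key, mac_key, outer_packet[20:])
    return inner_packet, parse_ipv4_header(inner_packet)["dst"]


def eavesdropper_view(outer_packet: bytes) -> dict:
    """What someone on the public path sees: the tunnel endpoints and an opaque payload."""
    return {"outer": parse_ipv4_header(outer_packet), "opaque_payload": outer_packet[20:]}


def leaks_inner_fields(outer_packet: bytes, inner_packet: bytes) -> bool:
    """True if the inner header or the inner payload appears in clear anywhere on the wire."""
    on_the_wire = outer_packet[20:]
    return any(part and part in on_the_wire for part in (inner_packet[:20], inner_packet[20:]))


if __name__ == "__main__":
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed session keys
    # Constructed sample: a LAN client asking a LAN file server for a share (private addresses).
    inner = build_ipv4_packet("192.168.1.50", "192.168.1.10", 6, b"GET /share/report.doc")
    # Public tunnel endpoints (documentation addresses, constructed).
    outer = encapsulate(inner, "203.0.113.5", "198.51.100.7", enc_key, mac_key)
    print("on the wire:", eavesdropper_view(outer)["outer"], "inner fields leaked:", leaks_inner_fields(outer, inner))
    recovered, next_hop = decapsulate(outer, enc_key, mac_key)
    print("decapsulated, route to", next_hop, "->", recovered[20:])
```

Running the script shows the outer header naming only the two public endpoints, while the inner source, destination and payload come out of `decapsulate` intact; flipping one byte of the ciphertext, or using the wrong key, makes `open_sealed` raise instead of handing a corrupted packet to the routing step.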

Tunneling protocols form the basis of VPNs. Although Windows supports a variety of protocols used by legacy hardware devices, three tunneling protocols are in wide use today:

Point-to-Point Tunneling Protocol (PPTP). PPTP allows IP, IPX, or NetBEUI frames to be encrypted and then wrapped in an IP header to be sent across an intervening network.
Layer 2 Tunneling Protocol (L2TP). L2TP allows IP, IPX, or NetBEUI frames to be encrypted and then sent over any IP, X.25, Frame Relay, or ATM intervening network.
IP Security (IPSec) Tunnel Mode. IPSec Tunnel Mode allows IP packets to be encrypted and then encapsulated in an IP header to be sent across an intervening network. IPSec is often coupled with L2TP for purposes of encryption (because L2TP doesn't support data encryption).

Windows XP and Windows 2000 use PPTP or L2TP for tunnel connections. Only Windows 2000 Server or Windows .NET Server can act as a VPN server using L2TP. Windows XP and Windows 2000 Professional can, however, connect to a VPN server using L2TP. Windows XP and Windows 2000 can use IPSec to enhance the security of all network interactions.

With minimal effort, you can set up your computer as a remote access server, allowing anyone with the proper credentials (yourself included) to connect to it by way of a VPN. After successfully authenticating to the VPN, you can access shared folders on local drives and also browse the network and access shared resources elsewhere on the network.

NOTE
--------------------------------------------------------------------------------

To create or modify incoming connections, you must be logged on as a member of the Administrators group.

The procedure for setting up an incoming VPN connection is nearly identical in Windows 2000 and Windows XP. In the following steps, we assume you're using Windows XP and have noted the differences in Windows 2000 where needed:

Open the Network Connections folder. (In Windows 2000, this folder is called Network And Dial-Up Connections.)
Choose File, New Connection. The New Connection Wizard appears. (In Windows 2000, it's called the Network Connection Wizard.) If the Location Information dialog box appears, enter your area code—even if your computer doesn't have a modem or you don't plan to ever use the computer to dial a phone number.
Click Next to bypass the wizard's opening page.
On the Network Connection Type page, select Set Up An Advanced Connection. (In Windows 2000, select Accept Incoming Connections.) Click Next.
On the Advanced Connection Options page, select Accept Incoming Connections and click Next. (This step is not necessary for Windows 2000.)
If a Devices For Incoming Connections page appears, simply click Next. (These options are for setting up an incoming dial-up connection, direct cable connection, or infrared connection.) This page appears only if your computer has an installed modem, serial port, parallel port, or IrDA port.
On the Incoming Virtual Private Network (VPN) Connection page, select Allow Virtual Private Connections and click Next. (In Windows 2000, this page is called Incoming Virtual Private Connection.)
To receive VPN connections over the Internet, the IP address of your Internet connection must be reachable from the Internet. If your computer is directly connected to the Internet, use the IP address assigned to you by your Internet service provider. If you're connected through a router or residential gateway, remote users will specify the IP address of the gateway; you'll need to forward the VPN port to your computer, as described in "Configuring a Router or Residential Gateway."

On the User Permissions page (called Allowed Users in Windows 2000), select the check box next to the name of each user you want to allow to make an incoming connection. Windows lists all of the local user accounts on your computer. Use the Add button to create a new local account on the fly; click Properties to create or change a password.

When you're finished assigning user permissions, click Next.

On the Networking Software page (called Networking Components in Windows 2000), select the check box next to the name of each network component you want to use for an incoming connection. For the overwhelming majority of users, the default settings, using TCP/IP, are correct. Click Next to continue.
Windows 2000 offers you the opportunity to give the connection a descriptive name; Windows XP does not. Click Finish to save your new connection.

After creating the incoming connection, you can adjust its settings (including adding or removing users from the list of those permitted to make a VPN connection) at any time. Open the Network Connections folder (Network And Dial-Up Connections in Windows 2000), right-click the connection icon, and choose Properties.

INSIDEOUT
--------------------------------------------------------------------------------

Add encryption to VPN transmissions

One change that we strongly recommend is to require that all users of your incoming VPN connection encrypt all transmitted data and passwords. (By default, this option is turned off on VPN connections.) Right-click the icon for your incoming connection and choose Properties. Click the Users tab and select the Require All Users To Secure Their Passwords And Data check box. Before a user can connect to a VPN with this option enabled, he or she must open the properties dialog box for the outgoing VPN connection, choose the Security tab, and select Require Data Encryption (Disconnect If None).
