Use the internet as part of your WAN infrastructure
Creating a corporate WAN can be expensive. Small and midsized companies often can't afford the dedicated high-speed line, firewall, router, software, support, and maintenance necessary to build even a simple WAN. The current proliferation of quality Internet Service Providers (ISPs), cable modem providers, and Digital Subscriber Lines (DSLs) lets you create a corporate WAN over the Internet for a fixed monthly fee. This approach virtually eliminates the startup costs traditionally associated with building a corporate WAN. Although DSL and cable modem service providers aren't available on a national basis, large telecommunications companies are expanding these service offerings regionally, and ISPs are capitalizing on the new technology by offering support for DSL connections. Cable modem and DSL connections let you replace traditional low-speed dial-up access, multiple phone lines, and modem banks with higher-performance Virtual Private Networks (VPNs).
When you combine a permanent, reliable, high-speed Internet connection with Windows NT's Point-to-Point Tunneling Protocol (PPTP) and Remote Access Service (RAS) or Routing and Remote Access Service (RRAS), mobile users with Internet access have instant, secure connectivity to the corporate network. This approach has two benefits. First, a VPN lets mobile users avoid long-distance telephone charges (assuming they can access a local ISP). Second, the service provider is responsible for maintaining, updating, and troubleshooting your WAN's infrastructure. NT 4.0's Service Pack 4 (SP4) includes PPTP and RRAS upgrades that provide secure connections, mutual authentication, and optional packet filtering to significantly improve the performance and reliability of VPNs.
What Is PPTP?
Several companies (i.e., Ascend Communications, Microsoft, 3Com, ECI Telematics, and U.S. Robotics) developed PPTP specifically to support VPNs. PPTP carries PPP frames inside a tunnel across an existing TCP/IP network. Two flows make up the tunnel: a TCP control connection on port 1723 that sets up and tears down the session, and the tunneled frames themselves, which travel in GRE (IP protocol 47). Any firewall or router between client and server must pass both flows, or the tunnel will authenticate and then carry no traffic. A VPN requires that the client and server each have an active Internet connection. The server typically has a permanent connection to the Internet. The client connects to the Internet via an ISP and initiates a PPTP connection to the PPTP server from a Dial-Up Networking (DUN) entry. The connection request includes access credentials (i.e., username, password, and domain) and an authentication protocol. RRAS adds the ability to provide server-to-server connections over PPTP, as well as permanent network connections.
A VPN connection exists between the server and client only after the PPTP server authenticates the client. The PPTP session acts as a tunnel through which network packets flow from client to server and vice versa. Network packets are encrypted at the source (client or server), travel inside the tunnel, and are decrypted at the destination. The tunnel hides the corporate network's internal addressing from the Internet, but it is the encryption of the tunneled PPP payload, not the tunnel itself, that keeps the data unreadable to anyone on the path; a session negotiated without encryption carries its payload across the Internet in the clear. After the VPN connection is established, a remote user can browse the LAN, connect to shares, and pick up and send email just as a locally connected user can. (For more information about PPTP, see "Related Articles in Windows NT Magazine.")
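As an added example (not code from the article or from Microsoft's PPTP implementation), the following Python parser decodes the two kinds of packets a PPTP session puts on the wire, following the RFC 2637 layouts: the control messages on TCP port 1723 and the enhanced GRE headers that carry the tunneled PPP frames. It also reports whether a tunneled frame carries the MPPE protocol (0x00FD), which is how a firewall or sniffer can tell encrypted tunnel traffic from cleartext. The sample packets are constructed inline; the hostname, vendor string, and call ID are arbitrary.

```python
"""PPTP wire-format parser (RFC 2637): control messages and enhanced GRE.
Added example, not code from the article; sample packets are constructed."""
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie in every control message
PPTP_CONTROL_PORT = 1723     # TCP control connection
GRE_PROTO_PPP = 0x880B       # protocol type of PPTP's enhanced GRE
PPP_MPPE = 0x00FD            # PPP protocol of an MPPE-encrypted frame
CONTROL_NAMES = {1: "Start-Control-Connection-Request",
                 2: "Start-Control-Connection-Reply",
                 5: "Echo-Request", 6: "Echo-Reply",
                 7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
                 12: "Call-Clear-Request", 13: "Call-Disconnect-Notify"}


def parse_control(data):
    """Decode the 12-byte control header: Length | PPTP Message Type |
    Magic Cookie | Control Message Type | Reserved (all big-endian)."""
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, magic, ctrl_type, _res = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie 0x%08X" % magic)
    if msg_type != 1:
        raise ValueError("not a control message (type %d)" % msg_type)
    if length != len(data):
        raise ValueError("length field %d != %d bytes present" % (length, len(data)))
    rec = {"type": ctrl_type, "name": CONTROL_NAMES.get(ctrl_type, "unknown")}
    if ctrl_type == 1:   # SCCRQ: version at offset 12, host name at 28, vendor at 92
        rec["version"] = struct.unpack("!H", data[12:14])[0]
        rec["hostname"] = data[28:92].split(b"\0", 1)[0].decode("ascii", "replace")
        rec["vendor"] = data[92:156].split(b"\0", 1)[0].decode("ascii", "replace")
    return rec


def build_sccrq(hostname, vendor):
    """Constructed Start-Control-Connection-Request (156 bytes)."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)   # version, reserved,
    body += hostname.ljust(64, b"\0")[:64]                # framing, bearer,
    body += vendor.ljust(64, b"\0")[:64]                  # max channels, firmware
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, 1, 0) + body


def ppp_protocol(frame):
    """PPP protocol number of a tunneled frame, allowing for the optional
    0xFF03 address/control prefix and protocol-field compression."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if frame and frame[0] & 1:           # compressed one-byte protocol field
        return frame[0]
    if len(frame) < 2:
        return None
    return struct.unpack("!H", frame[:2])[0]


def parse_gre(data):
    """Decode PPTP's enhanced GRE header (RFC 2637 section 4.1): byte 0 holds
    C R K S s Recur, byte 1 holds A Flags Ver; K must be set, Ver must be 1."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    f0, f1, proto, plen, call_id = struct.unpack("!BBHHH", data[:8])
    if proto != GRE_PROTO_PPP or (f1 & 0x07) != 1:
        raise ValueError("not PPTP enhanced GRE")
    if f0 & 0xC0 or not f0 & 0x20:       # C and R must be clear, K must be set
        raise ValueError("illegal flag bits 0x%02X" % f0)
    rec, off = {"call_id": call_id}, 8
    if f0 & 0x10:                         # S: sequence number present
        rec["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if f1 & 0x80:                         # A: acknowledgment number present
        rec["ack"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    payload = data[off:off + plen]
    if len(payload) != plen:
        raise ValueError("GRE payload truncated")
    rec["ppp_protocol"] = ppp_protocol(payload)
    rec["encrypted"] = rec["ppp_protocol"] == PPP_MPPE
    return rec


def build_gre(call_id, seq, payload, ack=None):
    """Constructed enhanced-GRE packet with K and S set, and A if ack is given."""
    f0, f1 = 0x30, 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHHI", f0, f1, GRE_PROTO_PPP, len(payload), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


# Constructed tunneled frames: an IP datagram in the clear (PPP protocol
# 0x0021) and an MPPE-protected frame (0x00FD followed by its MPPE header).
CLEAR_FRAME = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16
MPPE_FRAME = b"\xff\x03\x00\xfd" + b"\x90\x00" + b"\xa5" * 18

if __name__ == "__main__":
    print(parse_control(build_sccrq(b"laptop01", b"Microsoft")))
    for frame in (CLEAR_FRAME, MPPE_FRAME):
        print(parse_gre(build_gre(7, 1, frame)))
```

Frames carrying LCP (0xC021), CHAP (0xC223) and CCP (0x80FD) legitimately travel unencrypted while the link and MPPE are being negotiated. Once a call is up, a GRE packet whose PPP protocol is anything other than 0x00FD is exactly the cleartext leakage that the SP4 update is meant to eliminate, and is worth alerting on at the firewall.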
PPTP Improvements in SP4
The updated version of PPTP in SP4 corrects several security and performance problems. The two most important security enhancements are a new version of Microsoft Challenge Handshake Authentication Protocol (MSCHAP) and improved session encryption.
The new authentication protocol, MSCHAP 2.0, supports mutual client and server authentication, so the client verifies that it is talking to the real PPTP server rather than only proving its own password. When you set up PPTP on a server with SP4, you can edit the Registry to force incoming PPTP connections to use MSCHAP 2.0 for authentication. Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP Registry key. Then, edit the SecureVPN entry. Change the DWORD value to 0x00000001 to force MSCHAP 2.0 for VPN connections. The default value of 0x00000000 doesn't force secure MSCHAP 2.0. If you make the Registry edit on the PPTP server, the PPTP server refuses connections that don't request MSCHAP 2.0 authentication, so update every client to a release that supports MSCHAP 2.0 before you set it, or those clients will be locked out. If you make the Registry edit on the client, that client always uses MSCHAP 2.0 for authentication. This Registry setting affects only VPN sessions (not dial-up connections).
The new version of PPTP also provides improved encryption. The original version used the same key for the VPN session's transmit and receive paths. The new release employs seed keys and uses a different key for each path, which makes each VPN session more secure. An intruder who recovers one key can read only one direction of traffic; reading both requires deciphering two unique keys, one for the transmit path and one for the receive path. Bear in mind that both keys are derived from the user's password hash together with the MSCHAP challenge exchange, so a weak or guessable password weakens the session encryption as well as the logon. The updated release also closes security holes that permitted some VPN traffic with no encryption at all.
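To make the per-direction keying concrete, here is an added Python example (not the article's code, and not Microsoft's implementation) of the MPPE key derivation that the MSCHAP 2.0 exchange feeds, as specified in RFC 3079 section 3.3: one master key is derived from the user's password hash and the challenge response, and a different SHA-1 "magic" constant then splits it into a client-to-server key and a server-to-client key. The PasswordHashHash and NTResponse inputs are constructed placeholders; a real logon derives them with MD4 and DES from the password and the challenges.

```python
"""MPPE session-key derivation for MSCHAP 2.0 (RFC 3079 section 3.3).
Added example, not code from the article; the two inputs are constructed
placeholders standing in for values a real logon would produce."""
import hashlib

MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40


def master_key(password_hash_hash, nt_response):
    """MasterKey = SHA1(PasswordHashHash || NTResponse || Magic1)[:16].
    PasswordHashHash is MD4 of the user's NT password hash; NTResponse is
    the 24-byte MSCHAP 2.0 challenge response. Everything downstream,
    including both session keys, is therefore a function of the password
    plus values that cross the wire during logon."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("expected 16-byte PasswordHashHash and 24-byte NTResponse")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def asymmetric_start_key(master, is_send, is_server):
    """GetAsymmetricStartKey for 128-bit MPPE: the magic string selects the
    client->server key (Magic2) or the server->client key (Magic3), so the
    client's send key is the server's receive key and vice versa.
    (40- and 56-bit modes truncate to 8 bytes and fix leading bytes; not shown.)"""
    if len(master) != 16:
        raise ValueError("master key must be 16 bytes")
    magic = MAGIC2 if is_send != is_server else MAGIC3
    return hashlib.sha1(master + SHA_PAD1 + magic + SHA_PAD2).digest()[:16]


def session_keys(password_hash_hash, nt_response):
    """Both ends' send and receive start keys for one VPN session."""
    master = master_key(password_hash_hash, nt_response)
    return {
        "client_send": asymmetric_start_key(master, True, False),
        "client_recv": asymmetric_start_key(master, False, False),
        "server_send": asymmetric_start_key(master, True, True),
        "server_recv": asymmetric_start_key(master, False, True),
    }


# Constructed placeholders (a real PasswordHashHash comes from MD4, a real
# NTResponse from the DES-based MSCHAP 2.0 response; neither is computed here).
SAMPLE_PWHH = bytes(range(0x10, 0x20))
SAMPLE_NTRESP = bytes(range(0x40, 0x58))

if __name__ == "__main__":
    for name, key in session_keys(SAMPLE_PWHH, SAMPLE_NTRESP).items():
        print("%-12s %s" % (name, key.hex()))
```

Two points to take from this: the keys for the two paths are independent SHA-1 outputs, so recovering one offers no shortcut to the other; and every byte of keying material traces back to the password hash plus values sent over the wire, which is why password quality matters as much as the cipher. Use 128-bit MPPE where clients support it; the 40-bit and 56-bit modes keep only part of an 8-byte key secret.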
If you haven't installed SP4 but are running Service Pack 3 (SP3), you can apply the PPTP3 hotfix to upgrade PPTP. You can download this hotfix from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/pptp3-fix. To get the full benefit of the PPTP enhancements, you must also update PPTP client platforms. For NT systems that function as PPTP clients, install SP4 or the PPTP3 hotfix. For Windows 95 clients, install the Dial-Up Networking 1.3 Performance & Security Update, which you can download from http://www.microsoft.com/windows95/downloads.