Internet.com ISP-Planet
 

Windows 2000's VPN-Related Security Issues

The new OS from Redmond has lots of new security features, but — surprise! — there are significant compatibility issues with existing security gateways. We scrutinize the technology and offer a list of pitfalls to watch out for.

 

Lisa Phifer
VP Core Competence, Inc.

The February release of Microsoft's long-awaited Windows 2000 occurred amid much self-congratulatory fanfare. But now that the launch party is over, what next?

While corporate America ponders when and how to roll out Windows 2000, ISPs specializing in residential dial-up can largely breathe a sigh of relief — for now. The newly released Windows 2000 Professional and Server are enterprise-market NT replacements. Microsoft won't be releasing its consumer/Windows 98 replacement, Windows Millennium Edition (ME), until later this year.

But what about ISPs who offer business services that reach the enterprise desktop — specifically, those who offer remote access VPN services? What kind of impact can these ISPs expect from Windows 2000?

What's New In Windows 2000 Security?
Windows 2000 Professional and Server, once deployed, will offer many new security features and improvements. Why the caveat "once deployed"?

Although Microsoft estimates that more than one million copies of Windows 2000 were shipped in its first month, corporations won't roll out Windows 2000 in one fell swoop. Expect enterprise rollout to take time, particularly for road warrior laptops, which were never strongly populated by NT in the first place.

Overview
Here's a 30,000-foot view of the new and improved security features incorporated into Windows 2000:

  • Active Directory: distributed infrastructure for centralized user and group policy management
  • Connection Manager Administration: dial-up profile configuration, integrated with single sign-on
  • Kerberos User Authentication: grants tickets to authenticated users and streamlines domain login
  • Certificate Server: built-in support for public key infrastructure (PKI) based on digital certificates
  • Authenticode: file-signing service that enables detection of unauthorized content modification
  • Encrypting file system: transparently scrambles files and folders for privacy under NTFS
  • IPsec support: IP packet authentication, integrity, and data privacy for virtual private networks

This list is just the tip of the iceberg. For further information about general Windows 2000 security services, visit Microsoft's own security services notes. Here, we'll focus on the last item: embedded support for IP security (IPsec).

Windows 2000 IPsec Support
Embedded operating system support for tunneling protocols promises to greatly simplify VPN deployment. Witness PPTP today: This oft-maligned tunneling protocol has seen widespread use purely because it's been included with Windows 9x Dial-Up Networking and NT RRAS. This means no VPN client software to install or update on the desktop and minimal or no end-user configuration. ISPs and enterprises alike can benefit from integration of stronger VPN protocols like IPsec and IKE within operating systems such as Solaris, OpenBSD, and Windows 2000.

But there's a snag. In the end, Microsoft chose to ship Windows 2000 with a suite of VPN tunneling protocols: PPTP, the layer 2 tunneling protocol L2TP, and IPsec. But remote access IPsec has been confined to L2TP encrypted with IPsec (L2TP/IPsec).

Why didn't Microsoft provide native (non-L2TP) support for IPsec remote access? The answer can be found in the combined limitations of L2TP and IPsec. L2TP, a hybrid evolving from PPTP and Cisco's L2F, provides dial-up user authentication and IP address assignment for PPP sessions. But L2TP doesn't offer data privacy — it lacks encryption. On the other hand, IPsec standards offer strong encryption — but do not address legacy (non-certificate-based) user authentication or tunnel endpoint address assignment.

IETF work is underway to enhance IPsec remote access support, and many vendors have deployed products that employ proprietary or draft measures like XAUTH (Extended Authentication) and DHCP-based tunnel configuration to meet these needs.
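The practical consequence of the split described above is visible on the wire: when L2TP is carried inside IPsec, an observer between the client and the gateway sees only IKE (UDP/500) and ESP (IP protocol 50), because the L2TP and PPP headers, including the PPP user authentication exchange, sit inside the ESP payload. L2TP that shows up directly as UDP/1701 is therefore L2TP without IPsec, and its PPP authentication and data are unencrypted. The following script is an added example written for this article (not code from the article, from Microsoft, or from any VPN vendor) that classifies tunnel traffic from flow records and flags plaintext L2TP. It assumes a simplified, constructed flow-record format (`src dst ip_proto src_port dst_port packets`) and uses constructed sample records with documentation-range addresses; the protocol and port numbers are the standard IANA assignments.

```python
"""
Classify VPN tunnel traffic from flow records and flag L2TP that is running
without IPsec protection.

Added example for this article; not code from the article or from Microsoft.
It assumes a simplified, constructed flow-record format:
    src_ip dst_ip ip_proto src_port dst_port packets
Ports are 0 for protocols that have none (ESP, GRE).
"""
from collections import defaultdict

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IP protocol numbers (IANA)
L2TP_PORT = 1701                    # L2TP runs over UDP/1701 (RFC 2661)
IKE_PORT = 500                      # IKE/ISAKMP runs over UDP/500 (RFC 2409)
PPTP_PORT = 1723                    # PPTP control channel, TCP/1723 (RFC 2637)

# Constructed sample records (not captured traffic). Peer .10 negotiates IKE
# and then sends ESP, which is what L2TP/IPsec looks like on the wire: the L2TP
# and PPP headers are inside the ESP payload and never appear as UDP/1701.
# Peer .11 sends L2TP directly over UDP/1701, so its PPP frames are in the
# clear. Peer .12 uses PPTP (TCP/1723 control channel plus GRE data).
SAMPLE_FLOWS = """\
203.0.113.10 198.51.100.5 17 500 500 12
203.0.113.10 198.51.100.5 50 0 0 840
203.0.113.11 198.51.100.5 17 1701 1701 910
203.0.113.12 198.51.100.5 6 49152 1723 30
203.0.113.12 198.51.100.5 47 0 0 655
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "sport": int(sport), "dport": int(dport),
                      "packets": int(pkts)})
    return flows


def classify_peers(flows):
    """Return {(client, gateway): set of labels} describing each peer pair."""
    peers = defaultdict(set)
    for f in flows:
        key = (f["src"], f["dst"])
        p, sport, dport = f["proto"], f["sport"], f["dport"]
        if p == ESP:
            peers[key].add("ipsec-esp")
        elif p == UDP and IKE_PORT in (sport, dport):
            peers[key].add("ike")
        elif p == UDP and L2TP_PORT in (sport, dport):
            # L2TP visible on the wire means it is not inside IPsec.
            peers[key].add("l2tp-plaintext")
        elif p == TCP and dport == PPTP_PORT:
            peers[key].add("pptp-control")
        elif p == GRE:
            peers[key].add("gre")
    return peers


def findings(peers):
    """One finding string per peer pair that deserves attention, sorted by peer."""
    out = []
    for (src, dst), labels in sorted(peers.items()):
        if "l2tp-plaintext" in labels:
            out.append(f"{src}->{dst}: L2TP over UDP/1701 without IPsec; PPP "
                       f"authentication and payload are unencrypted")
        elif "ike" in labels and "ipsec-esp" not in labels:
            out.append(f"{src}->{dst}: IKE seen but no ESP; IPsec negotiation "
                       f"may be failing")
        elif "pptp-control" in labels or "gre" in labels:
            out.append(f"{src}->{dst}: PPTP tunnel in use; consider migrating "
                       f"to L2TP/IPsec")
    return out


if __name__ == "__main__":
    for line in findings(classify_peers(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Run against the constructed records, the IKE-plus-ESP peer produces no finding, the UDP/1701 peer is reported as unprotected L2TP, and the PPTP peer is noted. A real deployment would feed this logic from a flow exporter at the ISP's gateway edge; the classification itself does not change.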

Continued on page 2: Issues to Watch Out For

 

 
