Telecommuting and traveling for business are commonplace in today’s global economy. For both of these to be effective, remote access to the corporate network is a must. A network operating system should provide full remote access capabilities. A core feature set at minimum should include support for modem and ISDN dial-up users, support for the PPP protocol, multi-protocol (IPX and TCP/IP support), callback, and encrypted login. Additionally, connection management software, shared modems for internal dial-out, and a VPN solution for secure access over the Internet are nice-to-have features.
Solaris 7 Implementation Details
Solaris 7 has two key remote access and VPN components:
These components support Solaris clients only.
Remote Access Support
Solaris 7 provides a remote access implementation through the inclusion of the Solstice PPP 3.0.1 application. Solstice PPP provides a standard implementation of the following IETF RFCs:
RFC 1661 - Point-to-Point Protocol (PPP) - Describes a standard method for transporting multiprotocol datagrams over serial point-to-point links.
RFC 1662 - PPP in HDLC-like Framing - Describes the use of HDLC-like framing for PPP encapsulated packets.
RFC 1332 - PPP Internet Protocol Control Protocol (IPCP) - Describes the Network Control Protocol (NCP) for establishing and configuring the Internet Protocol (IP) over PPP, and a method for negotiating the use of Van Jacobson TCP/IP header compression with PPP.
RFC 1334 - PPP Authentication Protocols - Describes two protocols for user authentication in the PPP domain: the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP).
RFC 1144 - Compressing TCP/IP Headers for Low-Speed Serial Links - Describes a method to improve the performance of TCP/IP connections across low-speed links by compressing the packet headers.
Management for the Solstice PPP 3.01 dial-up networking service is provided by a combination of command-line tools that provide diagnostic and statistical information (ppptrace and pppstat), and by the manual editing of the PPP configuration files for the server and client system.
For VPN services, Solaris 7 includes SunScreen SKIP. SunScreen SKIP is a subcomponent of the larger SunScreen Secure Net firewall available from Sun. Simple Key-management for Internet Protocols (SKIP) is used to manage IP encryption through a combination of shared-key and public-key encryption technologies.
SunScreen SKIP operates at the network (IP) layer and enables secure communications with all IP applications over TCP and UDP. Encryption is a key component of the SunScreen SKIP security model. SKIP supports shared keys, public keys, and certificates as well as 40-bit RC2, 40-bit RC4, 56-bit DES CBC, 128-bit RC4, 128-bit SAFER CBC and 3-key Triple-DES encryption.
SunScreen SKIP also supports automatic key distribution through the Diffie-Hellman key exchange algorithm. With Diffie-Hellman key exchange, SunScreen SKIP can securely distribute keys without needing to distribute secret keys. Once a user’s private and public key is obtained, SunScreen SKIP creates a public key certificate for the user and this certificate can then be exchanged between hosts. Through Certificate Discovery, computers running SKIP can retrieve certificates from other computers running SKIP, provided a network or serial connection is available.
SunScreen SKIP also uses Perfect Forward Secrecy (PFS) to encrypt traffic keys. With Perfect Forward Secrecy, a clock-based master key takes the place of the Diffie-Hellman shared secret key. Perfect Forward Secrecy requires that the date, time and time zone on computers be synchronized. If they aren’t, the time variable calculated for PFS would be off between hosts and decryption would fail.
Encryption is only one part of the SunScreen SKIP security model; SunScreen SKIP also supports access control lists, authentication and proxies. Access control lists restrict access to computers by IP address, host name and/or network ID. Authentication is the process that verifies computers sending messages and computers receiving messages are who they say they are. Validation of message traffic is also a part of authentication. Here, SKIP validates that the message traffic hasn’t been modified during transmission.
SunScreen SKIP also supports security proxies which are used in IP tunneling. With tunneling, a security proxy acts as the middleman to hide the corporate network topology from the outside world. Packets are sent to and received by the security proxy, which in turn passes the packets on to their final destination. In the complete security offering from Sun, called SunScreen Secure Net, other types of proxies are also supported. These proxies handle HTTP, FTP, Telnet and SMTP traffic.
Management of SunScreen SKIP is handled through a combination of graphical and command-line tools. Access control lists are managed through SunScreen SKIP Access Manager and other core functions can be managed through Skiptool. While a graphical wizard is provided for installation, configuring SunScreen SKIP is very complex.
Windows NT Server 4.0 Implementation Details
Windows NT Server 4.0 ships with a complete remote access solution including dial-up and secure VPN access. Either configuration supports both direct-dial and VPN based remote access for clients-to-server connections. Windows NT Server also provides support for server-to-server direct-dial and VPN connections.
Hardware and Protocol Support
Windows NT Server 4.0 supports dial-in clients using standard modems, ISDN, or X.25. The Point-to-Point protocol is used for remote connections and the TCP/IP, IPX, and NetBEUI protocols are all supported for dial-in. TCP/IP configuration is either on a pool basis or DHCP services can be used. Multi-link PPP is fully supported, allowing for the combination of a single logical interface from multiple physical interfaces to provide a larger pipe, increasing effective bandwidth. Concurrent connection support is limited to 256 per server.
Auto-dial and auto-logon dial is also supported as part of Microsoft’s remote access client implementation in Windows 95, Windows 98 and Windows NT 4.0. With this feature, Windows can map and maintain an association between a Dial-Up-Networking entry and a network address. It can seamlessly integrate Dial-Up Networking with files and association. If a user attempts to open a file that is only remotely accessible, the connection will be automatically dialed and established.
Restartable File Copy
Windows NT Server also supports a feature called Restartable File Copy. When downloading files from a Windows NT-based server, if the connection is interrupted during a file copy, the copy can be resumed from where the download let off rather than having to start over.
Authentication and Security
By default, remote authentication occurs in the Windows NT Domain or Workgroup in which the remote access server is a member. Users are required to have valid Windows NT user accounts with remote access permissions. RADIUS client support has also been provided as part of the remote access client. This allows authentication into ISP networks or non-Windows corporate direct-dial networks without using the Windows NT account database. With the Windows NT Option Pack, Microsoft has also provided support for a RADIUS server so that ISPs and non-Windows-based client systems can authenticate against the Windows NT Server domain.
Windows NT Server also provides a complete inbound and outbound VPN implementation for both client-to-server and server-to server via the Point-to-Point Tunneling Protocol (PPTP). In client-to-server VPN, clients can remotely establish connections over the Internet from their location to the Windows NT enterprise via a secure, encrypted tunnel. All standard remote access options, such as password configuration and access restrictions, also apply to PPTP clients.
Windows NT Server 4.0 also provides server-to-server PPTP support. This enables entire networks to be connected to each other securely over the Internet, rather than via more expensive dedicated leased line arrangements. This provides tremendous cost and infrastructure savings to the customer.
Management of the Windows NT Server 4.0 remote access implementation is entirely GUI-based. Management tasks are accomplished via the Network application in Control Panel and the Routing and Remote Access Service Administrator application that is provided with the Windows NT Option Pack upgrade.
With the installation of the Windows NT Option Pack, Windows NT Server is also able to provide a distributed remote access phonebook solution. With the Connection Manager Administration Kit (CMAK), system administrators can customize the user interface of the remote client software and then distribute it to end-users. ISPs can maintain a POP phonebook independently of the corporate direct-dial numbers. When users connect, phonebooks from the ISP(s) and corporate network are synchronized and collated into a common view.
Windows 2000 Server Implementation Details
Windows 2000 Server improves on the Routing and Remote Access Services found in Windows NT Server 4.0on. Enhancements have been made in management tools, VPN support, policy and security management, RADIUS support, and directory integration.
Virtual Private Networking
Many enhancements have been made to the Windows 2000 Server VPN implementation. Unlike the previous version, which supported only PPTP, the Windows 2000 Server VPN implementation also supports Layer 2 Tunneling Protocol (L2TP) with IP Security Protocol (IPSEC). With IPSEC, TCP/IP traffic is encrypted using public key encryption as an alternative to PPTP for secure VPN communications. If protocols other than TCP/IP, such as NetBEUI and IPX, are to be used, then L2TP with IPSEC support can encapsulate the legacy protocol within IPSEC encrypted TCP/IP packets. Alternatively, PPTP is still available for companies who cannot justify the expense of a public key infrastructure or who want to protect their existing investment in PPTP-derived solutions.
Windows 2000 Server remote access services are now fully integrated with the Active Directory service. This allows the creation of directory-based group policies for full-featured control of remote access protocols, time of use, type of use, encryption, and authentication. Consequently, support for Active Directory and the addition of the directory-integrated policy and security management enhancements effectively tackles one of the toughest administrative problems for remote connections while simultaneously reducing costs and improving security.
RADIUS support is greatly improved in the Windows 2000 Server remote access implementation. The scope of support is expanded to support both RADIUS authentication and RADIUS accounting, with information stored in either Active Directory or a local database (for workgroup servers). This allows for integrated authentication between an organization and ISP, providing for a single logon to the Internet and the VPN simultaneously. Previously, using the Internet to access a VPN connection, required a login to the Internet using an ISP account and then a login to the corporate network with an internal user account. With complete RADIUS authentication support, the ISP can setup a proxy authentication scheme in which the user can authenticate directly into an Active Directory-based system via the RADIUS protocol. Active Directory users with appropriate permissions will automatically have an account with the ISP. Users can simultaneously login to the ISP and the VPN with a single logon. Potential benefits, beyond simplified VPN login for users, include cost benefits to the customer depending on billing and service programs from the ISP.
Connection sharing is another beneficial feature added to the remote access implementation in Windows 2000 Server. With this, any network connection can be shared among users in a workgroup. Shared connections can be dynamically established without the client system needing to know the details of the connection configuration. For example, a small office could easily share a single dialup ISP connection with multiple clients without the need to setup a proxy server. Benefits to the customer are many – security is improved as fewer external connections are required to the Internet, and ISP fees can be saved by not needing to acquire separate accounts for multiple workstations.
Management tools have been upgraded to support the Microsoft Management Console (MMC). Additionally, many wizards have been added to help get the system up and running quickly – automating many common administrative tasks.
Remote Access and VPN Summary
Windows 2000 Server offers the most in terms of the number of ports supported (a tie with Windows NT Server 4.0 at 256), features and functionality, and security. Its IPSEC, L2TP, connection sharing, directory integration/security policies, and RADIUS authentication support are unmatched by either Windows NT Server 4.0 or Solaris 7.
Windows NT Server 4.0 offers a considerably greater feature depth over Solaris 7 – offering VPN services, additional protocol support, RADIUS client support, additional password encryption options, and Restartable File copy. However, it falls behind Windows 2000 Server in its lack of advanced VPN, security, and connectivity features.
Solaris 7 provides remote access and VPN support via two included applications; Solstice PPP 3.01 for dial-up services and Sunscreen SKIP for VPN services. Both are strong offerings but are inherently complex to configure and manage. While Solaris 7 supports IP security and point-to-point tunneling, the implementation requires all computers involved to install and use Sunscreen SKIP. The Windows solution, on the other hand, is built on IPSEC, PPTP, and L2TP standards.