
Privacy Protected Network Access: Virtual Private Networking and Intranet Security

White Paper Posted: November 02, 1999
Available as a Word 2000 document (commsec.doc, 120 KB) or as a compressed self-extracting executable (commsec.exe, 89 KB).

Summary

This white paper focuses on link layer and end-to-end security. It explains Microsoft's commitment to support PPTP, L2TP, and IPSec and shows how these protocols are implemented in the Windows® operating systems.

Network security is increasing in importance for companies of all sizes. Whether to protect information in transit in remote access sessions, branch network connections, or internal networks, solutions for this form of security are essential.

In general, security is not a single product or technology but an integration of several technologies combined with management policy that provides protection balanced with acceptable risks. Microsoft takes security seriously and is working on a number of initiatives to provide customers with the technology and tools needed to easily define and manage security policy.

Security services include confidentiality, integrity protection, authentication, authorization, and replay protection. Among the tools that deliver these services are network encryption services that help minimize the risks of transmitting sensitive information over public and privately managed networks. Microsoft also takes total cost of ownership seriously and is committed to providing standards-based solutions that maximize communications interoperability and flexibility using Windows® operating systems.

There are three major models for securing the network and Microsoft supports each of these:

  • Transport layer security technologies. Today, many applications are hosted for access across public and privately managed networks, secured through transport layer security technologies such as HTTPS, SOCKS, or Secure Sockets Layer (SSL). Transport layer security as provided by SSL/TLS means that TCP-based applications must be written specifically to use these security services. Microsoft supports SSL/TLS extensively across its products. However, SSL/TLS applications are not well-suited to centralized management because these services are frequently applied on a page-by-page basis. SOCKS is an authenticated firewall traversal protocol that provides for extensible authentication, as well as granular authorization for both incoming and outgoing sessions. SOCKS V, which is not supported by Microsoft, applies to both TCP- and UDP-based protocols, and is amenable to centralized management. As a result, SSL/TLS and SOCKS technologies are complementary and can be used together to provide transport layer security within virtual private networks and extranets.
  • Private or trusted network infrastructures. Many companies use private or trusted network infrastructures including internal and outsourced cable-plants and wide area networks, which offer a level of privacy by virtue of physical security. Alone, these networks do not protect against inadvertent or intentional viewing of information as it passes over a network. With most security breaches occurring within a company network, additional technology is required to protect information from theft and attack.
  • End-to-end network security. End-to-end network security consists of security techniques and protocols that transparently secure communications without requiring application awareness. Careful network design and configuration are required to achieve this security. These tools are generally managed through administrative policy so that communications are protected as they travel across a network, without the knowledge or involvement of applications or end users.

All three models have been discussed in the industry under the broad category of virtual private networking (VPN). While it is true that each model provides some level of private networking, this broad definition is a bit confusing. As such, Microsoft has adopted a more restricted definition of the term, and uses "VPN" to refer to providing security across a public or untrusted network infrastructure. This includes:

  • Secure remote access from client-to-gateway. This can occur either through Internet connections or within private or outsourced networks.
  • Secure gateway-to-gateway connections. This can occur across the Internet or across private or outsourced networks.

Additionally, Microsoft is leading the industry with the first operating system-integrated solution for securing end-to-end communications within a private network. Windows 2000 integrates IPSec with Active Directory™ services to deliver central control of policy-based security administration.

This paper discusses the Microsoft direction for both the VPN and end-to-end models for secure networking. It describes the key differences between the leading network protocols, discusses the Microsoft position relative to these protocols, and explains how Microsoft is supporting these protocols in its operating systems.


© 2001 Microsoft Corporation. All rights reserved.