Common Mistakes to Avoid When Configuring Network Policies for VPN
Saeed Sheikh is a Cloud and Infrastructure Specialist at Infront Consulting and a Microsoft Certified Solutions Expert in Cloud Platform and Infrastructure. Follow Saeed on Twitter at @saeedonweb.
A Network Policy Server is Microsoft implementation of a RADIUS server that performs authentication, authorization, and accounting for remote VPN connections. Network policies are defined by network administrators to use conditions, settings, and constraints in order to determine who can connect to the network.
I was recently involved in reviewing the existing VPN solution and then deploying another solution for a client. Here are some common mistakes I found made when configuring these policies.
Allowing clients to connect without authentication
This one is so obvious. When setting up your Network Policies for your VPN users, do not select the option Allow clients to connect without negotiating an authentication method.
The reason the option is even there is to allow basic testing during deployment without restricting connections due to incorrect Authentication Methods used by client and server. Leaving this option once in production is the equivalent to leaving your front door unlocked.
Using a Less Secure Authentication Method
There are various Authentication Methods available to choose. It can be very overwhelming for new admins which to select. They all have their pros and cons.
To make it easier, let’s talk about the ones not to choose.
- PAP - Password Authentication Protocol sends user passwords across the network to the authenticating server in plain text. This poses a huge security risk, as a hacker could capture the data packets using a protocol analyzer (sniffer) and obtain the password.
- SPAP - The Shiva Password Authentication Protocol is a reversible encryption mechanism. This authentication method is more secure than PAP but is still less secure than CHAP. This is susceptible to playback attacks, a form of network attack in which a valid data transmission is maliciously or fraudulently repeated. This is carried out by a hacker who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution. This is one of the lower tier versions of a "Man-in-the-middle attack."
Strong options that can be used as an Authentication Method are EAP: MS-CHAP v2 or MS-CHA.
Not Using Enough Encryption
Encryption settings for Network Policy Servers are used to determine the minimum encryption strength that will be allowed between the remote clients and the network access server. The choices are:
- Basic encryption (MPPE 40-bit)
- Strong encryption (MPPE 56-bit)
- Strongest encryption (MPPE 128-bit)
- No encryption
You can select multiple encryption strengths. The server and client will negotiate the strongest possible encryption they can both use and then create a connection.
The actual encryption method used will depend on the type of VPN connection.
- If you are using Point to Point Tunneling Protocol or PPTP, then Microsoft Point to Point Encryption or MPPE will be used with the bit length shown.
- If you are using Layer 2 Tunneling Protocol or L2TP, then IPSec will be used.
- If you are using Secure Socket Tunneling Protocol or SSTP, then SSL will be used.
It is not recommend to use the No Encryption option as that leaves your traffic wide open to attacks.
Network policies for remote VPN users can be confusing, but simple common sense prevails. You should not allow anyone into your network without authentication. Always use strong encryption to protect your data from hackers and be sure to enable the most secure authentication methods possible.