In the remote connections you’ve seen so far, the
security exists mostly at the connection point. That is, you set up
usernames with strong passwords, and no one can access your dial-up or
Remote Desktop connection without entering the correct logon data. This
works well, but it doesn’t do much for the actual data that’s passed
between the host and client. A malicious hacker might not be able to
access your system directly, but he certainly can use a packet sniffer
or similar technology to access your incoming and outgoing data. Because
that data isn’t encrypted, the hacker can easily read the contents of
the packets.
What do you do, then, if you
want to transfer secure data such as financial information or personnel
files, but you love the simplicity of a dial-up connection? The answer
is a tried-and-true technology called virtual private networking
(VPN), which offers secure access to a private network over a public
connection, such as the Internet or a phone line. VPN is secure because
it uses a technique called tunneling, which establishes a connection between two computers—a VPN server and a VPN client—using
a specific port (such as port 1723). Control-connection packets are
sent back and forth to maintain the connection between the two computers
(to, in a sense, keep the tunnel open).
When it comes to sending the actual network data—sometimes called the payload—each
network packet is encrypted and then encapsulated within a regular IP
packet, which is then routed through the tunnel. Any hacker can see this
IP packet traveling across the Internet, but even if he intercepts the
packet and examines it, no harm is done because the content of the
packet—the actual data—is encrypted. When the IP packet arrives on the
other end of the tunnel, VPN decapsulates
the network packet and then decrypts it to reveal the payload. (Which
is part of the reason why VPN connections tend to be quite slow.)
Windows 7 comes with VPN client support built in, and it uses two tunneling protocols:
- Point-to-Point Tunneling Protocol (PPTP)— This protocol is the most widely used in VPN setups. It was developed by Microsoft and is related to the Point-to-Point Protocol (PPP) that’s commonly used to transport IP packets over the Internet. A separate protocol—Microsoft Point-to-Point Encryption (MPPE)—encrypts the network packets (IP, IPX, NetBEUI, or whatever). PPTP sets up the tunnel and encapsulates the encrypted network packets in an IP packet for transport across the tunnel.
- IP Security (IPSec)— This protocol encrypts the payload (IP packets only), sets up the tunnel, and encapsulates the encrypted network packets in an IP packet for transport across the tunnel.
Note
A third popular VPN protocol is Layer 2 Tunneling Protocol
(L2TP), which goes beyond PPTP by allowing VPN connections over
networks other than just the Internet (such as networks based on X.25,
ATM, or Frame Relay). L2TP uses the encryption portion of IPSec to
encrypt the network packets.
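The encrypt-then-encapsulate sequence described above, and the split of work between MPPE (encryption) and PPTP (tunnel framing) in the protocol list, as a runnable toy model. This is an added example, not code from the book or from Windows: the cipher is a SHA-256 counter-mode stand-in for MPPE, the GRE framing is a simplified version of PPTP's enhanced GRE (IP protocol 47, protocol type 0x880B), and the key, addresses and payload are constructed.

```python
"""Toy model of VPN tunneling: the inner network packet is encrypted,
wrapped in a GRE header and an outer IP packet, carried across the public
network, then decapsulated and decrypted at the far end. Constructed
example, not from the book: the cipher stands in for MPPE and the
PPTP-style GRE framing is simplified."""
import hashlib
import socket
import struct

GRE = 47             # IP protocol number of the outer packet's payload
PPP = 0x880B         # GRE protocol-type value carried for PPP frames
GRE_FLAGS = 0x3001   # key and sequence fields present, GRE version 1
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; zero for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def looks_like_ipv4(data: bytes) -> bool:
    """True if the bytes start with an IPv4 header whose checksum verifies."""
    return len(data) >= 20 and data[0] == 0x45 and ipv4_checksum(data[:20]) == 0


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode). Keyed by the packet
    sequence number so no two packets reuse keystream. Not MPPE's cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!II", seq, block)).digest()
        block += 1
    return out[:length]


def crypt(data: bytes, key: bytes, seq: int) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, seq, len(data))))


def encapsulate(inner: bytes, key: bytes, seq: int, call_id: int,
                outer_src: str, outer_dst: str) -> bytes:
    """Encrypt the inner packet, then prepend GRE and outer IPv4 headers."""
    body = crypt(inner, key, seq)
    gre = struct.pack("!HHHHI", GRE_FLAGS, PPP, len(body), call_id, seq)
    outer = ipv4_header(outer_src, outer_dst, GRE, len(gre) + len(body), seq)
    return outer + gre + body


def sniffer_view(packet: bytes) -> dict:
    """What an on-path observer learns: the outer addresses, the protocol,
    the size, and whether the tunneled bytes read as a plain IP packet."""
    hdr = struct.unpack(IPV4_FMT, packet[:20])
    return {"src": socket.inet_ntoa(hdr[8]), "dst": socket.inet_ntoa(hdr[9]),
            "proto": hdr[6], "length": hdr[2],
            "inner_readable": looks_like_ipv4(packet[32:])}


def decapsulate(packet: bytes, key: bytes) -> tuple:
    """Strip the outer IP header, parse GRE, decrypt, and verify the result."""
    flags, ptype, length, call_id, seq = struct.unpack("!HHHHI", packet[20:32])
    if flags != GRE_FLAGS or ptype != PPP:
        raise ValueError("not a PPTP-style GRE packet")
    inner = crypt(packet[32:32 + length], key, seq)
    if not looks_like_ipv4(inner):
        raise ValueError("wrong key: decrypted inner header does not verify")
    return inner, call_id, seq


# Constructed demo data: private LAN addresses inside, public ones outside.
KEY = b"stand-in for the MPPE session key"
PAYLOAD = b"GET /payroll.csv HTTP/1.1"
INNER = ipv4_header("192.168.1.10", "192.168.1.50", 6, len(PAYLOAD), 1) + PAYLOAD


def demo(seq: int = 7) -> dict:
    """Tunnel one packet and report what the observer and the far end get."""
    packet = encapsulate(INNER, KEY, seq, 42, "203.0.113.5", "198.51.100.9")
    inner, _, _ = decapsulate(packet, KEY)
    return {"observer": sniffer_view(packet), "roundtrip": inner == INNER,
            "payload_exposed": PAYLOAD in packet}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the book's point: the far end recovers the inner packet exactly, and the bytes on the wire never contain the payload or a readable inner header. It also shows what the tunnel does not hide: the observer still sees the two public endpoints, that the traffic is GRE, and how large each packet is. Note the keystream is derived per sequence number; reusing one keystream across packets would let an observer XOR two captures together, which is why real tunnel ciphers also key per packet.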
There are two main ways to use VPN:
- Via the Internet— In this case, you first connect to the Internet using any PPP-based dial-up or broadband connection. Then you connect to the VPN server to establish the VPN tunnel over the Internet.
- Via a dial-up connection— In this case, you first connect to the host computer using a regular dial-up connection. Then you connect to the VPN server to establish the VPN tunnel over the telephone network.
Configuring a Network Gateway for VPN
The best way to use VPN is
when the client has a broadband Internet connection and the server has a
public IP address or domain name. This enables you to access the server
directly using your fast Internet connection. What happens, however, if
the Windows 7 machine you set up as the VPN server sits behind a
gateway or firewall and so uses only an internal IP address?
You can often get
around this problem by setting up a network gateway to pass through VPN
packets and forward them to the VPN server. (Note that some broadband
routers come with VPN capabilities built in, so they can handle an
incoming VPN connection automatically.)
The details depend on the device, but the usual first step is to enable the gateway’s support for VPN passthrough, which allows network computers to communicate via one or more VPN protocols (such as PPTP and IPSec). Figure 1 shows a sample page in a gateway setup application that lets you enable passthrough for the PPTP and IPSec protocols.
In some cases,
just enabling VPN passthrough is all you need to do to get VPN up and
running through your gateway. If your VPN connection doesn’t work or if
your gateway doesn’t support VPN passthrough, you have to open a port
for the VPN protocol you’re using and then have data to that port
forwarded to the VPN server. (This is similar to the port forwarding
described earlier for Remote Desktop connections.) The forwarded ports
depend on the protocol:
Protocol | Forwarding rule
PPTP | Forward TCP to port 1723
IPSec | Forward UDP to port 500
Figure 2 shows an example of port forwarding.
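A client-side check for the forwarding rules above. This is an added example, not from the book: it lists what the gateway must carry for each protocol and probes whether the PPTP control port answers. Two entries go beyond the table and are standard protocol facts rather than anything on this page: PPTP's data channel is GRE (IP protocol 47) and IPSec's is ESP (IP protocol 50, with UDP 4500 when NAT traversal is negotiated), so forwarding only TCP 1723 or UDP 500 is the classic reason a tunnel authenticates but then carries no traffic. The gateway host name is a placeholder, and the local listener exists only so the probe can be exercised offline.

```python
"""Check the gateway rules needed for a Windows 7 PPTP or IPSec VPN from
the client side. Example code, not from the book; host name is a
placeholder and the local listener is a constructed stand-in."""
import socket
import threading

# The two table entries plus the companion traffic each tunnel also needs.
# The GRE/ESP/UDP 4500 entries are standard protocol facts, not from the page.
FORWARDING_RULES = {
    "PPTP": [
        ("tcp", 1723, "PPTP control connection"),
        ("ip", 47, "GRE data channel: needs passthrough, it is not a port"),
    ],
    "IPSec": [
        ("udp", 500, "IKE key exchange"),
        ("udp", 4500, "IKE and ESP over UDP when NAT traversal is in use"),
        ("ip", 50, "ESP data channel: needs passthrough, it is not a port"),
    ],
}


def required_rules(protocol: str) -> list:
    """Rules the gateway must forward or pass through for a VPN protocol."""
    try:
        return list(FORWARDING_RULES[protocol])
    except KeyError:
        raise ValueError("unknown VPN protocol: %s" % protocol) from None


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Complete a TCP handshake to host:port and drop the connection.
    True only shows the control port is forwarded; it says nothing about
    whether GRE or ESP is passed through, which is the usual failure mode."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def forwarding_report(host: str, protocol: str, timeout: float = 3.0) -> dict:
    """Probe each TCP rule from outside the gateway. UDP and raw IP protocol
    entries cannot be confirmed by a plain connect, so they are reported as
    such rather than guessed."""
    report = {}
    for proto, number, purpose in required_rules(protocol):
        key = "%s/%d" % (proto, number)
        if proto == "tcp":
            report[key] = "open" if tcp_port_open(host, number, timeout) else "closed"
        else:
            report[key] = "not probeable with a TCP connect (%s)" % purpose
    return report


def start_local_listener() -> tuple:
    """Constructed stand-in for a forwarded VPN server port so the probe can
    be exercised offline. Returns (server socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=accept_one, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder: use the gateway's public address or domain name.
    print(forwarding_report("vpn-gateway.example", "PPTP"))
```

Run it from a machine outside the gateway, not from the LAN, since the point is to test the forwarding rule. An "open" result on tcp/1723 followed by a connection that authenticates and then stalls points at the GRE passthrough rather than the port rule.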
Configuring the VPN Client
Now you have to configure the remote computer as a VPN client. Here are the steps to follow:
1. Select Start, type connect, and then select Set Up a Network or Connection in the search results. Windows 7 displays the Choose a Connection Option dialog box.
2. Click Connect to a Workplace and then click Next. The How Do You Want to Connect? dialog box appears.
3. Click one of the following two choices:
   - Use My Internet Connection— Click this option if you want to make the VPN connection over the Internet.
   - Dial Directly— Click this option to use a dial-up VPN connection.
4. In the next dialog box (Figure 3 shows the Internet connection version), configure the following controls (click Next when you’re done):
   - Internet Address— If you’re using an Internet connection, type the domain name or IP address of the VPN server (or the network gateway that forwards your connection to the VPN server).
   - Telephone Number— If you’re using a dial-up connection, type the phone number used by the VPN server.
   - Destination Name— Type a name for the VPN connection.
   - Use a Smart Card— Activate this check box if your VPN server requires you to have a smart card security device inserted in your system as part of the server’s authentication process.
   - Allow Other People to Use This Connection— Activate this check box to make this connection available to other user accounts on your computer.
   - Don’t Connect Now— Activate this check box to prevent Windows 7 from connecting to the VPN server right away. This is useful if you’re just setting up the connection for later use.
5. Type your VPN logon data: your username, your password, and your network domain (if any).
6. Click Create. Windows 7 creates the connection and launches it (unless you activated the Don’t Connect Now check box in step 4).
7. Click Close.
Windows 7 adds a Virtual Private Network group to the Network Connections folder, and places in that group an icon with the name you specified in step 4.
Making the VPN Connection
With the VPN client
configured, you can now use the client to make the VPN connection.
Follow these steps on the VPN client computer:
1. If you need to establish a dial-up connection to the Internet before connecting to the VPN server, make that connection now.
Tip
You can configure the VPN connection to make the dial-up connection to the Internet automatically. Click Start, type connections, and then select View Network Connections in the search results. Right-click the VPN connection icon, and then click Properties to open its properties sheet. In the General tab, activate the Dial Another Connection First check box, and then use the associated list box to select the dial-up connection you want dialed. Click OK.
2. Click the Network icon in the taskbar’s notification area.
3. Click the VPN connection and then click Connect. The Connect dialog box appears for the VPN connection. Type your username, password, and domain (if applicable).
4. If you want Windows 7 to remember your logon data, activate the Save This User Name and Password for the Following Users check box, and then activate either Me Only or Anyone Who Uses This Computer.
5. Click Connect. Windows 7 sets up the VPN connection.