Win 2000 has tools to build a VPN
By John McCormick
Early reports on Microsoft Windows 2000 suggest that it is practically bulletproof, capable of running around the clock for weeks without showing users the dreaded blue screen of death.
Certainly I found Release Candidate 2 of the operating system impressive.
That stability may eventually make Win 2000 as acceptable as a Unix platform for enterprise networks. But for many administrators, the most important new features are the tools that aid in securing and managing virtual private networks.
The potential cost savings in moving from leased lines to the Internet as an integral part of your enterprise network are considerable, but Windows NT 4.0 lacks the tools to build a practical VPN.
A VPN can consist of dozens of large geographically dispersed networks or a single small LAN with some dial-in users. Win 2000 has features that help managers in either scenario.

Kerberos:
Named for the three-headed dog guarding the nether regions, Kerberos guards the network by authenticating users and giving them tickets allowing access to services.
Because it is a Massachusetts Institute of Technology-developed standard authentication protocol, many administrators already know it and have been waiting for Microsoft Corp. to add this important tool.
Unfortunately, Microsoft recently acknowledged that it has implemented Kerberos in a form that does not integrate easily with non-Win 2000 platforms.
Kerberos allows for the central management of authentication of both users and services. The authentication of services is especially important in a VPN because users need to know they are sending data to the part of the network to which they think they are connected.
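The ticket flow this section describes, as an added illustration that is not part of the article: a toy KDC checks the user's password once, then issues a time-limited ticket for one service; the service checks the ticket with its own key and never sees a user database. The model is simplified (real Kerberos encrypts the ticket under the service's long-term key; here it is only authenticated with an HMAC under that key), and all keys, names and passwords are constructed sample values.

```python
"""Simplified model of Kerberos-style ticket issuance and verification."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values: one service key shared between the KDC and the
# printer service, and the KDC's own user database. Nothing here is real.
SERVICE_KEYS = {"printer": b"printer-long-term-key"}
USER_PASSWORDS = {"alice": "correct horse"}


def _mac(key: bytes, body: bytes) -> str:
    """Integrity tag standing in for the encryption a real KDC applies."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_ticket(user: str, password: str, service: str,
                 lifetime: int, now: float) -> Optional[dict]:
    """KDC side: authenticate the user centrally, then issue a ticket that is
    bound to one service and expires after `lifetime` seconds."""
    if USER_PASSWORDS.get(user) != password:
        return None  # bad credentials: no ticket is issued
    body = {"user": user, "service": service, "expires": now + lifetime}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": _mac(SERVICE_KEYS[service], encoded)}


def service_accepts(ticket: dict, service: str, now: float) -> bool:
    """Service side: the service needs only its own key (SERVICE_KEYS[service])
    to decide; it keeps no list of authorized users."""
    encoded = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = _mac(SERVICE_KEYS[service], encoded)
    if not hmac.compare_digest(ticket["mac"], expected):
        return False  # forged or tampered ticket
    if ticket["body"]["service"] != service:
        return False  # ticket was issued for a different service
    return ticket["body"]["expires"] > now  # reject expired tickets
```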
Users and services have passwords, and a central Kerberos database keeps lists of both. The database server issues to users encrypted time-limited tickets that are attached to requests for services and sent to the printer, e-mail server or other network service. Because the ticket is encrypted by a trusted source, the Kerberos server, it is accepted by the service, which does not need to keep an authorized user database.

L2TP:
The Layer 2 Tunneling Protocol is a combination of the Layer 2 Forwarding protocol developed by Cisco Systems Inc. of San Jose, Calif., and the Point-to-Point Tunneling Protocol developed by Microsoft and some partners.
Although the IP Security specification provides tools for server-to-server packet tunneling, it takes L2TP to support the client-server tunneling essential for many virtual private networks because it permits secure tunneling from a local Internet service provider to a network.
By itself, L2TP isn't secure, but it supports standard IP Security tools, which should be used in conjunction with it.

RADIUS:
An Internet draft standard, the Remote Authentication Dial-In User Service is another addition of special interest to VPN managers. It provides for authentication, authorization and accounting. Basic authentication is tied to the user name and password stored in the RADIUS server, but more sophisticated tools can be used. The RADIUS database also contains information about the privileges each user has for each service.
The big news is that all of these tools are based on standards, not proprietary Microsoft developments, so you can easily integrate Win 2000 networks with others.

John McCormick, a computer consultant and free-lance writer, has been working with computers since the early 1960s. E-mail him at [email protected]