Guidelines for Planning a VPN Infrastructure

Implementing a VPN infrastructure must be planned carefully because you are deliberately exposing your internal network to the Internet. In many cases, VPN clients have complete access to the internal network, just as if the client computer were connected to the internal network behind the ISA Server computer. This means that your VPN implementation must be as secure as possible.

Use the following guidelines when planning your ISA Server VPN implementation:
1- For the highest level of security, implement a VPN solution that uses L2TP/IPSec, MS-CHAP v2, or EAP/TLS for user authentication and certificate-based authentication for computer authentication. With this configuration, you must deploy certificates to all remote-access clients. However, the certificate authentication means that only computers that have the appropriate certificate will be able to connect.

2- You can also deploy PPTP using certificate-based authentication. In this scenario, you can use two-factor authentication, with devices such as smart cards, to ensure the identity of the remote client. Although this option provides a more secure means to authenticate the remote-access user, it does not provide an option for authenticating the remote-access client computer.

3- If you do not have the option of deploying client certificates to all VPN clients or using smart cards, the most secure option is to use PPTP with password authentication. When you use PPTP, the data is encrypted; however, the authentication mechanism is not as secure. If you use password-based authentication, ensure that you enforce strong passwords by using Group Policy.

4- Always use the most secure protocols that both your VPN access servers and clients can support, and configure the remote-access server and the authenticating server to accept only secure authentication protocols. If you have older VPN clients that do not support secure authentication protocols, consider not enabling VPN access for these clients. Only enable VPN access for these clients if there is a strong business need to do so, and if you do not have the option of upgrading the clients.

5- ISA Server 2004 allows you to use pre-shared keys in place of certificates when creating remote-access and gateway-to-gateway VPN connections. Pre-shared key support for IPSec-based VPN connections should be used only for testing purposes. A single remote-access server can use only one pre-shared key for all L2TP/IPSec connections requiring a pre-shared key for authentication. This means that you must issue the same pre-shared key to all L2TP/IPSec VPN clients. Unless you distribute the pre-shared key within a Connection Manager profile, each user must manually enter the pre-shared key into the VPN client software settings. This reduces the security of the L2TP/IPSec VPN deployment.

6- Using RADIUS for authentication does not increase the level of security for VPN connections. The only advantage of using RADIUS is that you can centralize policy management for multiple ISA Server computers acting as VPN remote-access servers.

7- Using SecurID can significantly increase the level of security for the VPN connections because SecurID requires access to the token that provides a one-use password. However, deploying SecurID significantly increases the complexity of the VPN server deployment.
