Microsoft's often forgotten "freebie" - The PPTP VPN


Kevin Beaver
07.21.2004


I'm a practical guy, so I avoid getting bogged down with the technical details of VPNs when I can and focus more on what's going to work effectively in a business environment. Most IT folks I know prefer to work this way and I'm guessing you do too. My customers and prospects often ask me what I would do to create secure dial-in access for remote users. This is the perfect scenario for using a client-to-server VPN. Considering most people I know like to save money whenever and wherever, this is a perfect application for a PPTP VPN using the Routing and Remote Access server (RRAS) that's built into Microsoft Windows. The really neat thing is that it doesn't cost anything extra beyond the standard Windows licenses.

With the combination of increasing traffic, corporate support of telecommuting, and various laws requiring secure authentication and data transmission, client-to-site VPNs are becoming quite the craze. There are a lot of client-to-site VPN options out there – most of which cost a lot of money, not to mention require technical skills that frankly many people would just as soon not possess. In addition, there's a lot to wade through when it comes to finding a good VPN solution. Practically all of the popular VPNs are excellent at what they do and certainly have their place in the market. The problem is that these solutions are often overkill when the basic requirement is merely secure and manageable remote client access. Many people I know are finding that implementing a Windows server-based PPTP VPN is one of the smartest IT choices they've made in a while.

So, what does it take? The RRAS service on an existing or spare low-end Windows NT server is really all that's needed to do this. However, I recommend Windows 2000 Server or Windows Server 2003. Microsoft has made a lot of improvements in the security and usability of PPTP and the overall OS since the "new technology" days. I've yet to come across an organization that doesn't have at least one Windows server in-house. Not that you would necessarily want to host VPN services on a machine that's serving as a domain controller, e-mail server, or Web server, but it can be done. The secure and recommended way of doing it would be to serve up RRAS on a dedicated server, but that's for a different discussion.

Barring any installation quirks, you can set up a PPTP client-to-site VPN in less than five minutes. This includes configuring RRAS as well as creating a VPN connection on a client machine. Beware: every now and then – especially with older and unpatched Windows 2000 servers – you may come across some installation issues where you'll have to add a Microsoft loopback adapter or select the manual configuration option when installing RRAS to get it to work, but all in all, it's a great solution for those looking to keep costs down and implement something that just works. If you do have problems, a quick Google Web or Groups search will assuredly uncover the solution in no time.

Sure, there have been many security vulnerabilities posted and discussed regarding Microsoft's implementation of PPTP, but these issues, for all practical purposes, have gone away. There are always pros and cons to every technical solution. Some say there's still a chance an attacker can capture PPTP authentications and crack passwords. They're right, the chance is there, but remember what I said about me being a practical guy? If you've got someone on your switched Ethernet network capturing packets, then you've probably got many bigger problems to worry about and a VPN should probably go down a few notches on your priority list. You've got to weigh the practical risks against the business benefits. Microsoft's PPTP client-to-site VPN solution is a hard deal to pass up.


Kevin Beaver, CISSP, is an information security advisor with Principle Logic, LLC specializing in security assessments and incident response. He is the author of several information security books including the new book titled Hacking For Dummies by John Wiley and Sons.


All Rights Reserved, Copyright 2000 - 2008, TechTarget