67 If you cant find a CHAP implementation at all for a particular operating system, you may be forced to accept clear text passwords.

4.2.5.2 Data encryption

In the RAS properties for Windows NT, youll find a checkbox to require data encryption for the RAS connection. This option will make all data going across the connection stream unreadable to an interceptor. The box can be checked only if the option to require Microsoft encrypted authentication is also selected, meaning that you can use it only if youre also using MS-CHAP. The reason for this is that the value generated by the MD4 hash is used by the RAS client and server to derive a session key for encryption. The encryption algorithm used is RSAs RC4, with a 40-bit session key. As we said in Chapter 2 , U.S. export laws prevent the distribution of ciphers that can use session keys of greater than 40 bits. On the other hand, keys of 40 bits are often considered too vulnerable for transmitting secure data over the Internet. In order to meet the demand for better encryption methods, Microsoft has included a 128-bit strong encryption module in a U.S.-only version of their Service Pack 3 for Windows NT 4.0.

4.3 Features of PPTP

There are several factors in PPTPs favor. Among these are availability, easy implementation, multiprotocol tunneling, and the ability to use corporate and unregistered IP addresses.

4.3.1 Availability

Because PPTP is included with Windows NT Server, Workstation, and Windows 98, it is readily available to users of these platforms. No additional software need be purchased. Microsoft is giving away the PPTP upgrade for Windows 9598 as well. In addition, it is included free of charge in many different brands of remote access switches, including Ascend, 3Com, and ECI Telematics equipment. Because it has become part of the package of a leading network operating system and numerous remote access switches, PPTP enjoys a huge product-placement advantage. An administrator for a Windows NT network can start experimenting with a VPN right away, without spending any extra money.

4.3.2 Easy Implementation

On Windows NT systems, PPTP is installed as a network protocol, just like IPX SPX, TCPIP, or NetBEUI. In RAS, instead of using a modem as the RAS device, you use a VPN port with the name RASPPTPM. Many Windows NT administrators will already be familiar with how to set up network protocols and RAS, so using PPTP shouldnt be difficult for them. Likewise, on Windows 95 systems, PPTP is installed as a new version of the Dial-Up Adapter thats already a familiar part of Windows 95 Dial-Up Networking. On Windows 98, the VPN Adapter can also be installed and used like a modem for VPN connections. On remote access switches that support PPTP, enabling PPTP is typically straightforward. For users who wish to dial in using PPTP, you simply add the IP address of their PPTP server to their profiles. ISPs that use authentication and accounting software such as Merit Networks RADIUS server will also find PPTP as easy to implement in a user profile as PPP. Well go into detail about how to set up PPTP on both RAS and remote access switches in Chapter 5 . 68

4.3.3 Multiprotocol Tunneling

The ability to tunnel multiple protocols is one of PPTPs greatest advantages. Some tunneling software allows you to tunnel only IP packets. PPTP, however, can tunnel all of the protocols currently supported by RAS. Users connecting to a RAS server through a VPN will have access to the full range of protocols and servers they would normally have on their LAN. For Windows NT and Windows 9598 users, this means that their usual username and password, and all access privileges associated with their profile, will pertain to the dial-up user. They will be able to browse the network and access file servers and network printers, as always, through their Network Neighborhood.

4.3.4 Ability to Use Corporate and UnregisteredIP Addresses

When VPN users make PPTP connections with the RAS server, they can be assigned IP addresses by that server. The address can be part of the corporations range of IP addresses 2.1.1.129 is part of the 2.1.1.024 CIDR address range in our earlier examples, thus making the RAS users system appear to be on the corporate IP network. Sometimes corporations dont use what are known as registered IP addresses on their internal networks. If a block of addresses is registered, it means that it was obtained by an address registry such as the InterNIC that assures that the addresses are unique on the Internet. The Internet Assigned Numbers Authority IANA has set aside blocks of unregistered IP addresses for use on private internets, or Intranets. These addresses can be used on IP networks that dont have Internet access or that have access through a router that uses Network Address Translation or NAT, which well discuss more later. A listing of these unregistered blocks of addresses can be found in RFC 1918. If a company is using an unregistered range of addresses, a RAS client using PPTP can obtain one of these addresses and have access to the corporate IP network. If the user were simply dialing into an ISP and attempting to access the network without PPTP, a hole in the corporate firewall would have to be opened up for that user. If the user obtains a dynamic IP address whenever they dial into their ISP, this would be nearly impossible.