To adapt to the needs of informatization and mobile office work, many enterprises have deployed VPN servers. A VPN (Virtual Private Network) built on the Windows Server 2003 Routing and Remote Access service is a secure and convenient remote access solution and is now the preferred choice for most small and midsize enterprises. How to secure that VPN is then a problem the enterprise CIO has to face.
A VPN solution creates a virtual LAN over the Internet so that the client (enterprise staff) and the server (the company) can share, transmit and exchange information with each other. VPN clients can use the Point-to-Point Tunneling Protocol (PPTP), the Layer Two Tunneling Protocol (L2TP) or IP Security (IPsec) to create a secure tunnel to the Windows Server 2003 Routing and Remote Access Service VPN server, so that the client becomes a remote node on the private network.
The security threat to the VPN comes from outside this line, from the Internet. So how do you harden a VPN against external attacks? Configuring PPTP packet filters on the VPN server is an efficient approach. The principle is least privilege: allow only the traffic a PPTP VPN client needs and discard every packet other than those explicitly permitted.
I. Configuring PPTP Input Filters
Configure PPTP input filters to allow inbound traffic from PPTP VPN clients only, as follows:
Step one: Click Start → Programs → Administrative Tools and open the Routing and Remote Access window. In the left pane of the console, expand Server Name (local) → IP Routing, click General, and then double-click Local Area Connection in the right pane to open the Local Area Connection Properties dialog box.
Step two: On the General tab, click Inbound Filters, and then click New in the Inbound Filters dialog box to open the Add IP Filter dialog box. Check the Destination network checkbox and type the IP address of the external interface in the IP address box. Type "255.255.255.255" in the Subnet mask box, select "TCP" in the Protocol drop-down menu, type "1723" in the Destination port box that appears, and then click OK.
Step three: Back in the Inbound Filters dialog box, select the "Discard all packets except the following" radio button, and then click New. Check the Destination network checkbox, type the IP address of the external interface in the IP address box, type "255.255.255.255" in the Subnet mask box, select "Other" in the Protocol drop-down menu, type "47" in the Protocol number box, and then click OK to complete the setting.
II. Configuring PPTP Output Filters
Configure PPTP output filters to allow outbound traffic to PPTP VPN clients only, as follows:
Step one: In the Routing and Remote Access window, open the Properties dialog box of the external interface, click Outbound Filters on the General tab, and then click New in the Outbound Filters dialog box to open the Add IP Filter dialog box. Check the Source network checkbox, type the IP address of the external interface in the IP address box, set the subnet mask to "255.255.255.255", set the protocol to "TCP", set the Source port to "1723", and then click OK.
Step two: Back in the Outbound Filters dialog box, select the "Discard all packets except the following" radio button, and then click New and check the Source network checkbox. Type the IP address of the external interface in the IP address box, set the subnet mask to "255.255.255.255", select "Other" in the Protocol drop-down menu, set the protocol number to "47", and then click OK to complete the setting.
Tip: TCP port 1723 is the default port used by the PPTP VPN server for its control connection, and protocol number 47 is GRE (Generic Routing Encapsulation), the IP protocol that carries the PPTP tunnel data. GRE is a separate IP protocol rather than TCP, which is why it is entered under "Other" with its protocol number instead of a port.
After you complete the above settings, only PPTP VPN client traffic (the TCP 1723 control connection and the GRE tunnel) can pass through the external interface of the VPN server, which greatly strengthens the security of the VPN.
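To make the least-privilege effect of the two filter lists concrete, here is an added example that is not part of the original article and not RRAS code: a small default-deny evaluator in Python that models the inbound and outbound lists exactly as the steps above build them (destination or source network with a 255.255.255.255 mask, TCP port 1723, and IP protocol 47) and runs constructed sample packets through them. The external interface address 203.0.113.10, the client address 198.51.100.7 and every sample packet are made-up values chosen for the demonstration.

```python
"""Model of the default-deny PPTP filter lists described above.

Constructed example: a small packet-filter evaluator, not RRAS code. The
external interface address and the client address are made-up sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47      # IP protocol number for GRE, the carrier of PPTP tunnel data
PPTP_PORT = 1723    # TCP port of the PPTP control connection

EXTERNAL_IP = "203.0.113.10"     # constructed external interface address
HOST_MASK = "255.255.255.255"    # the subnet mask typed in the dialog: one host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (GRE)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One 'Add IP Filter' entry; None means the box was left unchecked (any)."""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        for want, have in ((self.proto, p.proto), (self.sport, p.sport), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        return True


def host(ip: str) -> ipaddress.IPv4Network:
    """Address plus the 255.255.255.255 mask from the dialog -> a single-host (/32) network."""
    return ipaddress.ip_network(f"{ip}/{HOST_MASK}")


# Inbound filter list ("discard all packets except the following")
INBOUND_RULES: List[Rule] = [
    Rule(dst=host(EXTERNAL_IP), proto=PROTO_TCP, dport=PPTP_PORT),  # section I, step two
    Rule(dst=host(EXTERNAL_IP), proto=PROTO_GRE),                    # section I, step three
]
# Outbound filter list ("discard all packets except the following")
OUTBOUND_RULES: List[Rule] = [
    Rule(src=host(EXTERNAL_IP), proto=PROTO_TCP, sport=PPTP_PORT),  # section II, step one
    Rule(src=host(EXTERNAL_IP), proto=PROTO_GRE),                    # section II, step two
]


def filter_packet(p: Packet, rules: List[Rule]) -> str:
    """Default deny: a packet is permitted only if some rule in the list matches it."""
    return "permit" if any(r.matches(p) for r in rules) else "drop"


def run_demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run constructed inbound and outbound packets through the two lists."""
    client = "198.51.100.7"   # constructed remote VPN client address
    inbound_samples = {
        "pptp_control": Packet(client, EXTERNAL_IP, PROTO_TCP, 40000, PPTP_PORT),
        "gre_tunnel": Packet(client, EXTERNAL_IP, PROTO_GRE),
        "rdp_inbound": Packet(client, EXTERNAL_IP, PROTO_TCP, 40001, 3389),
        "dns_query": Packet(client, EXTERNAL_IP, PROTO_UDP, 5353, 53),
        "pptp_other_host": Packet(client, "203.0.113.11", PROTO_TCP, 40002, PPTP_PORT),
    }
    outbound_samples = {
        "pptp_control": Packet(EXTERNAL_IP, client, PROTO_TCP, PPTP_PORT, 40000),
        "gre_tunnel": Packet(EXTERNAL_IP, client, PROTO_GRE),
        "http_reply": Packet(EXTERNAL_IP, client, PROTO_TCP, 80, 40005),
    }
    inbound = {name: filter_packet(p, INBOUND_RULES) for name, p in inbound_samples.items()}
    outbound = {name: filter_packet(p, OUTBOUND_RULES) for name, p in outbound_samples.items()}
    return inbound, outbound


if __name__ == "__main__":
    for direction, results in zip(("inbound", "outbound"), run_demo()):
        for name, verdict in results.items():
            print(f"{direction:8} {name:16} {verdict}")
```

Only the PPTP control connection and the GRE tunnel pass in either direction; the TCP 3389 and UDP 53 packets to the external interface, and a TCP 1723 packet addressed to a different host, are all dropped because nothing in the list matches them. The 255.255.255.255 mask is what makes the rules single-host rules, so a filter built with a wider mask would permit the same protocols to other addresses as well.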