Security

Microsoft VPN uses proven Windows NT RAS security. Businesses can ensure secure communication between remote users and the private network using Windows NT RAS encryption and authentication protocols. Windows NT RAS supports the Password Authentication Protocol (PAP), the more sophisticated Challenge Handshake Authentication Protocol (CHAP), a special Microsoft adaptation called MS-CHAP, as well as RSA RC4 and DES encryption technologies.

Authentication and Encryption

Client accounts are validated against the Windows NT user database, and only those with valid permissions are allowed to connect. The keys used to encrypt data are derived from the user's credentials and are never transferred on the wire. Once authentication completes, the user's identity has been verified, and the authentication key is used for encryption. Windows NT 4.0 uses 40-bit RC4 encryption. For the United States and Canada, Microsoft will provide an optional add-on pack for 128-bit encryption, which provides security so tight that exporting it elsewhere is prohibited today by U.S. law.
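The two properties stated above, that the client is checked against a stored account record and that the encryption key is derived from the credential plus a per-session challenge rather than sent across the link, can be shown with a small simulated exchange. The following is an added illustration written for this page; it is not Microsoft's MS-CHAP or RC4 key schedule, and the account database, user name, password and HMAC-based derivation are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed illustration (not Microsoft's MS-CHAP or RC4 key schedule) of
# credential-derived keys: both sides hold a hash of the password, the server
# proves the client knows it via a challenge/response, and each side derives
# the session key locally, so neither password nor key crosses the wire.

# Constructed sample account database: username -> credential hash.
USER_DB = {
    "alice": hashlib.sha256(b"correct horse battery staple").digest(),
}


def credential_hash(password: str) -> bytes:
    """Both sides keep only a hash of the password, never the password itself."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(cred: bytes, challenge: bytes) -> bytes:
    """Proof of possession of the credential, bound to this session's challenge."""
    return hmac.new(cred, b"auth-response" + challenge, hashlib.sha256).digest()


def derive_session_key(cred: bytes, challenge: bytes) -> bytes:
    """16-byte encryption key computed independently on each side; never transmitted."""
    return hmac.new(cred, b"session-key" + challenge, hashlib.sha256).digest()[:16]


def run_exchange(username: str, password: str, challenge=None) -> dict:
    """Simulate one authentication round and record every message put on the wire."""
    wire = []                                   # (direction, bytes) for each message
    challenge = challenge or os.urandom(16)     # server-chosen nonce for this session
    wire.append(("server->client", challenge))

    # Client side: answer the challenge from its own credential hash.
    client_cred = credential_hash(password)
    response = compute_response(client_cred, challenge)
    wire.append(("client->server", username.encode("utf-8") + b"|" + response))

    # Server side: validate against the stored record with a constant-time compare.
    stored = USER_DB.get(username)
    if stored is None or not hmac.compare_digest(compute_response(stored, challenge), response):
        return {"authenticated": False, "wire": wire, "server_key": None, "client_key": None}

    return {
        "authenticated": True,
        "wire": wire,
        "server_key": derive_session_key(stored, challenge),
        "client_key": derive_session_key(client_cred, challenge),
    }


def secret_leaked(result: dict, password: str) -> bool:
    """True if the password or the derived key appears in any transmitted message."""
    needles = [password.encode("utf-8")]
    if result["server_key"]:
        needles.append(result["server_key"])
    return any(n in msg for _, msg in result["wire"] for n in needles)


if __name__ == "__main__":
    outcome = run_exchange("alice", "correct horse battery staple")
    print("authenticated:", outcome["authenticated"])
    print("keys match:", outcome["server_key"] == outcome["client_key"])
    print("secret on the wire:", secret_leaked(outcome, "correct horse battery staple"))
```

Running the block shows that a correct password yields matching keys on both sides while the wire carries only the challenge, the user name and the response; a wrong password or unknown user fails before any key is derived.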

PPTP Filtering

PPTP filtering is an important security feature. An administrator can decide to allow only PPTP-enabled users to connect to the corporate network from the Internet. Filtering out non-PPTP packets avoids the risk of somebody attacking the corporate network through the PPTP gateway server.
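The policy described above can be stated precisely: on the Internet-facing interface, accept only the two flows PPTP itself needs, the TCP control connection on port 1723 and the GRE-encapsulated tunnel (IP protocol 47), and drop everything else. Those two flow identifiers are not given on this page; they are PPTP's standard ports and protocol numbers. The following is an added simulation of that filter written for this page, not Microsoft's implementation; the gateway address and the sample packets are constructed.

```python
from dataclasses import dataclass

# Added illustration of a "PPTP only" ingress policy for the gateway server.
# Not Microsoft's filter code. PPTP needs exactly two flows from the Internet:
# the TCP control connection (port 1723) and the GRE tunnel (IP protocol 47).
PPTP_CONTROL_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number
    dport: int = 0    # destination port; 0 for protocols without ports (e.g. GRE)


def pptp_only_filter(pkt: Packet, gateway_ip: str):
    """Return ("accept" | "drop", reason) for one packet arriving from the Internet."""
    if pkt.dst != gateway_ip:
        return ("drop", "not addressed to the PPTP gateway")
    if pkt.proto == IPPROTO_GRE:
        return ("accept", "GRE tunnel payload")
    if pkt.proto == IPPROTO_TCP and pkt.dport == PPTP_CONTROL_PORT:
        return ("accept", "PPTP control connection")
    return ("drop", "non-PPTP traffic")


def apply_filter(packets, gateway_ip):
    """Apply the policy to a batch; returns per-packet decisions and a count per reason."""
    decisions = [(p, *pptp_only_filter(p, gateway_ip)) for p in packets]
    summary = {}
    for _, _verdict, reason in decisions:
        summary[reason] = summary.get(reason, 0) + 1
    return decisions, summary


# Constructed sample traffic using documentation address ranges, not real hosts.
GATEWAY = "203.0.113.10"
SAMPLE_PACKETS = [
    Packet("198.51.100.7", GATEWAY, IPPROTO_TCP, PPTP_CONTROL_PORT),       # PPTP control
    Packet("198.51.100.7", GATEWAY, IPPROTO_GRE),                          # tunnelled PPP
    Packet("198.51.100.9", GATEWAY, IPPROTO_TCP, 139),                     # file sharing from Internet
    Packet("198.51.100.9", GATEWAY, IPPROTO_UDP, 53),                      # DNS from Internet
    Packet("198.51.100.9", "203.0.113.25", IPPROTO_TCP, PPTP_CONTROL_PORT),  # not the gateway
]

if __name__ == "__main__":
    decisions, summary = apply_filter(SAMPLE_PACKETS, GATEWAY)
    for pkt, verdict, reason in decisions:
        print(f"{verdict:6} {pkt.src} -> {pkt.dst} proto={pkt.proto} dport={pkt.dport}: {reason}")
    print(summary)
```

The order of the rules matters in practice: the GRE rule has no port, so a filter that only opens TCP 1723 lets clients authenticate but never carry data, a common misconfiguration when the gateway sits behind another packet filter.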

Front End Processors

PPTP is designed to allow front-end processors (FEPs) to be connected to Windows NT servers, so that clients that call into the FEP have transparent access to the server's network. This means the client won't notice whether it is going straight to the server or to an FEP that is tunneling to the server. Because Microsoft VPN provides transparent access to a PPP client, it can work with UNIX, Win16, MS-DOS®, Macintosh, and other clients.

FEPs can be operated by telephone companies because an FEP has no access to the data exchanged between the client and the server. The FEP is just a pass-through that lacks the intelligence to evaluate the information passing through it. From a security standpoint, this means a company does not lose control of who gets access to its network, and data privacy is maintained. This is very important for companies that outsource dial-up access because they need their data to remain secure.

Another important point is that control over who has access to the server stays on the server itself, rather than on the FEP. The server authenticates the clients calling in. The FEP only looks at the caller's identity and establishes the tunnel to the server. Because it has a passive role, security is tight.

Looking Toward the Future

Microsoft is a leader in developing and implementing encryption and other security technologies. Because security is so crucial to maintaining the integrity of the world's computer networks, research and development at Microsoft and elsewhere is a continuing effort. For example, the Internet Protocol Security Protocol Working Group (IPSEC) is developing enhancements to existing IP security, and RSA Data Security is leading a consortium effort to implement the S/WAN initiative, to ensure interoperability among firewall and TCP/IP products. As new security technologies are developed, they will be evaluated for integration with Microsoft VPN.