Common VPN and Tunneling Protocols
Let us discuss the most common and widely used real-world VPN protocols. The growing number of users, the ease of access, and the reduced cost of Internet connections have created a greater need for cost-effective, secure communications that do not require purchasing leased lines. Many companies took part in this development, which resulted in a number of different VPN standards and protocols. We discuss the most common ones here.
IPSec
IPSec is the most widely acknowledged, supported, and standardized of all VPN protocols. It is the ultimate choice for interoperability reasons. IPSec is a framework of open standards that produced a secure suite of protocols that can be run on top of existing IP connectivity. It provides both data authentication and encryption services at OSI Layer 3 (the network layer) and can be implemented on any device that communicates over IP. Unlike many other encryption schemes that protect a specific higher-layer protocol, IPSec, working at the lower layer, can protect all traffic that is carried over IP. It is also used in conjunction with Layer 2 tunneling protocols to provide both encryption and authentication for non-IP traffic.
The protocol incorporates three major components: the Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).
The AH is inserted after the IP header and provides packet-level authentication and integrity services, ensuring that the packet was not tampered with along the way and that it originated from the expected sender. ESP provides confidentiality, data origin authentication, integrity, an optional anti-replay service, and limited traffic flow confidentiality. Finally, IKE negotiates the security associations that describe the use of security services between the participating entities.
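To make the AH description concrete, here is an added Python example (not from the original text or from any IPSec implementation) that builds an IPv4 packet carrying an AH header with an HMAC-SHA1-96 ICV and verifies it. The key, SPI, addresses and payload are constructed values. It also shows which parts of the IP header the ICV covers: a TTL decrement in transit still verifies, because TTL is a mutable field and is zeroed before the HMAC, while a rewritten address or payload does not.

```python
import hmac
import hashlib
import struct

# Constructed example values (not from any real deployment): key, SPI, addresses.
KEY = bytes(range(20))
ICV_LEN = 12            # HMAC-SHA1-96 keeps the first 96 bits of the SHA-1 tag
AH_LEN = 12 + ICV_LEN   # fixed AH fields (12 bytes) + ICV
AH_PROTO = 51           # IP protocol number for AH

def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload_len, ttl=64):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                    0x1234, 0x4000, ttl, proto, 0, src, dst)
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]

def ah_icv(packet):
    # AH authenticates the IP header too, but fields that legitimately change
    # in transit (TOS, flags/fragment offset, TTL, checksum) and the ICV are zeroed.
    ip = bytearray(packet[:20])
    ip[1] = 0; ip[8] = 0                   # TOS, TTL
    ip[6:8] = ip[10:12] = b"\x00\x00"      # flags/fragment offset, header checksum
    ah = bytearray(packet[20:20 + AH_LEN])
    ah[12:] = bytes(ICV_LEN)
    tag = hmac.new(KEY, bytes(ip) + bytes(ah) + packet[20 + AH_LEN:], hashlib.sha1)
    return tag.digest()[:ICV_LEN]

def build_ah_packet(src, dst, spi, seq, next_header, inner):
    ip = build_ipv4(src, dst, AH_PROTO, AH_LEN + len(inner))
    # AH Payload Len is the header length in 32-bit words minus 2 (RFC 4302).
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    pkt = ip + ah + bytes(ICV_LEN) + inner
    return pkt[:32] + ah_icv(pkt) + pkt[32 + ICV_LEN:]

def verify_ah(packet):
    # Returns (ok, spi, seq); a real receiver also looks up the SPI's security
    # association and checks seq against its anti-replay window.
    if len(packet) < 20 + AH_LEN or packet[0] != 0x45 or packet[9] != AH_PROTO:
        return False, None, None
    _, _, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ok = hmac.compare_digest(packet[32:32 + ICV_LEN], ah_icv(packet))
    return ok, spi, seq

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
PKT = build_ah_packet(SRC, DST, 0x1000, 1, 17, b"constructed UDP bytes")
```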
PPTP
Point-to-Point Tunneling Protocol (PPTP) is a proprietary development of Microsoft intended for VPN-like communications. PPTP offers user authentication employing authentication protocols such as MS-CHAP, CHAP, SPAP, and PAP. The protocol lacks the flexibility offered by other solutions and does not possess the same level of interoperability as the other VPN protocols, but it is easy to use and widely deployed in the real world.
It consists of three types of communication:
PPTP connection, where the client establishes a PPP link to an ISP.
PPTP control connection, where the client creates a PPTP connection to the VPN server and negotiates the tunnel characteristics.
PPTP data tunnel, where the client and server exchange communications inside an encrypted tunnel.
PPTP is commonly used to create secure communication channels between large numbers of Windows hosts on an intranet. We have to caution you that it has a long history of insecurities and typically relies on weak cryptographic primitives, such as MD4 and DES.
GRE
Generic Routing Encapsulation (GRE) is a Cisco-developed protocol used to tunnel traffic between different private networks. This includes non-IP traffic that cannot be carried across the network in its native form. Even though it does not provide any encryption by itself, it does provide efficient, low-overhead tunneling. GRE is often used together with network-layer encryption protocols to combine the features of GRE, such as encapsulation of non-IP protocols, with the encryption provided by other protocols, such as IPSec.
L2TP
Jointly developed by Cisco, Microsoft, and 3Com, L2TP promised to replace PPTP as a major tunneling protocol. It is essentially a combination of PPTP and Cisco Layer Two Forwarding (L2F), merging both into a single standard. L2TP is used to tunnel PPP over a public IP network. It relies on PPP to establish a dial-in connection using PAP or CHAP authentication but, unlike PPTP, L2TP defines its own tunneling protocol. Because L2TP works at Layer 2, non-IP protocols can be transported through the tunnel, and it will work over any Layer 2 medium, such as ATM, Frame Relay, or 802.11. The protocol does not offer encryption by itself, but it can be used in conjunction with other protocols or application-layer encryption mechanisms to meet security needs.