There's more than one way to skin a VPN.
By Roger Gann, PC Advisor | PC Advisor | Published: 01:00, 09 November 2005
Remote access is now more of a necessity than a luxury for business users who need to access files on an office network when they're on the road or working from home. If the remote PC has Internet connectivity via modem, broadband or through a LAN, and the office network has a permanent connection to the Internet, the most cost-effective way for remote users to connect is by creating a VPN (virtual private network).
So, rather than lay your own network cable across the globe, you use a public network, the Internet, as your connection medium. As the Internet is by its very nature insecure, you place your private network traffic inside a secure 'wrapper' to stop eavesdroppers accessing your data. The result is a VPN inside a physical public network, a great solution to wide area networking requirements.
VPN technologies use 'tunnelling' protocols to create the connection and encryption protocols to provide the privacy on the public network. This allows you to securely access a VPN server and the rest of the company network. Once a VPN tunnel has been established, any application (web, email, even VOIP) can use it as though it were using a normal network connection.
So, if you need remote access, the question isn't whether to use VPN, but which VPN technology to use. There are four main protocols and each has pros and cons.
Because a VPN creates a secure virtual pipeline through the public network, the protocols used to create this connection are called tunnelling protocols. The most common VPN technologies available are PPTP, L2TP, IPSec and SSL.
Choosing which one to use is tricky. A lot depends on factors such as server and client OS, the network resources to which access is needed, the level of security required and performance issues.
PPTP (point-to-point tunnelling protocol) is an extension of the Internet standard PPP (point-to-point protocol), the link layer protocol used to transmit IP packets over serial links. PPTP was developed by Microsoft and it's the only VPN protocol built into Windows as standard.
PPTP drills the tunnel but it doesn't provide encryption. It's used in conjunction with MPPE (Microsoft point-to-point encryption) to create a secure VPN. With good authentication, for example EAP (extensible authentication protocol), PPTP is secure. It carries a low overhead, making it faster than other methods.
The L2TP (Layer 2 tunnelling protocol) was developed in co-operation between Cisco and Microsoft, combining features of PPTP with those of Cisco's proprietary L2F (Layer 2 Forwarding) protocol. As you might guess, L2TP operates at the data link layer of the OSI (open systems interconnection) networking model. An L2TP client is built into Windows 2000, XP and 2003, but you can download software for older versions of Windows.
L2TP has several advantages over PPTP. PPTP gives you data confidentiality, but L2TP goes further and also verifies data integrity and provides authentication of origin. However, the overhead involved in providing this extra security can result in slower performance than PPTP.
Wait a sec
IPSec (the IP security protocol) actually provides the encryption for L2TP but it can also be used as a tunnelling protocol. Like PPTP and L2TP, IPSec provides a connection that terminates at the firewall and grants remote users access to the entire network. IPSec operates at a higher level of the OSI model, the network layer or Layer 3. Many hardware VPN appliances use an implementation of IPSec.
Authentication is accomplished via the IKE (Internet key exchange) protocol with either digital certificates or with a pre-shared key. IPSec VPNs can protect against many of the most common attack methods, including Denial of Service, replay, and 'man-in-the-middle' attacks.
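The integrity, origin-authentication and anti-replay properties described for L2TP/IPSec above can be seen in a receiver that processes ESP-style packets. The following Python is an added example written for this article, not code from any IPsec implementation: it frames a payload as SPI, sequence number, payload and a truncated HMAC-SHA256 integrity check value (ICV), and the receiver verifies the ICV before letting the packet advance a sliding anti-replay window modelled on the one described in RFC 4303. The key, SPI and payloads are constructed for the demonstration; a real security association would take its keys from IKE and would also encrypt the payload, which is left out here so the block needs only the standard library.

```python
import hashlib
import hmac
import struct

# Constructed demonstration key. A real IPsec SA derives its keys via IKE.
DEMO_KEY = b"\x11" * 32
ICV_LEN = 16                 # ESP truncates HMAC-SHA-256 to 128 bits
HDR = struct.Struct("!II")   # SPI, 32-bit sequence number


def build_packet(spi, seq, payload, key=DEMO_KEY):
    """Frame payload ESP-style: SPI || seq || payload || ICV."""
    header = HDR.pack(spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class ReplayWindow:
    """Sliding anti-replay window (simplified from RFC 4303 Appendix A, 32-bit seq)."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => seq (highest - i) has been accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False      # sequence number 0 is never valid for ESP
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1           # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False      # too old: behind the window
        if self.bitmap & (1 << diff):
            return False      # already seen: replay
        self.bitmap |= 1 << diff
        return True


class Receiver:
    """Inbound side of one SA: checks SPI, verifies ICV, then applies the replay window."""

    def __init__(self, spi, key=DEMO_KEY):
        self.spi = spi
        self.key = key
        self.window = ReplayWindow()
        self.stats = {"accepted": 0, "bad_spi": 0, "bad_icv": 0, "replay": 0}

    def receive(self, packet):
        """Return the payload if the packet is accepted, otherwise None."""
        if len(packet) < HDR.size + ICV_LEN:
            self.stats["bad_icv"] += 1
            return None
        header, body, icv = packet[:HDR.size], packet[HDR.size:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = HDR.unpack(header)
        if spi != self.spi:
            self.stats["bad_spi"] += 1
            return None
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        # Origin authentication and integrity: constant-time compare of the ICV.
        if not hmac.compare_digest(icv, expected):
            self.stats["bad_icv"] += 1
            return None
        # Only an authenticated packet may advance the window; otherwise forged
        # sequence numbers could push legitimate traffic out of it.
        if not self.window.check_and_update(seq):
            self.stats["replay"] += 1
            return None
        self.stats["accepted"] += 1
        return body


def demo():
    """Drive one SA through in-order, reordered, replayed and tampered packets."""
    rx = Receiver(spi=0x1000)
    p1 = build_packet(0x1000, 1, b"first")
    p5 = build_packet(0x1000, 5, b"fifth")
    p3 = build_packet(0x1000, 3, b"third, arriving late")
    forged = bytearray(build_packet(0x1000, 6, b"sixth"))
    forged[HDR.size] ^= 0x01          # flip one payload bit; the ICV no longer matches
    results = [rx.receive(p) for p in (p1, p5, p3, p1, bytes(forged))]
    return results, rx.stats, rx.window.highest


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: the ICV is verified before the window is updated, so a tampered packet carrying a high sequence number is counted as an integrity failure and does not move the window, while a genuine packet that arrives late but within the window is still accepted.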
IPSec support is included in Windows 2000/XP/2003, but not in older Windows operating systems. If you have a VPN gateway you may have to buy client licenses for the client software. If you use multiple apps, IPSec can be a godsend.
The downside is that it leaves the network wide open if the remote-access client has been compromised. IPSec clients often let IT managers require that client PCs have security or antivirus software installed before a VPN connection is permitted. IPSec is a good fit for 'fixed' site-to-site VPNs, because it can be implemented in network hardware without client software support. For mobile users, however, it's more hassle: the cost of deploying the software, configuring it and supporting it can be significant.
Socket to 'em
If you've ever bought anything on the Internet you'll have come across SSL (secure sockets layer) connections.
And this is a big plus for SSL VPNs - you don't need special client software, you just use a web browser to access the remote network. With SSL VPNs, instead of giving VPN clients access to the whole network as with IPSec, you can restrict them to specific applications, which naturally have to be web or Java-based. Less expensive, and easier to deploy than IPSec VPNs, SSL VPN technology provides remote access to web applications such as email and corporate intranets.
SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: Layer 7, the application layer, which permits much finer granularity when it comes to specifying access control. Because SSL VPNs work at the application layer, network administrators can specify access-control sets and rules based on criteria such as application, TCP/IP port and user, something the all-or-nothing nature of IPSec can't match without installing additional firewalls behind the tunnel end point and getting bogged down with lots of tedious rule sets.
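To make the granularity point concrete, here is an added Python example, written for this article rather than taken from any SSL VPN product, of the kind of rule set an application-layer gateway can evaluate: each rule names a user group, a published application and a backend TCP port, rules are matched in order and anything unmatched is denied. A second function models the all-or-nothing network-layer decision the text contrasts it with, and a third flags rules that an earlier rule shadows, which is how ordered rule sets quietly stop meaning what their author intended. Users, groups, applications and ports are constructed for the demonstration.

```python
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    group: str    # user group the rule applies to, or ANY
    app: str      # published application name, or ANY
    port: int     # backend TCP port; 0 means any port
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    port: int


# Constructed policy: ordered, first match wins, implicit deny at the end.
POLICY = [
    Rule("finance", "expenses", 443, "allow"),
    Rule(ANY, "webmail", 443, "allow"),
    Rule(ANY, "intranet", 80, "allow"),
    Rule("contractors", "intranet", 80, "deny"),   # shadowed by the rule above
    Rule("it-admins", "fileshare", 445, "allow"),
]


def match(rule, req):
    """True if the rule's group, application and port all cover the request."""
    return ((rule.group == ANY or rule.group in req.groups)
            and (rule.app == ANY or rule.app == req.app)
            and (rule.port == 0 or rule.port == req.port))


def ssl_vpn_decision(policy, req):
    """Application-layer decision: (allowed, index of the matching rule or None)."""
    for i, rule in enumerate(policy):
        if match(rule, req):
            return rule.action == "allow", i
    return False, None          # default deny


def network_layer_decision(authenticated):
    """All-or-nothing: once the tunnel is up, every host and port is reachable."""
    return authenticated


def covers(earlier, later):
    """True if every request matching `later` also matches `earlier`."""
    return ((earlier.group == ANY or earlier.group == later.group)
            and (earlier.app == ANY or earlier.app == later.app)
            and (earlier.port == 0 or earlier.port == later.port))


def find_shadowed(policy):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(policy)
            if any(covers(policy[i], later) for i in range(j))]


if __name__ == "__main__":
    alice = Request("alice", frozenset({"finance"}), "expenses", 443)
    bob = Request("bob", frozenset({"contractors"}), "fileshare", 445)
    print(ssl_vpn_decision(POLICY, alice), ssl_vpn_decision(POLICY, bob))
    print("shadowed rules:", find_shadowed(POLICY))
```

Run against the constructed policy, a finance user reaches the expenses application, a contractor is refused the file share by the implicit deny, and the contractor-specific deny on the intranet is reported as unreachable because the broader allow above it always matches first.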
Because SSL VPN access is browser-based, users can log on securely with a web browser using almost any device. Firewalls usually don't cause any grief either as SSL uses TCP ports that are usually left open.
SSL operates transparently across proxies and routers performing Network Address Translation, a major boon. SSL solves almost all remote access issues except one: providing access to client/server or other applications not accessible from a browser. Unlike IPSec VPNs, SSL VPN appliances don't typically allow direct access to network file shares.
SSL can also require multiple handshakes per session, which increases the CPU load on both the client and the host and makes it harder for an SSL gateway to support many simultaneous VPN connections, something that IPSec concentrators handle with aplomb.