Page 12 of 15

VPN - Virtual Private Network

A VPN is a secure private network built on the resources of a public network such as the Internet. Companies and organizations use a VPN to communicate confidentially over a public network; it can carry voice, video or data. It is an excellent option for remote workers and for organizations with global offices and partners that need to share data privately. It is difficult to define precisely what constitutes a VPN because the term means different things to different people. To some, separating their traffic on a network is sufficient to call it "private", while others expect encryption when they hear the word "private".

Types of VPN

Connection-oriented/connectionless technologies
Many VPN technologies are connection oriented: a VPN user who connects to the VPN service appears to have a connection to another VPN user, e.g. IPsec, GRE and IP-in-IP. Others, such as MPLS, are connectionless VPN technologies: a VPN user (customer equipment) has no direct relationship with any other VPN user; rather, it is connected to the MPLS service as a "cloud," which ensures that packets are forwarded correctly to the other VPN user's site.

Encrypted/non-encrypted
Encrypted VPN types are typically used where confidentiality of data in transit is required, such as over a wireless network or the public Internet. The most widely used encrypting VPN technologies are IPsec and SSL.

Internet based/not Internet based
Some VPN types can be used over the public Internet and thus allow easy interconnection of sites worldwide, assuming Internet service is available in those locations. IPsec, GRE, IP-in-IP, TLS and SSH are examples of VPN technologies that can be used over the Internet. The advantage of Internet-based VPN types is their near-worldwide availability; the disadvantage is that often no quality-of-service guarantees are available for such services.

Common VPN Technologies

PPTP
The Point-to-Point Tunneling Protocol (PPTP) was developed by Microsoft in conjunction with other technology companies. PPTP is an extension of the Internet standard Point-to-Point Protocol (PPP), the link layer protocol used to transmit IP packets over serial links. PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP, EAP). PPTP establishes the tunnel but does not provide encryption; it is used in conjunction with the Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low overhead, making it faster than some other VPN methods.

L2TP
The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft, combining features of PPTP with those of Cisco's proprietary Layer 2 Forwarding (L2F) protocol. One advantage of L2TP over PPTP is that it can be used on non-IP networks such as ATM, frame relay and X.25. L2TP operates at the data link layer of the OSI networking model. IP Security (IPSec), and more specifically its Encapsulating Security Payload (ESP) protocol, provides the encryption for L2TP tunnels. The L2TP client is built into Windows 2000, XP and 2003, but client software can be downloaded for most pre-Windows 2000 operating systems (Windows 98, ME and NT 4.0). L2TP has several advantages over PPTP. PPTP gives you data confidentiality, but L2TP goes further and also provides data integrity, authentication of origin, and replay protection. On the other hand, the overhead involved in providing this extra security can result in slightly slower performance than PPTP.

IPSec
As noted above, IPSec is used as the encryption protocol in conjunction with the L2TP tunneling protocol. However, IPSec can itself be used as a tunneling protocol, and it is in fact considered the "standard" VPN solution, especially for gateway-to-gateway (site-to-site) VPNs that connect two LANs. IPSec operates at the network layer (Layer 3). An IPSec VPN works only with IP-based networks and applications. Authentication is accomplished via the Internet Key Exchange (IKE) protocol with either digital certificates (the more secure method) or a preshared key. IPSec VPNs can protect against many of the most common attack methods, including DoS, replay, and "man-in-the-middle" attacks. Many vendors include "managed client" features in their VPN client software, which let you establish policies such as requiring that the client machine have anti-virus software or personal firewall software installed before it is allowed to connect to the VPN gateway.

SSL
SSL VPNs are known as "clientless" solutions, as they use the Web browser as the client application. This also means the protocols that can be handled by an SSL VPN are more limited; however, this can also be a security advantage. With SSL VPNs, instead of giving VPN clients access to the whole network or subnet as with IPSec, you can restrict them to specific applications. If the applications to which you want to give them access are not browser-based, however, custom programming might be necessary to create Java or ActiveX plug-ins to make the application accessible through the browser. SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: the session layer. SSL VPNs use digital certificates for server authentication. Other methods can be used for client authentication, but certificates are preferred as the most secure.
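The replay protection that the text credits to IPSec (and, through ESP, to L2TP tunnels) comes from a per-security-association sliding window over the ESP sequence number. The following Python example, added here and not part of the original page, parses the 8-byte ESP header (SPI and sequence number, as laid out in RFC 4303) from constructed sample packets and applies such a window: it accepts new and modestly out-of-order packets, rejects duplicates, and rejects packets so old that they have fallen out of the window. The SPI value, window size and sample sequence numbers are constructed for the example and are not from the page.

```python
"""Added example (not from the original text): ESP header parsing plus the
RFC 4303-style anti-replay sliding window that gives IPsec its replay protection."""
import struct

WINDOW_SIZE = 64  # RFC 4303 requires at least 32; 64 is a common choice


def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the fixed 8-byte ESP header; raise on short input."""
    if len(packet) < 8:
        raise ValueError("packet too short for ESP header")
    spi, seq = struct.unpack("!II", packet[:8])  # both fields are big-endian 32-bit
    return spi, seq


class AntiReplayWindow:
    """Sliding window of the last WINDOW_SIZE sequence numbers for one SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and within the window."""
        if seq == 0:
            return False  # sequence number 0 is never valid on the wire
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously tracked is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # stale: older than the window covers
        if self.bitmap & (1 << offset):
            return False  # duplicate: already received
        self.bitmap |= 1 << offset  # out-of-order but new: record it
        return True


def filter_packets(packets, expected_spi):
    """Run constructed ESP packets through one SA's window; return (seq, verdict) list."""
    window = AntiReplayWindow()
    verdicts = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        if spi != expected_spi:
            verdicts.append((seq, "wrong-spi"))  # not our SA; never consult the window
            continue
        verdicts.append((seq, "accept" if window.check_and_update(seq) else "reject"))
    return verdicts


def make_esp(spi, seq, payload=b"\x00" * 16):
    """Build a constructed ESP packet: header followed by an opaque payload."""
    return struct.pack("!II", spi, seq) + payload


SAMPLE_SPI = 0x1234ABCD  # constructed SPI for the example SA
# Constructed stream: in order, one out-of-order arrival, two replays,
# a big jump forward, a packet too old for the window, and a foreign SPI.
SAMPLE_PACKETS = [make_esp(SAMPLE_SPI, s) for s in (1, 2, 3, 5, 4, 3, 5, 200, 100)]
SAMPLE_PACKETS.append(make_esp(0xDEAD, 201))

if __name__ == "__main__":
    for seq, verdict in filter_packets(SAMPLE_PACKETS, SAMPLE_SPI):
        print(seq, verdict)
```

Packet 4 arriving after 5 is accepted because its bit in the window is still clear; the second copies of 3 and 5 are rejected as duplicates, and sequence 100 is rejected after the jump to 200 because it lies more than 64 behind the highest accepted number. A real implementation keeps one such window per inbound SA and, for 64-bit extended sequence numbers, also reconstructs the high-order half that is not transmitted.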