Comparing VPN Options
Virtual private networking has become more of a necessity than a luxury for business users who need a way to access files on an office network when they're on the road, working from home or otherwise physically separated from the network. Of course, they could dial in directly to a remote access server, but that solution has a couple of significant drawbacks:
- If your remote location is not in the same calling area as the remote access server, you'll have to pay long distance charges - and those can add up fast if you need to spend much time connected to the network.
- The remote access server will need multiple phone lines and modems in order to accommodate more than one incoming connection at a time - that cost, too, can add up if many.
The solution, of course, is a VPN connection. If the remote computer has Internet connectivity (via modem, broadband or through a LAN) and the office network has a permanent connection to the Internet such as T-1 or business-class broadband, the most cost effective way for remote users to connect is by tunneling through the public network. VPN technologies use tunneling protocols to create the connection and encryption protocols to provide the "private" part, allowing you to securely access a VPN server on the company network and through it (if the VPN server is set up to allow it), other computers on the company LAN.
So the question today is not whether to use VPN technology, but which VPN technology to use. There are four popular VPN protocols in use, and each has advantages and disadvantages. In this article, we'll take a look at each and discuss how they compare, depending on your purpose.
Four Favorite Flavors of VPN
Because a VPN creates a secure "tunnel" through the public network, the protocols used to establish this tunneled connection are called tunneling protocols. If you ask the typical Windows administrator to name five VPN tunneling protocols, he/she is apt to get be stumped, having dealt only with the two VPN methods for which Windows provides built-in support. The five most common methods of creating a virtual private network include:
The first two, of course, are familiar to Windows admins. The last two may be less so. Unfortunately, there is no clear cut one-size-fits-all solution. The best choice for your organization depends on a number of factors: server and client operating systems deployed, network resources to which access is needed, level of security required, performance issues, administrative overhead, and so forth.
The Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft in conjunction with other technology companies, is the most widely supported VPN method among Windows clients, and it is the only VPN protocol built into Windows 9x and NT operating systems. PPTP is an extension of the Internet standard Point-to-Point protocol (PPP), the link layer protocol used to transmit IP packets over serial links. PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP, EAP).
PPTP establishes the tunnel but does not provide encryption. It is used in conjunction with the Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low overhead, making it faster than some other VPN methods.
Because the client software is built into most Microsoft operating systems, PPTP servers can be deployed without having to worry about installing client software on those systems. PPTP clients are also available for Linux (see http://pptpclient.sourceforge.net/) and Macintosh OS 9.x (see http://www.rochester.edu/its/vpn/tunnelbuilder.html). Mac OS X 10.2 comes with built-in support for PPTP, and there are also third-party clients available for OS X (see http://www.gracion.com/vpn/). PPTP VPNs are supported by many major firewall appliances and enterprise level software firewalls, including ISA Server, Cisco PIX, SonicWall and some models of WatchGuard.
PPTP has been criticized in the past for various security flaws; many of these problems have been addressed in current versions of the protocol. Using EAP authentication greatly enhances the security of PPTP VPNs. One advantage of using PPTP is that there is no requirement for a Public Key Infrastructure; however EAP does use digital certificates for mutual authentication (both client and server) and highest security.
The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft, combining features of PPTP with those of Cisco's proprietary Layer 2 Forwarding (L2F) protocol. One advantage of L2TP over PPTP is that it can be used on non-IP networks such as ATM, frame relay and X.25. Like PPTP (and as its name implies), L2TP operates at the data link layer of the OSI networking model. L2TP VPNs are supported by many major firewall products, including ISA Server, CheckPoint, Cisco PIX, and WatchGuard.
The L2TP client is built into Windows 2000, XP and 2003, but you can download client software for most pre-Windows 2000 operating systems (Windows 98, ME and NT 4.0).
IP Security (IPSec), and more specifically its Encapsulating Security Payload (ESP) protocol, provides the encryption for L2TP tunnels.
L2TP requires the use of digital certificates. User authentication can be performed via the same PPP authentication mechanisms as PPTP, but L2TP also provides computer authentication. This adds an extra level of security.
L2TP has several advantages over PPTP. PPTP gives you data confidentiality, but L2TP goes further and also provides data integrity (protection against modification of the data between the time it left the sender and the time it reached the recipient), authentication of origin (confirmation that the user who claims to have sent the data really did), and replay protection (which keeps a hacker from being able to capture data that is sent, such as the sending of credentials, and then "replay" it to "trick" the server). On the other hand, the overhead involved in providing this extra security can result in slightly slower performance than PPTP.
Windows administrators know IPSec as the protocol used for encryption in conjunction with the L2TP tunneling protocol. However, IPSec can itself be used as a tunneling protocol, and is in fact considered by many to be the "standard" VPN solution, especially for gateway-to-gateway (site-to-site) VPNs that connect two LANs. IPSec operates at a higher level of the OSI model, the network layer (Layer 3).
Many hardware VPN appliances use an implementation of IPSec. For example, Cisco's VPN Concentrators and PIX firewalls support IPSec, as do NetScreen, SonicWall, and WatchGuard appliances. Enterprise level software firewalls such as ISA Server, CheckPoint and Symantec Enterprise Firewall also support IPSec VPNs.
IPSec in tunnel mode secures packets that are transmitted between two gateways or between a client computer and a gateway. As its name implies, an IPSec VPN works only with IP-based networks and applications. Like PPTP and L2TP, IPSec requires that the VPN client computers have client software installed.
Authentication is accomplished via the Internet Key Exchange (IKE) protocol with either digital certificates (which is the more secure method) or with a preshared key. IPSec VPNs can protect against many of the most common attack methods, including Denial of Service (DoS), replay, and "man-in-the-middle" attacks.
Many vendors include "managed client" features in their VPN client software, which make it possible for you to establish policies regarding such things as a requirement that the client machine have anti-virus software or personal firewall software installed in order to be allowed to connect to the VPN gateway.
IPSec support is included in Windows 2000/XP/2003, but not in older Windows operating systems. VPN gateway vendors, such as Cisco and CheckPoint, provide client software for their IPSec-based VPNs. Note that you may have to purchase licenses for the client software.
A VPN technology that has been growing in popularity is the Secure Sockets Layer (SSL) VPN. A big advantage of SSL VPNs is that you don't need special VPN client software on the VPN clients. That's because the SSL VPN uses the Web browser as the client application. Thus, SSL VPNs are known as "clientless" solutions. This also means the protocols that can be handled by an SSL VPN are more limited. However, this can also be a security advantage. With SSL VPNs, instead of giving VPN clients access to the whole network or subnet as with IPSec, you can restrict them to specific applications. If the applications to which you want to give them access are not browser-based, however, custom programming might be necessary to create Java or Active-X plug-ins to make the application accessible through the browser. A disadvantage of this is that in order to use such plug-ins, the client's browser settings will have to be opened up to allow active content - thus exposing the browser to malicious applets unless you set it to block unsigned active content and ensure that the plug-ins are digitally signed.
SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: the session layer. This gives them the ability to control access more granularly. SSL VPNs use digital certificates for server authentication. Other methods can be used for client authentication, but certificates are preferred as the most secure.
Even though there is no client software installed (other than the Web browser), SSL VPN gateways can still provide the advantages of "managed clients" by forcing the browser to run applets, for example, to verify that anti-virus software is in place before the VPN connection can be established.
Virtual private networking is often the best and most cost effective way to provide remote access to your company network. The first step in deploying a VPN server/gateway is selecting the type of VPN technology to use. The four most common VPN technologies in use are PPTP, L2TP, IPSec and SSL. Each has advantages and disadvantages, so it is important to familiarize yourself with the characteristics of each, and with your users' needs, before making a decision. In this article, we've provide a brief overview of each of these VPN protocols.