Introduction.
There are three main protocol types used in
VPN - Virtual Private Networking.
- Tunneling Protocols
- used to establish the tunnel
- Encryption Protocol
- security protocol used to obscure the data
- Network/Transport Protocol
- used for communications on the private network
- likely to be TCP/IP, but not necessarily
Tunneling Protocols.
The tunneling protocol is used to
encapsulate the data so that the original protocol headers are wrapped
inside. The following outline surveys the several of the most common
tunneling protocols.
- PPTP - Point to Point Tunneling Protocol
- extension of the PPP link protocol
- established by Microsoft
- requires IP addressing
- encapsulates a PPP frame inside a GRE - Generic
Routing Encapsulation header
- the source address is the VPN client
- the destination address is the VPN server
- the original data is usually encrypted
- Microsoft uses MPPE for encrypting
- PPTP-linux runs on Linux and UNIX
- PoPToP is PPTP server software
- Linux
- Sun Solaris
- FreeBSD
- UNIX
- supports Windows clients
- MacIntosh users can connect to Windows PPTP
servers by using third party software
- Network Telesystems TunnelBuilder
- L2F
- developed by Cisco
- part of IOS software since 1996
- can use IP, ATM and Frame Relay protocols for
tunneling
- provides authentication of the endpoints of the
tunnel
- L2TP
- developed by Microsoft and Cisco to combine
PPTP and L2F features
- works over more protocols
- used for Internet or for specific WAN media
- advantages over PPTP
- supports multiple tunnels
- supports compression of headers
- capable of tunnel authentication
- works over non-IP networks using ATM or Frame
Relay virtual circuits
- IPSec
- can actually be used for tunneling and encryption
- used to encapsulate IP packets
- can be configured to protect data between two IP
addresses
- can be configured to protect data between two IP
subnets
- AH Tunneling Mode
- doesn't encrypt
- does authenticate sender
- ensures integrity by not allowing any changes
during transit
- ESP Tunnel Mode
- original source and destination are contained
within encapsulated IP header
- outer header usually contains the gateway
addresses
- encrypts data
- outer IP header is not protected
- IPSec Interoperability
- Microsoft Windows 2000 include built in support
- Linux
- UNIX
- MacIntosh
- other IP supporting OSs
- IPSec Authentication can be done in a variety of
ways
- Kerberos
- shared secret keys
- certificate services
- SSH/SSH2
- for Linux and UNIX
- client software for Windows
- circuit level VPN
- can be installed on firewalls
- client access firewall
- firewall sends on traffic to a server
- best used with a few trusted employees to connect
to a small office
- CIPE
- Linux kernel driver
- used to establish tunnel between two IP subnets
- simpler more efficient than IPSec
Encryption Protocols.
Assuming a tunnel has been established, data must
be encrypted before the connection and data transfer can be
considered to be secure. The following outline surveys
several major VPN encryption protocols.
- MPPE
- used with PPTP
- encryption algorithms are
- highest encryption may well still be restricted
to use within the US and Canada
- IPSec
- used on L2TP tunnel
- uses DES or 3DES for encryption
- uses a combination of keys and cryptography
based algorithm
- Diffie-Hellman algorithm enables secure
exchange of key without sending the key itself across the network
connection
- VPNd
- for Linux
- uses Blowfish algorithm for encryption
- 64 bit encryption
- 32 to 448 bit keys
- SSH
- public key cryptography
- end pairs must have common network/transport
protocol
|