VPN
Types
As the concept of creating secure tunnels over a public network has
evolved, there have been many different ideas about the best security
technology for the job. Most VPN technologies are difficult to
implement, or just plain won't work in certain situations (NAT, as
discussed below, is a frequent culprit), and are equally difficult to
administer once they are in production. I have included a summary of VPN
technologies in general, so that you can make an informed decision
about which VPN technology to implement for your situation.
pptp (Microsoft's point-to-point tunneling protocol)
pptp first encapsulates the data using ppp (point-to-point protocol) and
then encrypts the data stream using MPPE (Microsoft point-to-point
encryption). MPPE is RC4 with 40, 56 or 128 bit session keys, which are
rotated frequently. Keep in mind that those session keys are derived
from the MS-CHAP password authentication, so the tunnel is only as
strong as that exchange, and both MS-CHAP v1 and v2 are known to be
breakable; treat pptp as a legacy protocol rather than a secure one.
The POPTOP open source project provides the ability to connect
Microsoft pptp clients to Linux/Unix servers. If your situation is a
heavy Microsoft implementation and you have no other option, POPTOP may
be for you. http://www.poptop.org
L2TP (Layer 2 Tunneling Protocol {Definition from webopedia})
Short
for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol
that enables ISPs to operate Virtual Private Networks (VPNs). L2TP
merges the best features of two other tunneling protocols: PPTP from
Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the
ISP's routers support the protocol.
Cisco meets Microsoft. Despite the vendor pedigree, L2TP is an IETF
standard (RFC 2661), not a proprietary protocol. What it does not
provide is any encryption: L2TP is only an encapsulation protocol, so in
practice it is run over IPsec (L2TP/IPsec) to get confidentiality and
integrity, which means you inherit all of the IPsec setup described
below plus the L2TP layer on top.
If your network is 100% Microsoft with Cisco routers this
is probably the perfect solution. I have not included resources for
this protocol as you are probably already paying lots of money to Cisco
and Microsoft to provide this information.
IPsec (IP Security {Definition from webopedia})
Short for IP Security, a set of protocols developed by the IETF to
support secure exchange of packets at the IP layer. IPsec has been
deployed widely to implement Virtual Private Networks (VPNs).
IPsec supports two encryption modes: Transport and Tunnel. Transport
mode encrypts only the data portion (payload) of each packet, but
leaves the header untouched. The more secure Tunnel mode encrypts both
the header and the payload. On the receiving side, an IPSec-compliant
device decrypts each packet.
For IPsec to work, the sending and receiving devices must share a
public key. This is accomplished through a protocol known as Internet
Security Association and Key Management Protocol/Oakley
(ISAKMP/Oakley), which allows the receiver to obtain a public key and
authenticate the sender using digital certificates.
A common point of confusion: AH (Authentication Header) and ESP
(Encapsulating Security Payload) are not the names of the two modes.
They are the two IPsec protocols, and either one can run in transport
or tunnel mode. AH provides no encryption at all. It computes an
integrity check value over the payload and over the IP header itself
(excluding fields that legitimately change in transit, such as the
TTL). That is why AH cannot provide VPN services for networks utilizing
NAT (Network Address Translation): when the NAT device rewrites the
source or destination address, the receiver's integrity check over the
header fails and the packet is dropped.
ESP encrypts the payload and computes its integrity check only over the
ESP header and the encrypted payload, never over the outer IP header,
so a NAT device can rewrite addresses without invalidating anything.
ESP can still be blocked by NAT devices that do not know how to track IP
protocol 50, which is why the NAT Traversal extension (NAT-T, RFC 3948)
wraps ESP in UDP on port 4500. Use ESP, and enable NAT-T, whenever a NAT
sits anywhere on the path.
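To make the NAT point concrete, here is an added example (not code from the original page or from any IPsec implementation) that models the coverage of the AH and ESP integrity checks over a hand-built IPv4 packet and then applies a source-NAT rewrite to it. The key, addresses and payload are constructed for the demo, and the XOR "cipher" is a stand-in for ESP's real encryption; only the coverage of the integrity check is meant to be faithful to the protocols.

```python
"""Why AH breaks behind NAT while ESP survives (added example, simplified).

Only the *coverage* of the integrity check is modelled: AH (RFC 4302)
authenticates the IP header plus payload, ESP (RFC 4303) authenticates the
ESP header plus its encrypted payload.  Key, addresses and data are
constructed for the demo; toy_encrypt is NOT real encryption.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"  # negotiated by IKE in real IPsec
ICV_LEN = 12                              # truncated HMAC, as in HMAC-SHA-256-128 style ICVs


def checksum(data):
    """RFC 1071 one's-complement checksum of an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def nat_rewrite_source(ip_hdr, new_src):
    """What a source NAT does: replace the source address and fix the checksum."""
    hdr = ip_hdr[:10] + b"\x00\x00" + ip_bytes(new_src) + ip_hdr[16:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ah_icv(ip_hdr, payload):
    """AH: ICV over the IP header (mutable TTL and checksum zeroed) and the payload."""
    covered = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac.new(KEY, covered + payload, hashlib.sha256).digest()[:ICV_LEN]


def toy_encrypt(plaintext):
    """Stand-in for ESP's cipher: XOR with a hash-derived keystream (demo only)."""
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(KEY + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def esp_seal(payload, spi, seq):
    """ESP body: SPI, sequence, ciphertext, then an ICV over exactly those bytes."""
    body = struct.pack("!II", spi, seq) + toy_encrypt(payload)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(esp_bytes):
    """Receiver's ESP check; it never looks at the outer IP header."""
    body, icv = esp_bytes[:-ICV_LEN], esp_bytes[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def ah_survives_nat():
    """AH transport mode through a source NAT: the receiver's check fails."""
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", proto=51, payload_len=16)
    payload = b"constructed data"
    icv = ah_icv(hdr, payload)                        # computed by the sender
    seen = nat_rewrite_source(hdr, "198.51.100.1")    # NAT on the path
    return hmac.compare_digest(ah_icv(seen, payload), icv)


def esp_transport_survives_nat():
    """ESP transport mode: the header changes, the authenticated bytes do not."""
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", proto=50, payload_len=0)
    esp = esp_seal(b"constructed data", spi=0x1000, seq=1)
    seen = nat_rewrite_source(hdr, "198.51.100.1")
    return seen != hdr and esp_verify(esp)


def esp_tunnel_hides_inner_header():
    """ESP tunnel mode: the whole inner packet, addresses included, is the payload."""
    inner = ipv4_header("10.0.0.5", "10.1.0.7", proto=6, payload_len=16) + b"constructed data"
    esp = esp_seal(inner, spi=0x2000, seq=1)
    outer = ipv4_header("192.0.2.1", "203.0.113.9", proto=50, payload_len=len(esp))
    nat_rewrite_source(outer, "198.51.100.1")         # only the outer header is touched
    return esp_verify(esp) and inner[12:20] not in esp  # inner addresses are not visible


if __name__ == "__main__":
    print("AH verifies after NAT:        ", ah_survives_nat())
    print("ESP transport after NAT:      ", esp_transport_survives_nat())
    print("ESP tunnel hides inner header:", esp_tunnel_hides_inner_header())
```

Running it shows the asymmetry directly: the AH check comes back False once the source address has been rewritten, while both ESP cases verify, and in tunnel mode the inner addresses do not appear anywhere in the bytes a NAT device could see.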
IPsec is an excellent choice for providing VPN services. However, it
can be extremely difficult to implement. The setup for IPsec varies
widely across the Linux/Unix variants. For example, systems running 2.4
kernels (which need a third-party IPsec stack patched in) require a much
different setup than systems running 2.6 kernels (which ship with a
native one). Jacco de Leeuw has put together an excellent collection of
resources detailing IPsec deployment between Windows, Mac OS and Linux.
TLS / SSL (Transport Layer Security / Secure Sockets Layer {Definition from openvpn.net})
TLS is the
latest evolution of the SSL family of protocols developed originally by
Netscape for their first secure web browser. TLS and its SSL
predecessors have seen widespread usage on the web for many years and
have been extensively analyzed for weaknesses. In turn, this analysis
has led to a subsequent strengthening of the protocol such that today,
SSL/TLS is considered to be one of the strongest and most mature secure
protocols available. As such, we believe TLS is an excellent choice for
the authentication and key exchange mechanism of a VPN product.
In recent years with the explosive growth of eCommerce, TLS has become
the de facto standard for security over the internet.
The OpenVPN project has developed a TLS-based VPN solution which
includes client and server software for Linux, Windows 2000/XP and
higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. Because it runs
in user space over a single UDP (or TCP) port instead of a dedicated IP
protocol, it passes through NAT devices and firewalls that give IPsec
trouble. In addition to being extremely scalable and flexible, it is
also very easy to configure and deploy. Since OpenVPN is so flexible,
the documentation can be somewhat confusing to a new user. Be sure to
view the OpenVPN documentation on this site for setup instructions.