A VPN consists of four components:
- VPN client,
- Network access server (NAS),
- Tunnel terminating device (or VPN server),
- VPN protocol.
How a VPN works
- The VPN client initiates a PPP connection with the ISP's NAS via the public switched telephone network (PSTN).
- The NAS is a device that terminates dial-up calls over analog (basic telephone service) or digital (ISDN) circuits.
- The NAS is owned by the ISP and is usually implemented in the ISP's POP (point of presence).
- After the user has been authenticated by the appropriate authentication method, the NAS directs the packet into the tunnel that connects the NAS and the VPN server.
- The VPN server may reside in the ISP's POP or at the corporate site, depending on the VPN model that is implemented.
- The VPN server recovers the packet from the tunnel, unwraps it, and delivers it to the corporate network.
There are four tunneling protocols used to establish VPNs, and three are extensions of the Point-to-Point Protocol (PPP):
■ Point-to-Point Tunneling Protocol (PPTP)
■ Layer 2 Forwarding (L2F)
■ Layer 2 Tunneling Protocol (L2TP)
■ IP Security (IPSec) Protocol Suite
Layer 2 Tunneling Protocols
Layer 2 tunneling protocols operate at the data link layer (or Layer 2).
Tunnel Creation Process
PPTP
Point-to-Point Tunneling Protocol (PPTP) was developed by a consortium founded by Microsoft for creating VPNs over dial-up networks, and as such has long been the standard protocol for internal business VPNs. PPTP is used to connect a remote client to a private server over the Internet.
Pros
- Client built in to just about all platforms
- Very easy to set up
- Fast
Cons
- Not at all secure (the vulnerable MS-CHAPv2 authentication is still the most common in use)
- Definitely compromised by the NSA
L2F
L2F is a proprietary protocol that was developed by Cisco Systems. It is protocol-independent and can run over X.25, frame relay, and ATM networks. It supports private IP, IPX, and AppleTalk, and uses UDP for Internet tunneling. L2F defines many connections within a tunnel, allowing a tunnel to support many connections.
L2TP
L2TP combines the features of PPTP and L2F. Unlike PPTP, which runs over TCP, L2TP runs over UDP and does not use GRE. Because many firewalls do not support GRE, L2TP is more firewall-friendly than PPTP. In L2TP, the NAS is called the L2TP access concentrator (LAC) and the VPN server is called the L2TP network server (LNS). Figure 9.13 illustrates the components of an L2TP-based VPN.
L2TP (Layer 2 Tunneling Protocol) does no encryption by itself; it only provides the tunnel. VPN providers generally pair it with IPsec for encryption.
L2TP/IPSec Advantages
- Supported on most modern devices and OSes.
- 256-bit encryption.
- Easy to set up on macOS and Windows, as it is natively supported.
- No known major vulnerabilities.
L2TP/IPSec Disadvantages
- Stronger encryption means more CPU, though in general that is not a problem for modern devices.
- The most challenging of these protocols to configure on a Linux server.
- Stronger encryption combined with double encapsulation results in a bandwidth hit; how much depends on your device and the VPN server/provider.
- Relatively easy for an ISP to block.
Layer 2 Tunneling Protocol (L2TP) is a protocol used to tunnel data communications traffic between two sites over the Internet. L2TP is often used in tandem with IPSec (which acts as a security layer) to secure the transfer of L2TP data packets over the Internet. Unlike PPTP, a VPN implementation using L2TP/IPSec requires a shared key or the use of certificates.
Layer 3 Tunneling Protocols: IPSec
IPSec was originally designed to add security to the TCP/IP protocol suite. IPSec provides packet-level authentication, integrity, and confidentiality by adding two security headers: the Authentication Header (AH), which provides header integrity and authentication without confidentiality; and the Encapsulating Security Payload (ESP), which provides integrity, authentication, and confidentiality for the payload (the IP datagrams). ESP permits packet-by-packet encryption and uses a standards-based encryption key management protocol. Thus, an IPSec VPN can be created with AH, ESP, or both. AH does not provide data encryption and is useful in those environments where only authentication is required. More importantly, since authentication (unlike encryption) is not subject to export regulation, AH is the preferred method for VPNs that cross U.S. borders. AH also has a lower processing overhead than ESP. However, when data encryption is desired, ESP is used. One drawback to using IPSec is that it supports only IP. PPTP, L2F, and L2TP, however, can carry non-IP traffic such as IPX and AppleTalk, because they are Layer 2 protocols.
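The following is an added example (not code from this text or from any IPsec implementation) that makes the AH/ESP distinction above concrete: it builds constructed IPv4 packets carrying an AH (protocol 51) or ESP (protocol 50) header and then inspects them the way a receiving gateway or a passive network monitor would. With AH, the SPI, sequence number, next-header value and the whole payload are readable in the clear, but the ICV (assumed here to be HMAC-SHA256-128, RFC 4868) over the immutable IP header fields, the AH header and the payload detects any modification in transit. With ESP, only the SPI and sequence number are readable and the payload is opaque. Assumptions: IPv4 without options, the header checksum left at zero, and the ESP payload passed in as already-encrypted bytes (no cipher is implemented); the key, addresses and payload are constructed demo values.

```python
"""Added example: what AH and ESP each expose and protect (constructed packets)."""
import hashlib
import hmac
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 16  # HMAC-SHA256-128: the 32-byte tag is truncated to 128 bits (assumed algorithm)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero for this demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def ah_auth_input(ip_hdr, ah_fixed, payload):
    """Bytes the AH ICV covers (RFC 4302): the IP header with mutable fields
    zeroed, the 12-byte AH header, a zeroed ICV field, and the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP may be rewritten in transit
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL is decremented by every router
    h[10:12] = b"\x00\x00"   # header checksum is recomputed by every router
    return bytes(h) + ah_fixed + bytes(ICV_LEN) + payload


def build_ah_packet(key, src, dst, spi, seq, next_header, payload):
    ah_len = 12 + ICV_LEN
    payload_len_field = ah_len // 4 - 2   # AH length in 32-bit words, minus 2
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    icv = hmac.new(key, ah_auth_input(ip_hdr, ah_fixed, payload),
                   hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def build_esp_packet(src, dst, spi, seq, ciphertext):
    """ESP header is just SPI + sequence number; everything after is ciphertext
    (the ESP trailer and ICV sit inside/after it and are not modelled here)."""
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + 8 + len(ciphertext))
    return ip_hdr + struct.pack("!II", spi, seq) + ciphertext


def inspect(packet, ah_key=None):
    """Report what is visible in an IPsec packet; verify the AH ICV if a key is given."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        icv, payload = body[12:ah_len], body[ah_len:]
        info = {"proto": "AH", "spi": spi, "seq": seq, "next_header": next_hdr,
                "payload_visible": True, "payload": payload}
        if ah_key is not None:
            expected = hmac.new(ah_key, ah_auth_input(packet[:ihl], body[:12], payload),
                                hashlib.sha256).digest()[:ICV_LEN]
            info["icv_ok"] = hmac.compare_digest(icv, expected)
        return info
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq,
                "payload_visible": False, "payload": body[8:]}
    return {"proto": proto, "payload_visible": True, "payload": body}


# Constructed demo values: not a real key, not real traffic.
KEY = b"constructed-demo-key-not-a-real-secret"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = b"GET /payroll HTTP/1.0\r\n"


def demo():
    """Returns inspections of: intact AH, tampered AH, AH after a TTL decrement, ESP."""
    ah = build_ah_packet(KEY, SRC, DST, spi=0x1000, seq=1, next_header=6, payload=PAYLOAD)
    tampered = bytearray(ah)
    tampered[-1] ^= 0xFF      # a payload byte altered in transit: ICV must fail
    routed = bytearray(ah)
    routed[8] -= 1            # a router decrements TTL: mutable field, ICV still holds
    esp = build_esp_packet(SRC, DST, spi=0x2000, seq=1, ciphertext=bytes(range(24)))
    return (inspect(ah, KEY), inspect(bytes(tampered), KEY),
            inspect(bytes(routed), KEY), inspect(esp))


if __name__ == "__main__":
    for r in demo():
        print(r["proto"], "spi=%#x" % r["spi"], "visible=%s" % r["payload_visible"],
              "icv_ok=%s" % r.get("icv_ok"), r["payload"][:16])
```

Running the block shows the AH payload in the clear with `icv_ok=True`, the tampered copy with `icv_ok=False`, the TTL-decremented copy still verifying, and the ESP packet exposing nothing beyond SPI and sequence number. Because the AH ICV covers the (immutable) source and destination addresses of the outer IP header, AH also cannot pass through a NAT device that rewrites those addresses, whereas ESP, which leaves the outer header uncovered, can.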