
VPNs

There are several VPN (Virtual Private Network) protocols. The most common are PPTP, L2TP, IPSec and TLS.

PPTP

This protocol was developed by Microsoft in conjunction with other technology companies and is the best supported by Microsoft clients. PPTP is an extension of PPP and for that reason uses the same authentication methods (PAP, SPAP, CHAP, MS-CHAP, EAP). The big problem with this protocol is that it cannot provide encryption by itself. Microsoft resolved that issue by using the protocol in conjunction with MPPE (Microsoft Point-to-Point Encryption) to provide a secure VPN.

On most Microsoft operating systems it can be deployed without installing any client software, and it is also available for Linux and some Mac OS versions. PPTP is supported by Cisco PIX, SonicWall and most firewall appliances.

L2TP

The acronym stands for Layer 2 Tunneling Protocol. This protocol was developed by Microsoft in collaboration with Cisco, combining features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol. It can be used on non-IP networks such as ATM, frame relay and X.25. It is supported by major firewall products such as ISA Server, CheckPoint and Cisco PIX.

IP Security (IPSec), through its Encapsulating Security Payload (ESP) protocol, provides encryption for L2TP tunnels. It requires the use of digital certificates. User authentication is performed via the same PPP authentication mechanisms as PPTP, but L2TP also provides computer authentication.

L2TP provides data integrity (protection against modification of the data between the time it left the sender and the time it reached the recipient), authentication of origin (confirmation that the user who claims to have sent the data really did), and replay protection (keeps an attacker from capturing data that is sent, such as credentials, and then “replaying” it to “trick” the server). On the other hand, the overhead involved in providing this extra security can result in slightly slower performance than PPTP.

This protocol does not provide any encryption or confidentiality by itself.

IPSec

As its name implies, it is an IP security protocol. It encrypts and authenticates each packet. It operates at layer 3 (network) of the OSI model.

This is one of the most preferred VPN protocols for site-to-site connections. Many hardware VPN appliances use an implementation of IPSec (Cisco VPN Concentrators and PIX, SonicWall, Watchguard…).

It requires that the VPN client computers have client software installed, which is useful for users who are not in the office (remote users). If it is used in tunnel mode, it secures packets transmitted between two gateways; this is normal practice in VPNs between branch offices.

IPSec is implemented by a group of cryptographic protocols that provide flow control and mutual authentication and establish the cryptographic parameters. The IP security architecture uses Security Associations (SAs), which are set up by key-management protocols such as IKE and IKEv2 (Internet Key Exchange) or KINK (Kerberized Internet Negotiation of Keys).

There are two different modes: Transport and Tunnel.

Transport mode. Only the payload (the data sent) is encrypted or authenticated.

Tunnel mode. The complete packet is encrypted or authenticated.

TLS

Transport Layer Security. It is the successor of SSL (Secure Sockets Layer). It is a protocol for which you do not need additional software installed on your computer, since it uses the web browser as the client application. TLS provides endpoint authentication using cryptography. TLS authentication is unilateral, meaning the server is authenticated but not vice versa.

When a TLS or SSL connection is established, the client and server negotiate a CipherSuite, exchanging CipherSuite codes in the client hello and server hello messages, which specifies the combination of cryptographic algorithms to be used for the connection. The key exchange and authentication algorithms are typically public key algorithms, although pre-shared keys can be used instead, as in TLS-PSK. The message authentication codes are built from cryptographic hash functions using the HMAC construction in TLS, and a non-standard pseudorandom function in SSL.
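The following Python is an added example, not code from the original post: it builds a constructed TLS 1.2 ClientHello and ServerHello, parses the CipherSuite codes out of each, and checks that the suite the server selected was actually among those the client offered, which is the sanity check a defender applies when reviewing a captured handshake.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
TLS12 = b"\x03\x03"  # record and hello version bytes for TLS 1.2

def _record(body):
    """TLS record header: content type, version, 2-byte length."""
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(body)) + body

def _handshake(msg_type, body):
    """Handshake header: 1-byte message type, 3-byte length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def build_client_hello(suites):
    """Constructed ClientHello: version, zeroed random, empty session id,
    cipher_suites vector in preference order, null compression, no extensions."""
    codes = b"".join(struct.pack("!H", s) for s in suites)
    body = TLS12 + bytes(32) + b"\x00" + struct.pack("!H", len(codes)) + codes + b"\x01\x00"
    return _record(_handshake(CLIENT_HELLO, body))

def build_server_hello(suite):
    """Constructed ServerHello carrying the single suite the server selected."""
    body = TLS12 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(_handshake(SERVER_HELLO, body))

def _hello_body(record, expected_type):
    """Strip record and handshake headers, refusing truncated or mistyped input."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != expected_type:
        raise ValueError("unexpected handshake type")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:  # version + random + session_id length byte at minimum
        raise ValueError("truncated hello message")
    return body

def offered_suites(record):
    """Cipher suite codes the client offered, in the order it listed them."""
    body = _hello_body(record, CLIENT_HELLO)
    pos = 2 + 32 + 1 + body[34]       # skip version, random, session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def selected_suite(record):
    """Cipher suite code the server chose in its ServerHello."""
    body = _hello_body(record, SERVER_HELLO)
    pos = 2 + 32 + 1 + body[34]
    return struct.unpack("!H", body[pos:pos + 2])[0]

def negotiation_is_consistent(client_rec, server_rec):
    """A well-behaved server picks only a suite the client actually offered."""
    return selected_suite(server_rec) in offered_suites(client_rec)
```

Calling `negotiation_is_consistent(build_client_hello([0xC02F, 0x009C]), build_server_hello(0xC02F))` returns True; those two codes are the standard assignments for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_128_GCM_SHA256.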

I will explain IPSec and TLS protocols in separate posts.
