VPN - Virtual Private Network
Written by Harry Fairhead   
Monday, 04 July 2011
Article Index
VPN - Virtual Private Network
VPN Security

 

Security

This brings us to the most important aspect of any VPN protocol – security.

Essentially VPN security has three components:

  • Authentication – is the user who is trying to make the connection a legitimate user?
  • Access control – assuming the user has been authenticated what are they allowed to access?
  • Encryption – how is the encapsulated data encrypted so that only the two ends of the VPN can access it?

Authentication and access control for users that connect via a VPN are really no different from the security needed by a local user logging on to the network. There are additional issues, however, because the transaction occurs over the public Internet and not safely behind the locked doors of the private network.

For example, you might be happy with a password being sent across your private network without encryption but over the Internet?

A more critical issue is what sort of encryption is used to keep the private data safe?

PPTP uses Microsoft Point-to-Point Encryption – MPPE encryption which being a proprietary method makes it more difficult for non-Windows machines to connect using PPTP. The encryption keys are also derived from the password used to authenticate the connection. This is very simple as there is nothing to set up other than selecting a minimum key size – the actual key size is negotiated when the connection is made. Its problem is that it is vulnerable to attack if the password is “weak” in the sense that it contains repeated patterns. However, as long as strong passwords are used it is good enough for most applications.

If you really want the best you have to use L2TP which takes a completely different approach to the problem of encryption. PPTP first authenticates the user and then, if possible starts encryption. L2TP first sets up IPSec encryption and then proceeds to authentication. This means that almost the entire transaction between the client and server is protected at the same level. IPSec uses the DES encryption algorithm with ether a single 56-bit key or three 56-bit keys for Triple DES (3DES), a standard which was introduced because of the worry about the security of the standard DES algorithm. IPSec also allows each data packet received to be authenticated, i.e. checked that it was sent by the authorised client, and checked for integrity, i.e. for any tampering since it was sent. This is much stronger security than PPTP and MPPE encryption which only attempts ensure that the data is difficult to read without the key.

IPSec is a general encryption and security protocol that can be used to secure any IP connection – a VPN is just one use of IPSec. IPSec doesn’t use passwords to generate keys and this means that key exchange is a necessary part of the security. There are two distinct methods that can be used to exchange keys. The first is to make use of pre-shared keys - sequences of characters used to establish the IPSec portion of the L2TP/IPSec connection. Both the client and the server have to be configured to use the same case-sensitive string of characters. The pre-shared key is used to derive all of the necessary encryption keys. This is simple but it is difficult to make secure. The alternative is to make use of digital certificates and public key cryptography but this means setting up a complete Public Key Infrastructure PKI on both ends of the VPN – something that is often worth doing.


Practical VPNs can get complicated very quickly. It all depends on what you want to do. The simplest case is where you want to connect your portable or home computer to an office network. In this case you can setup a VPN server or use a VPN router on the office network and connect using VPN client software on the client machine. Notice that in this case all fo the traffic from the client is routed through the remote network including traffic intended for the public Internet.

A more complicated setup is where you want to connect every machine on a local network to every other machine on a remote local network - a VPN bridge. To do this you need to setup either a VPN server at each end of the connection or better a pair of VPN routers set into network-to-network mode.

More Information

The VPN Consortium has general information and standards documents:

http://www.vpnc.org/

The Intranet Journal has a comparison of L2TP and PPTP security:

http://www.intranetjournal.com/foundation/tunneling.shtml

and a general overview:

http://www.intranetjournal.com/foundation/vpn-1.shtml

For in depth information on L2TP:

http://docwiki.cisco.com/wiki/Virtual_Private_Networks

 

Banner


The Memory Principle - Computer Memory and Pigeonholes

We discover why computer memory can be likened to pigeonholes and even include instructions for you to build your own memory device.



The Fundamentals of Pointers

Despite the fact that pointers have been long regarded as "dangerous" they are still deeply embedded in the way we do things. Much of the difficulty in using them stems from not understanding where th [ ... ]


Other Articles



Last Updated ( Friday, 25 February 2022 )