This brings us to the most important aspect of any VPN protocol – security.
Essentially VPN security has three components:
- Authentication – is the user who is trying to make the connection a legitimate user?
- Access control – assuming the user has been authenticated, what are they allowed to access?
- Encryption – how is the encapsulated data encrypted so that only the two ends of the VPN can access it?
Authentication and access control for users that connect via a VPN are really no different from the security needed by a local user logging on to the network. There are additional issues, however, because the transaction occurs over the public Internet and not safely behind the locked doors of the private network.
For example, you might be happy with a password being sent across your private network without encryption, but would you be happy sending it over the Internet?
A more critical issue is what sort of encryption is used to keep the private data safe.
PPTP uses Microsoft Point-to-Point Encryption (MPPE), which, being a proprietary method, makes it more difficult for non-Windows machines to connect using PPTP. The encryption keys are also derived from the password used to authenticate the connection. This is very simple as there is nothing to set up other than selecting a minimum key size – the actual key size is negotiated when the connection is made. Its problem is that it is vulnerable to attack if the password is “weak” in the sense that it contains repeated patterns. However, as long as strong passwords are used it is good enough for most applications.
If you really want the best you have to use L2TP, which takes a completely different approach to the problem of encryption. PPTP first authenticates the user and then, if possible, starts encryption. L2TP first sets up IPSec encryption and then proceeds to authentication. This means that almost the entire transaction between the client and server is protected at the same level. IPSec uses the DES encryption algorithm with either a single 56-bit key or three 56-bit keys for Triple DES (3DES), a standard which was introduced because of the worry about the security of the standard DES algorithm. IPSec also allows each data packet received to be authenticated, i.e. checked that it was sent by the authorised client, and checked for integrity, i.e. for any tampering since it was sent. This is much stronger security than PPTP and MPPE encryption, which only attempts to ensure that the data is difficult to read without the key.
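The per-packet authentication and integrity check described above, sketched as an added example (not code from the original article or from any IPSec implementation). The packet layout, keys, SPI values and function names are assumptions made for illustration; the payload is left unencrypted, and the strictly increasing sequence check is a simplification of ESP's anti-replay window that goes beyond what the text covers.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16                    # integrity check value: HMAC-SHA-256 truncated to 128 bits
HEADER = struct.Struct("!II")   # SPI and sequence number, network byte order


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: append a tag that covers the header and the payload."""
    body = HEADER.pack(spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


class Receiver:
    """Holds one key per security association and the highest sequence accepted."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {spi: 0 for spi in keys}

    def accept(self, packet: bytes) -> bytes:
        if len(packet) < HEADER.size + ICV_LEN:
            raise ValueError("truncated packet")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = HEADER.unpack_from(body)
        key = self.keys.get(spi)
        if key is None:
            raise ValueError("unknown security association")
        expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        # The sequence number is trusted only after the tag has verified.
        if seq <= self.last_seq[spi]:
            raise ValueError("replayed or out-of-order packet")
        self.last_seq[spi] = seq
        return body[HEADER.size:]


def outcome(rx: Receiver, packet: bytes) -> str:
    """Return 'ok' or the rejection reason, without raising."""
    try:
        rx.accept(packet)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

A packet altered in transit, or one tagged by a sender that does not hold the association's key, is rejected before its payload is used; encryption alone gives the receiver no such signal.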
IPSec is a general encryption and security protocol that can be used to secure any IP connection – a VPN is just one use of IPSec. IPSec doesn’t use passwords to generate keys and this means that key exchange is a necessary part of the security. There are two distinct methods that can be used to exchange keys. The first is to make use of pre-shared keys - sequences of characters used to establish the IPSec portion of the L2TP/IPSec connection. Both the client and the server have to be configured to use the same case-sensitive string of characters. The pre-shared key is used to derive all of the necessary encryption keys. This is simple but it is difficult to make secure. The alternative is to make use of digital certificates and public key cryptography, but this means setting up a complete Public Key Infrastructure (PKI) on both ends of the VPN – something that is often worth doing.
Practical VPNs can get complicated very quickly. It all depends on what you want to do. The simplest case is where you want to connect your portable or home computer to an office network. In this case you can set up a VPN server or use a VPN router on the office network and connect using VPN client software on the client machine. Notice that in this case all of the traffic from the client is routed through the remote network, including traffic intended for the public Internet.
A more complicated setup is where you want to connect every machine on a local network to every other machine on a remote local network - a VPN bridge. To do this you need to set up either a VPN server at each end of the connection or, better, a pair of VPN routers set into network-to-network mode.
The VPN Consortium has general information and standards documents:
The Intranet Journal has a comparison of L2TP and PPTP security:
and a general overview:
For in depth information on L2TP: