|VPN - Virtual Private Network|
|Written by Harry Fairhead|
|Monday, 04 July 2011|
Page 2 of 2
This brings us to the most important aspect of any VPN protocol – security.
Essentially VPN security has three components:
Authentication and access control for users that connect via a VPN are really no different from the security needed by a local user logging on to the network. There are additional issues, however, because the transaction occurs over the public Internet and not safely behind the locked doors of the private network.
For example, you might be happy with a password being sent across your private network without encryption but over the Internet?
A more critical issue is what sort of encryption is used to keep the private data safe?
PPTP uses Microsoft Point-to-Point Encryption – MPPE encryption which being a proprietary method makes it more difficult for non-Windows machines to connect using PPTP. The encryption keys are also derived from the password used to authenticate the connection. This is very simple as there is nothing to set up other than selecting a minimum key size – the actual key size is negotiated when the connection is made. Its problem is that it is vulnerable to attack if the password is “weak” in the sense that it contains repeated patterns. However, as long as strong passwords are used it is good enough for most applications.
If you really want the best you have to use L2TP which takes a completely different approach to the problem of encryption. PPTP first authenticates the user and then, if possible starts encryption. L2TP first sets up IPSec encryption and then proceeds to authentication. This means that almost the entire transaction between the client and server is protected at the same level. IPSec uses the DES encryption algorithm with ether a single 56-bit key or three 56-bit keys for Triple DES (3DES), a standard which was introduced because of the worry about the security of the standard DES algorithm. IPSec also allows each data packet received to be authenticated, i.e. checked that it was sent by the authorised client, and checked for integrity, i.e. for any tampering since it was sent. This is much stronger security than PPTP and MPPE encryption which only attempts ensure that the data is difficult to read without the key.
IPSec is a general encryption and security protocol that can be used to secure any IP connection – a VPN is just one use of IPSec. IPSec doesn’t use passwords to generate keys and this means that key exchange is a necessary part of the security. There are two distinct methods that can be used to exchange keys. The first is to make use of pre-shared keys - sequences of characters used to establish the IPSec portion of the L2TP/IPSec connection. Both the client and the server have to be configured to use the same case-sensitive string of characters. The pre-shared key is used to derive all of the necessary encryption keys. This is simple but it is difficult to make secure. The alternative is to make use of digital certificates and public key cryptography but this means setting up a complete Public Key Infrastructure PKI on both ends of the VPN – something that is often worth doing.
A more complicated setup is where you want to connect every machine on a local network to every other machine on a remote local network - a VPN bridge. To do this you need to setup either a VPN server at each end of the connection or better a pair of VPN routers set into network-to-network mode.
The VPN Consortium has general information and standards documents:
The Intranet Journal has a comparison of L2TP and PPTP security:
and a general overview:
For in depth information on L2TP:
|Last Updated ( Friday, 25 February 2022 )|