SSL VPN : Understanding, evaluating and planning secure, web-based remote access


Overview of this book

Virtual Private Networks (VPNs) provide remote workers with secure access to their company network via the Internet by encrypting all data sent between the company network and the user's machine (the client). Before SSL VPN this typically required the client machine to have special software installed, or at least be specially configured for the purpose. Clientless SSL VPNs avoid the need for client machines to be specially configured. Any computer with a Web browser can access SSL VPN systems. This has several benefits:

  • Low admin costs, no remote configuration

  • Users can safely access the company network from any machine, be that a public workstation, a palmtop or mobile phone

  • Bypass ISP restrictions on custom VPNs by using standard technologies

SSL VPN is usually provided by a hardware appliance that forms part of the company network. These appliances act as gateways, providing internal services such as file shares, email servers, and applications in a web-based format encrypted using SSL. Existing players and new entrants, such as Nokia, Netilla, Symantec, Whale Communications, and NetScreen Technologies, are rushing out SSL VPN products to meet growing demand. This book provides a detailed technical and business introduction to SSL VPN. It explains how SSL VPN devices work along with their benefits and pitfalls. As well as covering SSL VPN technologies, the book also looks at how to authenticate and educate users, a vital element in ensuring that the security of remote locations is not compromised. The book also looks at strategies for making legacy applications accessible via the SSL VPN.
Table of Contents (14 chapters)
SSL VPN
Credits
About the Authors
Introduction
A Review of TCP, IP, and Ports

VPN Examples


Let's look at some of the different protocols for creating secure VPNs over the Internet:

  • L2TP: Layer-2 Tunneling Protocol

  • IPsec: IP Security Protocol

L2TP, or Layer-2 Tunneling Protocol, is a combination of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer-2 Forwarding (L2F). L2TP is a network protocol that can send encapsulated packets over networks such as IP, X.25, Frame Relay, Multiprotocol Label Switching (MPLS), or Asynchronous Transfer Mode (ATM).

IPsec encrypts all outgoing data and decrypts all incoming data so that you can use a public network, like the Internet, as the transport medium. IPsec VPNs normally operate at Layer 3 of the OSI Model. This is achieved by using two different protocols:

  • Authentication Header (AH)

  • Encapsulating Security Payload (ESP)

The Authentication Header provides two-way device authentication, which can be implemented in hardware or software, and in many cases provide user authentication via a standard set of credentials—user ID and password. You may also see implementations using a token, or an X.509 user certificate.

The Encapsulating Security Payload protocol provides the data encryption. Most implementations support algorithms such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), or AES (Advanced Encryption Standard). In its most basic configuration, IPsec will implement a handshake that requires each end point to exchange keys and then agree on security policies.

IPsec

IPsec can support two encryption modes:

  • Transport: encrypts the data portion of each packet, but leaves the header unencrypted. The original routing information in the packet is not protected from being viewed by unauthorized parties.

  • Tunnel: encrypts both the header and the data. The original routing data is encrypted, and an additional set of routing information is added to the packet to be used for routing between the two endpoints.
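The difference between the two modes is easiest to see on the wire. The following program is an added example written for this edition, not code from the book or from any IPsec implementation: it constructs a sample IPv4 packet, protects it with a simplified ESP-style encapsulation (SPI, sequence number, then AES-GCM ciphertext, with the SPI and sequence authenticated as associated data), and then reads back what an eavesdropper on the path would see in the unencrypted outer header. The key is passed in directly; ISAKMP/IKE key exchange, AH, and checksums are deliberately left out. The addresses, SPI values and demo key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	ipv4HeaderLen = 20
	protoESP      = 50 // IP protocol number for ESP (RFC 4303)
)

// buildIPv4 returns a minimal IPv4 header (no options, checksum left zero)
// followed by payload. Constructed sample data, not a captured packet.
func buildIPv4(src, dst net.IP, proto byte, payload []byte) []byte {
	h := make([]byte, ipv4HeaderLen, ipv4HeaderLen+len(payload))
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(ipv4HeaderLen+len(payload)))
	h[8] = 64 // TTL
	h[9] = proto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return append(h, payload...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// espSeal models a simplified ESP payload: SPI || sequence || nonce || AES-GCM
// ciphertext+tag. SPI and sequence travel in the clear but are authenticated.
func espSeal(key []byte, spi, seq uint32, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// espOpen reverses espSeal; any change to SPI, sequence, or ciphertext fails authentication.
func espOpen(key, esp []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(esp) < 8+aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ESP payload too short")
	}
	hdr, nonce := esp[:8], esp[8:8+aead.NonceSize()]
	return aead.Open(nil, nonce, esp[8+aead.NonceSize():], hdr)
}

// TransportMode keeps the original IP header in the clear and protects only the
// payload, so the real endpoints stay visible to anyone on the path.
func TransportMode(key, pkt []byte) ([]byte, error) {
	if len(pkt) < ipv4HeaderLen {
		return nil, errors.New("packet shorter than an IPv4 header")
	}
	sealed, err := espSeal(key, 0x1000, 1, pkt[ipv4HeaderLen:])
	if err != nil {
		return nil, err
	}
	hdr := append([]byte{}, pkt[:ipv4HeaderLen]...)
	hdr[9] = protoESP // next header is now ESP
	binary.BigEndian.PutUint16(hdr[2:], uint16(ipv4HeaderLen+len(sealed)))
	return append(hdr, sealed...), nil
}

// TunnelMode protects the whole original packet, header included, and adds a new
// outer header addressed between the two gateways.
func TunnelMode(key, pkt []byte, gwSrc, gwDst net.IP) ([]byte, error) {
	sealed, err := espSeal(key, 0x2000, 1, pkt)
	if err != nil {
		return nil, err
	}
	return buildIPv4(gwSrc, gwDst, protoESP, sealed), nil
}

// VisibleEndpoints is what an eavesdropper reads from the unencrypted outer header.
func VisibleEndpoints(pkt []byte) (src, dst string) {
	if len(pkt) < ipv4HeaderLen {
		return "", ""
	}
	return net.IP(pkt[12:16]).String(), net.IP(pkt[16:20]).String()
}

func main() {
	key := make([]byte, 16) // constructed all-zero demo key, for illustration only
	inner := buildIPv4(net.ParseIP("10.1.1.5"), net.ParseIP("10.2.2.9"), 6, []byte("GET / HTTP/1.0"))
	tr, _ := TransportMode(key, inner)
	tu, _ := TunnelMode(key, inner, net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.2"))
	fmt.Println("transport mode exposes:", fmt.Sprint(VisibleEndpoints(tr)))
	fmt.Println("tunnel mode exposes:   ", fmt.Sprint(VisibleEndpoints(tu)))
}
```

Run it and the transport-mode packet still shows the internal hosts 10.1.1.5 and 10.2.2.9, while the tunnel-mode packet shows only the two gateway addresses; the receiving gateway recovers the original packet with espOpen, and flipping any byte of the ciphertext makes espOpen fail rather than return corrupted data.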

IPsec supports a protocol known as the Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley). This protocol allows the receiver to obtain a public key and authenticate the sender using digital certificates. The basic process of a key-based cryptography system provides a method of exchanging one key of a key pair. Once the keys are exchanged, the traffic can be encrypted. IPsec is described in many RFCs, including 2401, 2406, 2407, 2408, and 2409. Also see RFC 3193 for securing L2TP using IPsec.

The downside to a client-based VPN (such as those using IPsec or L2TP) is that you need to configure and/or install some type of software. Yes, there is code built into Windows for a VPN, but you still need to configure the client. In some cases you may even need to install a client certificate. In addition, personal firewalls, anti-virus software, and other security technologies may be necessary. The basic configuration for an IPsec VPN is a central site hub device and a remote client computer. Once the connection has been established, a tunnel is created over the network (private or public). This encrypted tunnel secures the communication between the end points, and once again our best buddy Hacker Bob is not able to read our communications.

Note

Secure VPNs

VPNC (Virtual Private Network Consortium) supports three protocols for secure VPNs (L2TP, IPsec, and SSL/TLS) and another two protocols for trusted VPNs (MPLS and transport of Layer 2 frames over MPLS). For securing L2TP using IPsec, see RFC 3193 (http://www.vpnc.org/rfc3193).

SSL VPN

Another option available to secure traffic on the Internet is Secure Sockets Layer (SSL). SSL is a protocol that provides encryption for network-based traffic. SSL is a network protocol responsible for managing a secure, encrypted communication channel between a server and a client. SSL is implemented in the major Web browsers such as Internet Explorer, Netscape, and Firefox. One of the most basic functions of SSL is message privacy. SSL can encrypt a session between a client and a server so that applications can exchange and authenticate user names and passwords without exposing them to eavesdroppers. SSL blocks Hacker Bob's attempts to read our data by scrambling it.

One of the most powerful features of SSL is the ability for the client and server to prove their identities by exchanging certificates. All traffic between the SSL server and SSL client is encrypted using a shared key and a negotiated encryption algorithm. This is all accomplished during the SSL handshake, which occurs at session initialization. Another feature of the SSL protocol is that SSL ensures that messages between the sending system and the receiving system have not been tampered with during transmission. The result is that SSL provides a secure channel between a client and a server. SSL was basically designed to make the security process transparent to the end user. Normally a user would follow a URL to a page that connects to an SSL-enabled server (see RFC1738—http://ds.internic.net/rfc/rfc1738.txt). The SSL-enabled server accepts connection requests on TCP port 443 (the default port for SSL). When the client connects to port 443, the handshake process establishes the SSL session.

Several years ago there was a creative advertisement showing one person walking down the street eating chocolate and another person walking down the street eating peanut butter: they run into each other and now we have a product that comprises chocolate and peanut butter together. This is exactly what happened with the SSL VPN.

This combination of SSL and VPN provides us with the following benefits:

  • This combination of SSL encryption and proxy technologies can provide very simple access to Web and corporate applications.

  • The marriage of technologies can provide client and server authentication with data encryption between each party.

  • Overall, it can be easier to set up an SSL VPN than to set up and manage an IPsec VPN.

More benefits of SSL VPN technology will be discussed in the next chapter.

In some respects, the SSL VPN implementation is similar to that of IPsec. SSL VPNs also require some type of hub device. The client also requires some type of communication software, namely an SSL-enabled web browser. As most computers have an SSL-enabled browser that includes root SSL certificates from certified public Certificate Authorities (CAs), SSL VPN access is available from the client by default. Additional client software can be downloaded automatically during SSL VPN sessions (typically this software is in the form of an applet plug-in). The central hub device and the software client encrypt the data over an IP network. This process of encryption makes the data unreadable to Hacker Bob.

Note

A full discussion of public and private CA can be found in The Internet Security Guidebook: From Planning to Deployment available at: http://www.amazon.com/exec/obidos/tg/detail/-/0122374711/102-0386261-4698507?v=glance.
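The handshake described in the SSL VPN section, and the point that it only succeeds because the browser already holds the root certificate of the CA that issued the gateway's certificate, can be exercised end to end on a single machine. The following program is an added example for this edition, not code from the book or from any SSL VPN vendor: it generates a throwaway self-signed certificate for 127.0.0.1 (standing in for the gateway certificate), starts a TLS listener on an ephemeral loopback port (standing in for port 443), and connects a client whose root store either contains that certificate, as a browser's store contains a public CA root, or is empty. In the first case the handshake completes and the negotiated protocol version and cipher suite are returned; in the second the client refuses the session before any application data is sent. The certificate subject and the use of a self-signed certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newGatewayCert generates a throwaway self-signed certificate for 127.0.0.1.
// It stands in for the certificate an SSL VPN gateway presents; in production
// that certificate is issued by a CA whose root the browser already trusts.
func newGatewayCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sslvpn-gateway (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// RunHandshake starts a TLS listener on the loopback interface (an ephemeral port
// stands in for 443) and connects a client to it. When trustGateway is true the
// client's root store contains the gateway certificate, as a browser's store
// would contain the issuing CA root; when false the store is empty and the
// client must refuse the session. It returns the negotiated version and suite.
func RunHandshake(trustGateway bool) (version uint16, suite string, err error) {
	cert, leaf, err := newGatewayCert()
	if err != nil {
		return 0, "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()

	// Server side: accept one connection and run the handshake. If the client
	// rejects the certificate this handshake fails and the goroutine returns.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	roots := x509.NewCertPool() // empty pool: nothing is trusted unless added
	if trustGateway {
		roots.AddCert(leaf)
	}
	// tls.Dial completes the handshake before returning; ServerName is inferred
	// from the address, so the certificate's IP SAN is what gets checked.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots})
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	for _, trust := range []bool{true, false} {
		v, s, err := RunHandshake(trust)
		fmt.Printf("root in trust store=%v -> version=%#x suite=%q err=%v\n", trust, v, s, err)
	}
}
```

The empty CertPool is the important detail: a nil RootCAs would fall back to the operating system's root store, which is exactly the store the book says ships with every SSL-enabled browser, so the example builds its own store to make the trust decision explicit in both directions.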