As with most networking technologies, the details are in the protocols. In this video, you’ll learn about PPP, PPTP, SSL VPNs, and IPSec.
Well, if you’re using a virtual private network, then you’ve got to use some type of networking protocol to get that data from one side to the other. And in this video we’ll go through some of the most commonly used ways to send data across these VPN tunnels. PPP has been around for a very long time. And this point-to-point protocol allows us some very nice functionality when we’re trying to tunnel information from one side of the network to another.
PPP has built into it things like authentication and compression, error detection, and even the ability to use multiple links simultaneously to increase the amount of bandwidth that we can use. But as you can tell, PPP does not have any type of encryption mechanism built into the base point-to-point protocol. PPP has been used in a number of networking environments. But it’s best used when there is one link at one end, and one link at the other end, and there’s no need to communicate to anyone else, thus the name point-to-point protocol.
So you’ll see this used across telephone lines. You’ll see it used across mobile devices. You may see it used across modems and serial cables, for instance. It is a Layer 2 protocol. And when it is just a modem connection that’s connecting to another modem connection, it makes perfect sense to use something like PPP. But now that we have IP connections and we need to communicate to Google, and Yahoo, and ESPN, and other websites, PPP doesn’t have quite the same functionality for encrypting and protecting the information that we’re sending across the network.
A tunneling protocol that’s a bit more modern is PPTP, which stands for Point-to-point Tunneling Protocol. This is a protocol that manages and configures the tunnel between two locations. It uses something called GRE, or Generic Routing Encapsulation, to actually do the tunneling. PPP is then used to send the multi-protocol traffic across the GRE tunnel.
So you’ve got this combination of protocols working together. One to create the tunnel, and one to then send traffic over that tunnel. Unlike PPP, PPTP has the ability to authenticate and encrypt the information going across. One way to do that is through something called Microsoft CHAPv2, MS CHAP version 2, which is the Microsoft Challenge Handshake Authentication Protocol that’s used to authenticate someone on that tunnel.
Then to encrypt the data we can use EAP-TLS, which stands for Extensible Authentication Protocol-Transport Layer Security. So by using these protocols, we can build a tunnel, send traffic over the tunnel, and then authenticate and encrypt that information as it’s going across the tunnel. You may also see data encrypted using Microsoft’s Point-to-Point Encryption, MPPE. When you’re using the Windows type of PPTP, MPPE is the type of encryption you’ll usually see.
Another common VPN protocol is the SSL VPN. It stands for Secure Sockets Layer VPN. Now, secure sockets layer, of course, is the mechanism that we use to encrypt our communication to web servers. So it just makes sense that the firewalls and the other network devices that allow web server encryption would also allow an SSL VPN encryption as well.
You’ll also find that an SSL VPN generally doesn’t have a very big VPN client that needs to be installed on someone’s workstation. Often the client is even built into the operating system itself. This allows that client to talk back to a central concentrator, so we now have VPN communication that can go from our device to our corporate VPN concentrator.
This would also allow us to authenticate users. An SSL VPN can simply use a user name and password. There’s no requirement to have a digital certificate, or a shared password, like you might have in something like IPsec. And sometimes you can even run this from inside a browser, or from a very light VPN client. And this might work on many different operating systems since all different operating systems have browsers that can be used instead of something like a client that has to be installed into the OS.
If you’re doing any high-end or very secure type of VPN communication, then you’re probably using IPsec. That stands for Internet Protocol Security. And it provides us with a way to secure IP packets there at layer 3. Every packet can be authenticated and encrypted through the tunnel, so that the only thing anyone would be able to see if they tapped into that connection was that two IP addresses were talking to each other. Everything else inside of that is completely secure.
This not only provides the confidentiality of information, but it also provides integrity. So that prevents someone from replaying that traffic and trying to use that to gain access to our network. This encryption and packet-signing functionality maintains the security of the traffic and ensures that each packet can only be used once through that tunnel.
This is a very standardized type of VPN protocol. In fact, you’ll find that you can connect many different vendors’ devices together using IPsec. And they all generally communicate with each other without any type of problem.
There are two core IPsec protocols that you need to be aware of. One is the Authentication Header, or AH, and the other is the Encapsulating Security Payload, or ESP. The Authentication Header is used to make sure that the data going through is authenticated on both sides. And we can add the ESP functionality to secure the data and make sure that all of the information is also encrypted.
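As an added example, not from the video, here is what a tap on an ESP tunnel actually gets to see (the cleartext SPI and sequence number, per RFC 4303) and how the receiver’s anti-replay sliding window uses that sequence number to reject replayed packets. The packets are constructed inline with a made-up SPI; the window size of 64 is an assumption, and extended sequence numbers are not modelled.

```python
import struct

# Cleartext part of every ESP packet (RFC 4303): SPI then sequence number,
# both 32-bit big-endian. Everything after these 8 bytes is ciphertext.
ESP_HDR = struct.Struct("!II")


def parse_esp_header(packet: bytes) -> tuple:
    """Return (spi, seq); this is all an eavesdropper learns besides the IPs."""
    if len(packet) < ESP_HDR.size:
        raise ValueError("truncated ESP packet")
    return ESP_HDR.unpack_from(packet)


class ReplayWindow:
    """Anti-replay sliding window in the style of RFC 4303 section 3.4.3.
    Window size 64 is an assumed value; bit i of the bitmap means
    sequence number (top - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # ESP never uses sequence number 0
            return False
        if seq > self.top:                # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # too old: fell off the left edge
            return False
        if self.bitmap & (1 << diff):     # already seen: replay
            return False
        self.bitmap |= 1 << diff          # late but new: accept once
        return True


def make_esp(spi: int, seq: int) -> bytes:
    """Constructed sample packet: real header, 16 dummy ciphertext bytes."""
    return ESP_HDR.pack(spi, seq) + b"\x00" * 16


# Constructed capture: in-order packets, two replays, one late packet,
# a jump beyond the window, and a replay that is now too old.
SAMPLE_PACKETS = [make_esp(0x1000ABCD, n) for n in (1, 2, 3, 2, 5, 4, 5, 70, 5)]


def filter_replays(packets, window=None):
    """Split a packet list into accepted and dropped sequence numbers."""
    window = window or ReplayWindow()
    accepted, dropped = [], []
    for pkt in packets:
        _spi, seq = parse_esp_header(pkt)
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped
```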