Virtual Private Networks

Protocols for Remote Access VPN Services

If the distinctions between the many types of VPN tunneling protocols aren't crystal clear to you, you're not alone. Here's a protocol-by-protocol analysis

Lisa Phifer
VP Core Competence, Inc.


The market forces driving the adoption of Remote Access VPNs (primarily an ever-more-mobile and -distributed workforce in need of economical connectivity) are building daily. ISPs hoping to capitalize on this growth market must build a tunneling infrastructure to support Remote Access VPN services. But the $64,000 question is: which tunneling infrastructure? In this column, we'll examine the alternative tunneling protocols that ISPs may wish to consider.

Layer 2 Tunnels: Extending the PPP Session
Layer 2 tunnels connect a single dial user to a private network, treating the public Internet as a virtual data link. Without tunnels, PPP sessions connect a dial user to an enterprise's private modem pool or to an ISP's network access server (NAS). With tunnels, the PPP session endpoint can be extended to the edge of the customer's corporate network, providing secure remote access. Sounds simple enough, but there are several competing approaches to consider.

Cisco's Layer 2 Forwarding Protocol (L2F) provides compulsory authenticated tunneling between an ISP's NAS and a device at the edge of the customer's network called a Home Gateway. Calls made to the ISP's POPs are forwarded to the customer's Home Gateway for authentication. Customers benefit by eliminating toll or 800# charges, and no client-side software is required. The downside is that L2F does not provide data privacy; customer traffic transits the ISP's network as clear text. L2F is still supported by a few products, but will eventually be replaced by L2TP.

Microsoft's Point-to-Point Tunneling Protocol (PPTP) is often used for voluntary authenticated and encrypted tunneling between dial-up clients and a PPTP Network Server located just inside the customer's network. With PPTP, users dial into any Internet POP and then launch the Microsoft VPN Adapter, client software supplied with Windows 95/98/NT. The PPTP Network Server authenticates the tunnel user with MS-CHAP and negotiates data compression and encryption as dictated by security policies. PPTP offers payload privacy, but does not encrypt session control traffic. Microsoft has addressed many criticisms of PPTP in Windows Dial-Up Networking 1.3, and over a dozen vendors currently market PPTP Network Server products.

The Layer Two Tunneling Protocol (L2TP) consolidates the best of L2F and PPTP within a single standard. L2TP Access Concentrators (LACs) terminate PPP LCP and carry out dial session authentication. L2TP can be used with a separate LAC at the ISP NAS, or with a LAC Client on the end-user's PC. L2TP Network Servers (LNSs) terminate PPP NCP, provide routing and bridging for the PPP session, and make the user appear directly connected to the "home" network.

L2TP inherits benefits found in L2F and PPTP like transparency in compulsory mode, multiprotocol support, and leaving authentication, authorization, and addressing responsibility within the customer's network. However, L2TP is a tunneling protocol, not an encryption protocol. If customers require data confidentiality, you'll need to run L2TP over IPsec. While L2TP has not yet fully matured, several L2TP products are now commercially available.
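To make the LAC/LNS exchange concrete, here is an added example (not from the article and not any vendor's code) that builds the first control message a LAC sends to open a tunnel and decodes L2TP headers and AVPs as laid out in RFC 2661; the host name and Assigned Tunnel ID are constructed values. The parser also handles data messages (the PPP frames carried inside the tunnel) and hidden AVPs, which is what a NAS or monitoring tool would need before it could tell control traffic from tunneled sessions.

```python
import struct
# Header flag bits (RFC 2661 section 3.1) and AVP header bits (section 4.1)
T_BIT, L_BIT, S_BIT, O_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x000F
AVP_M, AVP_H, AVP_LEN = 0x8000, 0x4000, 0x03FF
MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 10: "ICRQ", 12: "ICCN", 14: "CDN"}

def avp(attr_type, value, mandatory=True):  # one IETF (vendor 0) AVP: flags+len, vendor, type, value
    return struct.pack("!HHH", (AVP_M if mandatory else 0) | (6 + len(value)), 0, attr_type) + value

def build_sccrq(hostname):  # constructed sample: the first LAC->LNS control message of a new tunnel
    body = (avp(0, struct.pack("!H", 1))           # Message Type = SCCRQ
            + avp(2, b"\x01\x00")                  # Protocol Version 1.0
            + avp(7, hostname)                     # Host Name
            + avp(9, struct.pack("!H", 0x1A2B)))   # Assigned Tunnel ID (constructed)
    flags = T_BIT | L_BIT | S_BIT | 2              # control, length present, sequenced, v2
    # Tunnel ID, Session ID, Ns, Nr are all 0: nothing assigned or acknowledged yet
    return struct.pack("!HHHHHH", flags, 12 + len(body), 0, 0, 0, 0) + body

def parse_l2tp(pkt):  # decode the common header; for control messages also walk the AVP list
    flags, = struct.unpack("!H", pkt[:2])
    if flags & VER_MASK != 2:
        raise ValueError("not an L2TPv2 header")
    info, off = {"control": bool(flags & T_BIT)}, 2
    if flags & L_BIT:
        info["length"], = struct.unpack("!H", pkt[off:off + 2]); off += 2
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    if flags & S_BIT:
        info["ns"], info["nr"] = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    if flags & O_BIT:                              # offset pad sits between header and payload
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]
    if not info["control"]:                        # data message: payload is the tunneled PPP frame
        return {**info, "ppp_frame": pkt[off:]}
    if not (flags & L_BIT and flags & S_BIT) or flags & O_BIT:
        raise ValueError("control messages must set L and S and clear O")
    end, avps = info["length"], []
    while off < end:
        hdr, vendor, atype = struct.unpack("!HHH", pkt[off:off + 6])
        alen = hdr & AVP_LEN
        if alen < 6 or off + alen > end:
            raise ValueError("AVP length runs past the message")
        value = pkt[off + 6:off + alen]
        if hdr & AVP_H:                            # hidden AVP: value masked with the tunnel secret
            value = "<hidden>"
        elif vendor == 0 and atype == 0:
            info["message"] = MSG_NAMES.get(struct.unpack("!H", value)[0], "unknown")
        elif vendor == 0 and atype == 7:
            info["host_name"] = value.decode("ascii", "replace")
        avps.append((vendor, atype, value))
        off += alen
    return {**info, "avps": avps}
```

Note that nothing in the header or AVPs is encrypted: the Host Name and tunnel IDs above are readable by anyone on the ISP's path, which is the point made in the paragraph above about running L2TP over IPsec when confidentiality matters.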

Layer 3 Tunnels: Adding Security Features to IP
Features have been added to the IP protocol to provide greater security for IP packets that transit public networks. The Authentication Header (AH) allows a recipient to verify the identity of a packet sender and protects against modification. The Encapsulating Security Payload (ESP) encrypts packets, usually by encapsulating a private IP packet inside an outer public IP packet. Another standard known as ISAKMP can be used for strong authentication of tunnel endpoints and key management. Collectively, these extensions are called IP Security (IPsec).

Typically, IPsec supports Site-to-Site VPNs by creating security associations between gateways at the edge of customer networks. All packets that enter or leave each network can be tunneled according to customer-defined policy, with filtering down to the individual host and port level. IPsec-compatible encryption and packet authentication algorithms support a wide variety of security policies, allowing customers to strike their own balance between security and performance.

But IPsec can also be used to support Remote Access VPNs by tunneling from an individual host to a security gateway, topologically similar to voluntary PPTP tunnels. IP packets sent by an IPsec host to a protected network are encrypted and delivered to the security gateway for that network. IP packets to public destinations are sent without addition of IPsec protocols.
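The host-side behaviour just described (protect traffic to the corporate network, send public traffic untouched, filter down to host and port) is driven by the IPsec Security Policy Database. The following is an added example of that lookup (a simplified model written for this column, not any product's implementation); the Policy class, the 10.0.0.0/8 corporate range and the gateway address 203.0.113.1 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic selectors plus the action to apply (hypothetical, simplified model)."""
    dst_net: str              # destination network selector
    action: str               # "PROTECT" (ESP tunnel), "BYPASS" (send in clear) or "DISCARD"
    proto: str = "any"        # "tcp", "udp", "icmp" or "any"
    dst_port: int = 0         # 0 means any port
    gateway: str = ""         # tunnel endpoint, required for PROTECT

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", pkt["proto"])
                and self.dst_port in (0, pkt.get("dport", 0)))

def spd_lookup(spd, pkt):
    """Ordered first match, as the IPsec architecture specifies: a narrower entry must sit above a broader one."""
    for policy in spd:
        if policy.matches(pkt):
            return policy
    return Policy("0.0.0.0/0", "DISCARD")   # implicit default: unclassified traffic never leaves

def outbound(spd, host_ip, pkt):
    """Apply the selected action; returns None for DISCARD, otherwise the outer and inner headers."""
    policy = spd_lookup(spd, pkt)
    if policy.action == "DISCARD":
        return None
    if policy.action == "BYPASS":
        return {"outer": None, "inner": pkt}   # public destination: no IPsec added
    # ESP tunnel mode: the whole inner packet becomes the encrypted payload of a new
    # outer packet from the host to the security gateway guarding that network.
    return {"outer": {"src": host_ip, "dst": policy.gateway, "proto": "esp"}, "inner": pkt}

# Constructed policy for a remote host: tunnel everything for the corporate 10.0.0.0/8
# through the gateway, except telnet, which is refused outright at the port level;
# anything else (public Internet destinations) goes out in the clear.
SPD = [
    Policy("10.0.0.0/8", "DISCARD", proto="tcp", dst_port=23),
    Policy("10.0.0.0/8", "PROTECT", gateway="203.0.113.1"),
    Policy("0.0.0.0/0", "BYPASS"),
]
```

Swapping the first two entries would silently let telnet through the tunnel, which is why an ordered SPD should be reviewed top-down rather than entry by entry.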

IPsec support will be included in Windows 2000 and various Unix incarnations. Until these OS upgrades are widely deployed, client software must be installed on each IPsec host. Security parameters must be configured at each host, and each host must bear the additional processing imposed by IPsec. Furthermore, IPsec support for roaming hosts is still limited. IPsec hosts can be authenticated with certificates, which provides strong authentication but adds deployment complexity. Standard extensions like XAUTH and IKECFG may someday allow dynamic assignment of tunnel endpoint addresses and integrate dial user authentication methods like RADIUS. For now, many vendors are using proprietary extensions to bridge this gap.

The Best ISP Platform for Remote Access VPN?
For a VPN service that simply reduces the cost of authenticated remote access, compulsory L2TP tunneling is arguably the most straightforward approach. ISP NAS configuration is comparatively limited, and there is no client software to support.

But many customers equate "remote access VPN" with "secure remote access VPN." These customers expect data confidentiality, and that means PPTP or IPsec. The choice here is really dictated by the target market: Low-end customers may be satisfied with PPTP, while high-end customers will demand IPsec or an IPsec/L2TP combo.

PPTP is easier to deploy than IPsec, but provides much weaker security. Still, PPTP tunneling may meet the needs of many small-to-midsize businesses, and this kind of VPN service can be turned up quickly. Even though IPsec and L2TP have been added to Windows 2000, Microsoft plans to continue supporting PPTP. This speaks for itself.

Large businesses that require stronger encryption and authentication may pay the premium price required to build an IPsec infrastructure. IPsec remote access support varies from product to product: some vendors recommend L2TP over IPsec, while others enhance IPsec itself. Careful planning and analysis are required to find the best fit.
