IPSec has long been viewed as the most secure VPN standard. When properly deployed, it provides an authenticated, encrypted tunnel for IP traffic. Its primary advantage is that IPSec is built into many router, firewall, desktop, and mobile operating systems. In practice, IPSec is difficult to deploy in a heterogeneous environment because of its numerous configuration options, and it uses several protocols depending on the options chosen: IKE/ISAKMP (UDP port 500), ESP (IP protocol 50), AH (IP protocol 51), and NAT Traversal (NAT-T), which moves IKE and UDP-encapsulated ESP to UDP port 4500 once a NAT is detected. GRE (IP protocol 47) appears in GRE-over-IPSec designs. (PPTP, covered below, uses TCP port 1723 plus GRE and is not part of IPSec.) If either endpoint sits behind a NAT device, ESP and AH become problematic: ESP carries no port numbers for a port-translating NAT to work with, and AH's integrity check covers the outer IP header that the NAT rewrites, so AH cannot cross a NAT at all. Standard NAT-T (RFC 3947/3948) solves the ESP case by wrapping it in UDP, and some proprietary implementations add their own UDP encapsulation for the same reason.
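To make the protocol zoo above concrete, here is an added example (not part of the original column) that classifies raw IPv4 packets by their IPsec encapsulation. The interesting part is UDP port 4500: RFC 3948 multiplexes IKE (prefixed with a four-byte zero "Non-ESP Marker"), UDP-encapsulated ESP (which starts with a non-zero SPI) and one-byte NAT keepalives on the same port, which is exactly how NAT-T gets ESP through a NAT. The sample packets are constructed inline, not captures; the addresses are documentation ranges.

```python
import socket
import struct

# IP protocol numbers and UDP ports used by IPsec (IANA assignments, not assumptions).
IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP, IP_PROTO_AH = 17, 47, 50, 51
UDP_IKE, UDP_NAT_T = 500, 4500


def classify(packet: bytes) -> str:
    """Return a label for the IPsec-related encapsulation of one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]

    if proto == IP_PROTO_ESP:
        # ESP: SPI (4), sequence (4), encrypted payload. No ports, so a port-translating
        # NAT has nothing to rewrite; that is why ESP needs NAT-T to cross one.
        (spi,) = struct.unpack("!I", payload[:4])
        return f"ESP spi=0x{spi:08x}"

    if proto == IP_PROTO_AH:
        # AH: next header (1), payload len (1), reserved (2), SPI (4), sequence (4), ICV.
        # The ICV covers the outer IP addresses, so any NAT rewrite fails verification.
        (spi,) = struct.unpack("!I", payload[4:8])
        return f"AH spi=0x{spi:08x}"

    if proto == IP_PROTO_GRE:
        return "GRE"

    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if UDP_IKE in (sport, dport):
            return f"IKEv{ike_major_version(data)} (UDP 500)"
        if UDP_NAT_T in (sport, dport):
            if data == b"\xff":                          # 1-byte keepalive holds the NAT mapping open
                return "NAT-T keepalive"
            if data[:4] == b"\x00\x00\x00\x00":          # zero Non-ESP Marker: IKE moved to 4500
                return f"IKEv{ike_major_version(data[4:])} (NAT-T, UDP 4500)"
            (spi,) = struct.unpack("!I", data[:4])       # otherwise the SPI (never zero) of ESP-in-UDP
            return f"ESP-in-UDP spi=0x{spi:08x}"
        return f"UDP {sport}->{dport}"

    return f"IP protocol {proto}"


def ike_major_version(ike: bytes) -> int:
    """IKE header byte 17 holds major<<4 | minor: 0x10 is IKEv1, 0x20 is IKEv2."""
    if len(ike) < 28:
        raise ValueError("truncated IKE header")
    return ike[17] >> 4


# --- constructed sample packets (built here for the example, not captured traffic) ---

def ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.1") -> bytes:
    """Minimal IPv4 header, no options, checksum left zero (these are never sent)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ike_header(major: int) -> bytes:
    """28-byte IKE header: SPIs, next payload, version, exchange type, flags, msg id, length."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, major << 4, 34, 0x08, 0, 28)


SAMPLES = {
    "ikev2_initial": ipv4(IP_PROTO_UDP, udp(500, 500, ike_header(2))),
    "ikev1_after_nat": ipv4(IP_PROTO_UDP, udp(4500, 4500, b"\x00" * 4 + ike_header(1))),
    "esp_in_udp": ipv4(IP_PROTO_UDP, udp(4500, 4500, struct.pack("!II", 0x0A0B0C0D, 1) + b"\x00" * 32)),
    "keepalive": ipv4(IP_PROTO_UDP, udp(4500, 4500, b"\xff")),
    "esp_native": ipv4(IP_PROTO_ESP, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 32),
    "ah": ipv4(IP_PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x00BEEF00, 1) + b"\x00" * 12),
    "gre": ipv4(IP_PROTO_GRE, b"\x00\x00\x08\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} {classify(pkt)}")
```

Pointing this at packets pulled from a capture library instead of `SAMPLES` is a quick way to see which of the protocols listed above a firewall is actually passing, and whether a peer has fallen back to NAT-T.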
L2TP/IPSec is labeled simply L2TP in many operating systems. Layer 2 Tunneling Protocol (L2TP, UDP port 1701) provides no encryption or confidentiality of its own; it relies on another protocol, usually IPSec ESP, to protect its packets. L2TP/IPSec can be advantageous because it is built into many operating systems. The IPSec tunnel is authenticated with a pre-shared key or a machine certificate, and users are then authenticated inside the tunnel with a PPP username and passphrase; the "shared secret" or static key that some clients ask for is that IPSec pre-shared key. A good level of security can be achieved with careful configuration. However, because every packet is encapsulated twice (PPP inside L2TP inside IPSec), performance suffers.
PPTP is a fast, easy-to-use VPN protocol supported by most devices. Compared to IPSec it is simple to implement and to configure clients for, and it avoids the double encapsulation of L2TP/IPSec. This makes it tempting, but PPTP's MS-CHAPv2 authentication and MPPE encryption rest on outdated cryptography (DES and RC4). An attacker who captures a session can recover the credentials from the MS-CHAPv2 handshake with a single DES key search in under 24 hours, and the MPPE session keys derive from those same credentials. PPTP therefore does not meet any realistic security requirement and should not be used.
OpenVPN is the solution of choice for remote access and a strong contender for branch office connectivity. Open source and low-cost commercial products interoperate well. Most Linux distributions include an OpenVPN package, and an increasing number of firewalls support the protocol. Windows, OS X, Android, and iOS clients exist. OpenVPN runs a TLS-protected control channel and its encrypted data channel over a single UDP or TCP port, and every session is originated by the client. This makes the protocol extremely NAT friendly. Initially configuring OpenVPN requires patience, because several algorithm, key length, and authentication options are available, including certificate-based and username/password authentication. Many servers offer local, RADIUS, or Active Directory authentication, which can in turn be used to enable one-time password systems. When appropriately deployed, OpenVPN provides a high level of security and better performance than L2TP/IPSec. Many servers, including open source firewalls, can generate the certificates and configuration files for the various OpenVPN clients.
Proprietary VPN solutions also exist. Many leverage IPSec or TLS under the covers to claim a high level of security, and promise features that make the product easy to deploy. This can be attractive, but the proprietary approach is usually an attempt to create vendor lock-in and charge a per-client licence. If vendors respond slowly to security issues in underlying libraries, or the release of new operating system versions, it has the potential to adversely impact the organization or force migration to a different VPN product. Most organizations should avoid proprietary VPN implementations and choose a standard instead.
Built-in IPSec is a good solution for static firewall-to-firewall and router-to-router applications across the Internet such as branch office connectivity. It is also useful within the corporate perimeter to secure sensitive information that would otherwise flow within insecure protocols. For example, a Windows server could use IPSec to secure all communications with an IPSec-capable multifunction printer to protect print and scan jobs from interception.
OpenVPN is the best solution for remote access across the Internet. It also works well for point-to-point applications. Optimal performance is usually obtained over UDP, but a good practice is to deploy both a UDP server on standard port 1194 and a TCP server on port 443. The latter will usually allow connectivity from hotels and other networks with port restrictions on outbound traffic. Most products allow multiple OpenVPN servers to run simultaneously, eliminating the need for additional hardware. L2TP/IPSec is a reasonable second choice for remote access if OpenVPN is not supported.
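The two OpenVPN paragraphs above (the authentication and cipher options, and the UDP 1194 plus TCP 443 deployment advice) translate into a handful of client-profile directives that are easy to leave out. The following is an added example, not code from the column or from the OpenVPN project: a small audit of an exported `.ovpn` client profile that flags the common omissions. Both profiles are constructed for the example, and `vpn.example.com` and the file names are placeholders. The directives themselves (`remote-cert-tls`, `tls-crypt`, `tls-version-min`, `data-ciphers`, `verify-x509-name`) are real OpenVPN 2.5 options.

```python
from typing import Dict, List

# Constructed .ovpn client profiles (not from any real deployment). The first has the
# shortcuts a hurried rollout tends to ship; the second follows the column's advice.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC
auth-user-pass
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_PROFILE = """\
client
dev tun
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp        # fallback for networks that filter outbound ports
remote-cert-tls server                # only accept a certificate issued for a server as the peer
verify-x509-name vpn.example.com name
tls-version-min 1.2
tls-crypt ta.key                      # pre-shared key authenticates and encrypts the control channel
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
auth-user-pass
ca ca.crt
cert client.crt
key client.key
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_HMACS = {"MD5", "NONE"}


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Parse an OpenVPN profile into {directive: [args of each occurrence]}.

    Inline file blocks (<ca>...</ca> and friends in exported profiles) are skipped, and a
    token starting with '#' or ';' begins a comment, as in OpenVPN's own parser.
    """
    directives: Dict[str, List[List[str]]] = {}
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            directives.setdefault(inline_tag, []).append(["<inline>"])
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def audit_profile(text: str) -> List[str]:
    """Return the weaknesses found in a client profile (an empty list means none found)."""
    d = parse_profile(text)
    findings: List[str] = []

    # Server identity: every client holds a certificate from the same CA, so without this
    # directive any one of them could stand up a rogue "server" that the others trust.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("missing 'remote-cert-tls server': any client certificate could impersonate the server")

    # Control channel: tls-auth/tls-crypt drops unauthenticated packets before the TLS
    # handshake; tls-version-min prevents negotiating an old TLS version.
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: TLS handshake reachable by anyone on the Internet")
    if "tls-version-min" not in d:
        findings.append("no tls-version-min: older TLS versions may be negotiated")

    # Data channel: a pinned legacy cipher is worse than letting 2.4+ peers negotiate AES-GCM.
    ciphers = [a[0].upper() for a in d.get("cipher", []) if a]
    weak = [c for c in ciphers if c in WEAK_CIPHERS]
    if weak:
        findings.append(f"weak data cipher pinned: {', '.join(weak)}")
    elif not ciphers and "data-ciphers" not in d and "ncp-ciphers" not in d:
        findings.append("no data cipher configured: pre-2.4 peers fall back to BF-CBC")
    for a in d.get("auth", []):
        if a and a[0].upper() in WEAK_HMACS:
            findings.append(f"weak HMAC: {a[0]}")

    # Transport: UDP 1194 for speed, TCP 443 so port-restricted networks still connect.
    proto_args = d.get("proto", [["udp"]])[0]
    default_proto = proto_args[0] if proto_args else "udp"
    remotes = []
    for a in d.get("remote", []):
        port = a[1] if len(a) > 1 else "1194"
        proto = a[2] if len(a) > 2 else default_proto
        remotes.append((port, proto.lower()))
    if not any(port == "443" and proto.startswith("tcp") for port, proto in remotes):
        findings.append("no TCP 443 fallback: add 'remote <host> 443 tcp' for networks that block outbound UDP")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {audit_profile(profile) or ['no findings']}")
```

Run against a profile generated by a firewall's export wizard before handing it to users; the `remote-cert-tls server` check is the one most often missed, and it is the one that stops another licensed client from impersonating the server.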
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org