VPN
Intro
A VPN is commonly used to provide secure connectivity to a site in order to share resources between two organisations or departments, or to give remote users access to their corporate services as if they were sitting at their desk in the office. It is a popular alternative to private WAN connections, since Internet access is usually cheaper and is available pretty much everywhere.
Features
Depending on the technology used, a VPN can provide some or all of the following:
Authentication: verifying that the router/firewall or remote user sending VPN traffic is a legitimate, authorised device or user.
Anti-replay: preventing someone from capturing traffic and resending it in an attempt to appear as a legitimate device/user.
Confidentiality: preventing anyone from reading your data. This is implemented with encryption.
Integrity: verifying that the VPN packet wasn't changed in transit.
When people hear about VPNs, they often automatically start thinking about encryption, authentication and so on. This is not always the case: even something as simple as a VLAN could be considered a "VPN". It's virtual, and only the devices in the VLAN are able to communicate with each other (private). Another good example is MPLS VPN, which separates customers' traffic but offers no authentication or encryption at all.
Types
There are two key scenarios where you would deploy VPN technology, known as Site-to-Site VPN and Remote Access VPN.
Site-to-Site VPN
In a site-to-site VPN, data is encrypted from one VPN gateway to another VPN gateway, providing a secure link between two sites, organisations or departments over the Internet. This enables both sites to share resources such as documents and other data over the secure VPN link, and the hosts behind each gateway need no VPN software of their own. The following figure illustrates a site-to-site VPN deployment, where an organisation has two offices and would like to provide a secure VPN link between them to share resources.
Remote Access VPN
In a remote access VPN scenario, sometimes known as mobile VPN, a secure connection is made from an individual computer to a VPN gateway device situated at the organisation's data centre. This enables a user to access their e-mail, files and other resources at work from anywhere in the world, provided they have an Internet connection. Two common frameworks exist for remote access VPN, IPsec and SSL, and both are covered further in this article. The following figure illustrates a remote access user VPN deployment.
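As an added illustration of the integrity and anti-replay features listed above (example code written for this page, not taken from any VPN product), the following Python models the receive side of one IPsec security association: every packet carries a sequence number and an HMAC-SHA-256 integrity check value, and the ICV is verified before the RFC 4303 sliding anti-replay window is consulted. The SPI, key, payloads and window sizes are constructed for the example, and encryption is left out to keep the focus on the two checks.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16         # HMAC-SHA-256 truncated to 128 bits, as IPsec's AUTH_HMAC_SHA2_256_128 does
DEFAULT_WINDOW = 64  # anti-replay window in packets; RFC 4303 requires at least 32


class OutboundSA:
    """Sender side: number every packet and append an integrity check value (ICV)."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key, self.seq = spi, auth_key, 0

    def send(self, payload: bytes) -> bytes:
        self.seq += 1                                   # first packet on an SA is seq 1
        body = struct.pack("!II", self.spi, self.seq) + payload
        icv = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv


class InboundSA:
    """Receiver side: verify the ICV first, then apply the sliding anti-replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = DEFAULT_WINDOW):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already received

    def receive(self, packet: bytes) -> tuple:
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Integrity before replay state: the window is only updated for packets that
        # verified, so an attacker cannot advance it by forging a huge sequence number.
        if not hmac.compare_digest(expected, icv):
            return False, "bad ICV"
        if seq == 0:
            return False, "seq 0 invalid"
        if seq > self.highest:                          # new high end: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True, "ok (new high)"
        diff = self.highest - seq
        if diff >= self.window:
            return False, "too old"                     # left the window: cannot tell if replayed
        if (self.bitmap >> diff) & 1:
            return False, "replay"
        self.bitmap |= 1 << diff                        # late but first seen: accept and mark
        return True, "ok (in window)"


def demo() -> dict:
    # Constructed key and payloads for the example; real SA keys come out of IKE.
    key = b"example-auth-key-not-for-real-use"
    tx, rx = OutboundSA(0x1234, key), InboundSA(0x1234, key)
    pkts = [tx.send(b"payload %d" % i) for i in range(1, 6)]   # seq 1..5
    r = {}
    r["in_order"] = rx.receive(pkts[0])             # seq 1
    r["reordered"] = rx.receive(pkts[2])            # seq 3 arrives before seq 2: fine
    r["late"] = rx.receive(pkts[1])                 # seq 2 inside the window: fine
    r["replay"] = rx.receive(pkts[2])               # seq 3 a second time: rejected
    tampered = bytearray(pkts[3])
    tampered[10] ^= 0x01                            # flip one payload bit
    r["tampered"] = rx.receive(bytes(tampered))     # ICV no longer matches
    forged = struct.pack("!II", 0x1234, 1000) + b"\0" * 24
    r["forged_high"] = rx.receive(forged)           # no key: ICV fails, window untouched
    r["after_forge"] = rx.receive(pkts[3])          # seq 4 still accepted as the new high
    tx2, rx2 = OutboundSA(0x42, key), InboundSA(0x42, key, window=4)
    old = [tx2.send(b"x") for _ in range(8)]        # seq 1..8
    rx2.receive(old[7])                             # seq 8: window now covers 5..8
    r["too_old"] = rx2.receive(old[2])              # seq 3 has fallen out of the window
    r["window_edge"] = rx2.receive(old[4])          # seq 5 is the oldest still accepted
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The order of the checks is the point: a packet that fails integrity must not touch the replay window, otherwise anyone on the path could forge a packet with a very high sequence number and make the receiver discard all the genuine packets that follow.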
VPN Networking Protocols
VPN tunnels use one of four main networking protocols. They differ considerably in the level of security they provide, as detailed below.
Point to Point Tunnelling Protocol (PPTP)
Layer 2 Tunnelling Protocol (L2TP)
IPsec (IP Security)
Secure Socket Layer (SSL) VPN
PPTP is a tunnelling protocol that carries PPP (Point-to-Point Protocol) frames over IP, using a GRE tunnel for the data alongside a TCP control connection on port 1723. Using PPTP, remote users can access their corporate networks from the Microsoft Windows platforms and other PPP-enabled systems: the user dials into their local Internet service provider and then connects to the corporate network across the Internet.
PPTP is considered a weak protocol. Its usual authentication method, MS-CHAPv2, and the MPPE encryption keyed from it have been shown to be breakable by an attacker who captures the handshake, so it should not be relied on for confidentiality whatever later fixes were applied. Although PPTP is easier to use and configure than IPsec, IPsec outweighs it in the areas that matter, being both more secure and more robust.
L2TP is the successor to PPTP, combining the functionality of PPTP and Cisco's Layer 2 Forwarding protocol (L2F), and is used by Internet service providers to provide VPN services over the Internet. L2TP itself only tunnels PPP frames (over UDP port 1701) and provides no encryption, packet authentication or integrity protection; for those it is run inside IPsec, the combination known as L2TP/IPsec. IPsec is considered better than the layer 2 VPN protocols such as PPTP and L2TP, which is why security vendors have integrated the IPsec framework into their products.
IPsec operates at layer 3 of the OSI model and can therefore protect any protocol that runs on top of IP. IPsec is a framework rather than a single protocol: key exchange (IKE), the ESP and AH packet formats, and the encryption and integrity algorithms are separate, negotiable components, and new algorithms can be added to the framework. This flexibility and defence in depth make it a strong solution for securing VPN tunnels. Its main drawback is complexity: it must be set up on the corporate gateway and on the client-side devices, and the framework has many options that can be got wrong. IPsec is used for both site-to-site and remote user VPN connectivity.
SSL VPN provides ease of use, flexibility and security for remote access users. The underlying protocol is already heavily used on the web (today in its successor form, TLS): when you shop online or access your bank account online you are using it wherever you see "https" in your browser's URL bar.
When it comes to remote access VPN technology, one of the main differences between SSL VPN and IPsec is the client. With IPsec a remote user requires a preconfigured "fat" client that must be installed and configured, and there have been known issues with such clients, particularly limited support through certain firewalls and public Internet services such as wireless hot spots. IPsec also needs several protocols to pass: IKE on UDP port 500, NAT traversal on UDP port 4500 and ESP (IP protocol 50), so multiple firewall rules are required, and networks that only allow web traffic out will often block it altogether.
With SSL VPN a client is optional, and everything runs over a single TCP port, 443, which is almost always allowed out. SSL VPN can be configured with a web portal with user-defined resources. The portal is a GUI accessed via a web browser and contains tools and utilities for accessing applications on the network, for example RDP and Outlook. SSL VPN can also imitate the way IPsec works by providing a full secure tunnel, either by installing lightweight client software or by clicking connect directly from the web VPN portal. If a user requires the client software, it can be installed with very little effort via the browser, which simplifies securely accessing the corporate network.
Using SSL VPN makes simple work of provisioning thousands of end users, who are able to access corporate network resources with very little effort. The end user needs to know the web address of the SSL VPN portal and their login credentials, and that's pretty much it. Because SSL VPN is browser based, web portals can be created with links to corporate resources defined within them, which is another advantage: users do not have to rely on a configured client-side VPN application and can connect from any device with a web browser.
Setting up an IPsec Site-to-Site VPN Tunnel
Below is a basic overview of the typical way a site-to-site VPN is configured using IPsec. IPsec is the most commonly used framework for creating VPN tunnels and is known to be solid, robust and secure when configured correctly.
If you are new to VPN technology and the IPsec framework, a lot of the terminology can be overwhelming at the beginning,
Setting up a site-to-site VPN with IPsec
The information below covers what is required to set up a VPN connection on a VPN gateway device using IPsec. It is not really aimed at any specific vendor and is fairly generic.
To start with, you need to decide how the two VPN peer devices will authenticate each other: either agree on a pre-shared key (PSK) or install digital certificates on both gateways. This is what proves each gateway's identity to the other and ensures that only authorised gateways can bring the tunnel up. Both gateways must use the same type of credential, so either both sides use a pre-shared key or both sides use certificates, and if pre-shared keys are used the keys on both sides must match exactly. A pre-shared key is effectively a password shared by the two gateways, so it should be long and random rather than a memorable phrase.
Phases
phase 1
phase 2
IPsec VPNs are configured and negotiated in two phases, phase 1 and phase 2. In phase 1 the two gateways authenticate each other and set up a secure, encrypted channel (the IKE SA) to protect the phase 2 negotiation. With IKEv1 this is done in Main mode or Aggressive mode. Main mode protects the peers' identities; Aggressive mode is faster but, when pre-shared keys are used, sends the authentication hash in the clear, so anyone who captures the exchange can run an offline dictionary attack against the key. Aggressive mode with pre-shared keys should therefore be avoided. IKEv2 replaces both modes with a single, simpler exchange.
In phase 2 (Quick mode in IKEv1, CREATE_CHILD_SA in IKEv2) you establish the IPsec Security Association (SA). Here you tell the gateway what traffic will be sent over the VPN (the traffic selectors, often called the "interesting traffic") and how to encrypt and authenticate it. Both ends must agree on all of this: the selectors on one gateway must be the mirror image of the other's, and the proposed algorithms must match, or the tunnel will not come up.
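To make the phase 2 parameters concrete, here is a small added Python example written for this page (not taken from any vendor's implementation). It represents each gateway's phase 2 proposal and traffic selectors, checks that two peers' policies are mirror images of each other, and performs the first-match lookup that decides whether a given packet is tunnelled or sent in the clear. The site A / site B subnets, the algorithm names and the names Selector, Phase2Policy, check_peers and classify are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One phase 2 traffic selector: which local and remote addresses the SA protects."""
    local: str              # local subnet, e.g. "10.1.0.0/16"
    remote: str             # remote subnet, e.g. "10.2.0.0/16"
    proto: str = "any"      # IP protocol: "any" or e.g. "tcp"


@dataclass(frozen=True)
class Phase2Policy:
    """What one gateway proposes in phase 2 for a given peer."""
    encryption: str           # e.g. "aes256"
    integrity: str            # e.g. "sha256"
    pfs_group: Optional[str]  # DH group for perfect forward secrecy, or None
    selectors: Tuple[Selector, ...]


def mirror(sel: Selector) -> Selector:
    """The selector as the other gateway must express it: local and remote swapped."""
    return Selector(local=sel.remote, remote=sel.local, proto=sel.proto)


def check_peers(a: Phase2Policy, b: Phase2Policy) -> List[str]:
    """Return the reasons phase 2 would fail between gateways A and B (empty = consistent)."""
    problems = []
    for field in ("encryption", "integrity", "pfs_group"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} mismatch: A={getattr(a, field)} B={getattr(b, field)}")
    a_sels = set(a.selectors)
    b_mirrored = {mirror(s) for s in b.selectors}
    for s in sorted(a_sels - b_mirrored, key=str):
        problems.append(f"A selector {s.local} -> {s.remote} ({s.proto}) has no mirror on B")
    for s in sorted(b_mirrored - a_sels, key=str):
        # s is B's selector already mirrored, so print it from B's point of view
        problems.append(f"B selector {s.remote} -> {s.local} ({s.proto}) has no mirror on A")
    return problems


def classify(policy: Phase2Policy, src: str, dst: str, proto: str = "tcp") -> str:
    """First-match lookup like a security policy database: PROTECT (tunnel) or BYPASS (clear)."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in policy.selectors:
        if (s_ip in ipaddress.ip_network(sel.local)
                and d_ip in ipaddress.ip_network(sel.remote)
                and sel.proto in ("any", proto)):
            return "PROTECT"
    return "BYPASS"


# Constructed example policies: site A reaches two subnets behind site B.
SITE_A = Phase2Policy("aes256", "sha256", "modp2048", (
    Selector("10.1.0.0/16", "10.2.0.0/16"),
    Selector("10.1.0.0/16", "10.3.0.0/24"),
))
SITE_B_GOOD = Phase2Policy("aes256", "sha256", "modp2048", (
    Selector("10.2.0.0/16", "10.1.0.0/16"),
    Selector("10.3.0.0/24", "10.1.0.0/16"),
))
# Two typical mistakes: a weaker cipher on one side, and a /16 where the other side has a /24.
SITE_B_BAD = Phase2Policy("aes128", "sha256", "modp2048", (
    Selector("10.2.0.0/16", "10.1.0.0/16"),
    Selector("10.3.0.0/16", "10.1.0.0/16"),
))

if __name__ == "__main__":
    print("good peer:", check_peers(SITE_A, SITE_B_GOOD) or "no problems")
    print("bad peer:", *check_peers(SITE_A, SITE_B_BAD), sep="\n  ")
    print(classify(SITE_A, "10.1.5.5", "10.2.1.1"), classify(SITE_A, "10.1.5.5", "8.8.8.8"))
```

The selector mismatch in SITE_B_BAD is the classic "phase 1 is up but no traffic flows" fault: the two gateways authenticate fine, then disagree in phase 2 about which networks the tunnel covers.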
Authentication
Extensible Authentication Protocol (EAP)
EAP was designed as an extension of PPP, which is why PPTP, which carries PPP, supports it; it works from within PPP's authentication phase. Rather than being one method, it provides a framework into which many different authentication methods can be plugged. EAP is meant to supplant proprietary authentication systems and accommodates a variety of methods, including passwords, challenge-response tokens and public key infrastructure certificates.
CHAP
CHAP authenticates with a challenge-response exchange: the server sends a random challenge and the client replies with an MD5 hash of the message identifier, the shared secret and the challenge, so the secret itself never crosses the wire. What makes CHAP particularly interesting is that it periodically repeats the process. Even after a client connection is authenticated, CHAP keeps re-authenticating the client with fresh challenges, which limits what a hijacked or replayed session can achieve.
Like PPTP, L2TP supports EAP and CHAP. However, it also offers support for other authentication methods, for a total of six:
MS-CHAP
SPAP
Kerberos
PAP
As the name suggests, MS-CHAP is a Microsoft-specific extension to CHAP. Microsoft created MS-CHAP to authenticate remote Windows workstations. The goal is to provide the functionality available on the LAN to remote users while integrating the encryption and hashing algorithms used on Windows networks.
Kerberos is one of the most well-known network authentication protocols. It was developed at MIT and is named after the mythical three-headed dog that guarded the gates to Hades.
Shiva Password Authentication Protocol (SPAP) is a proprietary version of PAP. It is considered somewhat more secure than PAP because the password is encrypted when sent, unlike with PAP. However, SPAP is still susceptible to playback (replay) attacks, in which a person records the exchange and plays it back to gain fraudulent access. These are possible because SPAP always uses the same reversible encryption of the password, so the same password produces the same bytes on the wire every time.
Password Authentication Protocol (PAP) is the most basic form of authentication. With PAP, a user's name and password are transmitted over the network and compared to a table of name-password pairs. Typically the passwords stored in the table are hashed, but the transmission itself is in clear text, unencrypted, which is the main weakness of PAP. HTTP Basic authentication has the same weakness: it sends the credentials merely Base64-encoded, not encrypted. PAP should not be used on its own and is presented here mainly for historical purposes; where it survives today it is inside an already-encrypted tunnel.
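The difference between PAP and CHAP is easiest to see on the wire. The following Python is an added example written for this page (not from any PPP implementation): it builds a PAP Authenticate-Request, implements RFC 1994 CHAP with MD5 including the periodic re-challenge, and shows that a captured CHAP response cannot be replayed. The credentials, the ChapServer class and the demo() function are constructed for the example.

```python
import hashlib
import hmac
import os


def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request body (RFC 1334): Peer-ID and Password, both sent as-is."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side of CHAP: issues one-time challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # name -> shared secret
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        """Send a fresh random Challenge; any earlier challenge stops being valid."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding = {self.identifier: chal}
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a Response; the challenge is consumed whether or not it matches."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def demo() -> dict:
    # Constructed credentials for the example.
    secret = b"hunter2"
    server = ChapServer({"alice": secret})
    r = {}
    # PAP: the password is right there in the packet for anyone on the path.
    r["pap_leaks_password"] = secret in pap_request("alice", "hunter2")

    # CHAP: the wire carries only the challenge and a hash, never the secret.
    ident, chal = server.challenge()
    resp = chap_response(ident, secret, chal)
    r["chap_secret_on_wire"] = secret in (chal + resp)
    r["first_auth"] = server.verify(ident, "alice", resp)
    # An eavesdropper who captured (ident, resp) and replays it gets nothing.
    r["replay"] = server.verify(ident, "alice", resp)
    # Periodic re-authentication: a new challenge makes the old response useless.
    ident2, chal2 = server.challenge()
    r["stale_response"] = server.verify(ident2, "alice", resp)
    ident3, chal3 = server.challenge()
    r["reauth"] = server.verify(ident3, "alice", chap_response(ident3, secret, chal3))
    # A wrong secret produces a different hash and is rejected.
    ident4, chal4 = server.challenge()
    r["wrong_secret"] = server.verify(ident4, "alice", chap_response(ident4, b"guess", chal4))
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Note that CHAP only keeps the secret off the wire. An eavesdropper who records a challenge and its response can still run an offline dictionary attack against the MD5 hash, which is why CHAP and MS-CHAP are today normally carried inside a TLS-protected EAP method rather than used bare.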