VPN Protocols are the rules and technologies used to secure VPN connections. Common protocols include OpenVPN, IPsec, L2TP, PPTP, SSL & TLS. Each of these protocols offers different features and levels of security.
The world of VPNs sure is full of acronyms and words that may make your eyes glaze over at first.
That's why we decided to throw this post together.
Today we are taking a look at VPN protocols.
In particular, we'll be looking at the pros and cons of each of the following protocols:
- PPTP
- L2TP & L2TP/IPsec
- OpenVPN
- SSTP
- IKEv2
So read on now and get your dose of VPN protocol know-how.
PPTP
Point-to-Point Tunnelling Protocol (PPTP) was created by a consortium involving Microsoft in an attempt to create a VPN that could be used over dial-up networks.
Since then, it has become a standard protocol for internal business VPNs.
While it is only a tunnelling protocol, it relies on a number of separate authentication methods to provide security.
It is a popular choice for businesses as well as VPN providers, and it comes as standard on every VPN-capable platform or device. Setup is efficient and simple and there is no requirement for extra software to be installed.
It now uses 128-bit encryption keys, but since it was bundled with Windows 95 in 1999 a number of security weaknesses have been found, the most serious being the possibility of unencapsulated MS-CHAP v2 authentication.
Through this weakness, PPTP was exploited within a couple of days, but the weakness has since been identified and fixed. However, with this came a recommendation from Microsoft that VPN users should now use L2TP/IPsec or SSTP as an alternative.
It was already common knowledge that PPTP was insecure, and PPTP-encrypted communications are decrypted by the NSA as standard. A further concern is that the NSA has gone so far as to decrypt large amounts of stored data, data that was encrypted at a time when PPTP was considered secure by security experts.
The advantages of using PPTP are that the client is built into a wide range of platforms, it is very simple to set up and it works efficiently.
The disadvantages are the lack of security and the fact that it has been exploited by the NSA.
L2TP and L2TP/IPsec
Layer 2 Tunnelling Protocol (L2TP) is a VPN protocol which, when used on its own, does not offer any form of encryption or protection for the traffic that flows through it. Therefore, it is commonly paired with IPsec, an encryption suite that offers enhanced security as well as privacy.
Many operating systems and VPN-capable devices now include L2TP/IPsec. Just as with PPTP, setup can be completed quickly and easily.
Possible problems are associated with the L2TP protocol using UDP port 500. This is a port that is commonly blocked by NAT firewalls, which means that additional, advanced configuration will have to be implemented should it be used behind a firewall.
There are no known major weaknesses with IPsec and, if it is applied correctly, it will offer a certain level of security. Data is encapsulated twice with L2TP/IPsec, which causes the speed to decrease; however, this is balanced out because encryption and decryption take place in the kernel and L2TP/IPsec enables multi-threading.
Therefore, L2TP/IPsec offers a higher speed when compared to that of OpenVPN.
In terms of advantages, it is seen to be very secure and, once again, it is simple to set up. Its speed in comparison to OpenVPN makes it favourable and it can be found on all modern platforms.
However, there is a possibility that it could be compromised by the NSA, which contributes to its weaknesses, and firewalls with strict restrictions can prove difficult.
OpenVPN
OpenVPN is a relatively new form of technology that relies on the OpenSSL library and the SSLv3/TLSv1 protocols, as well as other technologies, to offer a VPN solution that is both reliable and secure.
It is very easy to configure and alter, and even though it works more efficiently on a UDP port it can be configured to run on any port, including TCP port 443. Traffic is then difficult to block, as it is hard to differentiate from standard HTTPS traffic over SSL.
As it uses the OpenSSL library for encryption, it supports a number of cryptographic algorithms such as AES, Blowfish, 3DES and CAST-128, among others. Many VPN providers choose to use AES or Blowfish, and 128-bit Blowfish is built into OpenVPN. It is considered to be secure but there are some known security flaws.
AES is the more recent technology and does not have any known security issues.
The US government has adopted it to protect its secure data; therefore, it is seen as the main player when it comes to encryption. It is better able to deal with large files as a result of using a 128-bit block size instead of the 64-bit block size used by Blowfish.
The encryption used determines the speed of OpenVPN, but IPsec is faster than OpenVPN because encryption and decryption take place in the kernel and it allows multi-threading.
No platform natively supports OpenVPN, but it is supported by most types of third-party software, which means that it is now the default VPN connection type.
It can be a little tricky to set up compared to PPTP and L2TP/IPsec, as when using generic OpenVPN software additional configuration files must also be downloaded and set up. To deal with this configuration issue, VPN providers now offer customised VPN clients.
The advantages of OpenVPN are that it is easily customisable and extremely secure. It does not have problems with firewalls in the way L2TP/IPsec does and it can implement a varied range of encryption algorithms. As it is open source, it can be checked for any weaknesses or interference.
It does require third-party software in order to work and it can be difficult to set up. While it works well on desktop machines, it is still not up to speed for use on mobile devices, although this is changing.
SSTP
Microsoft introduced Secure Socket Tunneling Protocol (SSTP) in Windows Vista and it is still considered to be a Windows-only platform, even though it is available on a number of other operating systems.
It has very similar advantages to OpenVPN, as SSTP uses SSL v3, and it has greater stability as it is included with Windows, which also makes it simpler to use.
SSTP is owned by Microsoft, which means that the code cannot be inspected by the public in the way OpenVPN's can. Microsoft has been linked with co-operating with the NSA, and the possibility of backdoors being built into Windows operating systems is a cause for concern.
It does come with a number of advantages, the first being security, which is extremely strong. It comes as part of Windows, which means it can benefit from Microsoft support when required. It can get around firewall problems fairly easily and there is the option to use Perfect Forward Secrecy.
There are some disadvantages, such as the fact that it only works within a Windows environment and, because Microsoft owns it, unlike OpenVPN it cannot be checked independently for weaknesses.
IKEv2
Created jointly by Microsoft and Cisco, Internet Key Exchange version 2 (IKEv2) is an IPsec tunnelling protocol that was implemented in Windows 7. In a way it is not a VPN protocol, although it is treated as one; rather, it acts as a protocol for controlling IPsec key exchange.
Microsoft calls it VPN Connect, and it helps to re-establish a VPN connection when internet connections drop. It therefore benefits mobile users, who also benefit from its support for the Mobility and Multihoming protocol, which makes it resistant to constantly changing networks.
It is not as universal as IPsec, being supported by fewer platforms, but it is seen to be on the same level as L2TP/IPsec or even better when it comes to security and the stability it offers alongside increased speeds.
IKEv2 offers increased speed when compared to PPTP, SSTP and L2TP, and its stability makes it perfect for switching networks or reconnecting when a connection has been lost. It supports a number of ciphers and is therefore extremely secure, as well as being easy to set up.
However, not many platforms support it, and using it with servers can be difficult, which can lead to problems at a later stage.
There are a number of options available, but you should always look to choose OpenVPN where possible, although IKEv2 is the best option if you are working on a mobile device.
PPTP does not offer a huge amount of security, and the fact that Microsoft has abandoned it should cause alarm bells to ring; therefore, it should not be chosen. SSTP is very similar to OpenVPN in terms of advantages, but these can only be seen in a Windows environment.
If you are looking for a quick fix to protect your device from criminal activity when connecting to a public WiFi hotspot, then L2TP/IPsec will do the job perfectly well. Given that OpenVPN is open source and is becoming increasingly available, it is more than likely the right choice for most.
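An added example, not code from the original post: a small audit that classifies connection records by the transport signatures of the protocols discussed above, so an administrator can see which are in use on a network and which hosts still rely on PPTP, the protocol the post says to drop. The record format and the sample flows are constructed; the port numbers are the standard defaults (assumed to be in use), which the post only partly lists.

```python
from collections import Counter

# Transport signatures of the protocols covered above, keyed by
# (ip_protocol, destination_port). These are the standard default ports
# (assumption: a deployment on non-default ports will not match).
# OpenVPN on TCP 443 and SSTP are deliberately absent: by port alone they
# look like ordinary HTTPS, which is the point the post makes about 443.
SIGNATURES = {
    ("tcp", 1723): "PPTP (control channel)",
    ("gre", None): "PPTP (GRE data channel)",
    ("udp", 1701): "L2TP",
    ("udp", 500): "IKE (L2TP/IPsec or IKEv2)",
    ("udp", 4500): "IKE NAT-T (L2TP/IPsec or IKEv2)",
    ("udp", 1194): "OpenVPN (default UDP port)",
}

def parse_record(line):
    """Parse a constructed 'src dst proto dport' record; '-' means no port."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), (None if dport == "-" else int(dport))

def classify(proto, dport):
    """Return the VPN label for one flow, or None if no signature matches."""
    return SIGNATURES.get((proto.lower(), dport))

def audit(records):
    """Count VPN protocols seen and list hosts still using PPTP."""
    seen = Counter()
    pptp_hosts = set()
    for line in records:
        src, _dst, proto, dport = parse_record(line)
        label = classify(proto, dport)
        if label is None:
            continue
        seen[label] += 1
        if label.startswith("PPTP"):   # the protocol the post says to drop
            pptp_hosts.add(src)
    return seen, sorted(pptp_hosts)

# Constructed sample flow records (not real traffic): "src dst proto dport".
SAMPLE_FLOWS = [
    "10.0.0.5 203.0.113.10 tcp 1723",
    "10.0.0.5 203.0.113.10 gre -",
    "10.0.0.7 203.0.113.10 udp 500",
    "10.0.0.7 203.0.113.10 udp 4500",
    "10.0.0.9 203.0.113.20 udp 1194",
    "10.0.0.9 203.0.113.20 tcp 443",
    "10.0.0.11 198.51.100.1 tcp 80",
]
```

Calling audit(SAMPLE_FLOWS) returns the per-protocol counts and ['10.0.0.5'] as the only host still on PPTP; the TCP 443 and TCP 80 flows are left unclassified, since a port-level check cannot tell OpenVPN-over-443 or SSTP apart from HTTPS.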