Page222

VPN

Virtual Private Networks (VPNs) secure data sent via insecure networks such as the Internet. The goal is to provide, virtually, the privacy of a dedicated circuit such as a T1. The nuts and bolts of VPNs involve secure authentication, cryptographic hashes such as SHA-1 to provide integrity, and ciphers such as AES to provide confidentiality.

Note
The cryptographic details of the VPN protocols discussed here are covered in depth in Chapter 4, Domain 3: Security Architecture and Engineering.

SLIP and PPP

SLIP (Serial Line Internet Protocol) is a Layer 2 protocol that provides IP connectivity via asynchronous connections such as serial lines and modems. When SLIP was first introduced in 1988, it allowed routing packets via modem links for the first time (previously, modems were primarily used for non-routed terminal access). SLIP is a bare-bones protocol that provides no built-in confidentiality, integrity, or authentication. SLIP has largely faded from use, replaced with PPP.

PPP (Point-to-Point Protocol) is a Layer 2 protocol that has largely replaced SLIP. PPP is based on HDLC (discussed previously) and adds confidentiality, integrity, and authentication over point-to-point links. PPP supports synchronous links (such as T1s) in addition to asynchronous links such as modems.

PPTP and L2TP

PPTP (Point-to-Point Tunneling Protocol) tunnels PPP via IP. It was developed by a consortium of vendors including Microsoft, 3COM, and others. PPTP uses GRE (Generic Routing Encapsulation) to carry PPP over IP, and a separate TCP control channel on TCP port 1723.

L2TP (Layer 2 Tunneling Protocol) combines PPTP and L2F (Layer 2 Forwarding, designed to tunnel PPP). L2TP focuses on authentication and does not provide confidentiality; it is frequently used with IPsec to provide encryption. Unlike PPTP, L2TP can also be used on non-IP networks, such as ATM.

IPsec

IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPsec (Internet Protocol Security) was designed to provide confidentiality, integrity, and authentication via encryption for IPv6; it has since been ported to IPv4. IPsec is a suite of protocols; the two major ones are Encapsulating Security Payload (ESP) and Authentication Header (AH). Each has an IP protocol number: ESP is protocol 50; AH is protocol 51.
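The protocol numbers and ports above are what a firewall rule or a network monitor actually keys on, so the following added example (written for this edit, not code from the book) classifies raw IPv4 packets as IPsec ESP (protocol 50), IPsec AH (protocol 51), PPTP control traffic (TCP port 1723) or PPTP data. The page gives ESP, AH and port 1723; the example additionally assumes the standard IANA values that GRE is IP protocol 47 and that PPTP carries PPP inside GRE with protocol type 0x880B. All packets are constructed inline from documentation address ranges, so it runs offline; a defender can point the same functions at a capture to inventory which tunnels are leaving a network.

```python
"""Classify VPN tunnel traffic by IP protocol number and TCP port.

Added example, not from the book. Identifiers it relies on: ESP is IP
protocol 50, AH is 51 and PPTP's control channel is TCP port 1723 (all from
the text); GRE is IP protocol 47 and PPTP carries PPP inside GRE with
protocol type 0x880B (standard IANA / RFC 2637 values, assumed here).
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47
PROTO_ESP = 50
PROTO_AH = 51
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet: 20-byte header, no options, zero checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); honours IHL so options are skipped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])


def ipsec_spi(pkt):
    """Extract the SPI from an ESP or AH packet (None for anything else).

    ESP starts directly with its 4-byte SPI; AH has next-header, payload
    length and reserved fields (4 bytes) before the SPI.
    """
    _, _, proto, payload = parse_ipv4(pkt)
    if proto == PROTO_ESP:
        offset = 0
    elif proto == PROTO_AH:
        offset = 4
    else:
        return None
    if len(payload) < offset + 4:
        raise ValueError("truncated IPsec header")
    return struct.unpack_from("!I", payload, offset)[0]


def classify(pkt):
    """Label one packet: ipsec-esp, ipsec-ah, pptp-data, gre, pptp-control, other."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto == PROTO_ESP:
        return "ipsec-esp"
    if proto == PROTO_AH:
        return "ipsec-ah"
    if proto == PROTO_GRE:
        # GRE header: 2 bytes of flags/version, then a 2-byte protocol type.
        if len(payload) >= 4 and struct.unpack_from("!H", payload, 2)[0] == GRE_PROTO_PPP:
            return "pptp-data"
        return "gre"
    if proto == PROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack_from("!HH", payload, 0)
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    return "other"


def summarize(packets):
    """Count labels over a packet list, e.g. for a per-host tunnel inventory."""
    return dict(Counter(classify(p) for p in packets))


# Constructed sample traffic (addresses are from the documentation ranges).
SAMPLE_PACKETS = [
    # ESP: SPI 0x1234abcd, sequence 1, then opaque encrypted payload.
    build_ipv4("203.0.113.10", "198.51.100.1", PROTO_ESP,
               struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    # AH: next header TCP, payload length 4 (24-byte header), SPI 0xcafebabe.
    build_ipv4("203.0.113.10", "198.51.100.1", PROTO_AH,
               struct.pack("!BBHII", PROTO_TCP, 4, 0, 0xCAFEBABE, 7) + b"\x00" * 12),
    # PPTP data: enhanced GRE (K and S bits set, version 1) carrying PPP.
    build_ipv4("203.0.113.20", "198.51.100.2", PROTO_GRE,
               struct.pack("!HH", 0x3001, GRE_PROTO_PPP) + b"\x00" * 8),
    # PPTP control: TCP SYN to port 1723.
    build_ipv4("203.0.113.20", "198.51.100.2", PROTO_TCP,
               struct.pack("!HHIIBBHHH", 51234, PPTP_CONTROL_PORT, 0, 0, 0x50, 0x02, 65535, 0, 0)),
    # Ordinary UDP datagram to port 53; falls through to "other".
    build_ipv4("203.0.113.30", "198.51.100.53", PROTO_UDP,
               struct.pack("!HHHH", 40000, 53, 8, 0)),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        src, dst, proto, _ = parse_ipv4(pkt)
        print(f"{src} -> {dst} proto={proto:<3} {classify(pkt)}")
    print(summarize(SAMPLE_PACKETS))
```

Note the practical difference this exposes: ESP and AH are their own IP protocols rather than TCP or UDP ports, so a firewall that filters only by port will pass or block them by accident, and a monitor that ignores protocols 47, 50 and 51 will not see the tunnels at all. The SPI recovered by `ipsec_spi` is the value to correlate against a gateway's security association table when troubleshooting.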

Note
This chapter describes the network aspects of IPsec, SSL, and TLS: see Chapter 4, Domain 3: Security Architecture and Engineering, for the cryptographic aspects of these protocols.

IPsec Architectures

IPsec has three architectures: host-to-gateway, gateway-to-gateway, and host-to-host. Host-to-gateway mode (also called client mode) is used to connect one system that runs IPsec client software to an IPsec gateway. Gateway-to-gateway (also called point-to-point) connects two IPsec gateways, which form an IPsec connection that acts as a shared routable network connection, like a T1. Finally, host-to-host mode connects two systems (such as file servers) to each other via IPsec. Many modern operating systems, such as Windows 10 or Ubuntu Linux, can run IPsec natively, allowing them to form host-to-gateway or host-to-host connections.