Virtual Private Networks
Dr Milan Marković

VPN implementations

In the following sections we will discuss these popular VPN implementation methods, including how they are implemented, and their basic advantages and disadvantages:
• GRE
• IPsec
• PPTP
• L2TP
• MPLS
• SSL VPN

GRE

Generic Routing Encapsulation (GRE) is a VPN technology originally developed by Cisco and later written up in two Internet Engineering Task Force (IETF) RFCs, the first of them RFC 1701. Cisco developed GRE as an encapsulation method to take a packet from one protocol, encapsulate it in an IP packet, and transport the encapsulated packet across an IP backbone.

GRE

Given its flexibility in encapsulating many protocols, you would think that GRE would be a great VPN solution, at least compared to other VPN solutions with limited protocol support. However, GRE has two main disadvantages:
• From a Cisco-product perspective, GRE works only on Cisco IOS-based routers.
• GRE lacks protection capabilities; in other words, it doesn't perform tasks such as identity authentication, encryption, and packet integrity checking.
Because of these two limitations, GRE is typically not used as a complete VPN solution; however, it can be combined with other solutions, such as IPsec, to create a more robust and scalable VPN deployment.
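The following is an added example, not part of the lecture, that shows what GRE encapsulation actually does on the wire and why it provides no protection. It builds the RFC 2784 GRE header (version 0, optional checksum) in front of a constructed IPv4 packet, parses it back, and reads the inner addresses from the decapsulated payload. The addresses, payload bytes and the `build_ipv4_packet` helper are constructed for the demonstration; the GRE and IPv4 field layouts are the real ones.

```python
import struct
import ipaddress

GRE_PROTO_IPV4 = 0x0800      # EtherType value carried in the GRE protocol-type field
GRE_FLAG_CHECKSUM = 0x8000   # "C" bit: a checksum + reserved1 word follows the 4-byte header


def internet_checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071), as used by GRE and IPv4."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample inner packet: minimal IPv4 header (no options) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def gre_encapsulate(inner_packet: bytes, with_checksum: bool = True) -> bytes:
    """Prepend a GRE header (version 0). The result becomes the payload of an
    outer IP packet with protocol number 47; the outer header is omitted here."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)              # checksum computed with field zeroed
        csum = internet_checksum(header + inner_packet)
        header = header[:4] + struct.pack("!HH", csum, 0)
    return header + inner_packet


def gre_decapsulate(gre_packet: bytes) -> dict:
    """Parse the GRE header, verify the checksum when present, return the inner packet."""
    flags, proto = struct.unpack("!HH", gre_packet[:4])
    if flags & 0x7 != 0:
        raise ValueError("only GRE version 0 is handled here")
    offset = 4
    checksum_ok = None                                   # None: no checksum present
    if flags & GRE_FLAG_CHECKSUM:
        checksum_ok = internet_checksum(gre_packet) == 0  # a valid packet sums to zero
        offset += 4
    return {"proto": proto, "checksum_ok": checksum_ok, "payload": gre_packet[offset:]}


def inner_addresses(ip_packet: bytes):
    """Read the inner source/destination addresses: they are in the clear to
    anyone on the path, because GRE encrypts nothing."""
    src, dst = struct.unpack("!4s4s", ip_packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


if __name__ == "__main__":
    inner = build_ipv4_packet("10.1.1.10", "10.2.2.20", 17, b"hello")
    tunnelled = gre_encapsulate(inner)
    print(gre_decapsulate(tunnelled)["checksum_ok"], inner_addresses(inner))
```

Note that the GRE checksum is an unkeyed sum: it catches bit errors in transit, but anyone who can rewrite the packet can recompute it, so it is not the "packet integrity checking" the slide says GRE lacks. That is why GRE is run inside IPsec when the traffic needs protection.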

IPSec

Like GRE, IPsec (short for IP Security) is a Layer-3 protocol. However, there are very few similarities between the two protocols. One advantage of GRE over IPsec is that IPsec only supports TCP/IP protocols; it can't natively transport protocols like IPX or AppleTalk. However, because GRE is an IP protocol, you can deploy a GRE tunnel through an IPsec VPN connection to protect non-TCP/IP traffic.

IPsec is actually a combination of standards defined in IETF RFCs. Where GRE doesn't provide any security, IPsec was designed specifically to deal with moving sensitive data, securely, across an unsecured network. The IPsec framework deals with the following three main issues:
• Data confidentiality
• Data integrity
• Data authentication

IPSec

Data confidentiality deals with protecting data from eavesdropping attacks. This is accomplished by using encryption. IPsec supports the DES, 3DES, and AES encryption algorithms. Data integrity deals with verifying whether or not packet contents have been tampered with. This is accomplished by using hashing functions such as MD5 and SHA. Data authentication is used to perform packet and device authentication. Hashing functions are used to verify the identity of the device sending the IPsec packets. Device authentication is used to control which remote devices are allowed to establish IPsec connections to a local device. Three types of device authentication are supported: pre-shared keys, RSA encrypted nonces, and RSA signatures (digital certificates). For remote access connections, user authentication is typically employed.
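As an added example (not from the lecture), the code below shows how the integrity and packet-authentication parts of the IPsec framework work: the hash is used in keyed form (HMAC) with a key both peers share, so a packet whose contents were altered, or one produced by a device that does not hold the key, fails verification and is dropped. The 8-byte SPI/sequence-number prefix mirrors the start of an AH or ESP header, and the 96-bit truncated ICV is the HMAC-SHA-1-96 / HMAC-MD5-96 form IPsec uses; the key and payload are constructed, and encryption (confidentiality) is deliberately left out, so this is not a full ESP implementation.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12   # 96-bit Integrity Check Value: HMAC output truncated, as in HMAC-SHA-1-96


def protect(key: bytes, spi: int, seq: int, payload: bytes, hash_name: str = "sha1") -> bytes:
    """Append an ICV computed with the shared key over SPI, sequence number and payload."""
    header = struct.pack("!II", spi, seq)           # same first 8 bytes as an AH/ESP header
    icv = hmac.new(key, header + payload, hash_name).digest()[:ICV_LEN]
    return header + payload + icv


def verify(key: bytes, packet: bytes, hash_name: str = "sha1"):
    """Return the parsed fields if the ICV matches; otherwise None, meaning the
    receiver discards the packet (tampered, or not from a peer holding the key)."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hash_name).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return {"spi": spi, "seq": seq, "payload": body[8:]}


if __name__ == "__main__":
    shared_key = b"constructed-pre-shared-key"      # constructed; never hard-code real keys
    packet = protect(shared_key, 0x1000, 1, b"payload")
    print(verify(shared_key, packet))
    print(verify(shared_key, packet[:8] + b"PAYLOAD" + packet[15:]))   # None: tampered
```

In a real deployment the per-packet key is not the pre-shared key itself; the pre-shared key (or certificate) authenticates the peers during negotiation and fresh session keys are derived from that exchange. The verification logic, however, is the same as shown.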

IPSec

As compared to other VPN implementations, IPsec is the most popular and most widely deployed, not because IPsec is easy to set up and troubleshoot, but because it is a set of open standards and has been pushed most often by networking vendors since the standards were first ratified. Most networking vendors, when offering a VPN solution, will minimally support IPsec. For example, all of the Cisco devices that support VPN functionality support IPsec.

PPTP

The Point-to-Point Tunneling Protocol (PPTP) was originally developed by Microsoft. Its operation is published in an IETF RFC. Microsoft developed PPTP to provide a VPN solution for Windows-based systems, such as Windows 95, 98, ME, NT, 2000, and XP. Unlike IPsec, which supports all VPN connection types including site-to-site and remote access, PPTP was developed to allow Windows PC clients secure access to a network access server, such as a Windows remote access server (RAS). Therefore, PPTP is used primarily as a remote access protocol, but it does support site-to-site connectivity.

PPTP

PPTP is actually a combination of two standards:
• Point-to-Point Protocol (PPP): This standard is used to define the encapsulation process. PPTP encapsulates PPP packets, containing the payload, within an IP packet, which is transported across a network.
• Microsoft Point-to-Point Encryption (MPPE): This standard is used to provide data confidentiality (encryption) for PPTP.
Unlike IPsec, which only supports TCP/IP protocols, PPTP supports multiple protocols: TCP/IP, IPX, and NetBEUI. Many Cisco products, including IOS routers, PIX firewalls, and VPN 3000 concentrators, support PPTP.

L2TP

One problem with using PPTP is that even though the process was later defined in an IETF RFC, PPTP was a semi-open standard. In other words, if you worked in a Microsoft environment, or with vendors that worked closely with Microsoft, deploying PPTP worked well. However, PPTP typically would not work in a mixed-vendor networking environment.

At that time, other vendors also had semi-open VPN types, including Cisco. The Cisco VPN type was called Layer-2 Forwarding (L2F). To provide an alternative solution to IPsec that fit better into smaller Windows PC-based environments, Microsoft, Cisco, and other vendors worked together to develop a VPN standard that would allow all network vendors to produce compatible VPN products.

L2TP

Basically, L2TP (Layer 2 Tunnel Protocol) is a combination of Cisco L2F and Microsoft's PPTP. L2TP tunnels PPP over a public network, providing services such as data confidentiality. And like GRE, L2TP supports multiple Layer-3 protocols. L2TP incorporates a modified version of Multi-chassis Multilink PPP, which allows a client to stack VPN gateways, making them appear as a single virtual VPN gateway device. L2TP can use MPPE for protection, but like PPTP, this is not as robust as IPsec's protection mechanisms. Because of this, L2TP typically uses IPsec as a protection transport, while still providing some of the same services that Windows environments might need via PPTP.

Cisco no longer supports L2F, but currently supports L2TP on the router, PIX, and concentrator platforms.

L2TP/IPSec

Both Microsoft Windows 2000 and Windows XP support the Layer Two Tunneling Protocol (L2TP) with Internet Protocol Security (IPSec) virtual private network (VPN) connection technology. The combination of L2TP and IPSec, known as L2TP/IPSec, is an alternative to the Point-to-Point Tunneling Protocol (PPTP) and is supported by all current Microsoft 32- and 64-bit operating systems with the latest updates.

L2TP/IPSec vs PPTP - similarities

L2TP/IPSec and PPTP are similar in the following ways:
• They provide a logical transport mechanism to send PPP frames.
• They provide tunneling or encapsulation so that PPP frames based on any protocol can be sent across an IP network.
• They rely on the PPP connection process to perform user authentication, typically using a user name and password, and protocol configuration.

L2TP/IPSec vs PPTP - differences

L2TP/IPSec and PPTP are different in the following ways:
• With PPTP, data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP connection process, so that the user authentication process is encrypted.
• PPTP connections use MPPE, which uses the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm and 40-, 56-, or 128-bit encryption keys. L2TP/IPSec connections use the Data Encryption Standard (DES) algorithm, which uses either a 56-bit key for DES or three 56-bit keys for Triple DES (3DES). Block ciphers encrypt data in discrete blocks (64-bit blocks, in the case of DES). The Microsoft L2TP/IPSec VPN Client supports only DES encryption.
• PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require two levels of authentication. To create the IPSec security associations (SAs) that protect the L2TP-encapsulated data, an L2TP/IPSec client must perform a computer-level authentication with a certificate or a pre-shared key. After the IPSec SAs are successfully created, the L2TP portion of the connection performs the same user-level authentication as PPTP.

MPLS

Multi-Protocol Label Switching (MPLS) specifies how packets are sent to a destination in an efficient manner, similar to how traffic is managed in a Frame Relay or ATM network, where QoS is supported. MPLS VPNs are sometimes referred to as an enhancement to MPLS; however, the term "MPLS VPN" can be very confusing, because an MPLS VPN isn't encrypted and the actual data circuit doesn't even traverse a public network such as the Internet!

MPLS

MPLS circuits are commonly referred to as a VPN. Where IPsec creates a secure connection (tunnel) across a public network, MPLS uses a virtual circuit (VC) across a private network to emulate the VPN function. If you think about the term "virtual private network," a PVC or SVC emulates this type of function in a Frame Relay or ATM network. With MPLS, the tagging information in the MPLS label added to the data provides the segregation function. MPLS can even provide this function in Ethernet backbones. In other words, your traffic is segregated from other people's traffic in the MPLS network. Therefore, your traffic in the carrier's network can be considered "private." Of course, if you're concerned about whether the carrier is eavesdropping on your traffic, an MPLS solution won't solve this problem; you'll have to complement it with another VPN solution, such as IPsec over MPLS.

MPLS

MPLS is similar to VLAN tagging in Ethernet networks; however, unlike Ethernet VLANs, MPLS supports multiple protocols. In other words, you can use MPLS to tag IP packets, Ethernet frames, IPX packets, and much more. And unlike VLAN tagging, MPLS supports broad QoS abilities.

SSL VPN

Secure Sockets Layer (SSL) is an existing technology to encrypt data sent via a web browser connection. Until recently, it was used solely to secure web connections and transactions. However, networking vendors have enhanced SSL to provide SSL-based VPNs. SSL VPNs are used as a remote access VPN solution. One issue with other types of VPNs, such as IPsec, PPTP, and L2TP/IPsec, is that they require special client software to be installed on the remote access client. This requires special configuration and additional management.

SSL VPN

With clientless SSL VPNs, a user uses a web browser as the client software. And because most users have a web browser already installed on their PCs and are very comfortable with web browser applications, there is basically no special client software nor any learning curve involved to use the SSL VPN. SSL VPNs, however, have one limitation: because they are implemented at the application layer, only web-based applications (those via a web browser) can be protected. Other applications, by default, are not protected. In some instances, an SSL VPN vendor can write special code on the SSL VPN gateway device to handle additional applications. But as to what applications are actually supported, this will vary from vendor to vendor. In this instance, a Layer-3 VPN solution, such as IPsec or L2TP/IPsec, would be better because they can protect all traffic from the network layer and above; in other words, these VPNs are not application-specific.

THANK YOU FOR YOUR ATTENTION