[ISN] Protocols serve up VPN security

From: cult hero <jericho_at_dimensional.com>
Date: Sat 05 Jun 1999 - 10:13:55 CDT
Forwarded From: darek milewski <darekm@cmeasures.com>

http://www2.nwfusion.com:8001/cgi-bin/print.cgi?article=http://www.nwfusion.com/news/tech/0531tech.html

Protocols serve up VPN security
By GREG MARCOTTE
Network World, 05/31/99

As the need to securely open corporate LANs to telecommuters and disparate
corporate sites grows, virtual private networks (VPN) continue to meet the
demand. VPNs - which establish private, secure sessions between two or
more LANs or between remote users and a LAN - use the Internet or private
IP networks to distribute data and enable corporations to eliminate
additional, often expensive, dedicated lines or remote access servers. 

Today, network executives must weigh two protocols that specify how VPNs
should be built. The Point-to-Point Tunneling Protocol (PPTP) and IP
Security (IPSec) protocol enable private sessions over the Internet and
securely link remote users to corporate networks. The protocols also
possess relative strengths and weaknesses in data security and ease of
deployment.  Network managers must determine which VPN protocol best suits
the need of their organizations. 


[Diagram: how PPTP works]

PPTP vs. IPSec security

Spearheaded by Microsoft and US Robotics, PPTP was first intended for
dial-up VPNs. The protocol was meant to augment remote access usage by
letting users dial in to local ISPs and tunnel into their corporate
networks. Unlike IPSec, PPTP was not intended to address LAN-to-LAN
tunneling when it was first created. 

PPTP extends PPP, the link-layer protocol that frames traffic over a
point-to-point connection such as a dial-up line. PPP is widely used to
connect dial-up and broadband users to the public Internet or to private
corporate networks. PPTP carries whole PPP frames inside GRE packets over
IP (the tunnel's control connection runs separately over TCP port 1723).
Because PPP works at Layer 2, a PPTP tunnel can carry anything PPP can
frame, including IPX and NetBEUI, not just IP. IPSec, on the other hand,
works at Layer 3 and can only provide tunneled transport of IP packets. 
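The encapsulation described above, as an added example that is not part of the original article: a builder and parser for the RFC 2637 enhanced-GRE header PPTP uses on its data channel, with the PPP protocol field read out of the payload to show that IPX rides the tunnel exactly as IP does. The sample IPv4 and IPX frames are constructed dummies, not captures, and the parser checks the GRE length field against the buffer before trusting it.

```python
import struct

# RFC 2637 "enhanced GRE" header used by PPTP for the data channel (IP protocol 47).
GRE_PROTO_PPP = 0x880B                               # protocol type: PPP
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080      # key, sequence number, ack present
GRE_VERSION = 0x0001                                 # low 3 bits of the flags word; 1 for PPTP

# PPP protocol numbers for the payloads the article mentions (IANA assigned numbers).
PPP_PROTOCOLS = {
    0x0021: "IPv4",
    0x002B: "IPX",
    0x003F: "NetBEUI (NBF)",
    0x00FD: "MPPE-encrypted PPP",   # with MPPE on, this is all an on-path observer sees
}

def build_pptp_gre(call_id, seq, ppp_frame, ack=None):
    """Encapsulate one PPP frame the way a PPTP endpoint does."""
    flags = FLAG_K | FLAG_S | GRE_VERSION
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack(">HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    hdr += struct.pack(">I", seq)
    if ack is not None:
        hdr += struct.pack(">I", ack)
    return hdr + ppp_frame

def parse_pptp_gre(pkt):
    """Parse an enhanced-GRE packet; reject anything that is not well-formed PPTP data."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, proto, plen, call_id = struct.unpack(">HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != GRE_VERSION or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced-GRE packet")

    def u32(off):
        if len(pkt) < off + 4:
            raise ValueError("truncated GRE header")
        return struct.unpack(">I", pkt[off:off + 4])[0]

    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = u32(off), off + 4
    if flags & FLAG_A:
        ack, off = u32(off), off + 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:          # never trust the length field past the end of the buffer
        raise ValueError("truncated payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}

def ppp_protocol(ppp_frame):
    """Return (protocol number, name, payload); an RFC 1662 address/control prefix FF 03 is optional."""
    if ppp_frame[:2] == b"\xff\x03":
        ppp_frame = ppp_frame[2:]
    if len(ppp_frame) < 2:
        raise ValueError("PPP frame too short for a protocol field")
    proto = struct.unpack(">H", ppp_frame[:2])[0]
    return proto, PPP_PROTOCOLS.get(proto, "unknown"), ppp_frame[2:]

# Constructed sample frames (dummy headers, not real captures).
SAMPLE_IPV4 = b"\x00\x21" + b"\x45\x00\x00\x1c" + b"\x00" * 24             # PPP proto 0x0021, IPv4
SAMPLE_IPX = b"\xff\x03\x00\x2b" + b"\xff\xff\x00\x1e" + b"\x00" * 26       # FF 03 prefix, proto 0x002B, IPX

def demo():
    """Tunnel an IP and an IPX frame over the same PPTP call and report what came out."""
    frames = (SAMPLE_IPV4, SAMPLE_IPX)
    tunnel = [build_pptp_gre(call_id=7, seq=n + 1, ppp_frame=f) for n, f in enumerate(frames)]
    return [ppp_protocol(parse_pptp_gre(p)["ppp"])[1] for p in tunnel]   # -> ["IPv4", "IPX"]

if __name__ == "__main__":
    print(demo())
```

Everything in the GRE header (call ID, sequence and acknowledgement numbers) and the PPP protocol field travels in the clear; MPPE only encrypts the PPP payload, so the tunnel is easy to identify and count even when its contents are not readable.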

The encryption method commonly used with PPTP is negotiated at the PPP
layer. Typically the PPTP client is a Microsoft desktop, and the encryption
protocol used is Microsoft Point-to-Point Encryption (MPPE). MPPE uses the
RC4 stream cipher from RSA Data Security with 40-bit or 128-bit keys.
Although this level of encryption is satisfactory for many applications,
it is generally regarded as weaker than some of the algorithms offered by
IPSec, particularly 168-bit Triple-Data Encryption Standard (DES). Key
length is only part of the picture: MPPE derives its session keys from the
user's password hash, so their real strength is bounded by the password,
and MPPE encrypts without adding any integrity check to the data. 

Protect and serve

Meanwhile, IPSec was built for secure tunneling over the Internet between
protected LANs. It was meant for connections to a remote office, another
LAN or a corporate supplier. For instance, a large automotive company could
use an IPSec VPN to securely connect its suppliers and carry purchase
orders over the 'Net. 

IPSec also supports connections between remote users and corporate
networks. Similarly, Microsoft added LAN-to-LAN tunneling support for PPTP
in its Routing and Remote Access Server for Windows NT Server 4.0. 

When it comes to strong encryption and data integrity, IPSec is generally
regarded as superior. The protocol combines key management (IKE) with
support for X.509 certificates, per-packet integrity checking and
confidentiality. Furthermore, 168-bit Triple-DES, the strongest encryption
available in IPSec, is more secure than 128-bit RC4 (note that Triple-DES
with three keys offers roughly 112 bits of effective strength against a
meet-in-the-middle attack, not 168; the comparison still holds). IPSec
also encrypts and authenticates packet by packet: each packet carries a
keyed hash (HMAC) over its contents plus a sequence number, so a packet
that is modified, forged or replayed in transit is rejected. That defeats
the "man-in-the-middle attack," in which data is intercepted by a third
party, altered and sent on to the receiver; keeping an attacker out at
tunnel setup additionally depends on IKE authenticating the peers with
certificates or pre-shared secrets. 

PPTP, however, is exposed to such tampering, primarily because it
authenticates the user when the session is set up but not the individual
packets. MPPE provides confidentiality only, and because RC4 is a stream
cipher an attacker who can guess part of the plaintext can flip the
corresponding bits of the ciphertext and the change goes undetected. Note,
however, that mounting a successful attack of this kind against a PPTP
connection would take considerable effort and know-how. 
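The difference between the two tunnels described in the last three paragraphs, as an added example that is not part of the original article: a PPP payload encrypted MPPE-style (RC4, no authenticator) is silently altered by a ciphertext bit-flip, while the same flip, and a replay, against an ESP-style packet (SPI and sequence number, HMAC-SHA1-96 integrity check, RFC 2401-style anti-replay window) are rejected. To isolate the integrity and replay point, RC4 is kept as the cipher on both sides (the standard library has no Triple-DES, and the article's 3DES-versus-RC4 comparison is a separate issue); the ESP side derives a fresh per-packet key with HMAC as a stand-in for a block cipher's per-packet IV. MPPE's real key schedule is not modelled, and the payload, keys and SPI are constructed values.

```python
import hmac
import hashlib
import struct

def rc4(key, data):
    """Plain RC4 (the cipher MPPE uses); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def flip_bits(ct, offset, known, wanted):
    """Stream-cipher malleability: patch ciphertext so the `known` bytes at `offset` decrypt to `wanted`."""
    delta = bytes(a ^ b for a, b in zip(known, wanted))
    patched = bytes(c ^ d for c, d in zip(ct[offset:offset + len(delta)], delta))
    return ct[:offset] + patched + ct[offset + len(delta):]

# Constructed sample payload and keys (not real traffic or real MPPE/IPSec key material).
PPP_PAYLOAD = b"TRANSFER 0100 USD TO ACCT 4411"
MPPE_KEY = bytes(range(16))
ENC_KEY, AUTH_KEY, SPI = b"enc-key-example!", b"auth-key-example", 0x1001

def mppe_forgery():
    """MPPE-style tunnel: confidentiality only. The altered packet decrypts cleanly; nothing notices."""
    ct = rc4(MPPE_KEY, PPP_PAYLOAD)
    forged = flip_bits(ct, 9, b"0100", b"9900")    # attacker guesses the amount field's position
    return rc4(MPPE_KEY, forged)                     # -> b"TRANSFER 9900 USD TO ACCT 4411"

class EspSender:
    """ESP-style packet: (SPI, seq) | ciphertext | 96-bit HMAC-SHA1 ICV over header + ciphertext."""
    def __init__(self, enc_key, auth_key, spi):
        self.enc_key, self.auth_key, self.spi, self.seq = enc_key, auth_key, spi, 0

    def send(self, plaintext):
        self.seq += 1
        hdr = struct.pack(">II", self.spi, self.seq)
        pkt_key = hmac.new(self.enc_key, hdr, hashlib.sha256).digest()   # fresh keystream per packet
        body = rc4(pkt_key, plaintext)
        icv = hmac.new(self.auth_key, hdr + body, hashlib.sha1).digest()[:12]
        return hdr + body + icv

class EspReceiver:
    def __init__(self, enc_key, auth_key, spi, window=32):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.window, self.last, self.bitmap = window, 0, 0   # sliding anti-replay window

    def receive(self, pkt):
        hdr, body, icv = pkt[:8], pkt[8:-12], pkt[-12:]
        spi, seq = struct.unpack(">II", hdr)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        expected = hmac.new(self.auth_key, hdr + body, hashlib.sha1).digest()[:12]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")      # modified or forged in transit
        self._check_replay(seq)                              # only after the ICV: forgeries must not move the window
        pkt_key = hmac.new(self.enc_key, hdr, hashlib.sha256).digest()
        return rc4(pkt_key, body)

    def _check_replay(self, seq):
        if seq == 0:
            raise ValueError("replay: sequence number 0 is never valid")
        if seq > self.last:                                   # newer than anything seen: slide the window
            shift = seq - self.last
            mask = (1 << self.window) - 1
            self.bitmap = 1 if shift >= self.window else ((self.bitmap << shift) | 1) & mask
            self.last = seq
            return
        behind = self.last - seq
        if behind >= self.window:
            raise ValueError("replay: sequence number too old")
        if (self.bitmap >> behind) & 1:
            raise ValueError("replay: duplicate sequence number")
        self.bitmap |= 1 << behind

def esp_results():
    """The same bit-flip, then a replay, against the ESP-style tunnel; both are rejected."""
    sender = EspSender(ENC_KEY, AUTH_KEY, SPI)
    receiver = EspReceiver(ENC_KEY, AUTH_KEY, SPI)
    pkt = sender.send(PPP_PAYLOAD)
    results = {"genuine": receiver.receive(pkt)}
    attempts = (("tampered", flip_bits(pkt, 8 + 9, b"0100", b"9900")), ("replayed", pkt))
    for label, attempt in attempts:
        try:
            receiver.receive(attempt)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results

if __name__ == "__main__":
    print(mppe_forgery())
    print(esp_results())
```

The point is that the bit-flip works regardless of key length: a 128-bit RC4 key does nothing against it, and only the per-packet authenticator and sequence number on the ESP side turn "intercept, alter, forward" from a silent success into a dropped packet.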

For many corporations, the ability to run PPTP from the Windows platform
(it supports Windows NT, 95 and 98) can make deploying and maintaining a
VPN seamless. For others, PPTP is perceived as less secure than IPSec. 

Bear in mind, however, that for remote users IPSec requires an
organization to load specialized client software on each desktop, whereas
the PPTP client ships with Windows. Client software deployment and
maintenance are a weighty undertaking that must be considered. In terms of
simplicity, PPTP is substantially easier to deploy. 



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
Received on Mon Jun 7 09:55:41 1999