Nowadays it is hard to imagine an enterprise without a virtual private network. This is not a new development that arose with the onset of the global crisis triggered by the coronavirus. Even before the pandemic, the technology was used, for example, to securely link up remote branch offices. Which encryption protocols play a role here?
About 25 years ago the concept of the virtual private network (VPN) was developed to protect confidential data transmitted via open networks such as the internet. All data that passes through such a VPN is encrypted before transmission and not decrypted until it reaches its destination. This “tunnel” protects it against attackers who would otherwise be able to easily spy on or manipulate data during transmission.
Over the years, various protocols have been developed for encrypting communication via a VPN. Some, such as IKE and its advanced version IKEv2, have been particularly successful in establishing themselves in enterprises. Others, such as PPTP, have been found to contain security flaws and have declined in significance. The development of new encryption protocols has not stood still. WireGuard, for example, is pursuing an interesting concept, but it is not yet ready for deployment in companies.
The fundamentals of network protocols
A network protocol regulates the exchange of data between computers. The best-known include TCP/IP and UDP. Whereas the Internet Protocol (IP) ensures that a data packet really reaches its destination, the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) monitors data transmission. Although these protocols have established themselves on a broad scale, they have several disadvantages in terms of security:
- Data is transmitted unencrypted
- Each node the packet passes through can read and manipulate the content
- Neither sender nor recipient can be authenticated
- It cannot be determined whether data was transmitted without error, nor whether it actually reached the recipient
- Last but not least, the sender’s address can be easily falsified by means of IP spoofing
These are therefore referred to as plaintext protocols. They allow an attacker to read confidential data such as passwords or other sensitive information, or even to make clandestine changes. Encryption protocols were therefore developed to protect data during transmission. The following sections take a closer look at them.
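To make the difference between a plaintext protocol and a tunnel concrete, here is an added example (not code from the original article) that runs one packet past an untrusted intermediate hop twice: once in the clear and once wrapped in a toy encrypt-then-MAC tunnel built from the Python standard library. The toy cipher (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag, with an ESP-style SPI and sequence number) is an assumption made for illustration; it stands in for the real IPsec ESP or WireGuard ciphers and is not meant for production use. The keys and the message are constructed sample values.

```python
"""Why a tunnel matters: one packet crossing an untrusted hop, in plaintext
and wrapped in a toy encrypt-then-MAC tunnel.

Added example, not from the original article. The toy cipher (HMAC-SHA256
keystream + HMAC-SHA256 tag, standard library only) stands in for the real
IPsec ESP or WireGuard ciphers and is for illustration only.
"""
import hashlib
import hmac
import struct

KEY_ENC = b"enc-key-constructed-for-demo"  # constructed sample keys, not real ones
KEY_MAC = b"mac-key-constructed-for-demo"
HEADER = struct.Struct(">II")  # SPI and sequence number, modelled on the ESP header
TAG_LEN = 32


def _keystream(spi, seq, length):
    """HMAC-SHA256 in counter mode; (spi, seq) is the per-packet nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY_ENC, HEADER.pack(spi, seq) + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def tunnel_encrypt(payload, spi, seq):
    """Encrypt-then-MAC: header || ciphertext || tag(header || ciphertext)."""
    header = HEADER.pack(spi, seq)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(spi, seq, len(payload))))
    tag = hmac.new(KEY_MAC, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def tunnel_decrypt(packet, next_expected_seq):
    """Verify the tag before touching anything else, then reject replays, then decrypt."""
    if len(packet) < HEADER.size + TAG_LEN:
        raise ValueError("truncated packet")
    header, ct, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY_MAC, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    spi, seq = HEADER.unpack(header)
    if seq < next_expected_seq:
        raise ValueError("replayed packet")
    return bytes(c ^ k for c, k in zip(ct, _keystream(spi, seq, len(ct))))


def untrusted_hop(packet, secret, old, new):
    """An intermediate node that tries to read `secret` and rewrite `old` to `new`.
    Returns (forwarded packet, could it read the secret?)."""
    return packet.replace(old, new), secret in packet


def demo():
    """Run the same message through both paths and report what the hop achieved."""
    msg = b"user=alice password=Hunter2 amount=100"  # constructed sample message
    result = {}

    # Plaintext protocol: the hop reads the password and silently changes the amount.
    forwarded, seen = untrusted_hop(msg, b"Hunter2", b"amount=100", b"amount=999")
    result["plain_readable"] = seen
    result["plain_altered_undetected"] = forwarded != msg  # nothing on the receiving side notices

    # Tunnelled: the hop sees no password, and flipping one ciphertext bit fails the tag check.
    packet = tunnel_encrypt(msg, spi=0x1000, seq=1)
    _, seen = untrusted_hop(packet, b"Hunter2", b"amount=100", b"amount=999")
    result["tunnel_readable"] = seen
    tampered = bytearray(packet)
    tampered[HEADER.size] ^= 0x01
    try:
        tunnel_decrypt(bytes(tampered), next_expected_seq=1)
        result["tunnel_tamper_detected"] = False
    except ValueError:
        result["tunnel_tamper_detected"] = True
    result["tunnel_roundtrip_ok"] = tunnel_decrypt(packet, next_expected_seq=1) == msg

    # A recorded packet played back later is rejected by the sequence-number check.
    try:
        tunnel_decrypt(packet, next_expected_seq=2)
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks in `tunnel_decrypt` is the point worth copying: the tag is verified over the header and ciphertext before anything is decrypted or interpreted, and the sequence number is checked before the payload is released, which is the same discipline a real VPN implementation applies.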
The six major encryption protocols for VPNs
Protocols used for VPNs can be divided into two categories. In the first category, a single protocol handles both transport through the tunnel and protection of the data. The second category takes a different approach, combining two protocols: one for transport and one for protecting the data.
1) PPTP
PPTP (Point-to-Point Tunnelling Protocol) is one of the oldest VPN protocols. It was originally developed by Microsoft and 3Com in the 1990s for use in dial-up networks. However, with vulnerabilities having been found in the protocol repeatedly, PPTP is hardly used any more today. Back in 1998, Bruce Schneier, a well-known security expert, published an analysis revealing numerous security flaws.
2) L2TP with IPSec
Layer 2 Tunnel Protocol (L2TP) has no encryption or authentication functions of its own and is therefore usually deployed together with IPSec. In this combination, L2TP is regarded as very secure. IPSec itself is not a single protocol but a suite of several protocols with which data can be transmitted securely via public networks, for example. IPSec provides the encryption and authentication that L2TP lacks.
3) OpenVPN
OpenVPN is free software for establishing VPN connections. It is usually combined with OpenSSL or TLS to encrypt the data being transmitted. In spite of its numerous proven security functions, OpenVPN is used in only a relatively small number of enterprises. In the private sphere, however, the protocol is fairly widespread.
4) SSTP
The abbreviation SSTP stands for Secure Socket Tunnelling Protocol, another protocol developed by Microsoft and introduced with Windows Vista. Its tight integration with the Windows environment is both a blessing and a curse: on the one hand, it makes SSTP relatively easy to use; on the other hand, it works almost exclusively with Windows PCs and servers.
5) IKE or IKEv2 with IPSec
The Internet Key Exchange protocol, which is available in versions 1 and 2, is particularly widespread in enterprises. IKE belongs to the IPSec suite, and so the two work very well together. Like L2TP, it is deployed almost exclusively in combination with IPSec. HCD Consulting also opts for IKE or IKEv2 in combination with IPSec. Both are fully supported by VPN-capable products from Juniper Networks as well as from Cisco and Cisco Meraki.
One advantage of IKE is that interrupted connections can be restored automatically. This simplifies the handling of mobile endpoints connected to the central site via VPN, for example, because it also covers the handover from WiFi to the mobile network. What is more, the protocol is easy to configure at the client end and is considered faster than L2TP, SSTP and even PPTP.
Version 1 of IKE is relatively difficult to configure at the server end: a connection cannot be established if there are even minimal differences between the client and server configurations. This is also a recurring issue with products from different vendors. IKEv2 is more tolerant in such cases. However, it is important to note that IKEv2 is not compatible with its predecessor. Setting up new VPNs in particular has become simpler, more flexible and less error-prone with version 2.
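Because IKEv1 and IKEv2 do not interoperate, a practical first check when a tunnel will not come up (or when inventorying what a mixed-vendor estate actually negotiates) is to look at the fixed IKE header on UDP/500 and UDP/4500, which carries the protocol version and the exchange type. The following is an added example, not code from the original article or from any vendor named in it: a small parser for that header as defined in RFC 2408 (IKEv1) and RFC 7296 (IKEv2), including the four-byte non-ESP marker that separates IKE from ESP-in-UDP on port 4500. The datagrams at the bottom are constructed samples, not real captures.

```python
"""Identify IKE version and exchange type from the fixed IKE header.

Added example, not from the original article. The header layout is the
one shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296); parsing it lets a
defender inventory which version peers actually negotiate on UDP/500 and
UDP/4500, which matters because IKEv1 and IKEv2 do not interoperate.
The datagrams at the bottom are constructed samples, not captures.
"""
import struct

# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct(">8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # on UDP/4500 (NAT-T) this prefix marks IKE rather than ESP-in-UDP

EXCHANGE_TYPES = {
    1: {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}
IKEV2_FLAG_INITIATOR = 0x08  # RFC 7296 flags: bit 3 Initiator, bit 5 Response
IKEV2_FLAG_RESPONSE = 0x20


def parse_ike(datagram, udp_port):
    """Return a summary dict for one IKE datagram, or raise ValueError if it is not IKE."""
    data = datagram
    if udp_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without non-ESP marker: ESP-in-UDP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, exchange, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major not in EXCHANGE_TYPES:
        raise ValueError(f"unknown IKE major version {major}")
    if length > len(data):
        raise ValueError(f"header claims {length} bytes, datagram has {len(data)}")
    info = {
        "version": f"IKEv{major}" + (f".{minor}" if minor else ""),
        "exchange": EXCHANGE_TYPES[major].get(exchange, f"unknown ({exchange})"),
        "spi_i": spi_i.hex(),
        "spi_r": spi_r.hex(),
        "message_id": msg_id,
        "nat_t": udp_port == 4500,
    }
    if major == 2:
        info["initiator"] = bool(flags & IKEV2_FLAG_INITIATOR)
        info["response"] = bool(flags & IKEV2_FLAG_RESPONSE)
    return info


def build_sample(major, exchange, flags, body):
    """Construct a syntactically valid IKE datagram for the demo (not a real capture)."""
    next_payload = 33 if major == 2 else 1  # SA payload type in each version
    return IKE_HEADER.pack(b"\x01" * 8, b"\x00" * 8, next_payload, major << 4,
                           exchange, flags, 0, IKE_HEADER.size + len(body)) + body


SAMPLES = [  # (udp_port, datagram), all constructed
    (500, build_sample(2, 34, IKEV2_FLAG_INITIATOR, b"\x00" * 16)),  # IKEv2 IKE_SA_INIT request
    (4500, NON_ESP_MARKER + build_sample(2, 35, IKEV2_FLAG_RESPONSE, b"\x00" * 8)),  # IKE_AUTH reply via NAT-T
    (500, build_sample(1, 2, 0x00, b"\x00" * 12)),  # IKEv1 main mode
    (4500, b"\x00\x00\x10\x00" + b"\x00" * 24),  # ESP-in-UDP (non-zero SPI), not IKE
]


def inventory(samples):
    """Summarise each datagram as 'version exchange', or the reason it was skipped."""
    out = []
    for port, datagram in samples:
        try:
            info = parse_ike(datagram, port)
            out.append(f"{info['version']} {info['exchange']}")
        except ValueError as err:
            out.append(f"skipped: {err}")
    return out


if __name__ == "__main__":
    print("\n".join(inventory(SAMPLES)))
```

Feeding real UDP payloads from a capture into `parse_ike` is enough to see at a glance whether one side is still speaking IKEv1 while the other expects IKEv2; the parser deliberately stops at the header and does not interpret payloads, which is all a version inventory needs.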
6) WireGuard
Like OpenVPN, WireGuard is free software developed under an open-source licence. However, it is still in a fast-moving development cycle, and new versions are published all the time. One of its key benefits is its very small codebase, which makes it much easier to find security-related bugs than in OpenVPN, for example. Like IKEv2, WireGuard supports handover between different networks. Together with its high energy efficiency, this makes the protocol interesting for use with mobile endpoints.
Until recently, however, users needed admin rights on their computer to activate a VPN tunnel with WireGuard, and in most enterprises there are good reasons not to grant end-users administrative rights. This problem was not resolved until an update was released at the end of 2020; it is now possible to start a VPN connection on an endpoint without elevated rights.
VPN users are spoilt for choice among encryption protocols. Whereas hardly anyone in companies still uses PPTP, SSTP, L2TP and OpenVPN are limited to specific environments. The deployment of IKE or IKEv2 in combination with IPSec is therefore a good choice, as it is widely used and provides a high level of security. Although WireGuard, the newcomer on the scene, is interesting in terms of its concept, it plays no role as yet in most enterprises. We will be happy to advise you on all questions concerning VPNs.