Chapter 10. VPN Menu
10.1 Introduction to VPN Technologies
PPTP and IPSec are the two most popular VPN tunneling protocols. Tunneling
protocols are at the heart of all VPN implementations. VPN tunneling involves
establishing and maintaining a logical network connection, on which the encapsulated
packets are transmitted securely.
Tunneling protocols operate at the data link layer (Layer 2) or network layer (Layer 3)
of the OSI model. Layer 2 tunneling protocols, such as PPTP, use frames as their unit
of exchange, and encapsulate the original packets inside PPP frames before sending
them through a VPN tunnel over the Internet. Layer 3 tunneling protocols, such as
IPSec (in tunnel mode), use packets as their unit of exchange, and encapsulate IP
packets in an additional IP header before sending them through a VPN tunnel over the
Internet.
To implement secure data transmission, VPN tunneling protocols also need to support
one or more security measures that ensure data confidentiality and integrity. Although
PPTP has its own advantages, it does not provide effective security measures that
thoroughly solve the problem of tunnel and data encryption. Compared with PPTP,
IPSec provides a higher level of security, including data confidentiality (encryption),
network-level peer authentication, data origin authentication, data integrity, and
replay protection. IPSec provides two security mechanisms: encryption and
authentication. The encryption mechanism ensures data confidentiality (it prevents
eavesdropping); the authentication mechanism ensures that data comes from the
original sender and has not been destroyed or tampered with during transmission. In short,
IPSec provides transparent security services that protect communications over IP
networks against eavesdropping, tampering and other network attacks.
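The authentication and replay-protection mechanisms just described, as an added Python example that is not part of this manual: it builds and checks an authentication-only ESP payload (NULL encryption, so only the standard library is needed), using HMAC-SHA-256-128 as the integrity check value and a sliding anti-replay window over the sequence number. The key, SPI and window size are constructed values; on a real tunnel they come from the IKE negotiation.

```python
import hmac
import struct
# Constructed values: a real SA gets its key and SPI from IKE negotiation.
KEY = b"constructed-32-byte-example-key!"
SPI = 0x1000
ICV_LEN = 16      # HMAC-SHA-256-128 keeps the first 128 bits of the tag
WINDOW = 32       # anti-replay window size in packets

def esp_auth_encapsulate(seq: int, inner_packet: bytes) -> bytes:
    """Authentication-only ESP: SPI | sequence number | payload | ICV."""
    body = struct.pack("!II", SPI, seq) + inner_packet
    icv = hmac.new(KEY, body, "sha256").digest()[:ICV_LEN]
    return body + icv

class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 4303 style)."""
    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set -> sequence number (highest - i) seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                    # 0 is never a valid ESP sequence number
            return False
        if seq > self.highest:          # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:         # older than the window: drop
            return False
        if (self.bitmap >> offset) & 1: # already received: replay
            return False
        self.bitmap |= 1 << offset      # late but fresh: accept once
        return True

def esp_auth_decapsulate(packet: bytes, window: ReplayWindow):
    """Return the inner packet, or None if the ICV fails or the seq is replayed."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(KEY, body, "sha256").digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # integrity / origin check first
        return None
    spi, seq = struct.unpack("!II", body[:8])
    if spi != SPI or not window.check_and_update(seq):
        return None
    return body[8:]
```

A tampered packet fails the ICV check before the sequence number is even read, and a replayed packet with a valid ICV is dropped by the window, which is what gives the receiver both integrity and replay protection.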
Although PPTP is not as secure as IPSec, it can still meet the security
requirements of most organizations; in addition, it has several advantages over
IPSec, such as ease of use, low cost and ease of deployment. On the other hand,
although IPSec offers higher security and reliability, it is usually more complicated to
deploy and is subject to certain restrictions; for example, some NAT devices don’t
support IPSec pass-through. Therefore, before building your VPN infrastructure, you
should choose the tunneling protocol for your VPN according to your actual
needs.
Because most Windows operating systems (such as Windows 2000, XP, Vista, 7, etc.)
have built-in PPTP client software, a Windows 2000/XP/Vista/7-based computer can
act as a PPTP client to establish an end-to-site VPN tunnel (also known as a remote
access or dial-up VPN) with a VPN appliance acting as the PPTP server. In addition,
Windows 2000 and newer versions of Windows have built-in support for IPSec.