Case Project 11-1: VPN Filtering Rules You work for a network consulting firm. Y
ID: 3862457 • Letter: C
Question
Case Project 11-1: VPN Filtering Rules You work for a network consulting firm. Your client wants to implement a VPN system that supports PPTP-, SSTP-, and L2TP-based VPNs. The system will be used primarily for remote client access. You need to prepare a report for the client that explains the implications of providing this functionality in terms of firewall configuration. Your report must address the protocols and ports that need to be considered as the firewall policy is created. Prepare a one- to two-page report that addresses these issues.
After receiving the report that you prepared in Case Project 11-1, your client has decided that an “all-in-one” product may be better than patching together a VPN infra- structure. You need to prepare a report that explains the features in the Microsoft Fore- front TMG 2010 product. Your client has some technical understanding, but she needs to have the TMG features explained in a practical way so that she can consider how the product could assist in lowering costs and improving business processes. Prepare a two- to three-page report that meets the stated requirements.
Explanation / Answer
PPTP
Point-To-Point-Tunneling Protocol (PPTP) is the most popularly VPN protocol and is supported by the most devices. PPTP stands for point to point protocol, is by far the easiest to configure and has low overhead that makes it faster than other VPN protocols. Firewalls such as ISA Server, Cisco PIX and Sonic Wall recognize the protocol.
PPTP encrypts data using a 128-bit key which puts it in the “weakest” category of VPN protocols. It has also had other weaknesses in the past, such as clear-text authentication prior to a connection being established and as such it is rarely used in sensitive business environments. However, the most recent implementations of this protocol have resolved some of the security issues – for example, the implementation of EAP authentication.
L2TP/IPSec
Layer 2 Tunneling Protocol (L2TP) came about through a partnership between Cisco and Microsoft with the intention of providing a more secure VPN protocol. L2TP is considered to be a more secure option than PPTP, as the IPSec protocol which holds more secure encryption algorithms, is utilized in conjunction with it. It also requires a pre-shared certificate or key. L2TP’s strongest level of encryption makes use of 168 bit keys, 3 DES encryption algorithm and requires two levels of authentication.
L2TP has a number of advantages in comparison to PPTP in terms of providing data integrity and authentication of origin verification designed to keep hackers from compromising the system. However, the increased overhead required to manage this elevated security means that it performs at a slower pace than PPTP.
SSTP
Secure Socket Tunneling Protocol (SSTP) is viewed as the VPN protocol with the highest security due to authenticating with 2048 bit key certificates and encrypting with 256 bit key. SSTP can be used in place of other VPN protocols (PPTP, L2TP), and is effective in locations where network access is restricted as it uses TCP port 443, the same port used by Secure Socket Layer (SSL) transmissions.
SSTP VPN is viewed as quicker and more reliable than OpenVPN. However, your operating system needs to be relatively up to date in order for it to function properly with SSTP.
The major disadvantage of SSTP is that since it was developed by Microsoft it only functions on Windows Vista / Windows 7 / Windows 8. Currently, there are no intentions to make the protocol available to users of Mac OS, Linux and older versions of Windows.
OpenVPN
OpenVPN was developed by Open Source software as a free alternative to Microsoft’s SSTP protocol. One major advantage of this particular protocol is that it functions on a variety of operating systems, such as, Mac OS, Windows, Linux and some IP phones. Similar to SSTP, OpenVPN has a higher encryption level than L2TP as it operates on both Layer 2 and Layer 3. Furthermore, it is accompanied with extra features such as transporting Ethernet frames, IPX packets and providing NETBIOS functionality.
A minor disadvantage with OpenVPN is that it provides insufficient support for mobile devices and the requirement to install a 3rd party client. This is not the case for SSTP.
A major disadvantage with VPN is the high overhead associated with the protocol due to its level of encryption. It may also be quite challenging to configure.
Final thoughts
The VPN protocols illustrated above all have distinct advantages and disadvantages. The easiest protocol to configure with the best device compatibility would be PPTP. SSTP and OpenVPN are the protocols least likely to be blocked by servers or firewalls and generally thought to be the most secure. In terms of speed, generally speaking, less encryption means greater speed but at the cost of less security. However, if your devices are of reasonable speed this should not be a major factor. Best to consider your security requirements and pick a protocol accordingly.