Point-to-Point Tunneling Protocol, Layer 2 Tunneling Protocol...

11.8.1. Point-to-Point Tunneling Protocol

This is a point-to-point tunneling protocol: it allows a computer to establish a secure connection to a server by creating a special tunnel across a standard, unprotected network. PPTP makes it possible to encapsulate (pack or hide) Point-to-Point Protocol (PPP) packets inside Internet Protocol (IP) packets and transfer them over IP networks, including the Internet.

11.8.2. L2TP (Layer 2 Tunneling Protocol)

This tunneling protocol for layer 2 (the link layer) is more advanced than PPTP. It combines the L2F (Layer 2 Forwarding) protocol developed by Cisco with Microsoft's PPTP protocol. Data encryption is performed using the IPSec protocol. Data is encapsulated by adding L2TP and IPSec headers to data that has already been processed by the Point-to-Point Protocol (PPP). PPP is used to establish a direct connection between two network nodes and can provide connection authentication, encryption (using ECP, RFC 1968) and data compression.

The advantages of L2TP:

- support for a variety of protocols: remote users can use many different protocols (IP, IPX, etc.) to access the corporate node;

- tunnels across different networks: L2TP works in IP networks as well as in ATM, Frame Relay and other networks;

- secure data transmission, without the user needing any special software;

- the ability to authenticate users.
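The encapsulation described in the two sections above (a PPP frame carrying the user's packet, wrapped in an L2TP data-message header) can be made concrete with a small encoder and parser. The following Python is an added example and is not code from the original text; it models the L2TPv2 data-message header (RFC 2661) and the PPP framing bytes (RFC 1661/1662), with constructed tunnel and session IDs and a constructed 20-byte IPv4 header as the inner packet. The IPSec (ESP) layer that L2TP/IPSec adds around the UDP datagram is not modeled; the parser deliberately validates the Length field, since a decapsulator that trusts it blindly is the classic source of out-of-bounds reads.

```python
import struct

# Field values from RFC 2661 (L2TPv2) and RFC 1661/1662 (PPP framing).
L2TP_VERSION = 2
L2TP_FLAG_T = 0x8000   # T bit: control message (clear on data messages)
L2TP_FLAG_L = 0x4000   # L bit: 16-bit Length field present
L2TP_FLAG_S = 0x0800   # S bit: Ns/Nr sequence fields present
L2TP_FLAG_O = 0x0200   # O bit: Offset Size field present
PPP_ADDRESS = 0xFF     # HDLC-like PPP framing: all-stations address
PPP_CONTROL = 0x03     # unnumbered information
PPP_PROTO_IPV4 = 0x0021


def ppp_encapsulate(protocol, payload):
    """Wrap a network-layer packet (e.g. an IPv4 datagram) in a PPP frame body."""
    return struct.pack("!BBH", PPP_ADDRESS, PPP_CONTROL, protocol) + payload


def l2tp_data_encapsulate(tunnel_id, session_id, ppp_frame):
    """Prepend an L2TPv2 data-message header carrying the PPP frame.

    The L bit is set so the receiver can detect truncated datagrams. The result is
    what would travel inside UDP (port 1701) and, for L2TP/IPSec, then inside ESP.
    """
    flags = L2TP_FLAG_L | L2TP_VERSION
    length = 8 + len(ppp_frame)  # flags(2) + length(2) + tunnel ID(2) + session ID(2)
    return struct.pack("!HHHH", flags, length, tunnel_id, session_id) + ppp_frame


def l2tp_decapsulate(datagram):
    """Parse an L2TPv2 data message and its PPP frame, validating lengths as it goes."""
    if len(datagram) < 6:
        raise ValueError("datagram too short for an L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("unsupported L2TP version")
    if flags & L2TP_FLAG_T:
        raise ValueError("control message, not a data message")
    pos = 2
    end = len(datagram)
    if flags & L2TP_FLAG_L:
        end = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if end > len(datagram):
            raise ValueError("truncated datagram: Length field exceeds bytes received")
    if end < pos + 4:
        raise ValueError("header does not fit in the declared length")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    if flags & L2TP_FLAG_S:
        pos += 4  # Ns and Nr, 16 bits each; skipped here
    if flags & L2TP_FLAG_O:
        if pos + 2 > end:
            raise ValueError("Offset Size field missing")
        offset_size = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2 + offset_size  # skip the field itself and the padding it declares
    ppp = datagram[pos:end]
    if len(ppp) < 4:
        raise ValueError("no PPP frame inside the L2TP payload")
    address, control, protocol = struct.unpack("!BBH", ppp[:4])
    if (address, control) != (PPP_ADDRESS, PPP_CONTROL):
        raise ValueError("unexpected PPP address/control bytes")
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "protocol": protocol, "payload": ppp[4:]}


# Constructed sample: a minimal 20-byte IPv4 header stands in for the inner packet.
SAMPLE_IPV4 = b"\x45\x00\x00\x14" + b"\x00" * 16


def demo():
    """Build one tunneled packet with constructed IDs and parse it back."""
    frame = ppp_encapsulate(PPP_PROTO_IPV4, SAMPLE_IPV4)
    datagram = l2tp_data_encapsulate(0x1234, 0x5678, frame)
    return datagram, l2tp_decapsulate(datagram)


if __name__ == "__main__":
    dg, parsed = demo()
    print(dg.hex())
    print(parsed)
```

Running the block prints the 32-byte datagram (8 bytes of L2TP header, 4 bytes of PPP framing, 20 bytes of inner packet) and the parsed fields; feeding it a datagram cut short after the header makes the parser reject it rather than read past the buffer.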

11.8.3. IPSec (IP Security) Protocol

This set of protocols addresses the protection of data carried in IP packets and also includes protocols for secure key exchange over the Internet. IPSec protocols operate at the network layer (layer 3 of the OSI model). When IPSec is used, all transmitted traffic can be protected before it is sent over the network. IPSec VPN is used to connect the local networks of different offices via the Internet. The advantages of this protocol for remote users are:

- an integrated security solution;

- no need for additional software;

- simplicity of configuration.

Advantages of this protocol for collective users are:

- a cost-effective solution for remote users and branch offices;

- compatibility with the virtual private network solutions of most vendors.

The scheme of interaction between an enterprise and its branch office, mobile employees and the employees of small and medium-sized businesses using the IPSec protocol is shown in Fig. 11.4.

Fig. 11.4. Scheme of interaction using IPSec protocol

When IPSec VPN is used, a VPN client must be installed on each mobile device and each LAN server. However, not all mobile devices used in a company have VPN clients. Another problem is closed ports in the local subnets of a partner or customer; opening them requires additional coordination.

11.8.4. SSL VPN (Secure Socket Layer)

This protocol for interaction between information servers and universal clients over a secure communication channel provides authentication and identification of the server and the client for two interacting applications, data encryption and message integrity control. Identification and authentication of the client and the server are achieved through the exchange of public keys and the creation of session cryptographic keys, after which two-way exchange of encrypted messages becomes possible.

SSL uses RC4, MD5, RSA and other data protection algorithms. SSL protects data with two keys: a public key and a private (secret) key known only to the recipient of the message. A secure connection is established as follows.

1. The client sends a CLIENT-HELLO message to the server containing the name and version number of the installed client program, information about the encryption systems it can support, and so on.

2. The server program replies with a SERVER-HELLO message, in which it tells the client the same kind of information about its own program and encryption settings.

3. Both sides compare their encryption capabilities and choose the best algorithms available.

4. The server program sends the client the server's public key together with a key certificate signed by a certification authority, and also receives the client's public key.

5. The client checks the server's key certificate. After successful identification of the server, it generates a random sequence of binary digits (0 and 1), which will be used as the master key (premaster secret) of the session.

6. The client forms a CLIENT-MASTER-KEY message containing the created master key. The message is encrypted with the client's private key and sent to the server.

7. If necessary, the client is identified. To do this, it signs with its private key the sequence of data received during the initial contact, which is known to the server, and sends it to the server. The server opens this data with the client's public key and verifies its authenticity.

8. The server responds with a SERVER-VERIFY message, in which it confirms its own authenticity. Authentication relies on the master key decrypted by the server matching the client's master key. To do this, the server decrypts the CLIENT-MASTER-KEY message using the client's public key, encrypts the received master key with the server's secret key and sends it to the client; the client opens this message with the server's public key and compares it with the master key it generated earlier. When the master keys match, authentication is complete. Two-way data exchange, encrypted with the master key created for this session, then becomes possible.

Many websites on the Internet use SSL to secure user data, such as websites that provide commercial and banking services. Almost all popular browsers, email clients and Internet applications support SSL. To access pages protected by SSL, the URL uses the https prefix (port 443) instead of the usual http prefix, indicating that an SSL connection will be used. SSL can also protect application layer protocols (layer 7 of the OSI model), such as POP3 or FTP. SSL requires the server to have an SSL certificate. A secure connection between the client and the server over SSL performs two functions: authentication and data protection. The advantages of SSL include secure remote access, ease of use, and the fact that no additional software is needed.
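Two points in the paragraph above are easy to get wrong on the client side: the https prefix only implies port 443 and an SSL/TLS connection, and the server's certificate only authenticates the server if the client actually verifies it and matches it against the hostname. The following Python is an added example, not code from the original text: it derives the endpoint from a URL, builds a hardened client context beside a deliberately weakened one, and audits a context for the three settings that decide whether the server is authenticated at all. The URLs are constructed; `ssl` and `urllib.parse` are the standard library, and no network connection is made.

```python
import ssl
from urllib.parse import urlsplit


def endpoint_from_url(url):
    """Return (host, port, uses_tls) for an http(s) URL.

    https implies port 443 and an SSL/TLS connection; http implies port 80 and none.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported URL scheme: %r" % parts.scheme)
    uses_tls = parts.scheme == "https"
    port = parts.port if parts.port is not None else (443 if uses_tls else 80)
    return parts.hostname, port, uses_tls


def hardened_client_context():
    """Client context that verifies the server certificate and hostname and refuses old TLS."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """Deliberately weakened context, built only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted: the server is never authenticated
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no protocol floor at all
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context authenticates the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname in the URL")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    host, port, tls = endpoint_from_url("https://sslvpn.example.test/portal")  # constructed URL
    print(host, port, tls)
    print("hardened:", audit_client_context(hardened_client_context()))
    print("weak:", audit_client_context(weak_client_context()))
```

The order of the two assignments in `weak_client_context` is not cosmetic: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is a useful guard when reviewing code that disables verification "temporarily". The audit function is the kind of check worth running over every context a VPN or web client constructs, since an SSL connection made with `CERT_NONE` still encrypts but no longer performs the authentication function the text describes.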

Using this protocol allows remote enterprise employees to access corporate data even without a mobile device of their own. They can use any computer of the organization they are visiting on a business trip, or a computer in an Internet cafe, and the level of security is sufficient for working with important information. In this case, the employee types the address of the SSL VPN device, and a Java applet or ActiveX component that performs the authentication is automatically downloaded and launched. After that, the relevant security policies are applied:

1. A check is performed for malicious code, which, if detected, is blocked.

2. A closed information processing environment is created: all data, including temporary files transferred from the internal network, is removed from the computer from which access was made once the session ends.

In addition, additional security and control measures are used during the session.

After successfully passing the security procedures, an employee gains access to:

- file servers, with the ability to transfer files to the server;

- the company's web applications, for example the internal portal, Outlook Web Access, etc.;

- terminal services (MS, Citrix);

- tools for administrators;

- a full-fledged VPN over the https protocol without the need to preinstall and configure a VPN client. The configuration is transmitted directly from the office in accordance with the authentication data.

In the SSL VPN market, the hardware solutions of active network equipment manufacturers such as Cisco, Huawei, Juniper and Nokia prevail. Among software implementations there is the solution based on SSL Explorer from 3SP Ltd. Fig. 11.5 shows the interaction diagram when the SSL VPN protocol is used.

Fig. 11.5. Scheme of interaction when using SSL VPN protocol
