Virtual Private Networks (VPN)
Last updated
Last updated
Is an encrypted connection between private networks over a public network.
Remote Access VPN.
PPTP.
L2TP/IPsec.
SSL/TLS VPN.
Web VPN (client-less SSL VPN) – VPN client can be a standard browser.
SSH VPN.
Open VPN.
Site-to-Site VPN.
IPsec VPN.
With static or dynamic configuration.
IPsec + GRE VPN.
Dynamic Multipoint VPN.
Based on PPTP.
PPTP packages data within PPP packets.
Encapsulates the PPP packets within IP packets.
Uses a form of General Routing Encapsulation (GRE) to get data to and from its final destination.
Supports authentication based on protocols PAP, EAP, CHAP, MS- CHAPv1, and MS-CHAPv2.
Uses MPPE as a cipher.
Has two different keys (one for each direction).
Requires MS-CHAPv2 authentication.
Keys derived from the MS-CHAPv2's password hash and challenges.
PPTP creates a TCP control connection between the VPN client and the VPN server to establish a tunnel.
Uses TCP port 1723 for these connections.
PPTP can support only one tunnel at a time for each user.
Authentication can be performed with Digital Certificates (RSA) or with the same PPP authentication mechanisms as PPTP.
Provides data integrity, authentication of origin, and replay protection.
Encryption is provided by IPSec (ESP protocol).
Can support multiple, simultaneous tunnels for each user.
Slower performance than PPTP.
SSL/TLS VPN.
SSL/TLS protocol handles the VPN tunnel creation.
SSL/TLS is much easier to implement than IPSec and provides a simple and well-tested platform.
RSA handshake (or DH) is used exactly as IKE in IPSec.
SSH VPN.
VPN over an SSH connection.
SSH tunneling - port forwarding.
OpenVPN.
Implements an SSL/TLS VPN.
Allows PSK, certificate, and login/password-based authentication.
Encryption provided by OpenSSL (can use all ciphers available).
Compatible with dynamic and NAT addresses.
IPsec tunnels with static configuration.
Requires the knowledge of all peers (IP addresses and security parameters).
High configuration overhead.
IPsec tunnels with dynamic configuration (at the headend/hub).
Hub + spokes configuration.
Generic configuration at the headend/hub.
Easy to add new spokes
A basic IPsec tunnel can't protect multicast traffic.
IPsec + GRE tunnels.
Generic Routing Encapsulation (GRE) allows the protection of multicast traffic over IPsec.
Dynamic Multipoint VPN (DMVPN).
Relies on NHRP to create an overlay network.
Provides full meshed connectivity with a simple configuration of the hub and spoke.
Supports dynamically addressed spokes.
Facilitates zero-touch configuration for the addition of new spokes.
Features automatic IPsec triggering for building an IPsec tunnel.
Software Defined WAN.
Edge Connectivity Abstraction.
WAN Virtualization.
Policy-Driven, Centralized Management.
Elastic Traffic Management.
Advantages: Easy deployment and management.
Disadvantages: Completely dependence (present and future) on external providers.
