Forwarded From: darek milewski <darekmat_private>

http://www2.nwfusion.com:8001/cgi-bin/print.cgi?article=http://www.nwfusion.com/news/tech/0531tech.html

Protocols serve up VPN security
By GREG MARCOTTE
Network World, 05/31/99

As the need to securely open corporate LANs to telecommuters and disparate corporate sites grows, virtual private networks (VPN) continue to meet the demand. VPNs - which establish private, secure sessions between two or more LANs or between remote users and a LAN - use the Internet or private IP networks to distribute data and enable corporations to eliminate additional, often expensive, dedicated lines or remote access servers.

Today, network executives must weigh two protocols that specify how VPNs should be built. The Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec) protocol enable private sessions over the Internet and securely link remote users to corporate networks. The protocols also possess relative strengths and weaknesses in data security and ease of deployment. Network managers must determine which VPN protocol best suits the need of their organizations.

[Figure: Diagram of how PPTP works]

PPTP vs. IPSec security

Spearheaded by Microsoft and US Robotics, PPTP was first intended for dial-up VPNs. The protocol was meant to augment remote access usage by letting users dial in to local ISPs and tunnel into their corporate networks. Unlike IPSec, PPTP was not intended to address LAN-to-LAN tunneling when it was first created.

PPTP extends PPP - a protocol that defines point-to-point connections across an IP network.
PPP is widely used to connect dial-up and broadband users to the public Internet or private corporate networks. Because PPP functions at Layer 2, a PPTP connection that encapsulates PPP packets allows users to send packets other than IP, such as IPX or NetBEUI. IPSec, on the other hand, functions at Layer 3 and is only able to provide the tunneled transport of IP packets.

The encryption method commonly used in PPTP is defined at the PPP layer. Typically, the PPTP client is the Microsoft desktop, and the encryption protocol used is Microsoft Point-to-Point Encryption (MPPE). MPPE is based on the RSA RC4 standard and supports 40-bit or 128-bit encryption. Although this level of encryption is satisfactory for many applications, it is generally regarded as less secure than some of the encryption algorithms offered by IPSec, particularly 168-bit Triple-Data Encryption Standard (DES).

Protect and serve

Meanwhile, IPSec was built for secure tunneling over the Internet between protected LANs. It was meant for a connection with a remote office, another LAN or corporate supplier. For instance, a large automotive company could use an IPSec VPN to securely connect its suppliers and support purchase orders over the 'Net. IPSec also supports connections between remote users and corporate networks. Similarly, Microsoft added LAN-to-LAN tunneling support for PPTP in its Routing and Remote Access Server for Windows NT Server 4.0.

When it comes to strong encryption and data integrity, IPSec is generally regarded as superior. The protocol combines key management with support for X.509 certificates, information integrity and content security. Furthermore, 168-bit Triple-DES encryption, the strongest form of encryption available in IPSec, is more secure than 128-bit RC4 encryption. IPSec also provides packet-by-packet encryption and authentication and prevents the "man-in-the-middle attack," in which data is intercepted by a third party, reconstructed and sent to the receiver.
PPTP, however, is vulnerable to such assaults, primarily because it authenticates sessions but not individual packets. Note, however, that mounting a successful man-in-the-middle attack against a PPTP connection would take considerable effort and know-how.

For many corporations, the ability to run PPTP from the Windows platform (it supports Windows NT, 95 and 98) can make deploying and maintaining a VPN seamless. For others, PPTP is perceived as less secure than IPSec. It is important to bear in mind, however, if deploying a VPN for remote users, IPSec requires an organization to load specialized client software on each desktop. Client software deployment and maintenance are a weighty undertaking that must be considered. In terms of simplicity, PPTP is substantially easier to deploy.
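
The difference the article draws between authenticating a session and authenticating each packet, as an added example that is not part of the original article. It is a simplified Python model, not the PPTP/MPPE or IPSec wire format: the packet layout (sequence number, RC4 ciphertext, HMAC-SHA256 tag), the per-packet key derivation and the Receiver class are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def packet_key(enc_key: bytes, header: bytes) -> bytes:
    # Modelling choice: fresh RC4 key per packet so no keystream is reused.
    return hashlib.sha256(enc_key + header).digest()

def seal(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || ciphertext || HMAC(seq || ciphertext)."""
    header = struct.pack(">I", seq)
    body = header + rc4(packet_key(enc_key, header), payload)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes, per_packet_auth: bool):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.per_packet_auth = per_packet_auth
        self.highest_seq = 0                  # simple anti-replay state

    def receive(self, packet: bytes):
        """Return the plaintext, or None if the packet is rejected."""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        (seq,) = struct.unpack(">I", body[:4])
        if self.per_packet_auth:
            good = hmac.new(self.mac_key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, good):
                return None                   # modified in transit
            if seq <= self.highest_seq:
                return None                   # replayed or stale
            self.highest_seq = seq
        return rc4(packet_key(self.enc_key, body[:4]), body[4:])
```

A receiver created with per_packet_auth=False hands back altered plaintext when a ciphertext bit changes in transit; with per_packet_auth=True the same packet, and any replayed packet, is rejected with None.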