A VPN primer
A virtual private network (VPN) uses a public or shared network (such as
the Internet or a campus intranet) to create a secure, private network connection
between a client and a server. The VPN client cloaks each packet in a wrapper
that allows it to sneak (or tunnel) unnoticed through the shared network.
When the packet gets to its destination, the VPN server removes the wrapper,
deciphers the packet inside and processes the data.
There are two varieties of VPN, PPTP and L2TP, and they differ primarily in how
they protect your data. The oldest and simplest type of VPN uses the
point-to-point tunneling protocol (PPTP).
PPTP's data encryption algorithm — MPPE, or Microsoft point-to-point
encryption — uses the client's log-in password to generate the encryption
key. This is controversial because hackers are always finding ways to acquire
passwords. What's more, early versions of Microsoft PPTP had flaws that
could expose tunneled data to inspection by hackers. Microsoft has since
patched PPTP for all versions of Windows, but skeptics remain wary of it.
The more secure alternative to PPTP is L2TP (Layer 2 Tunneling Protocol).
L2TP is another Microsoft development merging elements of PPTP with Layer
2 Forwarding, a Cisco Systems Inc. packet encapsulation scheme. L2TP alone
is not secure, so it is almost invariably paired with a fast-growing encryption
standard called IPSec (Internet Protocol security).
Implemented properly, IPSec is virtually impenetrable. Ideally, IPSec
encryption employs triple Data Encryption Standard (3DES) based on ANSI
X.509 security certificates. Electronic certificates, issued internally
or by a public authority such as Verisign Inc., irrefutably identify the
client and server. 3DES encryption (ANSI X9.52) stiffens standard 56-bit
encryption keys — which can be broken only with considerable effort — by
applying the encryption algorithm three times.
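As an added example, not code from the original article: an ESP-style wrapper in Python showing the client-side wrapping and server-side unwrapping described above, with the integrity check and anti-replay sequence check that an IPSec receiver performs before it deciphers anything. The keys, the SPI and the HMAC-based keystream standing in for 3DES-CBC are constructed stand-ins, not real IPSec code.

```python
import hashlib, hmac, os, struct

# Constructed demo keys and SPI; a real IPSec security association negotiates these via IKE.
ENC_KEY = b"demo-encryption-key-not-for-real-use"
AUTH_KEY = b"demo-integrity-key-not-for-real-use"
SPI = 0x1000ABCD
ICV_LEN = 12  # ESP commonly truncates the integrity check value to 96 bits

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """PRF-based keystream XOR, a stand-in for the 3DES-CBC cipher IPSec would use."""
    ks = b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(inner_packet: bytes, seq: int) -> bytes:
    """Client side: wrapper = SPI | sequence number | IV | ciphertext | ICV."""
    iv = os.urandom(16)
    body = struct.pack(">II", SPI, seq) + iv + _xor_stream(ENC_KEY, iv, inner_packet)
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]

def decapsulate(wrapped: bytes, highest_seq_seen: int) -> bytes:
    """Server side: verify the ICV before anything else, drop replays, then decipher."""
    body, icv = wrapped[:-ICV_LEN], wrapped[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed: packet altered or forged")
    spi, seq = struct.unpack(">II", body[:8])
    if spi != SPI:
        raise ValueError("no security association for this SPI")
    if seq <= highest_seq_seen:
        raise ValueError("replayed packet")
    return _xor_stream(ENC_KEY, body[8:24], body[24:])

def demo() -> dict:
    """Round-trip a constructed packet, then show that tampering and replay are rejected."""
    inner = b"constructed inner packet: GET /payroll HTTP/1.0"
    wrapped = encapsulate(inner, seq=1)
    out = {"roundtrip": decapsulate(wrapped, 0) == inner,
           "payload_hidden": inner not in wrapped}
    tampered = wrapped[:30] + bytes([wrapped[30] ^ 0x01]) + wrapped[31:]  # flip one ciphertext bit
    for name, pkt, seen in (("tamper_rejected", tampered, 0), ("replay_rejected", wrapped, 1)):
        try:
            decapsulate(pkt, seen)
            out[name] = False
        except ValueError:
            out[name] = True
    return out
```

Note that the receiver checks the ICV over the whole wrapper before deciphering, so a forged or altered packet is dropped without its contents ever being processed.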