A VPN primer

A virtual private network (VPN) uses a public or shared network (such as
the Internet or a campus intranet) to carry a private connection between a
client and a server. The VPN client wraps each packet in an outer header so
that the shared network forwards it like any other traffic without acting on
the inner packet; this wrapping is the tunnel. When the packet reaches its
destination, the VPN server strips the wrapper, decrypts the inner packet
(if the tunnel protocol encrypts at all) and forwards it. The tunnel itself
is only encapsulation: tunneled traffic is perfectly visible on the shared
network as tunneled traffic, and whether its contents are confidential and
authenticated depends entirely on the protocol inside the wrapper.

This primer covers the two tunneling protocols found in most Windows-era
remote-access VPNs, which differ mainly in how (and whether) they protect
your data: PPTP and L2TP. The older and simpler of the two is the
Point-to-Point Tunneling Protocol (PPTP).

PPTP's data encryption, MPPE (Microsoft Point-to-Point Encryption), derives
its session keys from the user's password by way of the MS-CHAP
authentication exchange. That is a weakness in itself: the key is only as
strong as the password, and the MS-CHAP exchange exposes enough material for
offline password guessing. Early versions of Microsoft's PPTP also had
flaws that exposed tunneled data to eavesdroppers. Microsoft has since
patched PPTP for all versions of Windows (MS-CHAPv2 and revised MPPE
keying), but the design remains weak: in 2012 the MS-CHAPv2 exchange was
shown to reduce to a single 56-bit DES key search, so an attacker who
captures the authentication can recover the session keys regardless of
password strength. Treat PPTP as deprecated rather than merely controversial.

The more secure alternative to PPTP is L2TP (Layer 2 Tunneling Protocol).
L2TP is an IETF standard (RFC 2661), not a Microsoft product, that merges
elements of PPTP with Layer 2 Forwarding (L2F), a Cisco Systems Inc. packet
encapsulation scheme. L2TP provides no encryption and no strong
authentication of its own, so it is almost invariably paired with IPsec
(Internet Protocol security), the IETF's network-layer security suite, in
the combination standardized as L2TP/IPsec (RFC 3193). IPsec contributes the
Encapsulating Security Payload (ESP) for confidentiality and integrity and
the Internet Key Exchange (IKE) for peer authentication and key agreement.
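The protocols above can be told apart, and the weak ones flagged, from the outer headers alone, which is how a network monitor or firewall audit would do it. The following is an added example, not code from the article: a small Python classifier run over constructed IPv4 packets (not captures) that recognises PPTP's control channel (TCP/1723) and its GRE data channel carrying PPP, plain L2TP (UDP/1701), IKE (UDP/500), NAT-traversed IPsec (UDP/4500, with IKE distinguished from ESP by the four-byte non-ESP marker) and native ESP and AH. The addresses, the sample payloads and the helper names are assumptions made for illustration; the ports and protocol numbers are the registered ones.

```python
"""Classify VPN tunnel traffic from the outer headers of raw IPv4 packets.

Added example; the packets below are constructed in-line, not captured.
"""
import struct
from ipaddress import IPv4Address

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT, L2TP_PORT, IKE_PORT, NATT_PORT = 1723, 1701, 500, 4500
GRE_PPP = 0x880B  # PPTP carries PPP frames in "enhanced GRE" (RFC 2637)


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header, no options; checksum left zero in the sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):
    # 20-byte TCP header (data offset 5), PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def gre_ppp(payload):
    # enhanced GRE: K flag set, version 1, protocol type PPP, key = payload length | call id
    return struct.pack("!BBHHH", 0x20, 0x01, GRE_PPP, len(payload), 1) + payload


def esp(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext


def classify(packet):
    """Return (label, weak) using only the outer IPv4 and transport headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("not IPv4", False)
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == PROTO_GRE and len(body) >= 4:
        version = body[1] & 0x07
        ptype = struct.unpack("!H", body[2:4])[0]
        if version == 1 and ptype == GRE_PPP:
            return ("PPTP data (PPP over enhanced GRE, MPPE at best)", True)
        return ("GRE tunnel (no encryption)", True)
    if proto == PROTO_ESP and len(body) >= 8:
        spi = struct.unpack("!I", body[:4])[0]
        return (f"IPsec ESP, SPI 0x{spi:08x}", False)
    if proto == PROTO_AH:
        return ("IPsec AH (integrity only, no confidentiality)", True)
    if proto == PROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return ("PPTP control channel (TCP/1723)", True)
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        ports = {sport, dport}
        if L2TP_PORT in ports:
            return ("L2TP without IPsec (UDP/1701, cleartext)", True)
        if IKE_PORT in ports:
            return ("IKE key exchange (UDP/500)", False)
        if NATT_PORT in ports:
            if payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker: IKE inside NAT-T
                return ("IKE over NAT-T (UDP/4500, non-ESP marker)", False)
            return ("IPsec ESP over NAT-T (UDP/4500)", False)
    return ("not a recognised VPN tunnel", False)


# Constructed inner packet that the PPTP and L2TP samples wrap.
INNER = ipv4("10.0.0.5", "10.0.0.9", PROTO_UDP, udp(5353, 5353, b"hello"))

# Constructed sample outer packets (addresses from the documentation ranges).
SAMPLES = {
    "pptp-control": ipv4("192.0.2.10", "198.51.100.1", PROTO_TCP, tcp(40000, 1723, b"\x00\x9c\x00\x01")),
    "pptp-data": ipv4("192.0.2.10", "198.51.100.1", PROTO_GRE, gre_ppp(INNER)),
    "l2tp-plain": ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP, udp(1701, 1701, INNER)),
    "ike": ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP, udp(500, 500, b"\x00" * 28)),
    "esp": ipv4("192.0.2.10", "198.51.100.1", PROTO_ESP, esp(0xC0FFEE01, 7, b"\xAA" * 64)),
    "esp-natt": ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP, udp(4500, 4500, esp(0xC0FFEE01, 8, b"\xAA" * 64))),
}


def audit(samples=SAMPLES):
    """Classify every sample; a real deployment would feed this from a capture."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (label, weak) in audit().items():
        print(f"{name:13s} {'WEAK' if weak else 'ok  '} {label}")
```

Two caveats a practitioner should keep in mind: the classifier cannot see which ciphers an IPsec tunnel negotiated (that requires inspecting the IKE proposals or the gateway configuration), and a sender can always put any payload on any port, so "ok" here means only that the outer framing is an encrypted protocol's.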

Implemented properly, IPsec is strong, but it is not impenetrable: its
security rests on the ciphers and key-exchange parameters chosen, on the
strength of the peer authentication, and on the quality of the
implementation. Peer authentication is best done with X.509 certificates
(an ITU-T standard, not ANSI), issued internally or by a public authority
such as Verisign Inc. A certificate binds a public key to an identity; it
identifies a client or server only as reliably as the issuing authority is
trustworthy and the private key is kept secret, so "irrefutably" overstates
it. The encryption long recommended for IPsec, and still found in older
deployments, is triple Data Encryption Standard (3DES, ANSI X9.52), which
strengthens single DES's 56-bit key by running the cipher three times
(encrypt, decrypt, encrypt) under different keys. A 56-bit DES key was
already within reach of a purpose-built brute-force machine by 1998, and
3DES's three keys give an effective strength of about 112 bits rather than
168 because of meet-in-the-middle attacks. 3DES is now deprecated; new
deployments should negotiate AES.
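Why three passes and not two, and why three passes of a 56-bit key do not give 168 bits of strength, is a counting argument that is easiest to see on a cipher small enough to search exhaustively. The following is an added example, not from the article: a toy 16-bit block cipher with 8-bit keys (an ARX construction, not DES) used to compare brute force against a meet-in-the-middle attack on double and on EDE triple encryption. The key values and plaintexts are constructed; the cipher, helper names and call counter are assumptions for illustration, and the ratio of work, not the toy cipher, is the point.

```python
"""Meet-in-the-middle against double and triple encryption with a toy cipher.

Added example, not from the article. 8-bit keys and 16-bit blocks (not DES)
so the whole key space fits in a loop; only the work ratios carry over.
"""
MASK16 = 0xFFFF
WORK = {"calls": 0}      # counts toy cipher invocations, the attacker's cost


def _rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK16


def toy_encrypt(p, k):
    """Toy invertible cipher: add, rotate, xor (ARX), 8-bit key k."""
    WORK["calls"] += 1
    rk = k | (k << 8)
    return _rotl16((p + rk) & MASK16, k & 0x0F) ^ ((rk * 3) & MASK16)


def toy_decrypt(c, k):
    WORK["calls"] += 1
    rk = k | (k << 8)
    x = _rotl16(c ^ ((rk * 3) & MASK16), 16 - (k & 0x0F))
    return (x - rk) & MASK16


def double_encrypt(p, k1, k2):
    return toy_encrypt(toy_encrypt(p, k1), k2)


def triple_encrypt(p, k1, k2, k3):
    """EDE, the 3DES layout: encrypt under k1, decrypt under k2, encrypt under k3."""
    return toy_encrypt(toy_decrypt(toy_encrypt(p, k1), k2), k3)


def brute_force_double(pairs):
    """Try all 2^16 key pairs: the naive 'twice the key length' view."""
    return [(k1, k2) for k1 in range(256) for k2 in range(256)
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs)]


def mitm_double(pairs):
    """Meet in the middle: 2^8 encryptions forward, 2^8 decryptions backward."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(256):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(256):
        for k1 in table.get(toy_decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def mitm_triple(pairs):
    """Against EDE the table is still 2^8 but the far side costs 2^16 (k2, k3)
    combinations: about 2n bits of strength from three n-bit keys, not 3n."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(256):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found = []
    for k3 in range(256):
        inner = toy_decrypt(c0, k3)
        for k2 in range(256):
            for k1 in table.get(toy_encrypt(inner, k2), ()):
                if all(triple_encrypt(p, k1, k2, k3) == c for p, c in pairs[1:]):
                    found.append((k1, k2, k3))
    return found


def measure(attack, pairs):
    """Run an attack and return (recovered keys, toy cipher calls it needed)."""
    WORK["calls"] = 0
    keys = attack(pairs)
    return keys, WORK["calls"]


def demo():
    k1, k2, k3 = 0x3C, 0xA7, 0x51                    # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0042]            # constructed known plaintexts
    double_pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    triple_pairs = [(p, triple_encrypt(p, k1, k2, k3)) for p in plaintexts]
    return {
        "double_brute": measure(brute_force_double, double_pairs),
        "double_mitm": measure(mitm_double, double_pairs),
        "triple_mitm": measure(mitm_triple, triple_pairs),
    }


if __name__ == "__main__":
    for name, (keys, calls) in demo().items():
        print(f"{name:13s} keys={[tuple(hex(k) for k in ks) for ks in keys]} cipher_calls={calls}")
```

Scaled up to DES, the same counts read 2 x 2^56 work against double DES (no better than single DES plus a large table), and roughly 2^112 against three-key 3DES, which is why the standard uses three passes and why its strength is quoted as 112 bits rather than 168.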
