Question

Explain in your own words how SSL/TLS VPN works, products that are based on the technologies and its weakness or drawbacks. Also compare PPTP and SSL/TLS VPN and , L2TP over IPsec VPN technologies. Please include all reference use.

Answer 1

An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It's used to give remote users with access to Web applications, client/server applications and internal network connections.

A virtual private network (VPN) provides a secure communications mechanism for data and other information transmitted between two endpoints. An SSL VPN consists of one or more VPN devices to which the user connects by using his Web browser. The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol.

An SSL VPN offers versatility, ease of use and granular control for a range of users on a variety of computers, accessing resources from many locations. There are two major types of SSL VPNs:

SSL Portal VPN

SSL Tunnel VPN

SSL Portal VPN: This type of SSL VPN allows for a single SSL connection to a Web site so the end user can securely access multiple network services. The site is called a portal because it is one door (a single page) that leads to many other resources.

SSL Tunnel VPN: This type of SSL VPN allows a Web browser to securely access multiple network services, including applications and protocols that are not Web-based, through a tunnel that is running under SSL.

When selecting a VPN-solution three basic requirements must be assessed:

Confidentiality Is necessary to protect the information that is being sent between the communicating parties. A strong encryption algorithm is necessary to prevent an eavesdropper in reading confidential information in clear text.

Integrity It is important to verify that the received information is the same as it was when it was sent to you. In the digital world this is solved through digital signatures and hash functions. Authentication It is necessary to verify that the information has come from whom it is supposed to, and that it is received by who is supposed to receive it, i.e. mutual authentication.

Limitations TLS/SSL lack support for UDP traffic, like SSH it require a stateful connection. There are also some limitations on the applications that support TLS/SSL, mainly web browsers and e-mail applications support TLS/SSL as standard. Another issue with TLS/SSL is that not all setups have implemented both server and client authentication. This is an aspect that should be taken into consideration if it is necessary to authenticate both the server and the client in a connection. When using TLS/SSL in tunnel mode it can become expensive if the setup requires an external certification authority to sign many digital certificates.

SSL and its successor TLS is just a generic security layer for other protocols; you could say "the pure technology". But it is not a VPN by itself – HTTP and VPN are two distinct applications of TLS.

• HTTPS is HTTP secured using TLS.
• SMTPS is SMTP – a mail transfer protocol – secured using TLS.
• FTPS is FTP secured using TLS.
• OpenVPN is a VPN protocol secured using TLS.
• SSTP is another VPN protocol secured using TLS.
  PPTP OpenVPN IKEv2 . Fast * Typically considered secure. Available on all moden devices and operating . Has the ability to bypass Has the ability to supports a variety of ciphers such as 30ES, AES, Client almost all Easy to set * Highly configurable. The level of security Since it is open source, it can be easily be vetted for Easy to set up. . Comes with support for *It is compatible a variety Entirely integrated losing a connection or Microsoft support. It's easy to set up, at least L2TP, PPTP and SSTP e It's * Can be a little tricky to set It requires third party . Support for desktop is Slower than OpenPN. ed by the May be compromised by The UDP port 500 used is Not great, but on mobile Can be problematic if used * Not an open source with restricthe firewalls. *Al the server-end, *It's likely that the NSA has tricky, which can cause a delibrately weakened the