A virtual private network (VPN) is a private computer network that uses a public network such as the Internet to provide a secure remote connection between hosts. It is commonly used by remote users to connect to their organization's network. VPN traffic is usually encrypted to keep the data from being analyzed by third parties, so the hosts communicate securely. Unlike an ordinary private network, a VPN encapsulates the data it transfers in order to tunnel the traffic. On the Internet, for example, these tunnels are not physical entities but are created using encryption, protocols and security standards, which makes the hosts appear to be connected directly to each other. Using public network infrastructure reduces the cost of the system, since no dedicated point-to-point connection such as a leased line is required.
Internet Protocol Security (IPSec) is the protocol that secures Internet Protocol (IP) communication by authenticating and encrypting each IP packet of a communication session. IPSec also provides a protocol for establishing authenticated communication between hosts at the beginning of the session and for negotiating the cryptographic keys to be used during the communication.
IPSec can also be defined as an end-to-end security scheme operating in one layer of the Internet protocol suite, the Internet layer. It can protect data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. Secure Socket Layer (SSL), Secure Shell (SSH) and Transport Layer Security (TLS), by contrast, are examples of protocols that operate in the upper layers of the TCP/IP model. IPSec protects any application's traffic across an IP network. IPSec VPNs are one of the latest issues in VPN technologies.
IPSec VPNs establish secure tunnels through the public Internet.
The benefit of an IPSec VPN is that the connection runs over the Internet, which results in tremendous savings over the cost of dedicated private network connections such as leased lines, private WAN connections or long-distance dial-up connections. IPSec VPNs also increase an organization's productivity: the organization can grant restricted network access to customers, vendors or business partners, which improves the efficiency of work that depends on remote access and networking. Home-office workers, telecommuters and service workers can reach their corporate network through IPSec VPN remote access over the Internet. The security services offered by IPSec are standards for a range of services that address security risks to all IP traffic on the public network: confidentiality, access control, authentication, rejection of replayed packets, and limited traffic flow confidentiality. The security services are explained as follows:
Confidentiality. Data transmitted between hosts is encrypted, so it remains protected even if it is intercepted by a third party.
Access control. Only authorized users are allowed to participate in the private communication.
Authentication. Verifies that the received data was not modified in transit and that it comes from the intended source.
Rejection of replayed packets. An anti-replay service prevents an attacker from replaying an intercepted packet.
Limited traffic flow confidentiality. The inner IP header of the private network can be encrypted to hide the traffic's source and destination.
The working principle of IPSec is simple. Before two devices can establish an IPSec VPN tunnel and communicate over it, they must agree on security parameters. These security parameters establish a security association (SA), which specifies the algorithms or methods to be used for authentication and encryption. It also defines the encryption keys for the session, when those keys expire, and how the security association is maintained. The Internet Key Exchange (IKE) protocol is used to negotiate the security associations needed to ensure that communication through the IPSec VPN is secure.
Layer 2 Tunneling Protocol (L2TP)
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol based on the Point-to-Point Tunneling Protocol (PPTP). L2TP acts like a data link layer protocol (layer 2 in the OSI model) but is actually a session layer protocol. L2TP does not provide any encryption by itself and relies on another encryption protocol for confidentiality. It is therefore commonly used together with IPSec, which encrypts the transferred data. A virtual private network built from both protocols is called an L2TP/IPSec VPN.
The L2TP packet has the following structure. Each row is 32 bits wide: the left column holds bits 0-15 and the right column bits 16-31.
    Bits 0-15                   Bits 16-31
    Flags and Version Info      Length (optional)
    Tunnel ID                   Session ID
    Ns (optional)               Nr (optional)
    Offset Size (optional)      Offset Padding (optional)
    Payload data
The fields are:
Flags and Version Info: control flags that indicate the presence of the other fields (Length, sequence and offset fields), plus the protocol version.
Length (optional): total length of the message in bytes.
Tunnel ID: identifier for the control connection.
Session ID: identifier for a session within a tunnel.
Ns (optional): sequence number for this data or control message, beginning at zero and incrementing by one (modulo 2^16) for each message sent.
Nr (optional): sequence number of the next message expected to be received. Nr is set to the Ns of the last in-order message received plus one (modulo 2^16).
Offset Size (optional): locates the start of the payload data.
Offset Padding (optional): filler; its length is as specified by the Offset Size.
Payload data: the payload itself.
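As an added example (not part of the original text), the following Python parser reads the header laid out above, honouring the flag bits that make Length, Ns/Nr and Offset optional, and rejects a datagram whose Length or Offset Size field points outside the bytes actually received. The sample packets are constructed for illustration; the flag bit positions follow RFC 2661.

```python
import struct

# Flag bits of the first 16-bit word (RFC 2661): T = control message, L = Length
# present, S = Ns/Nr present, O = Offset Size present, P = priority; low 4 bits = version.
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100, 0x000F

def parse_l2tp(packet: bytes) -> dict:
    """Parse the header described above; every wire-supplied length/offset is bounds-checked."""
    def read(fmt: str, pos: int) -> tuple:
        if pos + struct.calcsize(fmt) > len(packet):
            raise ValueError("truncated header at byte %d" % pos)
        return struct.unpack_from(fmt, packet, pos)
    (flags,) = read("!H", 0)
    if flags & VER_MASK != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    hdr = {"control": bool(flags & T_BIT), "priority": bool(flags & P_BIT)}
    pos, end = 2, len(packet)
    if flags & L_BIT:                               # Length: total message size in bytes
        (end,) = read("!H", pos)
        pos += 2
        if end > len(packet):
            raise ValueError("Length field %d exceeds packet size" % end)
    elif hdr["control"]:                            # control messages must set L and S
        raise ValueError("control message without Length field")
    hdr["tunnel_id"], hdr["session_id"] = read("!HH", pos)   # always present
    pos += 4
    if flags & S_BIT:                               # Ns / Nr sequence numbers
        hdr["ns"], hdr["nr"] = read("!HH", pos)
        pos += 4
    elif hdr["control"]:
        raise ValueError("control message without sequence numbers")
    if flags & O_BIT:                               # Offset Size, then that many pad bytes
        (offset,) = read("!H", pos)
        pos += 2 + offset
    if pos > end:
        raise ValueError("offset padding runs past the end of the message")
    hdr["payload"] = packet[pos:end]
    return hdr

def next_nr(last_in_order_ns: int) -> int:
    """Nr to send next: Ns of the last in-order message plus one, modulo 2^16."""
    return (last_in_order_ns + 1) % (1 << 16)

# Constructed sample packets, not captured traffic. CONTROL_PKT: T|L|S set, version 2,
# Length 15, Tunnel ID 1, Session ID 0, Ns 0, Nr 0, then a 3-byte stand-in payload "AVP".
CONTROL_PKT = bytes.fromhex("c802000f0001000000000000415650")
# DATA_PKT: O set, Tunnel ID 5, Session ID 7, Offset Size 2, 2 pad bytes, 4-byte PPP payload.
DATA_PKT = bytes.fromhex("02020005000700020000ff03c021")
```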
Secure Socket Layer (SSL)
Secure Socket Layer (SSL) is a cryptographic protocol that provides secure communication over the Internet. It is a transport layer security protocol that provides end-to-end security for applications. Until now, web pages have been delivered using HTTP (Hypertext Transfer Protocol), which provides no encryption or any other protection of the information exchanged between hosts. SSL entered the World Wide Web in combination with HTTP, forming Hypertext Transfer Protocol Secure (HTTPS). HTTPS is a standard protocol today and is often used for communication that involves transactions of sensitive information, such as Internet banking. HTTPS should not be confused with S-HTTP (Secure Hypertext Transfer Protocol).
The fundamental flow of the SSL service is:
The data is divided into blocks of 2^14 bytes or less.
Each fragment of data is compressed using lossless compression. This service is optional.
SSL uses a keyed-hash function to protect the data from corruption.
The original data and the keyed hash are encrypted using symmetric-key cryptography.
A header is added to the encrypted payload, which is then passed to a reliable transport layer protocol.
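The record-layer flow above, as an added example that is not part of the original text: fragmentation to 2^14 bytes, a keyed hash (HMAC-SHA256) over the sequence number, header and fragment, encryption of fragment plus tag, and a 5-byte header. The symmetric cipher is a stand-in (HMAC-SHA256 in counter mode) so that the block runs with only the Python standard library; it is not a real SSL/TLS cipher suite, and compression (step 2) is left as null compression.

```python
import hashlib, hmac, struct

MAX_FRAGMENT = 1 << 14        # 2^14 bytes: the record-layer fragment limit
APPLICATION_DATA = 23         # record content type byte
VERSION = b"\x03\x01"         # wire version placed in the header (constructed choice)

def fragment(data: bytes) -> list:
    """Step 1: divide the data into blocks of 2^14 bytes or less."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]

def keystream(key: bytes, seq: int, n: int) -> bytes:
    # Stand-in for the negotiated symmetric cipher so the block needs only the standard
    # library: HMAC-SHA256 in counter mode, bound to the record sequence number.
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, struct.pack("!QI", seq, ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def mac_input(seq: int, frag: bytes) -> bytes:
    # The keyed hash covers the sequence number and header fields as well as the
    # fragment, so a reordered or replayed record fails the check on the receiver.
    return struct.pack("!QB2sH", seq, APPLICATION_DATA, VERSION, len(frag)) + frag

def seal_record(mac_key: bytes, enc_key: bytes, seq: int, frag: bytes) -> bytes:
    """Steps 3-5: keyed hash, encrypt fragment+tag, prepend the record header.
    Step 2 (compression) is optional and omitted here (null compression)."""
    tag = hmac.new(mac_key, mac_input(seq, frag), hashlib.sha256).digest()
    plain = frag + tag
    body = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, seq, len(plain))))
    return struct.pack("!B2sH", APPLICATION_DATA, VERSION, len(body)) + body

def open_record(mac_key: bytes, enc_key: bytes, seq: int, record: bytes) -> bytes:
    """Receiver side: strip the header, decrypt, then verify the keyed hash."""
    _, _, length = struct.unpack("!B2sH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or length < 32:
        raise ValueError("truncated record")
    plain = bytes(a ^ b for a, b in zip(body, keystream(enc_key, seq, len(body))))
    frag, tag = plain[:-32], plain[-32:]
    expected = hmac.new(mac_key, mac_input(seq, frag), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("keyed hash mismatch: record corrupted or tampered")
    return frag

def send(mac_key: bytes, enc_key: bytes, data: bytes) -> list:
    return [seal_record(mac_key, enc_key, seq, f) for seq, f in enumerate(fragment(data))]

def receive(mac_key: bytes, enc_key: bytes, records: list) -> bytes:
    return b"".join(open_record(mac_key, enc_key, s, r) for s, r in enumerate(records))
```

Flipping any byte of a sealed record, or presenting it under a different sequence number, makes open_record raise instead of returning the fragment.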
The goals of SSL are:
Confidentiality of communications
Integrity of data
Authentication of server and client
Secure Socket Layer Virtual Private Network (SSL VPN) is a form of virtual private network that uses SSL to establish the connection. Because SSL is a standard protocol widely supported in web browsers, SSL VPN is more versatile than IPSec VPN: a user can access the SSL VPN from their web browser, and the communication between the web browser and the remote device is encrypted by SSL.
SSL VPN technology has so far had no official standards other than SSL, HTTP and the other SSL VPN subcomponents. In the highly competitive SSL VPN market, vendors often disclose the details of how their products work. Although SSL VPN lets users establish secure remote access from virtually any Internet-connected web browser, the technology behind it is very complex and advanced.
SSL VPN products come either as appliances or as software. Products sold as appliances or devices, such as those from SafeNet, Whale Communications and Juniper Networks, act like a black box: they offer easy setup despite the complex technology behind them, and administrators need no understanding of how they work internally. Appliance SSL VPN products can reduce the overhead cost of installing, configuring and maintaining a system, since little expertise is needed to adopt the technology. They usually ship with default settings, a hardened operating system, the SSL VPN software installed and rudimentary configuration options set. This reduces the human error during installation and configuration that is likely to leave security holes.
SSL VPN products that come as software require more knowledge of how they work. Setting up the network can be a tedious job and can lead to human error during installation and configuration. However, organizations with experts in system hardening and network security prefer a software-based product, because it lets them customize the system to suit their needs even more closely.
With SSL, a secure tunnel between computers can be established over an insecure network such as the Internet. A communication tunnel lets two computers communicate securely over a network, so that the other computers connected to the network cannot access the communication.
SSL VPN creates tunnels by performing two functions:
Authenticating the users
Encrypting all data transferred between hosts
These processes involve encryption protocols, key exchange and so on. Compared with other tunneling methods such as IPSec, which works at the network layer (layer 3), SSL VPN functions at layers 4-5 of the OSI model.
Figure: Typical tunneling VPN (layer diagram; only the "Data Link Layer" label survived extraction).
Because IPSec VPN operates at a lower level of the OSI model, establishing such a connection requires installing and configuring complicated client software on the user's computer. This client software manages the network-level communication tunneling. IPSec VPN is also harder to deploy in restricted networks such as university networks, where most of its protocols are blocked.
SSL VPN works at a higher level of the OSI model. It encapsulates information at layers 6-7 and communicates at the application layer. To some extent, some SSL VPNs can even tunnel network-level information over SSL, which shows the capabilities and flexibility of SSL VPN compared with traditional VPNs such as IPSec VPN.