Now let’s get acquainted with specific implementations of this technology and briefly talk about their advantages and disadvantages.
So, last time we looked at what VPN technology is, where it’s needed, and why it’s used. This time we’ll get acquainted with its specific implementations and briefly talk about their advantages and disadvantages.
The definition of VPN (virtual private network) itself is quite broad, and it is difficult to say in passing what can be considered a VPN and what cannot. It is a stretch to call the Internet’s progenitor, ARPANET, a VPN. Interestingly, almost all technologies, and more often still protocols, originally used to build distributed corporate networks, gradually became the main ways of access to the Web for ordinary users.
However, we are concerned here neither with the business of the past nor with corporate matters. From a purely practical point of view, it is worth briefly looking at the variations of VPN that a user who is not particularly versed in networking technology is likely to encounter.
First of all, it is worth considering those that will help protect you when using public Wi-Fi access and allow you to bypass the blocking of certain resources. As a rule, the VPN services available to private users rely on the built-in capabilities of popular operating systems and offer step-by-step instructions for setting up a connection to them.
Recently, VPN services have simplified this process even more – they hide the technical details and bring it to the level of “put money here, download the program from here, press this button and enjoy life, not forgetting to top up your personal account balance”. Nevertheless, in some cases it can be useful to understand how some variations of VPN differ from others.
PPTP (Point-to-Point Tunneling Protocol) appeared 20 years ago, and therein lie both its advantages and its disadvantages. The undoubted advantage of this protocol is that it is supported by literally all operating systems, even very old ones, which gives it a certain universality and accessibility. In addition, by modern standards it is very undemanding of computing resources.
The flip side of the coin is that, because of its age, it now offers the user a low level of protection. The encryption methods that seemed secure enough in the mid-1990s are weak by today’s standards, and this is compounded by a not particularly successful architecture and a number of bugs in Microsoft’s implementation of the protocol, which is the most popular one.
In addition, encryption is not enabled at all by default, and password cracking on modern hardware is possible in less than a day. Nevertheless, in cases where protecting the connection is not so important, or where there are no other options for a VPN connection, it is better to use PPTP with encryption enabled than to do without it at all.
I once managed to get into a not so pleasant situation in one of the countries with a special (if you know what I mean) attitude to the Internet. Sending e-mails via the corporate PPTP server in my home country ended with e-mails sent within a single day being delayed by anything from a couple of days to a couple of weeks. Where and why they “traveled”, the reader can guess for himself. The use of other, more reliable VPN options was suppressed.
L2TP (Layer 2 Tunneling Protocol) is similar to PPTP in many ways. These standards were developed and adopted almost simultaneously, but L2TP is considered more effective for building virtual networks, although it is a bit more demanding of computing resources than PPTP. In practice, it is used by Internet service providers and corporate users. Note that L2TP by default also offers no encryption and is therefore used in combination with other protocols, usually IPSec.
IPSec (Internet Protocol Security) is a set of protocols, standards, and guidelines specifically designed to create secure connections on the Internet. The first developments also appeared in the early 1990s, but the original goal was not to “carve IPSec in stone” but to refine it regularly to keep up with the times.
It is not hard to guess what kind of agencies these developments were for. The IPSec set consists of dozens of standards (and each of them has more than one version within it), describing different stages of working with secure connections. It is really good in terms of architecture, in terms of the reliability of the algorithms used, and in terms of capabilities.
For all the advantages of IPSec, it has disadvantages. First, it is very difficult for the untrained user to configure, which in turn risks reducing the level of protection if something is done incorrectly. In addition, as noted, it is often used in conjunction with other technologies.
Second, it is much more demanding of computing resources. This disadvantage is partly compensated by hardware acceleration of some variants of the AES encryption algorithm, which modern versions of IPSec offer, although other algorithms are available too. Such accelerators are already built into modern processors for desktop and mobile devices, as well as for Wi-Fi routers.
Unfortunately, what theorists (mathematicians, first and foremost) have thought out well is put into practice by practitioners who do not always have a sufficient level of knowledge and understanding of the subject area. A study published in October 2015 shows that up to 66% of IPSec connections can be broken relatively easily and that the U.S. NSA may well have the hardware to do so.
The problem lies in the incorrect use of the algorithms that initialize secure connections. And it concerns not only IPSec, but also TLS and SSH, as well as Tor and OTR. That is, there is a potential possibility of reading not only VPN connections, but also the secure connections of a number of websites, mail servers, messengers and so on.
Yes, such an attack requires quite a lot of preparation and considerable computing resources, but it is noteworthy that in this case the researchers used Amazon cloud services and, apparently, spent an amount quite affordable for a private individual.
After such preparation, the time to attack is reduced to a minute at best, or to a month at worst. However, some experts are skeptical about the study – they claim that in reality the percentage of vulnerable systems is not that high, although some aspects of the study should indeed be taken very seriously, and developers of potentially vulnerable software have already released or are planning updates and have warned users.
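The weakness described above comes from key-exchange parameters that are too small for today's hardware, and a defender's first check is simply how large the Diffie-Hellman modulus a server actually uses is. The following script is an added example, not code from the original article or from any VPN project: it parses a PEM "DH PARAMETERS" file of the kind passed to an OpenVPN `dh` directive (DER-encoded SEQUENCE of the prime p and generator g), reports the modulus size and flags anything below 2048 bits. The two parameter files it audits are constructed inline for demonstration; their moduli have the right bit lengths but are not real safe primes, so they must not be used for an actual deployment.

```python
"""Audit a PEM 'DH PARAMETERS' file for modulus size (added example).

A DH parameter file is a DER SEQUENCE { INTEGER p, INTEGER g }, base64-encoded
between PEM markers. Both the encoder (used only to build the constructed
samples) and the decoder (the actual audit path) are minimal, hand-written DER.
"""
import base64

MINIMUM_BITS = 2048  # moduli below this are flagged as weak


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative int, with a sign pad byte when needed."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the two's-complement value positive
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Build a PEM 'DH PARAMETERS' block (used here only for constructed samples)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Parse a PEM 'DH PARAMETERS' block into (p, g)."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag, p_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def audit_dh_params(pem, minimum_bits=MINIMUM_BITS):
    """Return modulus size, generator and a weak/strong verdict for a PEM file."""
    p, g = decode_dh_params(pem)
    bits = p.bit_length()
    return {"modulus_bits": bits, "generator": g, "weak": bits < minimum_bits}


# Constructed samples: correct bit lengths, NOT real safe primes (assumption).
SAMPLE_DH_1024 = encode_dh_params((1 << 1023) | 1, 2)
SAMPLE_DH_2048 = encode_dh_params((1 << 2047) | 1, 2)

if __name__ == "__main__":
    for name, pem in (("dh1024.pem", SAMPLE_DH_1024), ("dh2048.pem", SAMPLE_DH_2048)):
        print(name, audit_dh_params(pem))
```

To audit a real server, read the file named by the `dh` directive and pass its text to `audit_dh_params`; a "weak" verdict means the group should be regenerated at 2048 bits or more before the server is exposed to the Internet.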
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) VPNs, as the name implies, represent a whole class of solutions based on the corresponding SSL and TLS protocols, sometimes supplemented by other security methods. In fact, SSL/TLS is something everyone has encountered on websites, including the one you are reading right now: the https prefix and the green lock in the address bar indicate that these connection security protocols are in use.
The first versions of the protocol appeared in the last century, but they have only come into active use in this one. Widespread use of these protocols led to their detailed study and to the steady discovery of more and more vulnerabilities, both in the architecture and in specific implementations. SSL 3.0 was discontinued in June 2015; the current version is TLS 1.2, but it cannot be considered completely secure either, since, again, much depends on the implementation (see the IPSec section above). In addition, both protocols have to bear the heavy burden of backward compatibility.
The advantage of SSL/TLS VPNs is that, because these protocols are so widely used on the Internet, they pass through almost all public networks unhindered. The disadvantages are mediocre performance in practice, difficulty of configuration, and the need to install additional software.
Popular implementations of SSL/TLS VPNs are OpenVPN (SSL 3.0/TLS 1.2) and Microsoft SSTP (SSL 3.0). SSTP is actually tied to the Windows platform. OpenVPN, due to its openness, has numerous implementations for almost all platforms and is currently considered the most reliable VPN option.
We have listed only the most popular types of VPN for private users. However, over the years this technology has evolved into a myriad of variations. Solutions for the corporate and telecom sectors alone are worth a look.
And three top tips from our expert for last: encrypt your data, use a VPN and update your software regularly
For the average user, I recommend using, if at all possible, only OpenVPN because of its openness, reliability and security. However, for it, and for other types of VPN, there are a number of other technical and legal subtleties, which we will talk about in the next article.