Client-Based Remote Access VPN Protocol Overview

Introduction

The new Celestix Edge E Series Security solution is a comprehensive remote access platform that includes support for both managed and non-managed devices. For managed clients, the remote access solution of choice is DirectAccess. However, traditional client-based remote access VPN can be enabled to support non-managed devices such as Windows computers that aren’t joined to a domain, tablets, and smartphones. The E Series provides support for most common VPN protocols, such as PPTP, L2TP/IPsec, SSTP, and IKEv2. These protocols can all be deployed simultaneously or selectively as required. Careful consideration must be made when choosing which VPN protocols to support. The following is an overview of each protocol along with the pros and cons for enabling them.

VPN Protocols

PPTP – The Point to Point Tunneling Protocol (PPTP) has been around for ages. It was the first remote access protocol supported by Windows Dial-Up Networking back in Windows 95, and it is showing its age. Although this protocol is easy to configure and support, it is not secure in its default state and should not be deployed without additional configuration. The problem lies not with the protocol itself, but in the default authentication method used for PPTP, which is MSCHAP-v2. A few years ago, security researches revealed that MSCHAP-v2 could be cracked with 100% effectiveness in relatively short periods of time. With the public availability of tools to automate the process of cracking MSCHAP-v2, all communication that takes places over PPTP using MSCHAP-v2 authentication should be considered unencrypted. PPTP can still be used if MSCHAP-v2 is replaced with an authentication protocol that is more secure, such as the Extensible Authentication Protocol (EAP) with smart cards or certificates. This makes configuring and deploying PPTP in a secure fashion much more time consuming and difficult, and a better choice might be to simply choose a more secure remote access VPN protocol. PPTP uses the Microsoft Point-to-Point Encryption (MPPE) with keys generated from the MSCHAP-v2 or EAP-TLS authentication process, and requires TCP port 1723 and IP protocol 47 to be open through firewalls for proper operation.

L2TP/IPsec – The Layer Two Tunneling Protocol with IPsec is an effective and secure remote access VPN protocol that provides much better security than PPTP. In its most secure configuration, certificates are used to authenticate endpoints and encrypt communication. Pre-shared keys (passwords) can also be used, although they require manual configuration on the client. L2TP/IPsec uses the Advanced Encryption Standard (AES) for encryption and requires UDP port 500 and IP protocol 50 to be open through firewalls for proper operation.

SSTP – The Secure Sockets Tunneling Protocol is fundamentally a client-based SSL VPN protocol. It is supported in Windows Vista SP1 and later and leverages SSL/TLS to authenticate and encrypt network communication. SSTP is easy to configure and provides firewall-friendly remote access as it only requires the ubiquitous TCP port 443 to be open through firewalls for proper operation.

IKEv2 – The Internet Key Exchange version 2 remote access protocol is another very secure remote access protocol that is supported by clients running Windows 7 and later. IKEv2 uses IPsec for authentication and encryption, and has the added benefit of being more NAT friendly than L2TP/IPsec. In addition, IKEv2 provides more resilience for brief periods of network connectivity loss, such as when a mobile client moves from one wireless access point to another or switches from a wired to a wireless network connection. IKEv2 uses AES for encryption, and UDP port 500 and IP protocol 50 are required to be open through firewalls for proper operation.

DirectAccess – Technically this is not a remote access protocol by itself. DirectAccess is a collection of platform technologies that provide seamless and transparent, always on, bi-directional corporate network connectivity for remote clients. At its core, DirectAccess leverages IPsec for encryption using AES. In addition, a combination of computer certificates, NTLM, and Kerberos are used for authentication. Depending on the configuration, DirectAccess may require some or all of the following protocols and ports to be open through firewalls for proper operation – IP protocol 41, IP protocol 50, UDP port 500, UDP port 3544, and TCP port 443.

Conclusion

The Celestix Edge E Series Security Appliances, with its support for client-based VPN, provides broad client support using a variety of remote access VPN protocols. Not all protocols are created equal, with some being more secure than others and some being more firewall and/or NAT friendly as well. By considering client support needs and evaluating which protocols most effectively support those, security administrators can make informed decisions regarding the configuration of their remote access solution.

For more information about Celestix Edge E Series Security Appliances, call us at +1 (510) 668 0700 or email us at info@celestix.com.

more blogs