Virtual privacy

Out on the road and need to access your office LAN? Worried about security? Fear not, Roger Gann can show you the way.

Remote access is now more of a necessity than a luxury for business users who need to access files on an office network when they're on the road or working from home. If the remote PC has Internet connectivity via modem, broadband or through a LAN (local area network), and the office network has a permanent connection to the Internet, the most cost-effective way for remote users to connect is by creating a VPN (virtual private network).

So, rather than laying your own personal network cable across the globe, you use a public network - the Internet - as your connection medium. As the Internet is by its very nature insecure, you place your private network traffic inside a secure "wrapper" to stop eavesdroppers accessing your data. The result is a VPN inside a physical public network, a great solution to wide area networking requirements.

VPN technologies use "tunnelling" protocols to create the connection and encryption protocols to provide the privacy on the public network. This allows you to securely access a VPN server and the rest of the company network. Once a VPN tunnel has been established, any application (Web, e-mail, even Voice over IP) can use it as though it were using a normal network connection.

So, if you need remote access, the question isn't whether to use a VPN, but which VPN technology to use. There are four main protocols, and each has pros and cons.

VPN choices

Because a VPN creates a secure virtual pipeline through the public network, the protocols used to create this connection are called tunnelling protocols. The most common VPN technologies available are:

• PPTP
• L2TP
• IPSec
• SSL

Choosing which one to use is tricky. A lot depends on factors such as server and client OS, the network resources to which access is needed, the level of security required and performance issues. Even inexpensive routers, such as

Layer, layer

The L2TP (Layer 2 tunnelling protocol) was developed in cooperation between Cisco and Microsoft, combining features of PPTP with those of Cisco's proprietary L2F (Layer 2 Forwarding) protocol. As you might guess, L2TP operates at the data link layer of the OSI (open systems interconnection) networking model. An L2TP client is built into Windows 2000, XP and 2003, and you can download client software for older versions of Windows.

L2TP has several advantages over PPTP. The latter gives you data confidentiality, but L2TP goes further and also verifies data integrity and provides authentication of origin. However, the overhead involved in providing this extra security can result in slower performance than PPTP.

Windows XP has good support for VPNs - the New Connection Wizard makes it a doddle to set one up.

Wait a Sec

IPSec (the IP security protocol) actually provides the encryption for L2TP but it can also be used as a tunnelling protocol. Like PPTP and L2TP, IPSec provides a connection that terminates at the firewall and grants remote users access to the entire network. IPSec operates at a higher level of the OSI model, the network layer or Layer 3. Many hardware VPN appliances use an implementation of IPSec.

Authentication is accomplished via the IKE (Internet Key Exchange) protocol with either digital certificates or with a pre-shared key. IPSec VPNs can protect against many of the most common attack methods, including Denial of Service, replay, and "man-in-the-middle" attacks.
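The three properties the column has been distinguishing, confidentiality (what PPTP alone gives you), integrity plus authentication of origin (what L2TP adds), and resistance to replay (what IPSec's sequence-number window gives you), are easiest to see in a small, self-contained tunnel. The script below is an added teaching example, not code from the column or from any VPN product: each inner packet is encapsulated as sequence number, ciphertext and HMAC tag, and the receiver verifies the tag before decrypting and runs an IPsec-style sliding anti-replay window (RFC 4303 mandates a window of at least 32 packets). To stay on the Python standard library it uses a keystream built from HMAC-SHA256 in counter mode as a stand-in cipher; real IPsec uses AES. The keys, packet contents and window size are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # anti-replay window in packets; RFC 4303 mandates at least 32

# Constructed keys so the demo is reproducible. In IPsec they are negotiated by IKE.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode, bound to the packet's sequence
    number so that no two packets ever share keystream under one key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelSender:
    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def wrap(self, inner_packet: bytes) -> bytes:
        """Encapsulate: 8-byte sequence number || ciphertext || 32-byte HMAC tag."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        body = xor_bytes(inner_packet, keystream(self.enc_key, self.seq, len(inner_packet)))
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()  # encrypt-then-MAC
        return header + body + tag


class TunnelReceiver:
    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap: bit i set means (highest - i) was already accepted

    def unwrap(self, outer: bytes):
        """Return the inner packet, or None if the wrapper fails any check."""
        if len(outer) < 8 + 32:
            return None
        header, body, tag = outer[:8], outer[8:-32], outer[-32:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None            # integrity/origin check failed: forged or modified
        (seq,) = struct.unpack(">Q", header)
        if not self._accept_sequence(seq):
            return None            # replayed, or older than the window
        return xor_bytes(body, keystream(self.enc_key, seq, len(body)))

    def _accept_sequence(self, seq: int) -> bool:
        """Sliding window: each sequence number is accepted at most once."""
        if seq == 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        distance = self.highest - seq
        if distance >= WINDOW:
            return False           # too old to track: treated as a replay
        bit = 1 << distance
        if self.seen & bit:
            return False           # already accepted once: replay
        self.seen |= bit
        return True


def demo() -> dict:
    sender = TunnelSender(ENC_KEY, MAC_KEY)
    receiver = TunnelReceiver(ENC_KEY, MAC_KEY)
    # Constructed inner packets standing in for application traffic on the office LAN.
    inner1 = b"GET /intranet/ HTTP/1.1"
    inner2 = b"SMB: open \\\\fileserver\\reports"
    inner3 = b"SIP INVITE sip:desk-phone@office"
    p1, p2, p3 = sender.wrap(inner1), sender.wrap(inner2), sender.wrap(inner3)
    tampered = p2[:8] + bytes([p2[8] ^ 0x01]) + p2[9:]   # flip one ciphertext bit in transit
    return {
        "eavesdropper_sees_plaintext": b"intranet" in p1,
        "in_order_ok": receiver.unwrap(p1) == inner1,
        "out_of_order_ok": receiver.unwrap(p3) == inner3,    # p3 arrives before p2
        "late_but_in_window_ok": receiver.unwrap(p2) == inner2,
        "replay_rejected": receiver.unwrap(p1) is None,      # p1 delivered a second time
        "tamper_rejected": receiver.unwrap(tampered) is None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two design points carry over to real deployments: the tag is checked with a constant-time comparison before anything is decrypted, so a forged or modified packet is dropped without touching the cipher, and the window accepts out-of-order delivery (p3 before p2) while still refusing the second copy of p1, which is what lets the anti-replay check coexist with the reordering that public networks routinely cause.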

IPSec support is included in Windows 2000/XP/2003, but not in older Windows operating systems. If you have a VPN gateway you may have to buy client licenses for the client software. If you use multiple apps, IPSec can be a godsend.

The downside is that it leaves the network wide open if the remote access client has been compromised. IPSec clients often allow IT managers to require that client PCs have security or antivirus software installed before permitting a VPN connection. IPSec is a good fit for "fixed" site-to-site VPNs, because it can be implemented in network hardware without client software support. For mobile users, however, it's more hassle - the cost of deploying the software, configuring it and supporting it can be significant.

The simplest VPNs employ SSL technology, which is widely used in e-commerce. The padlock icon reveals I have a secure connection to Amazon.

Socket to 'em

If you've ever bought anything on the Internet you'll have come across SSL (Secure Sockets Layer) connections. And this is a big plus for SSL VPNs - you don't need special client software, you just use a Web browser to access the remote network.

With SSL VPNs, instead of giving VPN clients access to the whole network as with IPSec, you can restrict them to specific applications, which naturally have to be Web or Java-based. Less expensive, and easier to deploy than IPSec VPNs, SSL VPN technology provides remote access to Web applications such as e-mail and corporate intranets.

SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: Layer 7, the application layer, which permits much finer granularity when it comes to specifying access control. Because SSL VPNs work at the application layer, network administrators can specify access control sets and rules based on criteria such as application, TCP/IP port and user - something that the all-or-nothing nature of IPSec can't match without installing additional firewalls behind the tunnel end point and getting bogged down with lots of tedious rule sets.

Because SSL VPN access is browser-based, users can log on securely with a Web browser from almost any device. Firewalls usually don't cause any grief either, as SSL uses TCP ports that are normally left open.

SSL operates transparently across proxies and routers performing Network Address Translation, a major boon. SSL solves almost all remote access issues except one: providing access to client/server or other applications not accessible from a browser. Unlike IPSec VPNs, SSL VPN appliances don't typically allow direct access to network file shares.

SSL can also require multiple handshakes per session, which increases the CPU load on both the client and the host and makes it harder for an SSL gateway to support large numbers of simultaneous VPN connections - something that IPSec concentrators handle with aplomb. So that's the theory. In next month's column, I'll step you through setting up a VPN connection. Don't worry - it's a lot easier than you think!

Connecting to site offices by VPN is best handled by dedicated VPN hardware, such as this Cisco VPN 3000 VPN Concentrator.

Roger Gann

PC Advisor (UK)