PoPToP, a Secure and Free VPN Solution
Traditionally, remote access for employees has been through dedicated lines or a remote access server (RAS). A RAS typically consists of a collection of modems and telephone lines connected to a central machine. RAS can be quite reliable and secure, but it is expensive in its setup and long-distance-call costs. A Virtual Private Network (VPN) offers a secure, flexible and cheap solution in place of RAS and dedicated lines. PoPToP, the PPTP (point-to-point tunneling protocol) VPN solution for Linux, is a free VPN solution that businesses can take advantage of now.
A virtual private network is a private network capable of communicating over the public Internet infrastructure with a defined level of security. VPNs can exist between two or more private networks, often referred to as a server-server VPN, or between individual client machines and private networks, often referred to as a client-server VPN (see Figure 1). VPNs overcome the need for expensive dedicated lines or RAS dial in call and setup costs.
In Figure 1, the remote client is handed a real IP address from their local ISP. This remote client can log into the VPN server, and hence gain access to the private network behind the firewall. The remote client can then browse and use other network services on the private network as if it were a machine on that network.
VPNs may also exist between multiple private networks (server-server VPN). For example, suppose your company has an R&D office in Australia and a sales and marketing office in the United States. Both locations have private networks that are connected to the Internet (the method, modem, DSL or something else, is transparent to the VPN). Traditionally, if the offices wish to share files on their networks, they would either have to e-mail the files to each other, dial in to each other or have some form of dedicated link between them. VPNs offer a cost-effective solution for joining these two networks seamlessly, without compromising system security.
The most popular VPN technologies available today are PPTP and IPsec. Much debate and analysis has occurred recently between proponents of these competing VPN technologies. Both PPTP and IPsec have an important role to play in VPN solutions. But neither PPTP nor IPsec is without flaws.
PPTP is an open-documented standard published by the Internet Engineering Task Force (IETF) as RFC 2637, available at ftp.ietf.org/rfc/rfc2637.txt.
The operation of PPTP as a VPN is performed by encapsulating the point-to-point protocol (PPP) in IP and tunneling it through an IP network. All communication, authentication and encryption is handled almost exclusively by PPP, which currently supports PAP, CHAP, MSCHAP and MSCHAPv2 authentication. PPP encryption is performed through compressor modules, and available patches under Linux allow PPP to support RC4-compatible 40-128-bit encryption. Some people make the mistake of assuming that since PPTP uses PPP, you need a modem. This is not the case. In fact, the connection mechanism to the IP network is transparent to PPTP.
PPTP is widely deployed in both client and server forms due to its default existence in Microsoft Windows platforms.
IPsec is a new series of authentication and encryption security protocols that can be employed for sending data securely over IP networks. IPsec offers encryption, authentication, integrity and replay protection to network traffic. IPsec also specifies a key management protocol for establishing encryption keys. IPsec, like PPTP, is an open standard developed by the IETF.
PPTP is transparent to the authentication and encryption mechanism. Microsoft's version of PPTP was recently upgraded to include MSCHAPv2 and MPPE-enhanced (and more secure) security protocols. Patches are available for the Linux PPP daemon that allow PPTP solutions such as PoPToP to take advantage of Microsoft's enhanced VPN security.
Bruce Schneier, Chief Technical Officer of Counterpane Internet Security, Inc., and perhaps the chief guru of Internet security, recently analyzed Microsoft's MSCHAPv2 and MPPE security protocols. Schneier concluded that this release of MSCHAPv2 from Microsoft addressed the major security weaknesses found in MSCHAP.
IPsec was also recently analyzed by Schneier (with the help of Niels Ferguson). In their analysis, they concluded that IPsec's complexity effectively makes it impossible to implement a secure solution. They believe IPsec will never result in a secure operational system. They emphasize that although IPsec has its flaws, it is a more secure solution than PPTP.
IPsec remains a new technology, and future improvements are sure to enhance its security further and increase its attractiveness to business. Additionally, with its default presence in Windows 2000, IPsec will offer small to medium-sized businesses a more secure and affordable solution.
Affordable PPTP VPN (with MSCHAPv2 and 40-128-bit RC4 encryption) is available now. With the countless Windows machines already out there supporting PPTP VPN, the cost-effective solution is obvious. Windows 98 has VPN client software as an install option. Windows NT 4.0 comes with PPTP (server and client) by default. Patches (Microsoft Dial-up Networking patch) exist for upgrading Windows 95 machines to include a PPTP client. Windows 2000 has PPTP by default.
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- New Products
- RSS Feeds
- Tech Tip: Really Simple HTTP Server with Python
- I like your topic on android
34 min 9 sec ago
- Reply to comment | Linux Journal
55 min 19 sec ago
- This is the easiest tutorial
7 hours 9 min ago
- Ahh, the Koolaid.
12 hours 48 min ago
- git-annex assistant
18 hours 47 min ago
- direct cable connection
19 hours 10 min ago
- Agreed on AirDroid. With my
19 hours 20 min ago
- I just learned this
19 hours 24 min ago
19 hours 54 min ago
- not living upto the mobile revolution
22 hours 46 min ago
Enter to Win an Adafruit Prototyping Pi Plate Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Prototyping Pi Plate Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- Next winner announced on 5-21-13!
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.