Advantages and Disadvantages of PPTP, L2TP, SSTP, and OpenVPN
PPTP vs L2TP vs SSTP vs SSL/OpenVPN
If you've done some reading about VPN, you probably already know that it stands for Virtual Private Network and that it is a popular way for businesses to give employees a secure way to remote into their servers. But did you know that there are different protocols available for VPN? These protocols are commonly referred to as PPTP, L2TP, SSTP and SSL/OpenVPN. Each operates by its own set of rules, and each has its own unique advantages and disadvantages.
Point-to-Point Tunneling Protocol (PPTP) is one of the most commonly used forms of VPN because it is easy to set up and maintain. It encrypts data using a 128-bit key. Because of this, it is considered one of the weaker forms of VPN and is mostly used for personal tunneling purposes like sharing pictures. More recent versions of PPTP also use EAP authentication, an authentication protocol designed for use with wireless and point-to-point connections. EAP is designed to accommodate most authentication methods. On the positive side, it uses TCP, which allows for retransmission of lost data.
PPTP was developed by Microsoft along with a few other companies and is natively supported by Windows. Firewalls like ISA Server, Cisco PIX and SonicWall recognize it. Its biggest disadvantages are that it is one of the least encrypted forms of VPN, that data encryption starts only after the computers have gone through the authentication process and made the point-to-point connection, and that it requires only user-level authentication.
Layer 2 Tunneling Protocol (L2TP) derives its name from the fact that it makes use of Layer 2 of the OSI networking model. It was the result of a joint effort between Cisco and Microsoft to provide a more secure tunneling protocol. It works with the IPSec model to provide 168-bit encryption and requires two levels of authentication, making it somewhat stronger on the encryption side than PPTP. L2TP prevents data from being altered while traveling between the sender and receiver, and it also requires either a shared key or a digital certificate before transmitting data. One of its biggest advantages is that it also encrypts the authentication process, making it more difficult for someone trying to "listen in" on your transmission to intercept and crack the data.
If you notice that your L2TP connections are down, one common cause is your security certificate infrastructure. These connections make use of pre-shared keys, so if the key changes at one end of the connection, the key at the other end will no longer match and the tunnel will fail. Be sure to keep track of your security certificates and confirm that the keys are the same at both ends of the connection.
Secure Socket Tunneling Protocol (SSTP) works in situations where most VPN connections would be blocked. This includes countries like Belize, which forbids the use of VPN technology, and certain companies that do not use or that block VPN connections. It uses port 443, the same port used by Secure Socket Layer (SSL) transmissions. Combined with the special way it forms its packets, this allows SSTP transmissions to pass through most proxies and firewalls. It is considered the most secure of the VPN tunneling protocols because it uses SSL, authentication certificates and 2048-bit encryption.
The major downside to SSTP is that it was created exclusively by Microsoft and only works on Windows Vista SP1 and Windows 7. Because it is proprietary, there are no known plans to make it available to users of Mac OS, Linux or older versions of Windows. Because SSTP is such a secure protocol, it is possible to become complacent when remoting into your server from a public location. Your username and password can still be intercepted at places like the airport, library or university, or even at home if you use an unsecured or lightly secured wireless router. Your best bet is to use VPN connections along with a common-sense approach to security.
Whenever Microsoft releases any kind of proprietary, fully copyrighted software, you can almost count on lovers of Open Source software creating a free version that works about as well as, and sometimes better than, the Microsoft version without the price tag. OpenVPN also makes use of SSL technology and works on Mac OS, Windows, Linux and some IP phones. It operates on both Layer 2 and Layer 3 and has extra features that can transport Ethernet frames, IPX packets and NETBIOS functionality. It can also be set up to share port 443 with HTTPS transmissions. It can handle multiple channels over a single TCP or UDP port and can be managed over a Telnet connection. Some network administrators have been known to use OpenVPN to connect two network routers over an untrusted wireless network.
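The following OpenVPN server configuration is an added example, not part of the original article, showing the two features just mentioned: sharing TCP port 443 with a local HTTPS server and exposing the Telnet-accessible management interface. The file names, addresses and port numbers are assumptions.

```conf
# Listen where HTTPS normally lives so the tunnel passes proxies and firewalls.
# port-share requires the TCP server mode (it does not work over UDP).
port 443
proto tcp-server
dev tun

# Connections that are not OpenVPN (plain TLS/HTTPS clients) are handed to a
# local web server bound to 127.0.0.1:8443 (assumed); OpenVPN clients stay here.
port-share 127.0.0.1 8443

# Certificates issued by your own CA (file names assumed).
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Extra HMAC on the control channel; rejects unauthenticated packets early.
tls-auth ta.key 0

# Address pool for connected clients (assumed range).
server 10.8.0.0 255.255.255.0
keepalive 10 120

# Management interface: reachable with telnet, so bind it to loopback only
# and never to a public address.
management 127.0.0.1 7505

# Drop privileges after startup and keep state across restarts.
user nobody
group nogroup
persist-key
persist-tun
verb 3
```

Clients connecting to this server must also use `proto tcp-client` and port 443; the web server on 8443 sees only the connections OpenVPN did not claim.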
OpenVPN's biggest weakness is latency, the delay it adds to the operation of a system. This weakness can be mitigated by using more powerful and newer computers for the VPN connection, keeping your security software updated, and making use of SSL certificates and trusted certificate authorities. It also has to connect to a single TCP port on the client end.