VPN Connection and Authentication Protocols
*CHAP* (remote authentication)
*Challenge Handshake Authentication Protocol* is a three-way handshake (challenge/response) authentication protocol. CHAP:
- Uses Message Digest 5 (MD5) hashing of the shared secret for authentication. Only the hash, and not the password, is sent during authentication.
- Does not protect against server impersonation, and the server must hold a plaintext version of the password in order to validate the challenge response.
- Cannot change an expired password during the authentication process.
*EAP-TLS* (remote authentication)
*Extensible Access Protocol* allows the client and server to negotiate the characteristics of authentication. This means that the authenticator requests authentication information (name, PIN, or card token value in the case of security token cards) from the client; to authenticate, the client must return the proper responses. EAP is used for smart cards, biometric authentication, and certificate-based security environments. An EAP authentication scheme is called an EAP type; both the client and the authenticator have to support the same EAP type for authentication to function. Windows 7 supports the following EAP types:
- EAP-TLS uses client certificates, either on the local system or on a smart card.
- Protected EAP (PEAP) with MS-CHAP v2 uses simple passwords on the client for authentication. This method requires the installation of a computer certificate on the VPN server. Use this method when the client does not have a certificate.
- PEAP-EAP-TLS uses client certificates, either on the local system or on a smart card.
*IKEv2* (common VPN technology)
*Internet Key Exchange version 2* is a VPN tunneling protocol that:
- Supports IPv6, smart card authentication, and certificate authentication.
- Supports data origin authentication, data integrity, replay protection, and data confidentiality.
- Uses UDP ports 500 and 4500 for IKE traffic and IP protocol 50 for ESP traffic.
- Enables the VPN connection to remain intact as a mobile client moves from one IP network to another.
- Is the default protocol for a new VPN connection in Windows 7.
*IPSec* (common VPN technology)
*Internet Protocol Security* provides authentication and encryption, and can be used in conjunction with L2TP or by itself as a VPN solution. IPSec:
- Can encrypt any traffic supported by the IP protocol.
- Requires either digital certificates or pre-shared keys.
- Includes two protocols that provide different features: Authentication Header (AH) provides authentication (use AH to enable authentication with IPSec), and Encapsulating Security Payload (ESP) provides data encryption (use ESP to encrypt data). If you use only AH, data is not encrypted.
IPSec can be used to secure the following types of communications:
- Host-to-host communications within a LAN.
- VPN communications through the Internet, either by itself or in conjunction with the L2TP VPN protocol.
- Any traffic supported by the IP protocol, including Web, e-mail, Telnet, file transfer, and SNMP traffic, as well as countless others.
*L2TP* (common VPN technology)
*Layer 2 Tunneling Protocol* is an open standard for secure multi-protocol routing that:
- Uses IPSec for encryption.
- Supports multiple protocols (not just IP).
- Is not supported by older operating systems.
- Uses TCP port 1701 and UDP port 500.
*MS-CHAPv2* (remote authentication)
*Microsoft CHAP version 2* is the highest level of authentication possible without using EAP. MS-CHAP v2:
- Uses a challenge/response mechanism.
- Encrypts the shared secret.
- Allows for mutual authentication (the server also authenticates itself to the client).
- Allows users to change the password.
*PAP* (remote authentication)
*Password Authentication Protocol* sends the username and password in plain text. You should use PAP only when no other form of authentication is supported. Vulnerabilities associated with PAP include:
- The password can be easily intercepted.
- It does not protect against replay attacks, remote client impersonation, or remote server impersonation.
- You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.
- If your password expires, PAP cannot change passwords during the authentication process.
A variation of PAP is SPAP, the Shiva Password Authentication Protocol. Use SPAP when you have Shiva devices on your network.
*PPTP* (common VPN technology)
*Point-to-Point Tunneling Protocol* is a Microsoft VPN technology that:
- Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).
- Supports TCP/IP only.
- Encapsulates other LAN protocols and carries the data securely over an IP network.
- Does not encrypt data by itself; it must be used in conjunction with a Microsoft-supported encryption mechanism. MPPE is used for data encryption.
- Is supported by most operating systems and servers.
- Uses TCP port 1723.
*SSTP* (common VPN technology)
*Secure Socket Tunneling Protocol* uses HTTP over SSL to establish the VPN connection. SSTP:
- Transports PPP traffic through an SSL channel.
- Includes encryption through SSL.
- Supports password and certificate-based authentication.
- Uses TCP port 443.
- Works through most firewalls without modification of the firewall rules.