What is a Tunneling Protocol?
Information that flows over the Internet, or between any two digital devices, does so using protocols. These protocols divide each message into parts (usually two): one containing the actual data being transmitted, and one containing control information about the rules of the transmission. For a connection to be established, both sides have to understand and use the same communication protocol. A tunneling protocol is one that encloses, within its own datagram, another complete packet that uses a different communications protocol. It effectively creates a tunnel between two points on a network that can carry any kind of data between them (securely, when the tunnel itself is encrypted).
Generally, these protocols are used to send private network data over a public network, usually when creating a virtual private network (VPN), but they can also be used to increase the security of unencrypted data when it is sent over a public network. There are a number of popular tunneling protocols, such as Secure Shell (SSH), Point-to-Point Tunneling Protocol (PPTP) and IPsec, each tailored to a different tunneling purpose.
Because tunneling protocols hide a complete packet within the datagram, there is the potential for misuse. Tunneling is often used to get past unsophisticated or poorly configured firewalls by enclosing blocked protocols within protocols that the firewall allows through. The use of tunneling protocols also makes it difficult to complete tasks such as deep packet inspection, where network infrastructure examines the datagram for suspicious data, or ingress/egress filtering, which sanity-checks destination addresses to help ward off potential attacks. There are even reports of malware being transmitted over the newer IPv6 protocol, which has to be tunneled to reach or cross devices that aren't IPv6-ready.
As a potential threat, tunneling protocols need only be on the radar of networking and IT professionals, who must ensure their systems can block unwanted tunnels and are configured to apply security controls to data arriving through a known tunnel, such as a VPN.
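The following is an added example, not part of the original article, illustrating both points above: how one complete packet is enclosed in another (here IP-in-IP, IP protocol number 4, built with hand-packed IPv4 headers), why a filter that looks only at the outer header cannot see the enclosed destination, and the defender-side check that flags well-known tunnel protocol numbers in that outer header. All addresses are constructed sample values from documentation ranges; the helper names are this example's own, not those of any library.

```python
import ipaddress
import struct

# IANA IP protocol numbers that indicate an encapsulated packet follows the
# outer IPv4 header. A filter keying only on the outer header sees these
# numbers, not the addresses or ports of the enclosed packet.
TUNNEL_PROTOCOLS = {
    4: "IP-in-IP",
    41: "IPv6-in-IPv4",
    47: "GRE",
    50: "ESP (IPsec)",
}
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum. Computed over a header whose
    checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0x4000, 64, protocol, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(header)  # fill in the checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 packet and split it into the header fields a filter
    looks at plus the raw payload."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_length, _, _, _, protocol, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_length > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": protocol,
        "payload": packet[ihl:total_length],
    }


def encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """IP-in-IP: the complete inner packet becomes the outer packet's payload."""
    return build_ipv4(outer_src, outer_dst, 4, inner_packet)


def classify_tunnel(packet: bytes):
    """Defender-side check on the outer header only: returns the tunnel
    type name, or None for an ordinary transport protocol such as UDP."""
    return TUNNEL_PROTOCOLS.get(parse_ipv4(packet)["protocol"])


def decapsulate(packet: bytes) -> dict:
    """What deep packet inspection must do to see the real destination:
    strip the outer header and parse the enclosed packet."""
    outer = parse_ipv4(packet)
    if outer["protocol"] != 4:
        raise ValueError("not IP-in-IP")
    return parse_ipv4(outer["payload"])


def sample_tunnel_packet() -> bytes:
    """Constructed sample: an inner UDP datagram from 10.0.0.5 to
    198.51.100.23, wrapped in an outer packet between two tunnel endpoints
    (192.0.2.10 -> 203.0.113.1)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + b"constructed!"
    inner = build_ipv4("10.0.0.5", "198.51.100.23", PROTO_UDP, udp)
    return encapsulate("192.0.2.10", "203.0.113.1", inner)


if __name__ == "__main__":
    pkt = sample_tunnel_packet()
    outer = parse_ipv4(pkt)
    print("outer header shows:", outer["src"], "->", outer["dst"], "proto", outer["protocol"])
    print("tunnel type:", classify_tunnel(pkt))
    inner = decapsulate(pkt)
    print("enclosed packet really goes to:", inner["dst"], "proto", inner["protocol"])
```

Run as a script, the outer header reports only the two tunnel endpoints and protocol 4, which is all an address-based filter has to work with; `classify_tunnel` turns that protocol number into a policy decision, and `decapsulate` shows the extra parsing step inspection needs before it can see the enclosed UDP destination.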