{"id":11531,"date":"2016-03-10T09:00:56","date_gmt":"2016-03-10T14:00:56","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=11531"},"modified":"2017-09-24T08:08:23","modified_gmt":"2017-09-24T12:08:23","slug":"vpn-implementations","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/vpn-implementations\/11531\/","title":{"rendered":"VPN implementations and their peculiarities"},"content":{"rendered":"<p>In a previous post, we discussed <a href=\"https:\/\/www.kaspersky.com\/blog\/vpn-explained\/\" target=\"_blank\" rel=\"noopener nofollow\">the definition of VPN<\/a> (Virtual Private Network), its purpose and various use cases. Today we review its most prevalent implementations and their advantages and drawbacks.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022733\/vpn-impementations-FB.jpg\" rel=\"attachment wp-att-11532\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-11532\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022733\/vpn-impementations-FB.jpg\" alt=\"VPN implementations and their peculiarities\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>VPN is, by definition, a broad concept, and it is not always obvious whether a given implementation qualifies as one. Loosely, even the Internet\u2019s forerunner, <a href=\"https:\/\/en.wikipedia.org\/wiki\/ARPANET\" target=\"_blank\" rel=\"noopener nofollow\">ARPANET<\/a>, could be considered a VPN. Curiously, almost all networking concepts and, even more clearly, protocols started as corporate technologies and only later became commodities for average users.<\/p>\n<p>Neither history nor corporate infrastructure is our subject today. 
In this post we look at the common <a href=\"https:\/\/www.kaspersky.com\/blog\/vpns-use\/\" target=\"_blank\" rel=\"noopener nofollow\">VPN<\/a> implementations that a user with no technical background is likely to come across.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">What exactly is VPN? <a href=\"https:\/\/t.co\/yxKQu3fWG1\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/yxKQu3fWG1<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/IT101?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#IT101<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/VPN?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#VPN<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/t.co\/B3Ca9qYXIK\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/B3Ca9qYXIK<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/692730306999291904?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 28, 2016<\/a><\/p><\/blockquote>\n<p>First, we look at the implementations that protect users connecting to <a href=\"https:\/\/www.kaspersky.com\/blog\/dangerous-public-wi-fi\/\" target=\"_blank\" rel=\"noopener nofollow\">a public Wi-Fi network<\/a> or that bypass IP-based restrictions imposed by a service provider. 
As a rule, consumer-class VPN services rely on the VPN clients built into popular operating systems and provide step-by-step instructions for establishing a secure connection.<\/p>\n<p>Lately VPN services have simplified this process a great deal: an average user no longer has to wade through technical settings and only needs to follow instructions like \u2018pay here, download the app here, press here and enjoy.\u2019 Still, it helps to know at least how VPN implementations differ from one another, because the choice decides how much protection you actually get.<\/p>\n<div id=\"attachment_11534\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022729\/vpn-implementations-settings-en.png\" rel=\"attachment wp-att-11534\"><img decoding=\"async\" aria-describedby=\"caption-attachment-11534\" class=\"size-full wp-image-11534\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022729\/vpn-implementations-settings-en.png\" alt=\"VPN implementations and their peculiarities\" width=\"640\" height=\"480\"><\/a><p id=\"caption-attachment-11534\" class=\"wp-caption-text\">VPN settings in Android (left) and Windows (right)<\/p><\/div>\n<h3>Popular VPN implementations<\/h3>\n<p><strong>PPTP<\/strong> (Point-to-Point Tunneling Protocol) was developed about 20 years ago, which is both its advantage and its major drawback. Its biggest benefit is compatibility: almost every operating system, legacy ones included, ships a PPTP client, so the protocol is available practically everywhere. It is also undemanding in computing power compared with newer solutions.<\/p>\n<p>But its major drawback is likewise explained by its age: by today\u2019s security standards it offers a considerably lower level of protection. 
Its encryption was adequate in the mid-90s but is not secure enough today, a problem amplified by a flawed <a href=\"https:\/\/www.schneier.com\/cryptography\/pptp\/faq.html\" target=\"_blank\" rel=\"noopener nofollow\">architecture<\/a> and by a number of weaknesses in the most popular <a href=\"https:\/\/technet.microsoft.com\/library\/security\/2743314\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft implementation<\/a>, above all its MS-CHAPv2 authentication.<\/p>\n<p>Moreover, PPTP itself specifies no encryption: it is added by MPPE, whose keys are derived from the MS-CHAPv2 exchange, so an adversary who captures that exchange needs <a href=\"https:\/\/threatpost.com\/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012\/76860\/\" target=\"_blank\" rel=\"noopener nofollow\">less than 24 hours<\/a> with hardware available today to recover the credentials and, with them, the session keys. Still, in scenarios that do not require a highly secure connection, or when no other VPN is available, PPTP with its weak encryption is better than going completely unprotected: it raises the bar against a casual eavesdropper on the same Wi-Fi, though not against a capable adversary.<\/p>\n<p>Once I found myself in a tricky situation: I was travelling to a country notorious for certain Internet regulations (if you know what I mean). I used our corporate PPTP server, located in my home country, to send email, and my messages were delivered with a lag of anywhere from two days to about two weeks. One can only guess where those emails were all that time. At the same time, the use of an alternative, more secure VPN connection was blocked. 
The lesson is that PPTP is nowhere near strong enough to protect you from a well-resourced adversary such as a government or a large corporation.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Researchers Uncover \u2018Terracotta\u2019 Chinese <a href=\"https:\/\/twitter.com\/hashtag\/VPN?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#VPN<\/a> Service Used by <a href=\"https:\/\/twitter.com\/hashtag\/APT?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#APT<\/a> Crews <a href=\"https:\/\/t.co\/rqSo3Xp0hB\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/rqSo3Xp0hB<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Threatpost<\/a> <a href=\"http:\/\/t.co\/nVCLMb6QvC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/nVCLMb6QvC<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/628622440210526208?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 4, 2015<\/a><\/p><\/blockquote>\n<p><strong>L2TP<\/strong> (Layer 2 Tunneling Protocol) is quite similar to PPTP. The two standards were published practically at the same time, and L2TP combines ideas from PPTP and from Cisco\u2019s L2F. It is the more flexible tunnelling protocol (it runs over UDP rather than GRE and can carry several sessions per tunnel), but it is a bit more demanding in computing power. It is usually preferred by ISPs and enterprise users. Note that L2TP provides no encryption of its own; it is almost always paired with IPSec (L2TP\/IPSec), which supplies confidentiality and integrity.<\/p>\n<p><strong>IPSec<\/strong> (Internet Protocol Security) is a collection of protocols, standards and recommendations, purpose-made for various types of secure connections. 
The first work on IPSec dates back to the early 90s, but the suite was designed to be revised as cryptography and technology move on, so it is not a static specification.<\/p>\n<p>It was clearly developed with enterprises and network operators in mind. IPSec comprises more than a dozen standards (each with several implementations) that secure traffic at the IP layer, so every application above it is protected without modification. It is sound in architecture, in the strength of its encryption algorithms, and in capabilities.<\/p>\n<p>IPSec has its downsides too. First, it is not easy for an average PC user to configure, and the choice of key-exchange group, ciphers and authentication method is left to the administrator, so a misconfigured deployment can offer far less protection than the specification allows. Also, as noted above, it is used in a bundle with several other protocols.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Security concerns arise as subways get wi-fi. <a href=\"http:\/\/t.co\/sEcNTlSqwX\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/sEcNTlSqwX<\/a> Surf safe, but also consider using a <a href=\"https:\/\/twitter.com\/hashtag\/VPN?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#VPN<\/a> <a href=\"http:\/\/t.co\/BR1cYmrIjl\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/BR1cYmrIjl<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/334428011266985986?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 14, 2013<\/a><\/p><\/blockquote>\n<p>Second, it is demanding in terms of computing power. 
This is partly offset by hardware acceleration of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Advanced_Encryption_Standard\" target=\"_blank\" rel=\"noopener nofollow\">AES encryption algorithm<\/a> (which current IPSec implementations offer, among other algorithms). Such acceleration, Intel\u2019s AES-NI instructions for example, is built into current <a href=\"http:\/\/www.intel.com\/content\/www\/us\/en\/intelligent-systems\/wireless-infrastructure\/aes-ipsec-performance-linux-paper.html\" target=\"_blank\" rel=\"noopener nofollow\">processors<\/a> for both mobile and desktop devices, as well as into Wi-Fi routers and similar gear.<\/p>\n<p>Unfortunately, protocols designed by cryptographers are deployed by engineers who do not always follow the cryptographers\u2019 advice on parameter sizes. <a href=\"https:\/\/weakdh.org\/imperfect-forward-secrecy-ccs15.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Research<\/a> published in <a href=\"https:\/\/threatpost.com\/fewer-ipsec-vpn-connections-at-risk-from-weak-diffie-hellman\/115189\/\" target=\"_blank\" rel=\"noopener nofollow\">October 2015<\/a> (the \u2018Logjam\u2019 paper on weak Diffie-Hellman) estimates that a one-time precomputation against the single most common 1024-bit Diffie-Hellman group would let a passive eavesdropper decrypt up to 66% of IPSec VPN connections. That precomputation is beyond a private attacker, but within the budget of an agency such as the NSA, which very likely has the hardware to carry it out.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/ICYMI?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ICYMI<\/a> Prime Diffie-Hellman Weakness May Be Key to Breaking Crypto: <a href=\"https:\/\/t.co\/uI1hDBqsvz\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/uI1hDBqsvz<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/sLynrjtcu7\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/sLynrjtcu7<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/656143168929439748?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 19, 2015<\/a><\/p><\/blockquote>\n<p>The weak point is the key exchange that sets up the secure connection: Diffie-Hellman with groups that are too small (512-bit \u2018export\u2019 groups, or the 1024-bit group that most IKE implementations offered by default) and that are shared by millions of servers, so one precomputation against a group pays off against every connection that uses it. This applies not only to IPSec but also to TLS (which we discuss below) and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Secure_Shell\" target=\"_blank\" rel=\"noopener nofollow\">SSH<\/a>, as well as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Tor_(anonymity_network)\" target=\"_blank\" rel=\"noopener nofollow\">Tor<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Off-the-Record_Messaging\" target=\"_blank\" rel=\"noopener nofollow\">OTR<\/a>. In other words, not only VPN connections but also secure connections to websites, mail servers, messengers and the like could be compromised.<\/p>\n<p>Such an attack needs a long lead time and serious computing resources, but for the 512-bit export groups the researchers did the precomputation on Amazon\u2019s ordinary cloud infrastructure and, evidently, spent a sum that a private actor can afford.<\/p>\n<p>With such resources at hand, the time needed ranges from about a minute per connection once the precomputation is done to weeks for the precomputation itself. At the same time, some experts were skeptical of this proof of concept, arguing that the number of vulnerable systems in real deployments is much lower, since accepting a weak group when a scanner offers it is not the same as using it by default. 
Either way, the research deserves to be taken seriously; developers of the affected software have prepared or already shipped updates that move to larger Diffie-Hellman groups and have alerted their users.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Fewer IPsec VPN Connections at Risk from Weak Diffie-Hellman: <a href=\"https:\/\/t.co\/IMzm0qRYsj\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/IMzm0qRYsj<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/659474142413111296?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 28, 2015<\/a><\/p><\/blockquote>\n<p><strong>SSL (Secure Sockets Layer)<\/strong> and <strong>TLS (Transport Layer Security)<\/strong> VPNs, as their names suggest, are solutions built on the SSL and TLS protocols, sometimes complemented by other means of protection. Everyone has come across SSL\/TLS when browsing; this very website uses it: the \u2018https\u2019 prefix and the padlock in the address bar confirm that the connection is protected by these protocols.<\/p>\n<p>The first implementations of the protocol date back to the 1990s, yet the technology gained traction only in the 2000s. Its wide use allowed it to be studied thoroughly, which turned up a number of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security#Attacks_against_TLS.2FSSL\" target=\"_blank\" rel=\"noopener nofollow\">vulnerabilities<\/a>, both in the protocol design itself and in individual implementations. 
SSL 3.0 was formally <a href=\"https:\/\/threatpost.com\/ietf-officially-deprecates-sslv3\/113503\/\" target=\"_blank\" rel=\"noopener nofollow\">deprecated<\/a> in June 2015; the current version is TLS 1.2, yet even it is not secure by itself: much depends on configuration (as with IPSec), namely which cipher suites, key-exchange groups and minimum protocol version the two endpoints accept. Besides, both protocols carry the burden of backward compatibility, and downgrade attacks exploit exactly that.<\/p>\n<p>A definite advantage of this type of VPN is the prevalence of SSL\/TLS on the Internet: the tunnel can run over the same port as ordinary HTTPS (TCP 443), so most public networks let it pass freely. The drawbacks are lower performance, harder configuration, and the need for additional client software on most platforms.<\/p>\n<p>Among the most popular SSL\/TLS VPN implementations are <strong>OpenVPN<\/strong> (its TLS control channel comes from OpenSSL or a similar library, so the accepted protocol versions, TLS 1.2 on current builds, depend on that library and on the configuration) and Microsoft\u2019s <strong>SSTP<\/strong> (PPP carried over TLS on TCP 443). SSTP is built into Windows. OpenVPN, thanks to its open nature, has implementations for most platforms and is widely considered the most reliable VPN implementation to date.<\/p>\n<h3>Conclusion<\/h3>\n<p>We have reviewed the most popular VPN implementations known to date. But the technology has gone through a huge number of iterations over the years; think of all the solutions developed for the enterprise and telecommunications sectors!<\/p>\n<p>As for average users, I would recommend sticking to OpenVPN for its open nature, reliability and security. However, this and other VPN implementations have a number of tricky technical and legal peculiarities that I am going to cover in a later installment in this series.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have previously discussed what VPN is. 
Now let&#8217;s review its implementations and their advantages and drawbacks.<\/p>\n","protected":false},"author":637,"featured_media":11533,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1788,1789,9],"tags":[261,1479,1481,1478,1480,43,97,131,1482,709],"class_list":{"0":"post-11531","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-privacy","9":"category-technology","10":"category-tips","11":"tag-encryption","12":"tag-ipsec","13":"tag-l2tp","14":"tag-openvpn","15":"tag-pptp","16":"tag-privacy","17":"tag-security-2","18":"tag-tips","19":"tag-virtual-networks","20":"tag-vpn"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vpn-implementations\/11531\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/vpn-implementations\/6839\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vpn-implementations\/6892\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vpn-implementations\/6825\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vpn-implementations\/7927\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/vpn-implementations\/7691\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/vpn-implementations\/6135\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/vpn-implementations\/7207\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/vpn-implementations\/10689\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vpn-implementations\/11156\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vpn-implementations\/11531\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vpn-implementations\/11531\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/tips\/","name":"tips"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/637"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11531"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11531\/revisions"}],"predecessor-version":[{"id":18660,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11531\/revisions\/18660"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11533"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
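The post's IPSec section (weak Diffie-Hellman groups) and its SSL/TLS section (security that depends on configuration) both come down to settings a practitioner can inspect before trusting a VPN. The linter below is an added example that is not part of the original post and is not code from the strongSwan, Libreswan or OpenVPN projects: it parses a strongSwan-style ipsec.conf and an OpenVPN client profile and flags the weak choices the post discusses, namely a 1024-bit MODP group in an ike= proposal, a missing or 64-bit-block data cipher, no TLS version floor, no control-channel authentication, and a missing remote-cert-tls check. The sample configurations are constructed for the example, and the thresholds (2048-bit DH, TLS 1.2) are an assumed policy rather than a published standard.

```python
"""Linter for the two settings the post says decide VPN strength: the Diffie-Hellman group of
an IKE (IPSec) proposal and the cipher / TLS floor of an OpenVPN profile. Added example, not
code from the post or from strongSwan/OpenVPN; samples below are constructed, thresholds assumed."""
import re

MIN_DH_BITS = 2048   # assumed policy: retire the 1024-bit MODP groups targeted by Logjam
MIN_TLS = (1, 2)     # assumed policy: refuse TLS 1.0 and 1.1
# null or 64-bit-block ciphers by their OpenSSL names, lower-cased for comparison
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}


def parse_openvpn(text: str) -> dict[str, list[str]]:
    """'directive arg ...' lines -> {directive: [args]}; inline <tag> PEM blocks are noted, not parsed."""
    conf: dict[str, list[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            conf[line.strip("<>").lower()] = ["<inline>"]
            in_block = True
        elif not in_block:
            name, *args = line.split()
            conf[name.lower()] = args
    return conf


def lint_openvpn(text: str) -> list[str]:
    """Findings for an OpenVPN client profile; an empty list means nothing was flagged."""
    conf = parse_openvpn(text)
    findings = []
    cipher = conf.get("cipher", ["BF-CBC"])[0].lower()   # OpenVPN before 2.4 defaults to Blowfish-CBC
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher '{cipher}' is weak or unset; use an AEAD such as AES-256-GCM")
    tls_min = conf.get("tls-version-min", ["1.0"])[0]    # assumed: TLS 1.0 floor when the directive is absent
    if tuple(int(p) for p in tls_min.split(".")) < MIN_TLS:
        findings.append(f"tls-version-min {tls_min} allows a downgrade below TLS 1.2")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("control channel is unauthenticated; add tls-crypt (or tls-auth)")
    if "client" in conf and conf.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server is missing; any client cert from the CA could pose as the server")
    return findings


def parse_ipsec_conf(text: str) -> dict[str, dict[str, str]]:
    """'conn <name>' sections of a strongSwan/Libreswan ipsec.conf -> {name: {key: value}}."""
    conns: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section headers sit at column 0
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip().lower()] = value.strip()
    return conns


def lint_ipsec_conn(conn: dict[str, str]) -> list[str]:
    """Flag IKE proposals whose Diffie-Hellman group is below MIN_DH_BITS or left unspecified."""
    proposal = conn.get("ike")
    if proposal is None:
        return ["no explicit ike= proposal; the daemon default picks the DH group, verify it"]
    findings = []
    for alg in proposal.rstrip("!").split(","):
        modp = [int(b) for b in re.findall(r"modp(\d+)", alg)]
        if not modp and not re.search(r"ecp\d+|curve25519|x25519", alg):
            findings.append(f"proposal '{alg}' names no DH group; the daemon default applies")
        findings += [f"proposal '{alg}' allows {b}-bit MODP DH, below {MIN_DH_BITS}" for b in modp if b < MIN_DH_BITS]
    return findings


# Constructed samples: a legacy OpenVPN profile, its hardened counterpart, and two IKE proposals.
LEGACY_OVPN = """client
remote vpn.example.com 1194
cipher BF-CBC
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
</tls-auth>
"""
HARDENED_OVPN = """client
remote-cert-tls server
cipher AES-256-GCM
tls-version-min 1.2
tls-crypt ta.key
"""
SAMPLE_IPSEC_CONF = """conn office-vpn
    ike=aes256-sha1-modp1024!
conn office-vpn-fixed
    ike=aes256gcm16-sha384-ecp384,aes256-sha256-modp3072!
"""

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_OVPN), ("hardened", HARDENED_OVPN)):
        print(label, lint_openvpn(text) or ["ok"])
    for name, conn in parse_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        print(name, lint_ipsec_conn(conn) or ["ok"])
```

Run it directly and the legacy profile and the modp1024 proposal are flagged while their hardened counterparts pass; the functions can also be imported and pointed at real files. The remote-cert-tls check matters because, without it, an OpenVPN client accepts any certificate signed by the CA, including another client's, as the server.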