Comparing PPTP, L2TP, SSTP, and OpenVPN
Advantages and Disadvantages of PPTP, L2TP, SSTP, and OpenVPN
PPTP vs L2TP vs SSTP vs SSL/OpenVPN
If you've done some reading about VPN, you probably already know that it stands for Virtual Private Network and that it's a popular way for businesses to provide a secure way for employees to remote into their servers. But did you know that there are different protocols available for VPN? These protocols are commonly referred to as PPTP, L2TP, SSTP and SSL/OpenVPN. Each operates by its own set of rules and each has its own unique advantages and disadvantages.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is one of the most commonly used forms of VPN because it is easy to set up and maintain. It encrypts data using a 128-bit key. Because of this, it is considered one of the weaker forms of VPN and is mostly used for personal tunneling purposes like sharing pictures. More recent versions of PPTP also use EAP authentication, an authentication protocol designed for use with wireless and point-to-point connections. EAP is designed to recognize most authentication methods. Positives include the fact that it uses TCP, which allows for retransmission of lost data.
PPTP was developed by Microsoft along with a few other companies and is natively supported by Windows. Firewalls like ISA Server, Cisco PIX and SonicWall recognize it. The biggest disadvantages include the fact that it is one of the least encrypted forms of VPN, that data encryption starts only after the computers have gone through the authentication process and made the point-to-point connection, and that it requires only user-level authentication.
L2TP
Layer 2 Tunneling Protocol (L2TP) derives its name from the fact that it makes use of Layer 2 of the OSI networking model and was the result of a joint effort between Cisco and Microsoft to provide a more secure tunneling protocol. It works with the IPSec model to provide 168-bit encryption and requires two levels of authentication, making it a little more powerful on the encryption side than PPTP. L2TP prevents data from being altered while traveling between the sender and receiver and also requires either a shared key or a digital certificate before transmitting data. One of its biggest advantages is that it also encrypts the authentication process, making it more difficult for someone trying to "listen in" on your transmission to intercept and crack the data.
If you notice that your L2TP connections are down, one common cause might be your security certificate infrastructure. L2TP connections also make use of pre-shared keys, so if something changes in the key at one end of the connection, the key at the other end will no longer work. So be sure to keep track of your security certificates and make sure your keys are the same at both ends of the connection.
SSTP
Secure Socket Tunneling Protocol (SSTP) works in situations where most VPN connections would be blocked. This includes countries like Belize, which forbids the use of VPN technology, and certain companies that do not use, or that block, VPN connections. It uses port 443, the same port used by Secure Socket Layer (SSL) transmissions. This combines with a special method of forming the packets to allow SSTP transmissions to pass through most proxies and firewalls. It is considered the most secure of the VPN tunneling protocols because it uses SSL, authentication certificates and 2048-bit encryption.
The major downside to SSTP is that it was created exclusively by Microsoft and only works on Windows Vista SP1 and Windows 7. Because it is proprietary, there are no known plans to make it available to users of Mac OS, Linux and older versions of Windows. Because SSTP is such a secure protocol, it is possible to become complacent when remoting into your server from a public location. It is possible for your username and password to be intercepted at places like the airport, library or university, or even at your home if you make use of an unsecured or lightly secured wireless router. Your best bet is to use VPN connections along with a common-sense approach to security.
OpenVPN
Whenever Microsoft releases any kind of proprietary, fully copyrighted software, you can almost count on lovers of Open Source software creating a free version that works about as well as, and sometimes better than, the Microsoft version without the price tag. OpenVPN also makes use of SSL technology and works on Mac OS, Windows, Linux and some IP phones. It operates on both Layer 2 and Layer 3 and has extra features that can transport Ethernet frames, IPX packets and NETBIOS functionality. It can also be set up to share port 443 with HTTPS transmissions. It can handle multiple channels over a single TCP or UDP port and can be managed through a Telnet setup. Some network administrators have been known to use OpenVPN to connect two network routers over an untrusted wireless network.
OpenVPN's biggest weakness is the amount of latency, that is, the amount of delay involved in the operation of the system. This weakness can be worked around by using more powerful and newer computers for the VPN connection, keeping your security software updated, and making use of SSL certificates and trusted certificate authorities. It also has to connect to a single TCP port on the client end.
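As an added example, not taken from the original article, here is an OpenVPN server configuration that puts the tunnel on TCP port 443 and shares that port with a local HTTPS server, as described above, while authenticating both ends with certificates issued by a trusted CA. The certificate file names, the 10.8.0.0/24 tunnel subnet, the web server listening on 127.0.0.1:8443 and the unprivileged user/group names are assumptions.

```conf
# OpenVPN server configuration (added example; paths and addresses are assumed)

# Listen on the HTTPS port so the tunnel passes the same firewalls and proxies
# that allow ordinary web browsing. port-share only works in TCP server mode.
port 443
proto tcp-server

# Layer 3 tunnel. Use "dev tap" instead when Ethernet frames must be carried.
dev tun

# Any connection to port 443 that does not speak the OpenVPN protocol
# (for example a browser's TLS ClientHello) is proxied to the real web server,
# so HTTPS and the VPN coexist on one port. The backend address is assumed.
port-share 127.0.0.1 8443

# Certificate-based authentication for both sides (assumed file names).
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem

# Authenticate and encrypt the control channel with a pre-shared key, so
# unauthenticated peers cannot even start a TLS handshake.
tls-crypt ta.key

# Only accept peer certificates that the CA issued for client use; a stolen
# server certificate cannot then be replayed as a client.
remote-cert-tls client
tls-version-min 1.2

# Data channel protection (OpenVPN 2.5+ prefers "data-ciphers").
cipher AES-256-GCM
auth SHA256

# Assumed tunnel subnet handed out to connecting clients.
server 10.8.0.0 255.255.255.0
keepalive 10 60

# Drop privileges after start-up and keep state across restarts.
persist-key
persist-tun
user nobody
group nogroup
verb 3
```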
Which VPN protocol is best?
After reading this lens, which VPN protocol would you consider using in the future?