
Alternative VPN Implementations

In addition to the standard VPN protocols, there are also custom VPN solutions. We will briefly guide you through some of the well-known open source ones, such as cIPe, OpenVPN, and VTun.


cIPe, which claims to provide nearly the same level of security as IPSec, works at the IP level and allows tunneling of the higher layer protocols (e.g., ICMP, TCP, UDP). Its operation is quite similar to PPP, except that cIPe encapsulates the transmitted IP packets within UDP datagrams. The development of cIPe focused on providing a lightweight protocol that uses the reasonably secure Blowfish and IDEA cryptographic algorithms for data encryption, but is at the same time easy to set up and manage and offers slightly better performance than IPSec. The use of a single UDP port for tunnel encapsulation lets cIPe traverse NAT devices and stateful firewalls easily, making it an ideal solution for less experienced VPN users who need a high level of interoperability. Both UNIX and Windows cIPe clients are available for free. Unfortunately, numerous flaws in the design of cIPe surfaced in 2003 and are likely to remain unfixed until a new version of the cIPe protocol is released.


OpenVPN is another open source solution similar in functionality to cIPe. The package is easy to install and configure and is known to work on most UNIX-like systems that support the TUN/TAP virtual network drivers. Because it runs in user space, no kernel-level modifications are required. OpenVPN has a strongly modular design in which all cryptographic functions are handled through the OpenSSL library, including support for the latest ciphers, such as 256-bit AES. It therefore fully supports the OpenSSL PKI for session authentication, the TLS protocol for key exchange, the cipher-independent EVP interface for data encryption, and HMACs for data authentication (revisit the applied cryptography chapters if you find this terminology confusing). As with cIPe, the use of a single UDP port for tunnel encapsulation allows easy traversal of NAT and stateful firewalls. At the time of writing, the package has not been ported to Windows.
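As an added illustration that is not part of the book, the following server and client configuration shows where each component named above surfaces in OpenVPN directives. The file names, the 10.8.0.0/24 tunnel network and vpn.example.com are placeholders, and SHA256 as the HMAC digest is an assumption.

```conf
# --- server.conf (added example, not from the book) ---
port 1194                     # the single UDP port that eases NAT/firewall traversal
proto udp
dev tun                       # TUN/TAP virtual network driver, runs in user space
# OpenSSL PKI for session authentication (placeholder file names)
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem                   # Diffie-Hellman parameters for the TLS key exchange
tls-auth ta.key 0             # extra HMAC on the TLS control channel (direction 0)
server 10.8.0.0 255.255.255.0 # placeholder tunnel network; implies tls-server
cipher AES-256-CBC            # EVP cipher for data encryption (256-bit AES)
auth SHA256                   # HMAC digest for data authentication (assumed choice)
user nobody                   # drop privileges once the tunnel is up
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3

# --- client.conf (added example, not from the book) ---
client
proto udp
dev tun
remote vpn.example.com 1194   # placeholder server name and the same UDP port
nobind
ca   ca.crt
cert client.crt
key  client.key
remote-cert-tls server        # require the peer certificate to carry the server role
tls-auth ta.key 1             # direction 1 on the client side
cipher AES-256-CBC            # must match the server's data-channel cipher
auth SHA256                   # must match the server's HMAC digest
persist-key
persist-tun
verb 3
```

The cipher and auth directives must agree on both ends, otherwise the tunnel negotiates but every data packet fails its HMAC check and is silently dropped.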


VTun is another package that uses the TUN/TAP virtual network driver for IP tunneling. It supports all common Layer 3 protocols, including IPX and AppleTalk; protocols that run over serial lines, such as PPP and SLIP; and any program that can communicate over UNIX pipes. Its built-in traffic shaper, which lets you limit the inbound and outbound speed of the tunnels, sets this solution apart from the rest. In terms of data confidentiality, VTun does not claim to be the most secure; instead it focuses on speed, stability, and usability. Nevertheless, it supports 128-bit Blowfish for data encryption and MD5 for 128-bit hash generation. There is no Windows version available, so you are generally limited to UNIX-like platforms that support the TUN/TAP driver.
