Types of VPNs used for vmForge VDC
If you have the customer-managed vmForge firewall option, with a FortiGate firewall in front of your VDC, there are several types of VPN you can use to connect securely over an encrypted tunnel back into your VDC.
What is a VPN?
A VPN (Virtual Private Network) creates a secure connection between two networks (site-to-site, or LAN-to-LAN) or between a single computer and a network (a node-based or remote-access VPN). Traffic is encrypted between the two tunnel endpoints (the client or local gateway and the firewall in front of the VDC), not necessarily all the way to the destination server, and is routed through that tunnel into the remote network. Separate firewall policies are normally applied to the VPN connection, letting in services that you would never expose through the primary internet-facing connection (e.g. MS-SQL server administrative access, FTP services, etc.).
IPSec vs. PPTP vs. L2TP over IPSec vs. SSL/VPN vs. many others
IPSec
IPSec is the basis of many modern secure VPNs. It is the most complex and feature-rich of the choices, and it usually requires dedicated client software on the remote workstation. That client can come from the firewall vendor (either purchased or bundled) or from third-party commercial and free software. Popular commercial clients are VPN Tracker for the Mac and TheGreenBow for Windows; free clients include IPSecuritas for the Mac and Shrew Soft for Windows. The other option is a site-to-site tunnel from your local firewall to your VDC network, which assumes you already have a site firewall that supports site-to-site IPSec VPNs.
With an IPSec tunnel, the client software can be set up to connect automatically as needed, or you can bring the tunnel up on demand with whatever controls the software gives you.
Otherwise, it sits in the background without you having to interact with it.
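The two points above, the separate policies on the VPN connection and the IPSec tunnel on the firewall, are easier to see in a concrete configuration. The following is an added example, not code from the original post or from vmForge: a small Python audit of a constructed FortiOS-style configuration containing a dialup IPSec phase1 tunnel and the firewall policies behind it. It checks that services such as RDP and MS-SQL are only allowed by policies whose source is the tunnel interface, never by a policy sourced from the internet-facing interface, and it flags IPSec proposals that still use legacy algorithms. The tunnel name, interface names, address objects and policy names are assumptions; the config is a simplified constructed sample that is only parsed here, never pushed to a device.

```python
import shlex
from collections import defaultdict

# Constructed FortiOS CLI-style sample; every name is hypothetical. A dialup
# IPsec tunnel "dialup-ipsec" terminates on wan1 and the VDC servers sit behind
# port2. Policy 3 is the misconfiguration the audit is meant to catch.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "dialup-ipsec"
        set type dynamic
        set interface "wan1"
        set proposal aes256-sha256
        set xauthtype auto
        set authusrgrp "vpn-users"
        set psksecret ENC REDACTED
    next
end
config firewall policy
    edit 1
        set name "vpn-to-vdc"
        set srcintf "dialup-ipsec"
        set dstintf "port2"
        set dstaddr "vdc-servers"
        set action accept
        set service "RDP" "MS SQL"
    next
    edit 2
        set name "public-web"
        set srcintf "wan1"
        set dstintf "port2"
        set dstaddr "vip-web"
        set action accept
        set service "HTTPS"
    next
    edit 3
        set name "legacy-dba-access"
        set srcintf "wan1"
        set dstintf "port2"
        set dstaddr "vip-sql"
        set action accept
        set service "MS SQL"
    next
end
"""

# Services that should only ever come in over the tunnel (FortiGate predefined
# service names; a policy allowing "ALL" is treated as allowing all of them).
ADMIN_ONLY_SERVICES = {"RDP", "MS SQL", "FTP", "SSH"}
# Legacy cipher/hash tokens that should not appear in a proposal.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "null"}


def parse_fortios(text):
    """Parse flat 'config ... / edit X / set k v ... / next / end' blocks into
    {section: {entry: {key: [values]}}}; shlex keeps "MS SQL" as one value."""
    sections = defaultdict(dict)
    section = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section = " ".join(args)
        elif cmd == "edit":
            entry = args[0]
            sections[section][entry] = {}
        elif cmd == "set" and entry is not None:
            sections[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return sections


def exposed_admin_services(cfg, wan_if="wan1", admin=ADMIN_ONLY_SERVICES):
    """Return {policy name: [services]} for accept policies that let admin-only
    services in straight from the internet-facing interface."""
    findings = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action", [""])[0] != "accept":
            continue
        if wan_if not in pol.get("srcintf", []):
            continue
        hit = sorted(s for s in pol.get("service", []) if s in admin or s == "ALL")
        if hit:
            findings[pol.get("name", [pid])[0]] = hit
    return findings


def weak_proposals(cfg):
    """Flag phase1/phase2 proposals ('aes256-sha256', '3des-md5', ...) that
    still use a legacy cipher or hash."""
    weak = []
    for section in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, entry in cfg.get(section, {}).items():
            for prop in entry.get("proposal", []):
                if WEAK_TOKENS & set(prop.split("-")):
                    weak.append((name, prop))
    return weak
```

Running `exposed_admin_services(parse_fortios(SAMPLE_CONFIG))` reports only the "legacy-dba-access" policy, because it lets "MS SQL" in from wan1 while the same service is correctly confined to the "vpn-to-vdc" policy sourced from the tunnel interface. The parser deliberately ignores nested config blocks; a real FortiGate export has them, so treat this as the skeleton of a check rather than a full config parser.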
PPTP
PPTP is a remote-access VPN protocol originally developed by US Robotics (USR) and a vendor consortium, and then expanded on by Microsoft. It has well-documented security problems: the LANMAN password hash used by the older MS-CHAP authentication is weak (it is built from two independent 7-character halves of an upper-cased password), the MPPE encryption keys are derived directly from that password hash, so the strength of the encryption is bounded by the password, and the MPPE cipher implementation itself had documented weaknesses. Schneier and Mudge's published cryptanalysis of PPTP and MS-CHAP covers the problems in detail; treat PPTP as legacy.
L2TP over IPSec
L2TP merges two earlier tunnelling technologies (Microsoft's PPTP and Cisco's L2F) into a solution that has replaced PPTP. L2TP itself carries no encryption, which is why it is always run over IPSec. Client software is built into Windows (XP and up) and Mac OS X (10.3 and up), which makes it simple to choose, although the actual setup can get a little complex. Troubleshooting this solution can be difficult, as the Windows client gives basically one error code for any problem.
At the client end this behaves like a dial-up on demand connection: each time you want to connect, you have to initiate the VPN tunnel yourself and confirm it is up before doing anything across it.
SSL/VPN
SSL/VPN is a VPN solution running over SSL/TLS-encrypted HTTP traffic. I think the perceived acceptance of this solution is that it is easy because it is just SSL and it is just HTTP. The reality is that it depends a lot on what you want to do and what software is installed on the client (e.g. Java may be required, which not many people install by default any longer), and it operates in three different modes.
The first mode is web mode: you connect to the VPN gateway, which acts as a web proxy into the internal network (e.g. so you can reach an internal web site). Depending on software version, telnet and SSH proxies may be available as well. That is all this mode allows, though.
The second mode is a Java applet downloaded from the gateway that gives you port forwarding through the VPN tunnel. This is more like a traditional VPN: you can reach restricted services such as MS-SQL server that you wouldn't expose publicly.
The third mode is tunnel mode via dedicated client software installed on the workstation (this part is very vendor-specific), which gives the workstation a full tunnel much like a regular IPSec client, so remote protocols such as RDP and MS-SQL run over the encrypted VPN tunnel.
Other solutions exist, such as OpenVPN, SSH port forwarding, Openswan (an open-source IPSec implementation), etc.
Our firewalls only support the methods described above, not these alternatives, although that doesn't mean you can't deploy a firewall gateway virtual machine running your favourite software inside your VDC as well (I'm sure I'll be doing a blog post about this kind of setup later).
Overall, the IPSec VPN is the most secure and the easiest to use day to day, but it is the hardest to set up and requires client software to be installed. L2TP over IPSec is popular because the client software is already installed and easy enough to use.
Either solution works well; I'll be going into more detail on setting up each of them in further blog posts.