A virtual private network (VPN) allows a connection to a private network over a public network. VPNs provide remote access to an internal network for mobile users. Firewall ACLs include rules to allow VPN traffic based on the tunneling protocol. If you’re planning to take the Security+ exam, you should have a basic understanding of implementing common protocols and services.
For example, can you answer this question?
Q. A network administrator needs to open a port on a firewall to support a VPN using PPTP. What ports should the administrator open?
A. UDP 47
B. TCP 50
C. TCP 1723
D. UDP 1721
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Virtual Private Network Over Open Wireless
Public wireless hot spots typically have little or no security. Their goal is to provide users with free wireless access and often include a warning indicating that the network doesn’t have any security. Attackers with wireless sniffers can typically capture any traffic sent over the network.
The best protection for users, especially when entering confidential data, such as usernames and passwords, is to ensure data is encrypted. One method is to ensure that connections are using Hypertext Transfer Protocol Secure (HTTPS) connections.
Another method is to use a VPN service that provides secure VPN connections over open wireless connections. For example, Private Internet Access and TunnelBear are two applications that provide this service, and applications are available for most platforms, including smartphones.
Using TLS and SSL
Some tunneling protocols use either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to secure the VPN channel. As an example, Secure Socket Tunneling Protocol (SSTP) encrypts VPN traffic using SSL over port 443. Using port 443 provides a lot of flexibility for many administrators and rarely requires opening additional firewall ports. It is a useful alternative when the VPN tunnel must go through a device using NAT, and IPsec is not feasible. OpenVPN and OpenConnect are two open source applications that can use TLS to create a secure channel.
Using PPTP
Many Microsoft implementations used Point-to-Point Tunneling Protocol (PPTP) for VPNs. PPTP uses Microsoft’s Point-to-Point Encryption to create the secure channel, but PPTP is rarely used today because of known vulnerabilities. PPTP uses TCP port 1723.
Remember this
L2TP is a VPN tunneling protocol and it is commonly combined with IPsec (as L2TP/IPsec). L2TP uses UDP port 1701. PPTP uses TCP port 1723.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Site-to-Site VPNs
A site-to-site VPN includes two VPN servers that act as gateways for two networks separated geographically. For example, an organization can have two locations. One is its headquarters and the other is a remote office. It can use two VPN servers to act as gateways to connect the networks at the two locations together.
A benefit of the site-to-site model is that it connects both networks without requiring additional steps on the part of the user. Users in the remote office can connect to servers in the headquarters location as easily as if the servers were in the remote office. Connecting to the remote server may be slower than connecting to a local server, but otherwise it’s transparent to end users.
In contrast, in a host-to-gateway model, the end user makes the direct connection to the VPN server and is very much aware of the process.
Q. A network administrator needs to open a port on a firewall to support a VPN using PPTP. What ports should the administrator open?
A. UDP 47
B. TCP 50
C. TCP 1723
D. UDP 1721
Answer is C. A virtual private network (VPN) using Point-to-Point Tunneling Protocol (PPTP) requires Transmission Control Protocol (TCP) port 1723 open.
It would also need protocol ID 47 open, but the protocol ID is not a port.
Internet Protocol security (IPsec) uses protocol ID 50.
You might also like to view the Implementing VPNs blog post.
