Encryption Protocols in Microsoft Windows

Windows includes support for several protocols to provide the infrastructure for encrypted communication. Since encryption can be invoked at several different levels, Windows includes a rich set of protocols to support various encryption needs.

Transport Layer Security

One of the most common types of encrypted communication is Transport Layer Security (TLS). TLS was formerly called Secure Sockets Layer (SSL). It was originally introduced to secure web application communication. TLS provides the secure channel for the Hypertext Transfer Protocol Secure (HTTPS) protocol used for secure web pages. TLS creates an encrypted tunnel between a web client, most commonly a web browser, and a web server. All data sent back and forth between the server and the client are encrypted. The client and server negotiate a cipher suite and then exchange a key using public key cryptography. Once the key has been securely exchanged, both sides use that symmetric key for subsequent communication. FIGURE 4-12 shows a secure connection between a web client and a web server.

A representation of a secure web application connection established between a client and a server is shown.

FIGURE 4-12
Secure web application connection.

© Jones & Bartlett Learning.

Although SSL/TLS was created for web application communication, it is commonly used in many applications, including Remote Desktop, database connections, and any network connections that require exchanging encrypted data.

Internet Protocol Security

Internet Protocol Security (IPSec) is another secure network protocol suite. IPSec operates at a lower level than SSL/TLS and is used to provide encryption for IPv4 traffic. IPSec can be used to encrypt traffic between two hosts (host-to-host), between two networks (network-to-network), or between a gateway and a host (network-to-host). IPSec authenticates each endpoint and then encrypts all IPv4 traffic between the endpoints. IPSec was designed to overcome the weaknesses of IPv4; it is recommended whenever IPv4 traffic needs to be secured, and it is integrated with Active Directory. Administrators can set up and manage IPSec through Local or Group Policies.
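The following is an added example, not from the textbook, showing the host-to-host case through the Windows firewall/IPsec cmdlets that back the Local and Group Policy settings mentioned above. The addresses, rule names and CA name are placeholders; the property names used in the final verification line are assumed from the cmdlet's default output.

```powershell
# Added example: require ESP (encrypted, authenticated) IPsec for all IPv4 traffic
# between this host and one peer. Run in an elevated PowerShell session.
$localHost  = '192.0.2.10'   # placeholder address (TEST-NET-1)
$remoteHost = '192.0.2.20'   # placeholder address

# Phase 1 (main mode) authentication: mutual machine certificates issued by an
# enterprise root CA. The CA subject name is a placeholder.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=Example Enterprise Root CA' -AuthorityType Root
$p1AuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Host-to-Host Cert Auth' -Proposal $p1Proposal

# Quick mode crypto: ESP with AES-256 and SHA-256 integrity. No AH-only or
# null-encryption proposals are offered, so the peer cannot negotiate cleartext.
$qmProposal  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' -Proposal $qmProposal

# The connection security rule. Require in both directions means unprotected
# IPv4 packets to or from the peer are dropped rather than passed in the clear
# (use Request during rollout if the peer is not yet configured).
New-NetIPsecRule -DisplayName 'Require ESP to peer host' `
    -LocalAddress $localHost -RemoteAddress $remoteHost `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1AuthSet.Name -QuickModeCryptoSet $qmCryptoSet.Name `
    -Profile Domain

# To deploy the same configuration through Group Policy instead of the local
# store, add -PolicyStore 'example.local\IPsec Hosts GPO' (placeholder GPO name)
# to the *Set and *Rule cmdlets above.

# Verify the rule, then confirm an SA forms once traffic flows to the peer.
Get-NetIPsecRule -DisplayName 'Require ESP to peer host' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecQuickModeSA |
    Format-List LocalEndpoint, RemoteEndpoint, EspEncryption, EspIntegrity   # assumed property names
```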

Virtual Private Network

Another type of encrypted communication is a virtual private network (VPN). This type of communication exists between a client and a server or between two servers. Once the VPN is established, all messages exchanged between the computers are encrypted. The difference between a VPN and a standard TLS connection is the number of applications each can handle. The TLS connection is generally limited to a single application, while the VPN may transport data from many different applications.

A client must initiate a VPN. During negotiation, the client and the server agree on a protocol and set up an encrypted tunnel. To local applications the tunnel looks like a regular network connection and requires no special handling on their part. Applications send unencrypted messages to one another while the VPN endpoints take care of the encryption and decryption. FIGURE 4-13 shows a VPN.

A figure depicts a Virtual Private Network (VPN). The figure shows a two-way internet communication between the clients (wired and wireless) and the hosts (host numbers 1, 2, and 3), established using a VPN tunnel.

FIGURE 4-13
Virtual private network (VPN).

© Jones & Bartlett Learning.

Several protocols are commonly used in VPNs. The most common VPN protocol pair is IPSec with the Layer 2 Tunneling Protocol (L2TP). This protocol pair, often referred to as L2TP/IPSec, provides end-to-end tunneling with optional encryption and is supported both with and without a preshared key option. Internet Key Exchange version 2 (IKEv2) is a tunneling protocol based on IPSec. Version 2 was developed by Microsoft and Cisco and is part of the Windows operating system. IKEv2 doesn't support as many platforms as other popular VPN protocols, but it is very secure and fast. The other common VPN protocol, used in legacy systems, is the Point-to-Point Tunneling Protocol (PPTP). Windows supports both L2TP/IPSec and PPTP when setting up VPNs. One drawback to both protocols is that they can have problems with firewalls and web proxies, among other things. Each of these protocols uses specific ports that must be open through network devices for the protocol to work.

Microsoft introduced a new VPN protocol for Windows Vista Service Pack 1 and Windows Server 2008: the Secure Socket Tunneling Protocol (SSTP). It establishes an encrypted tunnel over an SSL/TLS connection. The advantage of using SSL/TLS is that only port TCP/443 is required for the protocol to operate. Since this is the same default port used by secure web pages over SSL/TLS, it is commonly open through most network devices that connect to the outside world. Although SSTP provides more flexibility than the other two common protocols, it does not support site-to-site tunnels.
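As an added example (not from the textbook), the script below inventories the VPN connections configured on a Windows client, lists the firewall openings each tunnel type needs (the port and protocol numbers are the published values for PPTP, L2TP/IPSec, IKEv2 and SSTP), and flags the legacy or weak settings the two paragraphs above warn about. The connection name and server address in the final command are placeholders.

```powershell
# Added example: audit configured VPN connections against the tunnel-type and
# encryption points made above, then create an SSTP connection that needs only TCP/443.

# What must be open on intervening firewalls/proxies for each tunnel type.
$portsByTunnel = @{
    'Pptp'  = 'TCP/1723 plus GRE (IP protocol 47)'
    'L2tp'  = 'UDP/500, UDP/4500 (NAT-T) and ESP (IP protocol 50); L2TP UDP/1701 rides inside ESP'
    'Ikev2' = 'UDP/500 and UDP/4500 (NAT-T); ESP (IP protocol 50) when there is no NAT'
    'Sstp'  = 'TCP/443 only'
}

function Test-VpnConnectionHygiene {
    param([Parameter(Mandatory)] $Connection)   # one object from Get-VpnConnection
    $findings = @()
    switch ($Connection.TunnelType) {
        'Pptp'      { $findings += 'PPTP is a legacy protocol; migrate to SSTP or IKEv2.' }
        'L2tp'      { if ($Connection.L2tpIPsecAuth -eq 'Psk') {
                          $findings += 'L2TP/IPsec uses a pre-shared key; prefer machine certificates.' } }
        'Automatic' { $findings += 'Automatic tunnel type can fall back to PPTP; pin the type explicitly.' }
    }
    if ($Connection.EncryptionLevel -in @('NoEncryption', 'Optional')) {
        $findings += "Encryption level '$($Connection.EncryptionLevel)' permits cleartext; set Required or Maximum."
    }
    if ($Connection.AuthenticationMethod -contains 'Pap' -or $Connection.AuthenticationMethod -contains 'Chap') {
        $findings += 'PAP/CHAP exposes credentials; use MSChapv2, EAP or machine certificates.'
    }
    [pscustomobject]@{
        Name        = $Connection.Name
        TunnelType  = $Connection.TunnelType
        PortsNeeded = $portsByTunnel[[string]$Connection.TunnelType]
        Findings    = if ($findings) { $findings -join ' ' } else { 'OK' }
    }
}

Get-VpnConnection | ForEach-Object { Test-VpnConnectionHygiene $_ } | Format-List

# An SSTP connection: the tunnel runs inside TLS on TCP/443, so no GRE, ESP or
# UDP/500/4500 openings are needed. Name and server address are placeholders.
Add-VpnConnection -Name 'Corp-SSTP' -ServerAddress 'vpn.example.com' -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential
```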

Wireless Security

More and more devices are connected to a network using wireless connections. These connections are often temporary. They allow authorized users to connect to enterprise resources from insecure locations, such as coffee shops. Although VPNs can secure all traffic flowing between the client computer and enterprise network, all other traffic will be transmitted in the clear unless another form of encryption is employed.

It is cumbersome to enable encryption for transient public wireless networks because it makes connecting more difficult. This generally conflicts with the provider's purpose of installing a wireless access point in the first place. Despite this, you should use encryption for all wireless entry points into your network. The original wireless security protocol, Wired Equivalent Privacy (WEP), has been shown to be easily compromised. A determined attacker can recover a WEP key in just a few minutes. The successor to WEP is Wi-Fi Protected Access (WPA). The original WPA implemented only a portion of the IEEE 802.11i standard. The successor to WPA, WPA2, is a full 802.11i implementation. While the full WPA2 protocol requires an 802.1X authentication server, the pre-shared key (PSK) mode bypasses the complexity of the authentication server. Simpler WPA deployments, such as those in most homes and small businesses, use WPA-PSK or WPA2-PSK. The Wi-Fi Alliance has announced the availability of WPA3, the latest technology to secure wireless communication. WPA3 focuses on making general-use devices on wireless networks easier to secure and harder to compromise.
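As an added example (not from the textbook), this script exports the Wi-Fi profiles saved on a Windows client, without their key material, and grades each one against the WEP, WPA, WPA2 and WPA3 progression described above. The profile XML element names follow the netsh WLAN profile schema; the WPA3 values are assumed.

```powershell
# Added example: grade saved Wi-Fi profiles by authentication/encryption type.
$exportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
# Without key=clear, pre-shared keys are not written into the exported files.
netsh wlan export profile folder="$exportDir" | Out-Null

function Get-WlanProfileGrade {
    param([Parameter(Mandatory)][string]$ProfileXmlPath)
    [xml]$profile = Get-Content -Path $ProfileXmlPath -Raw
    $auth = $profile.WLANProfile.MSM.security.authEncryption.authentication
    $enc  = $profile.WLANProfile.MSM.security.authEncryption.encryption
    $grade = switch -Regex ($auth) {
        '^(open|shared)$'     { if ($enc -eq 'WEP') { 'FAIL: WEP, key recoverable in minutes' }
                                else { 'FAIL: open network, traffic sent in the clear' } }
        '^(WPA|WPAPSK)$'      { 'WEAK: original WPA (partial 802.11i)' }
        '^WPA2PSK$'           { 'OK: WPA2-PSK (full 802.11i)' }
        '^WPA2$'              { 'OK: WPA2-Enterprise (802.1X server)' }
        '^(WPA3SAE|WPA3ENT)$' { 'BEST: WPA3' }   # assumed element values for WPA3
        default               { "UNKNOWN: $auth" }
    }
    # WPA2 negotiated down to TKIP loses most of the 802.11i benefit.
    if ($enc -eq 'TKIP' -and $grade -like 'OK*') { $grade = 'WEAK: WPA2 with TKIP; require AES (CCMP)' }
    [pscustomobject]@{
        SSID           = $profile.WLANProfile.name
        Authentication = $auth
        Encryption     = $enc
        Grade          = $grade
    }
}

Get-ChildItem -Path $exportDir -Filter '*.xml' |
    ForEach-Object { Get-WlanProfileGrade -ProfileXmlPath $_.FullName } |
    Sort-Object Grade | Format-Table -AutoSize

Remove-Item -Path $exportDir -Recurse -Force
```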
