Page 894 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
CHAP)
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
Extensible Authentication Protocol (EAP)
Shiva Password Authentication Protocol (SPAP)
The initial tunnel negotiation process used by PPTP is not encrypted. Thus, the session establishment packets that include the IP address of the sender and receiver—and can include usernames and hashed passwords—could be intercepted by a third party. PPTP is used on VPNs, but it is often replaced by L2TP, which can use IPsec to provide traffic encryption for VPNs. Most modern uses of PPTP have adopted the Microsoft customized implementation, which supports data encryption using Microsoft Point-to-Point Encryption (MPPE) and various secure authentication options.

PPTP does not support TACACS+ and RADIUS.
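The unencrypted negotiation noted above, as an added example that is not from the study guide: it constructs a PPTP Start-Control-Connection-Request in the RFC 2637 layout and decodes it back from the raw TCP payload, showing that the tunnel-setup fields (host name and vendor string included) are readable without any key material, which is also the check a network monitor would use to flag PPTP setup traffic. The field layout and constants follow RFC 2637; the host and vendor values are constructed samples.

```python
import struct
from typing import Optional

# RFC 2637 control-connection constants (the PPTP control channel runs over TCP port 1723)
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1  # Start-Control-Connection-Request

# Common header: length, message type, magic cookie, control message type, reserved0
HEADER_FMT = "!HHIHH"
# SCCRQ body: protocol version, reserved1, framing caps, bearer caps,
# max channels, firmware revision, host name (64), vendor string (64)
SCCRQ_FMT = "!HHIIHH64s64s"


def build_sccrq(host_name: str, vendor: str) -> bytes:
    """Construct the first message a PPTP client sends; every field is plaintext."""
    body = struct.pack(SCCRQ_FMT, 0x0100, 0, 0x3, 0x3, 1, 0,
                       host_name.encode()[:64].ljust(64, b"\x00"),
                       vendor.encode()[:64].ljust(64, b"\x00"))
    length = struct.calcsize(HEADER_FMT) + len(body)
    header = struct.pack(HEADER_FMT, length, PPTP_MSG_TYPE_CONTROL,
                         PPTP_MAGIC_COOKIE, CTRL_SCCRQ, 0)
    return header + body


def parse_pptp_control(payload: bytes) -> Optional[dict]:
    """Decode a PPTP control message from a raw TCP payload; None if it is not one."""
    hdr_len = struct.calcsize(HEADER_FMT)
    if len(payload) < hdr_len:
        return None
    length, msg_type, magic, ctrl_type, _ = struct.unpack(HEADER_FMT, payload[:hdr_len])
    if magic != PPTP_MAGIC_COOKIE or msg_type != PPTP_MSG_TYPE_CONTROL or length > len(payload):
        return None
    info = {"length": length, "control_type": ctrl_type}
    body_len = struct.calcsize(SCCRQ_FMT)
    if ctrl_type == CTRL_SCCRQ and length >= hdr_len + body_len:
        version, _, framing, bearer, max_ch, fw, host, vend = struct.unpack(
            SCCRQ_FMT, payload[hdr_len:hdr_len + body_len])
        info.update(protocol_version=version, framing_caps=framing, bearer_caps=bearer,
                    max_channels=max_ch, firmware=fw,
                    # names are NUL-padded and readable without any key material
                    host_name=host.split(b"\x00", 1)[0].decode(errors="replace"),
                    vendor=vend.split(b"\x00", 1)[0].decode(errors="replace"))
    return info
```

Feeding the same parser the first bytes of each new TCP 1723 stream is enough to inventory which clients still negotiate PPTP rather than L2TP/IPsec.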
Layer 2 Forwarding Protocol and Layer 2 Tunneling Protocol
Cisco developed its own VPN protocol called Layer 2 Forwarding (L2F), which is a mutual authentication tunneling mechanism. However, L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP. As their names suggest, both operate at layer 2. Both can encapsulate any LAN protocol.
Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F. L2TP creates a point-to-point tunnel between communication endpoints. It lacks a built-in encryption scheme, so it typically relies on IPsec as its security mechanism. L2TP also supports TACACS+ and RADIUS.
IP Security Protocol
The most commonly used VPN protocol is now IPsec. IP Security (IPsec) is both a stand-alone VPN protocol and the security mechanism for L2TP, and it can be used only for IP traffic. IPsec