“iOS 10 no longer supports the PPTP VPN protocol. If you have deployed any custom profiles in Intune that use the PPTP protocol, iOS 10 will remove the PPTP connections from any VPN profiles when a user upgrades their device. Intune supports alternatives to PPTP from the IT Admin console.”Apple has always been taken the security a top priority, which could be seen by the recent question and answers session attended by the company’s CEO, Tim Cook. There, he described encryption as "one of the things that make the public safe.” He further said:
"We feel we have a responsibility to protect our customers." "We believe the only way to protect both your privacy and safety from a cyber attack is to encrypt. We throw all of ourselves into this and are very much standing on principle in this."While departing from a PPTP connection may seem a frustration for some and a cumbersome process for organizations to update their protocols, it is also a step forward to ensure the security of those who are using VPNs for Mac and iOS devices.
Understanding the said protocolsL2TP/IPsec L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used in VPN connection. It does not have its own encryption algorithm but relies on the encryption suite of IPsec, which authenticates and encrypts each IP packet of a communication taking place. This protocol offers a balance of speed and security as compared to PPTP. However, L2TP is not compatible with NAT, port-forwarding becomes a necessity in some cases, and if the IP of the IPsec server changes, all clients needs to be informed of the change. IKEv2/IPsec (VPN Reconnect) IKEv2 (Internet Key Exchange version 2) is a tunneling protocol that uses IPsec encryption protocol over UDP port 500. Jointly developed by Microsoft and Cisco, also dubbed as “VPN reconnect,” IKEv2 provides resilience to the VPN connection. When the VPN client moves from one wireless hotspot to other, it automatically disconnects all internet activities when a VPN connection is lost and re-establishes the connection upon successful connectivity. Mobile users specifically can benefit from such a protocol. However, it is not supported on many platforms as it is fairly new to VPN services. In many cases, they just offer a “kill switch option” as a feature in their VPN client. Cisco IPsec Cisco IPsec is a tunneling protocol typically used in the network infrastructure of organizations to secure the communications between Cisco routers and VPN clients. Cisco IPsec applies without affecting the individual workstations, which typically occurs in IPsec. The benefits of Cisco IPsec technology over typical IPsec protocol is that it applies to all the traffic cross the perimeter of the company’s network. There is no need to change the software on the server system. It supports remote access of offsite workers. SSL VPN SSL (Secure Socket Layer) VPN works similar to traditional VPN. The SSL VPN technology has grown in popularity as compared to its counterpart IPsec and allows users to connect remotely to their organizations, obtaining access to the restricted network. It adds advanced encryption technology of SSL and transmits data through an encrypted tunnel to a VPN concentrator, which gives the appearance of a user as that of the local network regardless of the actual location of the user.
Choosing Between Tunneling ProtocolsWhen choosing between L2TP, Cisco IPsec, SSL VPN, and IKEv2/IPsec VPN solutions, consider the following:
- PPTP, unlike other protocols, does not require PKI (Public Key Infrastructure). PPTP VPN provides data confidentiality (captured packets cannot be decoded without encryption key). However, PPTP VPN does not offer data integrity (data was not modified in transit) or data origin authentication (data sent by authorized user).
- L2TP supports either preshared key or computer certificates as the authentication method for IPSec encryption protocol. Computer Certificate Authentication is the recommended method, which requires the PKI to issue computer certificates at each communication step between VPN server and VPN client. L2TP offers data confidentiality, data authentication, and data integrity. Unlike other protocols, L2TP facilitates machine authentication at IPsec layer and authentication at user level at PPP layer.
- Cisco IPsec is suitable for organizations to secure network infrastructure.
- IKEv2 support is limited to systems running Windows 7 and Windows Server 2008 R2. IKEv2 supports latest IPsec encryption ciphers. It supports mobility (MOBIKE), which handles the VPN connectivity issues, and it is a good choice for users. It provides data integrity, confidentiality, and authentication.
- SSL VPN supports the latest technology of SSL as compared to its counterpart IPsec. It is widely used in OpenVPN client. OpenVPN is an open-source software application that applies VPN techniques to create secure connections. It utilizes TLS/SSL for key exchange. It is NAT- and firewall-friendly. Though it offers strong security but it slows down the speed as compared to its counterparts.