VPN solutions for a secure data communication

  • OpenVPN and IPsec enable the data transfer of telecontrol protocols via secure communication lines, so-called VPN tunnels. Even if the public network is used for the data transfer, the methods ensure the confidentiality, integrity and authenticity of the data and prevent data access by unauthorized participants. The two key aspects are a secure encryption of the user data using approved cryptographic encryption algorithms and the reliable identification of the communication partner.

    IPsec is a standardized add-on of the internet protocol and thus an integral part of the operating system.
    OpenVPN, however, is an open source VPN implementation. The OpenVPN application runs independently of the operating system and works between the transport and application layer.
    Both approaches have their advantages and disadvantages.

    IPsec

    IPsec currently provides maximum safety, but requires an increased configuration effort and offers a low bandwidth for user data. Security experts criticize above all the high complexity and thus the error rate. The penetration rate of well-known producers and the definition by standards are beneficial.

    Open VPN

    OpenVPN is a relatively new VPN solution which is becoming increasingly accepted because of the high flexibility, simple configuration and the use of established security protocols (e.g. TLS).

    IPsec and OpenVPN provide different mechanisms for authentication.
    ipConv supports the following authentication mechanisms:

    „pre shared key“:
    With this method, the key to be used is pre-installed on all participants. So that all participants have an identical secret which they use to encrypt the user data or to generate other cryptographic data. With a small number of participants this method is simple to configure. However, it scales badly and offers no functionality for key management.

    Digital certificates
    Digital certificates are digital data records with identity information (person or object), that can be checked for integrity and authenticity with cryptographic techniques. A public and a private key are created for each participant. The public key is embedded into the digital certificate and is thus bound to certificate information. Only the X.509 certificates are supported. A PKI environment is required to use digital certificates, i.e., an increased configuration effort on the one hand, but on the other hand it enables a better scalability, a key management and a clear identification of the participants.

    Precondition:
    The remote station must offer a VPN connection with IPsec or OpenVPN and needs to support the requested VPN configuration.

    When using digital certificates, an X.509 certificate with its related private key as well as the X.509 certificates of the root respectively the intermediate certification authorities of the PKI environment are required for each VPN endpoint. These PKI data should be loaded on to the system before VPN configuration is done.