Microsoft develops new tunneling protocol

March 8, 2008 – 6:43 PM

Microsoft is working on a new tunneling protocol for Vista and Longhorn that will provide secure network access from anywhere on the Net.

The Secure Socket Tunneling Protocol (SSTP) creates a VPN tunnel that travels over Secure-HTTP, eliminating issues associated VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) that can be blocked by some Web proxies, firewalls and Network Address Translation (NAT) routers that sit between clients and servers.

The protocol, however, is only for remote access and will not support site-to-site VPN tunnels.

Microsoft hopes SSTP will help reduced help desk support calls associated with IPSec VPNs when those connections get blocked by firewalls or routers. The protocol will also use the same controls as previously so retraining shouldn’t be needed. The SSTP-based VPN tunnel plugs directly into current interfaces for Microsoft VPN client and server software.

Microsoft plans to ship SSTP support in Vista Service Pack 1 and in Longhorn Server. The ship date for Vista SP1 has not been set, but Longhorn is expected to ship in the second half of this year. SSTP will be included in Longhorn Server Beta 3, which will available in the first half of this year.

Despite incorporating the SSL 3.0 and HTTP 1.1 with 64 -it content length encoding standards, Microsoft does not plan to seek standardisation of SSTP, according to officials. Because SSTP is only a tunneling protocol it cannot be directly compared to SSL VPNs, the company said.

“However, since SSTP provides full-network VPN access over SSL, RRAS can provide customers with a baseline SSL VPN solution or be a building block in a more comprehensive SSL VPN solution by providing a generic SSL tunnel,” said Samir Jain, lead program manager for RRAS at Microsoft. “SSTP also provides support in the server to block specific IPs and subnets.”

On his blog , Jain has provided a step-by-step description of how SSTP works , and how to configure it on the client side. In general, he says SSTP creates a thin layer to “allow Point-to-Point Protocol (PPP) traffic, which is datagram oriented to be encapsulated over an SSL session, which is stream oriented — hence giving firewall traversal. The encryption is done over SSL and user authentication is done using PPP.”

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=7814