SSTP

Secure Socket Tunneling Protocol

Tunneling is a technique for connecting two sites that are geographically far apart by carrying their traffic over the Internet inside another protocol.

Tunneling comes in several forms, IPsec among them, and a VPN (Virtual Private Network) is one of the most common uses of tunneling. VPN protocols are usually compared in terms of security and speed; the main ones are:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
  • Secure Socket Tunneling Protocol (SSTP)
  • Internet Key Exchange version 2 (IKEv2)

  VPN        PPTP      L2TP      SSTP      IKEv2
  SECURITY   LOW  ------------------------>  HIGH
  SPEED      LOW  ------------------------>  HIGH



SSTP is a newer type of VPN that uses PPP (Point-to-Point Protocol) for user-level authentication and carries the tunneled data over an SSL/TLS (Secure Sockets Layer) channel, which provides encryption and integrity protection. The SSTP client is supported only from Windows Vista (SP1) onward.

To establish a connection, the server presents its certificate during the SSL/TLS handshake and the client must validate it before the tunnel is set up. Another advantage of SSTP is the port it uses: TCP port 443, the HTTPS port. This makes it a suitable kind of VPN for getting past filtering, because this port is rarely blocked: it carries ordinary HTTPS web traffic, including webmail, and closing it would break a large part of the web. VPN types such as PPTP and L2TP, by contrast, rely on protocols and ports that are easy to filter.

SSTP is a Microsoft protocol, but it is not limited to Windows: besides the client and server built into Windows, implementations exist for Unix/Linux (for example the open-source sstp-client) and for MikroTik RouterOS, so the client and the server do not both have to be Microsoft systems. Note that IKEv2 is not a Microsoft-only technology either: it is an open IETF standard (RFC 7296) with implementations on Linux, iOS, macOS and Android, so platform support is not a real differentiator between the two.

The MTU (Maximum Transmission Unit) of the SSTP tunnel interface is 1400 bytes.



        How an SSTP-based VPN connection works, in seven steps

  1. The SSTP client needs internet connectivity. Once this connectivity is verified, a TCP connection is established to the server on port 443.
  2. SSL/TLS negotiation takes place on top of the established TCP connection, during which the client validates the server certificate. If the certificate is valid, the connection proceeds; if not, the connection is torn down.
  3. The client sends an HTTPS request to the server on top of the encrypted SSL session.
  4. The client sends SSTP control packets within the HTTPS session. This establishes the SSTP state machine on both sides for control purposes, and both sides then initiate the PPP layer.
  5. PPP negotiation over SSTP-over-HTTPS takes place at both ends. The client is now required to authenticate to the server.
  6. The session binds to the IP interface on both sides and an IP address is assigned for routing traffic.
  7. Traffic can now traverse the connection, whether IP traffic or otherwise.
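As an added example (not code from the original page or from Microsoft), the Python below builds and parses the messages exchanged in steps 3 to 7: the SSTP_DUPLEX_POST request that rides on the TLS session, a Call Connect Request control packet that announces PPP as the encapsulated protocol, and a data packet carrying a PPP LCP frame. The field layout and the message, attribute and protocol codes follow Microsoft's public MS-SSTP specification as I read it and should be checked against it before being relied on; the host name, the correlation GUID and the LCP frame are constructed sample input. The parser checks every length field before trusting it, which matters because the SSTP listener sits on a port reachable from the whole internet.

```python
"""SSTP framing walkthrough: the HTTPS request of step 3, the control
packets of step 4 and the PPP-carrying data packets of steps 5-7."""
import struct

# Field layout and codes per MS-SSTP: version 1.0 = 0x10, a 4-byte
# header (version, flags, 16-bit length of which 12 bits are used).
SSTP_VERSION = 0x10
FLAG_CONTROL = 0x01                 # C bit in the second header byte
MSG_CALL_CONNECT_REQUEST = 0x0001
MSG_CALL_CONNECT_ACK = 0x0002
MSG_CALL_CONNECTED = 0x0004
ATTRIB_ENCAPSULATED_PROTOCOL_ID = 0x01
ATTRIB_CRYPTO_BINDING_REQ = 0x04
PROTOCOL_PPP = 0x0001
MAX_LEN = 0x0FFF                    # the length field is 12 bits wide


def sstp_http_request(host: str, correlation_id: str) -> bytes:
    """Step 3: the HTTP request sent inside the TLS session. The
    SSTP_DUPLEX_POST method, the /sra_{GUID}/ path and the 2^64-1
    Content-Length (an open-ended stream) come from MS-SSTP;
    correlation_id is a GUID string chosen by the caller."""
    lines = [
        "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1",
        f"Host: {host}",
        "Content-Length: 18446744073709551615",
        f"SSTPCORRELATIONID: {{{correlation_id}}}",
        "", "",
    ]
    return "\r\n".join(lines).encode()


def _header(is_control: bool, total_len: int) -> bytes:
    if total_len > MAX_LEN:
        raise ValueError("SSTP packet exceeds the 12-bit length field")
    flags = FLAG_CONTROL if is_control else 0
    return struct.pack("!BBH", SSTP_VERSION, flags, total_len)


def build_attribute(attr_id: int, value: bytes) -> bytes:
    """Attribute TLV: reserved byte, ID, 12-bit length incl. its 4-byte header."""
    return struct.pack("!BBH", 0, attr_id, 4 + len(value)) + value


def build_control_packet(msg_type: int, attributes: list) -> bytes:
    """Step 4: a control packet (C bit set) with a message type and TLVs."""
    body = struct.pack("!HH", msg_type, len(attributes)) + b"".join(attributes)
    return _header(True, 4 + len(body)) + body


def build_data_packet(ppp_frame: bytes) -> bytes:
    """Steps 5-7: a data packet (C bit clear) wrapping one PPP frame."""
    return _header(False, 4 + len(ppp_frame)) + ppp_frame


def parse_packet(buf: bytes) -> dict:
    """Parse one SSTP packet, validating every length before using it."""
    if len(buf) < 4:
        raise ValueError("truncated SSTP header")
    version, flags, length = struct.unpack("!BBH", buf[:4])
    if version != SSTP_VERSION:
        raise ValueError(f"unsupported SSTP version 0x{version:02x}")
    length &= MAX_LEN
    if length < 4 or length != len(buf):
        raise ValueError("SSTP length field does not match the packet")
    payload = buf[4:length]
    if not flags & FLAG_CONTROL:
        return {"control": False, "ppp": payload}
    if len(payload) < 4:
        raise ValueError("truncated control header")
    msg_type, num_attrs = struct.unpack("!HH", payload[:4])
    attrs, off = [], 4
    for _ in range(num_attrs):
        if off + 4 > len(payload):
            raise ValueError("truncated attribute header")
        _, attr_id, alen = struct.unpack("!BBH", payload[off:off + 4])
        alen &= MAX_LEN
        if alen < 4 or off + alen > len(payload):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_id, payload[off + 4:off + alen]))
        off += alen
    if off != len(payload):
        raise ValueError("trailing bytes after the attributes")
    return {"control": True, "msg_type": msg_type, "attributes": attrs}


# Constructed sample: the client's Call Connect Request announcing PPP,
# and a minimal PPP LCP Configure-Request (ff 03 = HDLC address/control,
# c0 21 = LCP, code 1, id 1, length 4, no options) as the first frame of step 5.
CALL_CONNECT_REQUEST = build_control_packet(
    MSG_CALL_CONNECT_REQUEST,
    [build_attribute(ATTRIB_ENCAPSULATED_PROTOCOL_ID, struct.pack("!H", PROTOCOL_PPP))],
)
LCP_CONFIGURE_REQUEST = bytes.fromhex("ff03c02101010004")
DATA_PACKET = build_data_packet(LCP_CONFIGURE_REQUEST)

if __name__ == "__main__":
    print(sstp_http_request("vpn.example.com", "0ce2b3a1-3e1f-4e0a-9d2f-6f1d2a4b5c6d").decode())
    print("connect request:", CALL_CONNECT_REQUEST.hex(), parse_packet(CALL_CONNECT_REQUEST))
    print("data packet:    ", DATA_PACKET.hex(), parse_packet(DATA_PACKET))
```

Both sides speak the same framing: the server answers the Call Connect Request with a Call Connect Ack (carrying a Crypto Binding Request), and once PPP authentication has finished the client sends Call Connected. Only then do data packets with the C bit clear start flowing, which is why a passive observer on port 443 sees nothing but a long-lived TLS session.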


SSTP - an extension of VPN

SSTP was developed to address a practical weakness of earlier VPN protocols: their connectivity is unreliable because it depends on protocols and ports (PPTP's GRE, L2TP/IPsec's ESP and UDP ports) that many networks block, so a VPN that works from the office or from home often fails from a hotel, a café or a corporate guest network. SSTP extends the reach of a VPN connection to almost any network by establishing it over HTTPS, which lets clients securely reach networks behind NAT routers, firewalls and web proxies without the usual port-blocking problems.

SSTP is not designed for site-to-site VPN connections; it is intended for client-to-site (remote access) connections.

The success of SSTP rests on the following features:

  • Typical port blocking is avoided: the GRE (IP protocol 47) blocking that breaks PPTP and the ESP (IP protocol 50) or UDP blocking that breaks L2TP/IPsec at a firewall or NAT router no longer prevent the client from reaching the server, so clients can connect from almost any internet connection instead of just a few locations.
  • Server side built into Windows Server 2008 (codename "Longhorn"); client built into Windows Vista SP1.
  • No retraining: the end-user VPN controls are unchanged, because the SSTP tunnel plugs directly into the existing Microsoft VPN client and server interfaces.
  • Full IPv6 support: the SSTP tunnel can be established across the IPv6 internet.
  • Integration with Network Access Protection (NAP) for client health checks, with policy-based configuration.
  • Strong integration with the Microsoft RRAS client and server, including two-factor authentication.
  • SSL encapsulation for traversal over TCP port 443, with a single SSL session per tunnel.
  • Can be controlled and managed by application-layer firewalls such as ISA Server.
  • A full network-layer VPN rather than a tunnel for a single application, and therefore application independent.
  • Stronger forced authentication than IPsec.
  • Support for non-IP protocols carried over PPP, a major improvement over IPsec.
  • No need for expensive, hard-to-configure hardware firewalls that lack Active Directory integration and integrated two-factor authentication.