Shared by: xiang | posted: 11/5/2011 | language: English | pages: 3

virtual private network (VPN)

A technology for securely connecting a computer or network to a remote network over an intermediate network such as the Internet.

Overview

The term virtual private network (VPN) is used in various senses in the industry to describe a variety of technologies, but in essence it refers to one or both of the following:

- Using an insecure public network such as the Internet to connect two networks (or to connect a network and a remote computer)

- Making this connection secure by employing technologies such as tunneling, authentication, and encryption

Only the second gives the word "private" any security meaning: a tunnel by itself carries traffic across the public network unprotected, and the tunnel endpoints and anyone between them can read it.

The two main types of VPNs are

- Network-network: A branch office network of an enterprise is connected by a VPN to corporate headquarters. Network-network VPNs offer a low-cost alternative to deploying expensive dedicated leased lines such as T1 lines at all branch offices (corporate headquarters still requires a leased line for its VPN gateway, however, to provide enough bandwidth for its branch office VPN connections). In spite of the cost advantage, network-network VPNs have been slow to gain a foothold in the enterprise because of the proven reliability of leased lines and the relative unreliability of the Internet in comparison.

- Host-network: A mobile knowledge worker uses his or her laptop or Personal Digital Assistant (PDA) and modem to dial in to a local Internet service provider (ISP) and then connects securely to a company intranet or portal over an encrypted VPN connection. Using VPNs this way has proliferated in the enterprise because it is more cost-effective than traditional remote access solutions involving modem pools, dedicated phone lines, and toll-free numbers.

Architecture

VPNs are based on a client/server architecture:

VPN client: This system initiates the VPN connection with the VPN server. In a typical host-network scenario, the remote user first establishes a dial-up connection with a local ISP to reach the Internet; once online, the client contacts the VPN server to connect to the corporate intranet.

VPN server: This system authenticates the VPN client, negotiates which tunneling and encryption protocols to use, and establishes the secure VPN connection. The result is a secure, encrypted tunnel connecting the VPN client to the VPN server. The effect is transparent: client and server behave as if they were on the same local area network (LAN). For this to work, the VPN client must be assigned an Internet Protocol (IP) address that makes it appear to the VPN server to be on the same LAN as the server. VPN clients therefore generally have two IP addresses, one for the VPN connection and one for the intermediate or transit network (the Internet). Authentication should run in both directions: the client also needs to verify the server's identity before presenting its credentials, since it otherwise cannot tell the genuine server from an impostor on the transit network.

Two PPP-based VPN tunneling protocols are in wide use today: the Point-to-Point Tunneling Protocol (PPTP), developed by a vendor consortium led by Microsoft Corporation and documented in RFC 2637, and the Layer 2 Tunneling Protocol (L2TP), an IETF standard (RFC 2661) that merged Cisco Systems' Layer 2 Forwarding (L2F) with PPTP. Both protocols are essentially extensions of the industry standard Point-to-Point Protocol (PPP) and are used to encapsulate PPP frames within IP datagrams for transmission over the Internet. In other words, these VPNs employ two layers of encapsulation:

- First, the IP datagrams exchanged between client and server are encapsulated in PPP frames, exactly as they would be for transmission over a serial interface to a modem or leased line.

- Then the PPP frames are encapsulated again with a tunnel header (GRE for PPTP, UDP port 1701 for L2TP) and an outer IP header to form IP packets for routing over the Internet.

The result of using PPTP or L2TP is a virtual PPP connection between the VPN client and server. In short, the VPN connection behaves as if it were a dedicated point-to-point serial link, but the packets are actually routed across the Internet.

[Figure: How a VPN connection works between a network and a remote host.]

Note that L2TP does not include a mechanism for encrypting VPN communications, so it must be combined with Internet Protocol Security (IPsec) when used to create a VPN connection. PPTP does carry its own encryption (Microsoft Point-to-Point Encryption, MPPE), but the MPPE keys are derived from the MS-CHAP password authentication exchange, which has known weaknesses; treat PPTP as a tunneling protocol rather than as a guarantee of confidentiality.

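As an added example (not code from the original entry), the following Python walks the two encapsulation layers described above, for both PPTP (GRE) and L2TP (UDP/1701) framing: it peels the outer IP header that the Internet routes on, the tunnel header, the PPP frame, and finally the inner IP datagram whose addresses belong to the private LAN. The decoded result also illustrates the point made under Architecture, that the client has two addresses, one on the transit network and one on the VPN. Header layouts follow RFC 2637 (enhanced GRE) and RFC 2661 (L2TP data message); the addresses, tunnel and call IDs and payloads are constructed sample data, not captured traffic.

```python
"""Peel the encapsulation layers of a PPTP (GRE, RFC 2637) or L2TP
(UDP/1701, RFC 2661) tunnel packet: outer IP -> tunnel -> PPP -> inner IP."""
import struct

PPP_IPV4 = 0x0021        # PPP protocol number for IPv4
GRE_PPP = 0x880B         # GRE protocol type "PPP", used by PPTP
L2TP_PORT = 1701         # UDP port used by L2TP
IPPROTO_GRE, IPPROTO_UDP = 47, 17


def ip4str(raw):
    return ".".join(str(b) for b in raw)


def parse_ipv4(buf):
    """Return (header dict, payload) for one IPv4 datagram."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ip4str(src), "dst": ip4str(dst), "proto": proto}, buf[ihl:total_len]


def parse_ppp(buf):
    """Strip the PPP header; the HDLC address/control bytes FF 03 may be absent."""
    if buf[:2] == b"\xff\x03":
        buf = buf[2:]
    return struct.unpack("!H", buf[:2])[0], buf[2:]


def parse_gre_pptp(buf):
    """Enhanced GRE header of PPTP: flags/version, protocol, payload length,
    call ID, then optional sequence (S bit) and acknowledgement (A bit)."""
    flags, proto, length, call_id = struct.unpack("!HHHH", buf[:8])
    if proto != GRE_PPP or flags & 0x2007 != 0x2001:   # K bit set, version 1
        raise ValueError("not a PPTP GRE packet")
    hdr, off = {"call_id": call_id}, 8
    if flags & 0x1000:                                  # S: sequence number present
        hdr["seq"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                                  # A: acknowledgement present
        hdr["ack"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return hdr, buf[off:off + length]


def parse_l2tp_data(buf):
    """L2TP data message: flags/version, optional length (L), tunnel ID,
    session ID, optional Ns/Nr (S), optional offset (O)."""
    flags = struct.unpack("!H", buf[:2])[0]
    if flags & 0x800F != 0x0002:                        # T bit clear (data), version 2
        raise ValueError("not an L2TP data message")
    off, end = 2, len(buf)
    if flags & 0x4000:                                  # L: total length present
        end = struct.unpack("!H", buf[off:off + 2])[0]
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    hdr = {"tunnel_id": tunnel_id, "session_id": session_id}
    if flags & 0x0800:                                  # S: Ns/Nr present
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", buf[off:off + 4])
        off += 4
    if flags & 0x0200:                                  # O: offset size + padding
        off += 2 + struct.unpack("!H", buf[off:off + 2])[0]
    return hdr, buf[off:end]


def decapsulate(packet):
    """Walk outer IP -> PPTP or L2TP -> PPP -> inner IP and report every layer."""
    outer, payload = parse_ipv4(packet)
    if outer["proto"] == IPPROTO_GRE:
        kind, (thdr, ppp) = "PPTP", parse_gre_pptp(payload)
    elif outer["proto"] == IPPROTO_UDP:
        _, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        if dport != L2TP_PORT:
            raise ValueError("UDP, but not L2TP")
        kind, (thdr, ppp) = "L2TP", parse_l2tp_data(payload[8:ulen])
    else:
        raise ValueError("not a PPP-over-IP tunnel")
    ppp_proto, inner_buf = parse_ppp(ppp)
    if ppp_proto != PPP_IPV4:
        raise ValueError("PPP payload is not IPv4")
    inner, data = parse_ipv4(inner_buf)
    return {"outer": outer, "tunnel": kind, "tunnel_hdr": thdr, "inner": inner, "data": data}


# --- constructed sample packets (assumed addresses, not captured traffic) ---
def ipv4(src, dst, proto, payload):
    def a2b(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, a2b(src), a2b(dst)) + payload


def pptp_packet():
    # Transit address 203.0.113.9 outside; VPN address 10.0.0.5 inside the PPP frame.
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + ipv4("10.0.0.5", "10.0.0.1", 6, b"inner TCP")
    gre = struct.pack("!HHHHII", 0x3081, GRE_PPP, len(ppp), 7, 1, 0) + ppp   # K,S,A, ver 1, call 7
    return ipv4("203.0.113.9", "198.51.100.2", IPPROTO_GRE, gre)


def l2tp_packet():
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + ipv4("10.0.0.6", "10.0.0.1", 17, b"inner UDP")
    body = struct.pack("!HHHH", 42, 9, 3, 2) + ppp                  # tunnel 42, session 9, Ns 3, Nr 2
    l2tp = struct.pack("!HH", 0x4802, 4 + len(body)) + body         # L,S set, version 2
    udp = struct.pack("!HHHH", 1701, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4("203.0.113.10", "198.51.100.2", IPPROTO_UDP, udp)


if __name__ == "__main__":
    for pkt in (pptp_packet(), l2tp_packet()):
        layers = decapsulate(pkt)
        print(layers["tunnel"], layers["outer"]["src"], "->", layers["inner"]["src"], layers["tunnel_hdr"])
```

Run stand-alone it prints, for each constructed packet, the tunnel type, the transit-network source address, the VPN-side source address carried inside the PPP frame, and the tunnel header fields. Nothing here is decrypted: with PPTP the PPP payload after the GRE header would be MPPE ciphertext on a real link, and with L2TP it would be plaintext unless the whole UDP packet is wrapped in IPsec, which is exactly why the entry says L2TP must be combined with IPsec.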

Implementation

VPNs are typically implemented in one of two ways:

- Customer premises equipment (CPE): Here the VPN server is owned and operated by the private company and is located at the periphery of its corporate LAN. Such VPN servers may be routers, access servers, firewall appliances, or standard PC servers running VPN-enabled software such as Microsoft Windows 2000 Server.

- Service provider: Corporate VPN needs can also be outsourced to VPN service providers, typically telcos, ISPs, or application service providers (ASPs). The service provider maintains the VPN server at the edge of its own network and parcels out VPN services to companies on a monthly leased basis. In this scenario the customer only requires a standard "dumb" router for Internet access at its end, not a VPN-enabled router. The trade-off is that the encrypted tunnel ends at the provider's edge: traffic on the access link between the customer's router and the provider, and everything the provider's gateway handles, travels in the clear, so the customer is trusting both the provider and that link.

A third kind of VPN implementation uses permanent virtual circuits (PVCs) carrying IP over public frame relay networks. This method is employed mainly for enterprise network-network VPNs. Its privacy comes from the carrier's circuit separation rather than from encryption, so it is "private" only in the first of the two senses given in the Overview unless encryption is added on top.

Marketplace

A popular Linux-based VPN/firewall appliance is VelociRaptor from Cobalt Networks, which employs Cobalt's hardware and Raptor's firewall software to provide a secure VPN solution for the small business and remote office markets. Another popular VPN appliance is the Alcatel 7137 Secure VPN Gateway, originally developed by TimeStep (now part of Alcatel). Cisco Systems offers many different VPN-enabled routers and access servers, including the Cisco VPN 3005 Concentrator, which supports up to 100 concurrent users. For the Small Office/Home Office (SOHO) business environment, the Cisco PIX Firewall 506 is a small unit the size of a pocketbook that can support 10 simultaneous VPN connections. Another market contender is the VPN-1 Appliance from Check Point Software Technologies, which includes their widely used FireWall-1 product bundled in a Nokia appliance. Check Point also offers a VPN-1 Gateway for high-end corporate VPN connectivity. 3Com Corporation, Avaya, CoSine Communications, Data Fellows Corporation, Indus River Networks, Intel Corporation, Lucent Technologies, RadGuard, RedCreek Communications, and many other companies offer VPN solutions ranging from VPN gateways and appliances to software products.

Examples of service providers offering standard IP VPN services include Aventail Corporation, Genuity, UUNET, Qwest Communications International, and others. Providers of frame relay-based VPN services include AT&T, Equant, Infonet, MCI/Worldcom, Sprint Corporation, and others. Telera offers a nationwide Voice over IP (VoIP)-enabled managed VPN that employs VPN gateways stationed at colocation centers around the United States.

Prospects

The future of network-network VPNs and corporate host-network VPN gateways may be Digital Subscriber Line (DSL), a technology that provides high-speed Internet access at costs vastly lower than leased lines such as T1 lines. The main issue for most enterprises is that DSL has yet to prove itself as reliable a technology as the more costly leased lines, which are a mature technology that has been around for many years. Nevertheless, the combination of a DSL connection with VPN software to provide security is a tantalizing one for IT departments in times of shrinking budgets.

Notes

Although VPNs typically use the Internet as their transit network, it is also possible to run a VPN over a corporate IP LAN to create a "LAN within a LAN" for secure communications across the network.

For More Information

Visit the VPN Consortium at www.vpnc.org.

See Also: application service provider (ASP), Digital Subscriber Line (DSL), firewall, frame relay, Internet, Internet Protocol Security (IPsec), Internet service provider (ISP), Layer 2 Tunneling Protocol (L2TP), permanent virtual circuit (PVC), Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP), T1, wide area network (WAN)

