In a site-to-site VPN, a VPN gateway is deployed at the edge of each private office network, facing the public network used to transport data between sites. The VPN gateway can be a router, firewall, or VPN appliance. If your office network is connected to the Internet by a broadband or T1 access router, you may be able to purchase a software upgrade for that router or use existing features in that router to support VPN tunnels. Many companies have a separate firewall attached to their access router. Since most firewalls can now support VPN tunnels, it is very common to use firewalls as VPN gateways for office networks. It's also possible to use a separate device as your VPN gateway -- for example, Microsoft Windows Servers can be used as VPN gateways -- but this topology is less common for site-to-site VPNs.
In a remote access VPN, a VPN gateway is still needed at the edge of the private office network that will be accessed by remote users. But something else is needed at the far end. Usually, a software VPN client is installed on the worker's desktop or laptop, tunneling data from the remote host to the private network as though the user were physically connected to that network. A less common option is to deploy a hardware VPN client -- a small security appliance -- in the user's home network, then connect the user's PC to that appliance. Software VPN clients can be included in host operating systems (e.g., Windows 2000/XP IPsec clients, Windows 98/ME/NT PPTP clients) or third-party software installed on remote hosts (e.g., SafeNet SoftRemote, Cisco VPN Client, Nortel Extranet Access Client). Recently, there's been a surge in "SSL VPN" products that use web browsers as VPN clients. The type of VPN client that you'll need depends on the type of VPN gateway that you use. It's possible to use the same VPN gateway for both site-to-site and remote access VPNs, but companies with large user populations often install a separate "remote access concentrator" for the latter.
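To make the two topologies above concrete, here is a small Python model (an added example, not code from the original article or any product it names) of the security policy database that an IPsec gateway or software client consults to decide whether a packet is tunneled, passed in the clear, or dropped. Every address, peer and policy in it is constructed for illustration; the site-to-site table belongs to a hypothetical office A gateway, the second table to a hypothetical remote worker's client, and `full_tunnel()` shows the difference between a split-tunnel and a full-tunnel client configuration.

```python
"""Toy IPsec security policy database (SPD) for a VPN gateway and a VPN client.

Constructed illustration: the networks, peer addresses and policies below are
made up and do not come from the original article.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    local: str       # traffic selector: source network
    remote: str      # traffic selector: destination network
    action: str      # "protect" (send through the tunnel), "bypass" (clear), "discard"
    peer: str = ""   # public address of the far-end gateway for "protect" policies


DEFAULT_DENY = Policy("0.0.0.0/0", "0.0.0.0/0", "discard")


def lookup(spd, src, dst):
    """Return the first policy whose selectors match, as an ordered SPD search does.

    Traffic that matches nothing falls through to a discard policy, so a
    misconfigured or missing entry fails closed rather than leaking in the clear.
    """
    s, d = ip_address(src), ip_address(dst)
    for policy in spd:
        if s in ip_network(policy.local) and d in ip_network(policy.remote):
            return policy
    return DEFAULT_DENY


def tunneled(spd, src, dst):
    """True when the packet would be encapsulated and sent to the peer gateway."""
    return lookup(spd, src, dst).action == "protect"


# Site-to-site: office A's gateway (hypothetical) protects traffic between A's LAN
# and office B's LAN, tunneling it to B's gateway at 203.0.113.2 (constructed).
SITE_A_GW = [
    Policy("10.1.0.0/16", "10.2.0.0/16", "protect", peer="203.0.113.2"),
    Policy("10.1.0.0/16", "0.0.0.0/0", "bypass"),   # ordinary Internet traffic
]

# Remote access: a software client with constructed virtual address 10.9.0.7
# tunnels only office-bound traffic to A's gateway (split tunnel).
REMOTE_CLIENT = [
    Policy("10.9.0.7/32", "10.1.0.0/16", "protect", peer="203.0.113.1"),
    Policy("10.9.0.7/32", "0.0.0.0/0", "bypass"),   # everything else goes direct
]


def full_tunnel(spd):
    """Rewrite a split-tunnel client SPD so all traffic is protected.

    Every bypass entry becomes a protect entry toward the same peer the client
    already uses, which is how an administrator removes split tunneling.
    """
    peer = next(p.peer for p in spd if p.action == "protect")
    return [replace(p, action="protect", peer=peer) if p.action == "bypass" else p
            for p in spd]


if __name__ == "__main__":
    print("A->B LAN tunneled:", tunneled(SITE_A_GW, "10.1.4.20", "10.2.7.1"))
    print("A->Internet tunneled:", tunneled(SITE_A_GW, "10.1.4.20", "198.51.100.5"))
    print("client->office tunneled:", tunneled(REMOTE_CLIENT, "10.9.0.7", "10.1.0.10"))
    print("client->web, full tunnel:",
          tunneled(full_tunnel(REMOTE_CLIENT), "10.9.0.7", "198.51.100.5"))
```

Policy order matters: the more specific protect entry must precede the catch-all bypass, and the default-deny fallback means a packet from an address the gateway does not own (for example a spoofed source) is dropped rather than forwarded.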
Thus far I have described the hardware and software required for "roll your own" VPNs, but there's another option: purchasing a managed VPN service. With managed VPN services, your service provider may supply all the hardware and software for installation at your own site (a CPE VPN). Or your firewall/router and remote users may access a VPN gateway located at the edge of the provider's network (a network VPN). Network-based VPNs can often be activated faster and with lower initial cost, but you'll pay monthly/annual fees for using the VPN service.
This was first published in April 2004