VPNs: Fundamentals and basics


Ken Milberg
05.04.2006
A virtual private network (VPN) is a private network that uses a public network (the Internet) to connect users. These users can be located in branch or home offices. Years ago, companies would either procure leased lines or create a frame relay network for this purpose, both solutions being very expensive. VPN technology is much more efficient because it uses virtual connections routed through the Internet, from the corporate LAN to the remote site. Best of all, there is no need to pay some carrier to take care of these services because the Internet is the carrier. Some other advantages of a VPN are encrypted security, broadband network support, ease of maintenance, simplified network topology and the ability to provide support to individual users or branch offices.

Several methods of configuration can be used with VPNs. One method is an intranet-based VPN, which is defined as a network that links remote locations to create a single private network. This type of network connects LANs. A single department's network may be physically connected to the intranet but separated by VPN servers. These servers do not provide a directly routed connection. Only users on the corporate intranet with the appropriate rights can establish a remote-access VPN connection with the server. There is another enhanced level of security provided by VPN -- all communication is encrypted. If users do not have rights to establish a VPN connection, the network is completely hidden from them.

Another way of setting up a VPN network is to use routers for the VPN connections. In this example, departments must be connected to an intranet with computers that act as VPN routers. Once the connections are established, PC users on each network can exchange information over the Internet.

As shown in the diagram, each branch office has PC clients connected to a switch that also functions as a VPN router. This in turn connects to a firewall, which then sends its information encrypted through a tunnel that is linked with the VPN connection. The laptop user is a home-based user who does not need a router or a firewall. He uses a VPN client to establish his tunnel. The beauty of using VPN for this solution is that -- depending on the hardware purchased -- it should be possible to support hundreds of users across the public network, with just the client software. This solution provides significant cost savings over traditional toll-free numbers. It also supports broadband, giving dramatic performance improvements over dial-up. Security is improved as well, since the connections go through encrypted tunnels.

An important concept to understand regarding VPNs is tunneling. Tunneling is the transmission of data intended for use only within a private network through a public network in such a way that the nodes in the public network (the Internet) are not even aware that the transmission is part of a private network. This is done by encapsulating the private network data and protocol information within the public network transmission, so that the private network protocol information appears to the public network as data. This allows one to use the public network to transmit data from a corporate private network.

There are many VPN protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). IPsec (Internet Protocol Security), a framework for a set of security protocols at the packet processing layer, is also used with VPNs. IPsec has two encryption modes: tunnel and transport. Tunnel mode is more secure because it encrypts the header and the payload of each and every packet, whereas transport mode encrypts only the payload. IPsec provides very strong security features, such as complex encryption algorithms and strong authentication. The only drawback here is that the hardware devices must support IPsec, and this is not a given.
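The encapsulation described in the tunneling paragraph and the difference between the two IPsec modes can be seen byte for byte in the following Python sketch, which is an added example and not code from the original article. It assumes a simplified ESP layout (no padding, no integrity check value), a SHA-256 XOR keystream standing in for the real cipher, and constructed addresses, key and payload.

```python
import hashlib, socket, struct

ESP, IPIP, TCP = 50, 4, 6            # IANA protocol numbers

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (checksum left at 0 for brevity) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def seal(key, data):
    """Stand-in for the ESP cipher: XOR with a SHA-256 keystream. Not real crypto."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(key, next_hdr, data, spi=0x1001, seq=1):
    """SPI and sequence number stay readable; data plus trailer are sealed.
    Simplified: zero padding, no integrity check value."""
    return struct.pack("!II", spi, seq) + seal(key, data + bytes([0, next_hdr]))

def transport_mode(key, pkt):
    """Original IP header is reused in the clear; only its payload is protected."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return ipv4(src, dst, ESP, esp(key, pkt[9], pkt[20:]))

def tunnel_mode(key, pkt, gw_src, gw_dst):
    """Whole original packet, header included, is protected behind a new header."""
    return ipv4(gw_src, gw_dst, ESP, esp(key, IPIP, pkt))

def on_path_view(pkt):
    """What a node on the public network can read: outer source, destination, protocol."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def tunnel_decap(key, pkt):
    """Receiving gateway: drop outer header (20) and ESP header (8), unseal the rest."""
    clear = seal(key, pkt[28:])          # XOR keystream is its own inverse
    if clear[-1] != IPIP:
        raise ValueError("not a tunnel-mode packet for this key")
    return clear[:-2]

# Constructed sample: private hosts 10.1.0.5 -> 10.2.0.9, gateways on documentation ranges.
KEY = b"constructed-demo-key"
INNER = ipv4("10.1.0.5", "10.2.0.9", TCP, b"payroll query")

if __name__ == "__main__":
    print("transport:", on_path_view(transport_mode(KEY, INNER)))
    tun = tunnel_mode(KEY, INNER, "198.51.100.1", "203.0.113.1")
    print("tunnel:   ", on_path_view(tun))
    print("recovered:", tunnel_decap(KEY, tun) == INNER)
```

In transport mode the on-path view still shows the private host addresses, while in tunnel mode it shows only the two gateways and the inner packet travels as opaque data.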

Finally, before purchasing a VPN solution, look carefully at all the products on the market. Don't just jump at the first solution. Look at everything you want your VPN to do. If all you'll ever need it for is connectivity for your work-from-home users, you may not need all the features of an enterprise-wide type of hardware solution offered by one of the top vendors. Think carefully before you purchase a solution in which the VPN is also the router or the firewall. All-in-one solutions have a certain appeal, but think about what would happen if someone were to break into that device -- there is no other barrier between you and your private network. A separate router gives you another barrier. Similarly, many vendors offer hybrid firewall/VPN solutions. Don't forget that the firewall provides the barrier between your private network and the public network, which is the Internet. Any way you slice it, separating devices gives you another layer of protection.

About the author:
Ken Milberg is the founder of Unix-Linux Solutions. He is also a board member of Unigroup of NY, the oldest Unix users group in NYC. Ken regularly answers user questions on Unix and Linux interoperability issues as a site expert on SearchOpenSource.com.

All Rights Reserved, Copyright 2000 - 2008, TechTarget