Are there any architectures of IPsec VPN apart from lookaside and flow-through?

Learn what IPsec VPN architectures exist apart from lookaside and flow-through in this expert response from Sampath Ramaswami.

Those two terms refer specifically to two mechanisms for performing the encryption function in a network device. Essentially, the lookaside architecture has the primary processor performing all functions, including IPsec, with certain compute-intensive tasks (such as the actual encryption) offloaded to security co-processors. In the flow-through model, all aspects of the IPsec VPN are handled in a pre-processor so that the primary processor does not have to concern itself with whether the packets were native or encrypted from a VPN. The flow-through architecture can allow higher performance, since the network processor performing the firewall, IDS, virus scanning, and other functions is now insulated from the IPsec processing.

An alternative approach, if high performance is not required, or if the general processor is fast enough, is to simply perform all functions in software. Your PC uses this model when you use a VPN client -- the primary processor is running your software firewall, quality of service, anti-virus, and IPsec functions without a separate security processor.

This was last published in April 2007
