Understanding VPN technologies and capabilities
Virtual Private Networks (VPNs) are the mainstay of the mobile environment. Enterprises across the world are looking for and finding a multitude of ways to provide the remote, mobile end user with secure access to corporate computing facilities and mission-critical applications. Here, Robbie Harrell explains how SSL and IPsec, as well as MPLS, are being used for secure, remote VPN access.
Virtual Private Networks (VPNs) are the mainstay of the mobile environment. Enterprises across the world are looking for and finding a multitude of ways to provide the remote, mobile end user with secure access to corporate computing facilities and mission-critical applications. VPN technologies allow organizations to build remote-access capabilities for at-home workers, global travelers, guests, partners, contractors and many other varieties of end-user profiles.
For the longest time, VPN merely meant access for site-to-site connectivity over a provider's backbone that was shared with other customers (e.g., the traditional ATM/Frame WAN backbones). Yes, those old legacy WAN networks were VPNs. The latest and greatest today is the Multiprotocol Label Switching (MPLS) VPN for site-to-site VPN connectivity over an IP-enabled, QoS-capable WAN that can support real-time applications such as voice and video. These applications, along with data, can now be delivered via site-to-site MPLS VPNs.
As I mentioned above, however, mobility is the key -- and today's VPN focus is on end-user access through remote-access VPNs. A great deal of our VPN All-in-One Guide is dedicated to remote-access VPNs. A remote-access VPN is characterized by the ability to deliver secure traffic over a shared infrastructure (such as the Internet) via tunneling services. "Tunneling" is just a phrase to indicate that there is a virtual connection between the end user's device and the customer premises where the applications reside.
 |
||||
|
|
|||
|
||||
IPsec has been the dominant protocol for providing secure remote-access services. The topology of IPsec architecture consists of tunnel termination platforms (router or server) and agents loaded onto remote devices. This was deemed a bring-your-own Internet service, because as long as you had Internet access and could reach the VPN server, you were hooked up to the corporate network. There are tons of vendors who support IPsec remote-access products and technologies (Cisco, Juniper, Microsoft and a host of others). These solutions are well known and work well, but the need to deploy a software agent onto the end-user device limited the types of access available.
With IPsec, end users had to have a company laptop or PDA in order to access the corporate network. The requirement for clientless access is pushing remote-access services built on Secure Sockets Layer (SSL) technologies that utilize Web interfaces such as Internet Explorer to provide the same capabilities (secure, remote access) as an IPsec VPN without the hassles of an agent -- or a laptop, for that matter. This allows remote users to gain access to corporate applications (with email being a major application) from any device that supports a Web browser. This allows folks to communicate even when they do not have their VPN-enabled laptops. Email, order status, order entry and many other functions can be accomplished from almost anywhere.
IPsec and SSL VPN primarily provide the same function: secure, remote access. The capabilities of each differ primarily in how the access is facilitated.
About the author:
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has more than 10 years of experience providing strategic, business and technical consulting services. Robbie lives in Atlanta and is a graduate of Clemson University. His background includes positions as a principal architect at International Network Services, Lucent, Frontway and Callisma.
