Site-to-site VPNs connect entire networks to each other -- for example, connecting a branch office network to a company headquarters network. In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway. The VPN gateway is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet towards the target host inside its private network.
Remote access VPNs connect individual hosts to private networks -- for example, travelers and mobile workers who need to access their company's network securely over the Internet. In a remote access VPN, every host must have VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by the Internet and most corporate networks today. Most routers and firewalls now support IPsec and so can be used as a VPN gateway for the private network behind them. Another site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS does not provide encryption.
Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol (PPTP) has been included in every Windows operating system since Windows 95. The Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver remote access VPN services. All of these approaches require VPN client software on every host, and a VPN gateway that supports the same protocol and options/extensions for remote access.
Over the past few years, many vendors have released secure remote access products that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs. These "SSL VPNs" are often referred to as "clientless," but it is more accurate to say that they use web browsers as VPN clients, usually in combination with dynamically-downloaded software (Java applet, ActiveX control, or temporary Win32 program that is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which connect remote hosts to an entire private network, SSL VPNs tend to connect users to specific applications protected by the SSL VPN gateway.
To learn more about VPN protocols and topologies, watch my New directions in VPN SearchSecurity.com webcast.
This question was asked at Ask the Experts on SearchNetworking.com.
About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.