VPNs - Virtual Private Networks
What is a VPN?
A VPN is a connection that has the appearance and many of the advantages of a dedicated link but runs over a shared network. Imagine a dedicated network without spatial boundaries, built on public infrastructure, and you have a VPN. Using a technique called "tunneling," data packets are transmitted across a public routed network, such as the Internet or another commercially available network, inside a private "tunnel" that simulates a point-to-point connection. This approach lets traffic from many sources travel through separate tunnels across the same infrastructure. It lets network protocols traverse infrastructures that do not natively carry them, and it lets traffic from different sources be told apart, so that each stream can be directed to a specific destination and receive a specific level of service. Note that the tunnel by itself only encapsulates traffic; the confidentiality and authentication that make it "private" in the security sense come from the encryption and authentication functions described below.
The basic components of a tunnel are:
- A tunnel initiator (TI)
- A routed network
- An optional tunnel switch
- One or more tunnel terminators (TT)
Tunnel initiation and termination can be performed by a variety of network devices and software. A tunnel could be started, for example, by an end user's laptop equipped with an analog PC modem card and VPN-enabled dial-up software (basic tunneling and security capabilities are bundled with Windows 95 and Windows NT 4.0). It could also be started by a VPN-enabled extranet router on an enterprise branch or home office LAN, or by a VPN-enabled access concentrator at a network service provider (NSP) point of presence (POP). A tunnel could be terminated by a tunnel terminator or tunnel switch on an enterprise network, or by a VPN gateway or extranet router on an NSP's network.
In addition, there will usually be one or more security servers. Along with the conventional application of firewalls and address translation, VPNs can provide data encryption, authentication, and authorization. Tunneling devices perform these functions by consulting security servers, which also usually supply information on bandwidth, tunnel end points, and, in some cases, network policy and service levels.
VPN capabilities can be added to existing networking equipment through a software or board-level upgrade. Once installed, the capability can be used for multiple VPN applications, each delivering security, performance, management control, and substantial cost and revenue benefits.
How do VPNs work?
There is nothing exotic about VPNs. They are based on familiar networking technology and protocols.
In the case of a remote access VPN, for example, the remote access client is still sending a stream of Point-to-Point Protocol (PPP) packets to a remote access server. Similarly, in the case of LAN-to-LAN virtual leased lines, a router on one LAN is still sending PPP packets to a router on another LAN. What is new is that in each case instead of going across a dedicated line, the PPP packets are going across a tunnel over a shared network.
The effect of a VPN is like that of pulling a serial cable across a WAN cloud: PPP negotiation sets up what looks like a direct point-to-point link from the remote user to the tunnel termination device.
The most widely accepted method of creating industry-standard VPN tunnels is to encapsulate the network-layer protocols (IP, IPX, AppleTalk, etc.) inside PPP, wrap each PPP frame in a tunneling protocol header (PPTP or L2TP, for example), and carry the result across the shared network, which is typically IP but could also be ATM or Frame Relay.
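The layering described above, as an added example that is not part of the original page or of 3Com's material: an IPv4 datagram from a private LAN is wrapped in a PPP frame, the PPP frame in a basic GRE header (the plain RFC 2784 form, not PPTP's enhanced GRE), and that in an outer IPv4 header addressed between the two tunnel endpoints; the tunnel terminator then unwraps and checks each layer before forwarding the inner datagram. The protocol constants are the real ones; the addresses, the payload and the "only the configured peer" policy are constructed for the illustration.

```python
import struct
import ipaddress

# Real protocol constants (RFC 791, RFC 1662, RFC 2784, RFC 2637).
IPPROTO_GRE = 47             # outer IPv4 "protocol" field value for GRE
GRE_PROTO_PPP = 0x880B       # GRE protocol type for a PPP payload (as PPTP uses)
PPP_PROTO_IP = 0x0021        # PPP protocol field value for an IPv4 datagram
PPP_ADDR_CTRL = b"\xff\x03"  # HDLC-like address/control bytes of a PPP frame

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects bad version, lengths or checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not a well-formed IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl > total_len or total_len > len(pkt):
        raise ValueError("IPv4 length fields inconsistent with packet")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]

def ppp_encapsulate(proto: int, payload: bytes) -> bytes:
    return PPP_ADDR_CTRL + struct.pack("!H", proto) + payload

def ppp_decapsulate(frame: bytes):
    if len(frame) < 4 or frame[:2] != PPP_ADDR_CTRL:
        raise ValueError("not a PPP frame")
    return struct.unpack("!H", frame[2:4])[0], frame[4:]

def gre_encapsulate(proto: int, payload: bytes) -> bytes:
    # RFC 2784 base header: flags/version word (all zero here) and protocol type.
    return struct.pack("!HH", 0x0000, proto) + payload

def gre_decapsulate(data: bytes):
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", data[:4])
    if flags_ver & 0x0007 or flags_ver & 0x8000:  # version != 0, or checksum field present
        raise ValueError("GRE variant not handled by this example")
    return proto, data[4:]

def tunnel_initiator(inner: bytes, ti_public: str, tt_public: str) -> bytes:
    """TI side: inner IP datagram -> PPP frame -> GRE -> outer IP datagram."""
    return build_ipv4(ti_public, tt_public, IPPROTO_GRE,
                      gre_encapsulate(GRE_PROTO_PPP, ppp_encapsulate(PPP_PROTO_IP, inner)))

def tunnel_terminator(outer: bytes, tt_public: str, expected_peer: str) -> bytes:
    """TT side: unwrap and check every layer before the inner datagram reaches the LAN."""
    src, dst, proto, gre = parse_ipv4(outer)
    if dst != tt_public or src != expected_peer:  # only the configured peer may use this tunnel
        raise ValueError("outer packet not between the tunnel endpoints: %s -> %s" % (src, dst))
    if proto != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % proto)
    gre_proto, ppp = gre_decapsulate(gre)
    if gre_proto != GRE_PROTO_PPP:
        raise ValueError("GRE payload is not PPP")
    ppp_proto, inner = ppp_decapsulate(ppp)
    if ppp_proto != PPP_PROTO_IP:
        raise ValueError("PPP payload is not IPv4")
    parse_ipv4(inner)  # validate the inner header too before forwarding it
    return inner

def terminator_rejects(outer: bytes, tt_public: str, expected_peer: str) -> bool:
    """True when the terminator refuses a packet; used to show that the checks fire."""
    try:
        tunnel_terminator(outer, tt_public, expected_peer)
    except ValueError:
        return True
    return False

def demo():
    # Constructed sample: a branch-LAN host (private address) sends to an HQ-LAN host;
    # the tunnel endpoints use RFC 5737 documentation addresses as their "public" side.
    inner = build_ipv4("10.0.1.5", "10.0.2.7", 17, b"hello over the tunnel")  # 17 = UDP
    outer = tunnel_initiator(inner, "198.51.100.10", "203.0.113.1")
    delivered = tunnel_terminator(outer, "203.0.113.1", "198.51.100.10")
    return inner, outer, delivered

if __name__ == "__main__":
    inner, outer, delivered = demo()
    print("outer header:", parse_ipv4(outer)[:3], "wire bytes:", len(outer), "intact:", delivered == inner)
```

The routed network sees only the outer header (public endpoint addresses, protocol 47); the private 10.x addresses and the payload ride inside. The bytes "hello over the tunnel" are still readable in the outer packet, which is the point made above: tunneling gives the appearance of a point-to-point link, and confidentiality and peer authentication must come from the separate encryption and authentication functions. The peer-address check in the terminator is a placeholder for that authentication, not a substitute for it, since outer source addresses are trivially spoofed.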
©1999 3Com Corporation
© Copyright 1999 AAEC | Last updated 05/27/99