Virtual Private Network (VPN): A Primer
A Virtual Private Network, broadly defined, is a temporary, secure connection over a public network, usually the Internet. By leveraging the Internet, VPNs offer significant cost savings, greater flexibility and easier management relative to traditional internetworking, such as leased lines and dial-up remote access. All VPN solutions offer varying levels of security, performance and usability, but each has benefits and drawbacks.
Encryption
A VPN should encrypt data over a dynamic connection on a public network to protect information from being revealed if intercepted. VPN features include tools for authentication, access control and authorization. Different VPN approaches lead to different solutions: products available offer varying degrees of encryption, authentication and access control.
While strong authentication and encryption are critical components of a VPN, they are relatively simple to deploy and verify. Access control is relatively complex because its deployment is tied to every other security tool. The security of a VPN is a function of how tightly authentication, encryption and access control are connected: if one component is lacking, the VPN as a whole will be lacking. And, unfortunately, many vendors cannot implement all three components effectively.
Comprehensive Solution
A comprehensive VPN solution involves a firewall, router, proxy server, VPN software or all of these. A combination of tools will provide the most comprehensive solution. Companies need to consider all the benefits they hope to derive from a VPN, such as streamlined processes, better customer service and secured exchange of information.
Effective use of VPNs addresses three predominant internetworking scenarios between a corporation and its:
- Branch offices - referred to as an "intranet VPN"
- Remote or traveling employees - referred to as a "remote access VPN"
- Business associates, customers or suppliers - referred to as an "extranet VPN"
An Intranet VPN is defined as a semi-permanent WAN connection over a public network to a branch office. This type of LAN-to-LAN connection is considered to carry the least security risk, since corporations generally trust their branch offices and the corporation generally controls both the source and destination offices on the network.
A Remote Access VPN alleviates the need for large modem pools and the expense of long-distance charges. Using the Internet as the backbone for remote access is more affordable and easier to implement. Usability is an important part of this technology: clients should not have to go through the complex logon issues associated with getting to the network, such as multiple user IDs and passwords. On the server side, centralized management is essential, because monitoring a large number of users can otherwise become cumbersome and create a security risk.
Extranet VPNs are intended to reach partners, customers and remote employees. An extranet VPN needs to be able to provide a hierarchy of security, with access to the most sensitive data being nested under the tightest security control. A sound VPN solution should provide versatile interoperability with multiple platforms, protocols, authentication and encryption methods.
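The two ideas above, that a VPN is only as secure as the weakest of its three components (authentication, encryption, access control) and that an extranet VPN needs a hierarchy of security with the most sensitive data under the tightest control, can be made concrete with a small policy check at the gateway. The following Python model is an added example and is not code from the original primer or from CACI; the peer classes, sensitivity tiers, per-class ceilings, cipher names and session values are all constructed for illustration. It refuses access whenever any one of the three components is missing, and then nests per-peer grants under a per-class sensitivity ceiling so that a partner can never reach a tier above its class even if a grant is misconfigured.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class Sensitivity(IntEnum):
    """Hypothetical data sensitivity tiers, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class PeerClass(IntEnum):
    """Peer classes matching the three VPN scenarios in the primer."""
    EXTRANET_PARTNER = 1   # business associates, customers, suppliers
    REMOTE_EMPLOYEE = 2    # remote or traveling employees
    BRANCH_OFFICE = 3      # intranet (LAN-to-LAN) VPN


# Assumed policy: the highest tier each peer class may ever reach.
MAX_TIER = {
    PeerClass.EXTRANET_PARTNER: Sensitivity.INTERNAL,
    PeerClass.REMOTE_EMPLOYEE: Sensitivity.CONFIDENTIAL,
    PeerClass.BRANCH_OFFICE: Sensitivity.RESTRICTED,
}

# Constructed list of cipher labels this gateway treats as unacceptable.
WEAK_CIPHERS = {"null", "des", "rc4"}


@dataclass(frozen=True)
class Session:
    """State the gateway knows about one tunnel (constructed for the example)."""
    peer_id: str
    authenticated: bool
    peer_class: Optional[PeerClass]
    encrypted: bool
    cipher: Optional[str] = None
    # Explicit grants; None means "anything up to the class ceiling".
    allowed_resources: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity


def authorize(session: Session, resource: Resource) -> Tuple[bool, str]:
    """Allow only when authentication, encryption and access control all hold."""
    # 1. Authentication: an unauthenticated peer has no class and gets nothing.
    if not session.authenticated or session.peer_class is None:
        return False, f"deny {session.peer_id}: peer not authenticated"

    # 2. Encryption: the tunnel must be up with an acceptable cipher.
    if (not session.encrypted or session.cipher is None
            or session.cipher.lower() in WEAK_CIPHERS):
        return False, f"deny {session.peer_id}: tunnel not acceptably encrypted"

    # 3a. Access control, class ceiling: the hierarchy of security.
    ceiling = MAX_TIER[session.peer_class]
    if resource.sensitivity > ceiling:
        return False, (f"deny {session.peer_id}: {session.peer_class.name} "
                       f"may not reach {resource.sensitivity.name} data")

    # 3b. Access control, explicit grants nested under the ceiling.
    if (session.allowed_resources is not None
            and resource.name not in session.allowed_resources):
        return False, f"deny {session.peer_id}: no grant for {resource.name}"

    return True, f"allow {session.peer_id}: {resource.name}"


def demo() -> list:
    """Run the policy over constructed sessions and resources."""
    payroll = Resource("payroll", Sensitivity.RESTRICTED)
    hr_policy = Resource("hr-policy", Sensitivity.CONFIDENTIAL)
    order_portal = Resource("order-portal", Sensitivity.INTERNAL)
    price_list = Resource("price-list", Sensitivity.INTERNAL)

    branch = Session("branch-07", True, PeerClass.BRANCH_OFFICE, True, "aes-256-gcm")
    remote = Session("jdoe-laptop", True, PeerClass.REMOTE_EMPLOYEE, True, "aes-128-gcm")
    partner = Session("supplier-acme", True, PeerClass.EXTRANET_PARTNER, True,
                      "aes-256-gcm", frozenset({"order-portal"}))
    unauth = Session("unknown-peer", False, None, True, "aes-256-gcm")
    plain = Session("branch-02", True, PeerClass.BRANCH_OFFICE, False)

    checks = [(branch, payroll), (remote, payroll), (remote, hr_policy),
              (partner, order_portal), (partner, price_list),
              (unauth, order_portal), (plain, order_portal)]
    return [authorize(s, r) for s, r in checks]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(reason)
```

The ordering of the checks matters: identity is established before the cipher is judged, and the class ceiling is applied before any explicit grant, so a grant that names a restricted resource for a partner still denies. In a real gateway these inputs would come from the authentication backend and the tunnel negotiation rather than from constructed objects.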
The most widely used networks for VPN are the Internet and public networks, generally Frame Relay and ATM networks. Using routers and switches, enterprises are able to blend their private networks with public data networks through a network service provider. Using public network connections to extend the enterprise network gives businesses the ability to control and scale the network as enterprise needs change.
Summary
Organizations need to find ways to build networks that address their concerns and provide the kind of flexibility, performance and reliability they have come to expect from their private networks. A true VPN allows the enterprise to maximize the inherent reliability and availability of a public network, using complete flexible solutions that let the organization choose the most effective technologies to use at different points in the network.
Dede Schultz, Communications Systems Division VP, Technology Services
