Virtual Private Networking or VPN is a group of two or more computer systems
connected to a private network with limited public-network access
that communicate securely over a public network, such as the
Internet. VPNs may exist between an individual machine and a private
network (client-to-server) or between a remote LAN and a private network
(server-to-server). Most VPNs include encryption, strong
authentication of remote users or hosts, and mechanisms for hiding
or masking information about the private network topology from
potential attackers on the public network.
How does it work?
There are two basic ways to create a VPN connection (see above diagram):
- Gateway to gateway
- Host to gateway
A gateway is a device
that features VPN server capabilities. An example of a gateway is
the Cable/DSL VPN Router. The Router functions as a VPN server,
creating a “tunnel” or channel between itself and a remote location,
so that data transmissions between them are secure. A host is a
device, such as a computer, with VPN host software installed.
Microsoft Windows 2000 and XP have built-in VPN host software; other
versions of Microsoft operating systems require additional,
third-party software applications to be installed.
Gateway to Gateway
An example of a gateway-to-gateway VPN would be a Cable/DSL VPN
Router (gateway) linked to the central office's VPN server
(gateway). At home, a telecommuter uses his Cable/DSL VPN Router for
his always-on Internet connection. His Router has a built-in VPN
server configured with his office’s VPN settings. He starts up the
Router’s utility and connects to the VPN server at the central
office 40 miles* away. Using the VPN, the telecommuter now has a
secure connection to the central office’s network, as if he were
physically connected.
Host to Gateway
An example of a host-to-gateway VPN would be a notebook computer
(host) linked to the central office’s VPN server (gateway). In her
hotel room, a traveling businesswoman dials up her ISP. Her notebook
computer has VPN host software configured with her office’s VPN
settings. She starts up the VPN host software and connects to the
VPN server at the central office 4000 miles* away. Using the VPN,
the businesswoman now has a secure connection to the central
office’s network, as if she were physically connected.
*Distances are examples only; VPNs have no distance limitations.
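The two scenarios above differ only in which device is the tunnel entry point: the Cable/DSL VPN Router encapsulates packets on behalf of the whole home LAN, while the notebook's VPN host software encapsulates its own packets. The following Python model, added here as an illustration (it is not code from the original article or from any router vendor), shows what the "tunnel" does to a packet in both cases: the private packet, addresses included, is encrypted and given an integrity tag, and only the public addresses of the two endpoints appear in the outer header. The keys, public and private addresses, the function names `encapsulate`/`decapsulate`, and the HMAC-SHA256 counter-mode keystream (a stand-in for the cipher a real IPsec implementation would use) are all constructed for this example.

```python
"""Tunnel model: a home gateway wraps private-network packets for the office gateway."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed keys for this illustration only; a real VPN negotiates them (IPsec uses IKE).
ENC_KEY = b"example-encryption-key-32-bytes!"
MAC_KEY = b"example-integrity-key-32-bytes!!"
OUTER_LEN = 8   # outer source + destination IPv4 addresses
SEQ_LEN = 8     # sequence number, which also serves as the nonce
TAG_LEN = 32    # HMAC-SHA256 output


@dataclass(frozen=True)
class InnerPacket:
    """A packet of the private network: these addresses must not appear on the Internet."""
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, seq_bytes: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in PRF for a real cipher such as AES-GCM."""
    blocks = [hmac.new(key, seq_bytes + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: InnerPacket, seq: int, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: encrypt the whole inner packet (headers included), append an
    integrity tag, and prepend an outer header that carries only public addresses."""
    plaintext = (ipaddress.ip_address(inner.src).packed
                 + ipaddress.ip_address(inner.dst).packed
                 + inner.payload)
    seq_bytes = struct.pack(">Q", seq)
    ciphertext = _xor(plaintext, _keystream(ENC_KEY, seq_bytes, len(plaintext)))
    tag = hmac.new(MAC_KEY, seq_bytes + ciphertext, hashlib.sha256).digest()
    outer = ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed
    return outer + seq_bytes + ciphertext + tag


def decapsulate(wire: bytes, my_public_ip: str, seen: set) -> InnerPacket:
    """Tunnel exit: verify the tag before touching the ciphertext, reject replays,
    then recover the private packet for delivery on the internal network."""
    if len(wire) < OUTER_LEN + SEQ_LEN + 8 + TAG_LEN:
        raise ValueError("truncated packet")
    if ipaddress.ip_address(wire[4:8]) != ipaddress.ip_address(my_public_ip):
        raise ValueError("not addressed to this gateway")
    seq_bytes = wire[OUTER_LEN:OUTER_LEN + SEQ_LEN]
    ciphertext = wire[OUTER_LEN + SEQ_LEN:-TAG_LEN]
    tag = wire[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, seq_bytes + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified or forged")
    seq = struct.unpack(">Q", seq_bytes)[0]
    if seq in seen:
        raise ValueError("replayed packet")
    seen.add(seq)
    plaintext = _xor(ciphertext, _keystream(ENC_KEY, seq_bytes, len(ciphertext)))
    return InnerPacket(str(ipaddress.ip_address(plaintext[:4])),
                       str(ipaddress.ip_address(plaintext[4:8])),
                       plaintext[8:])


def observer_view(wire: bytes) -> tuple:
    """All that an eavesdropper on the public network learns without the keys."""
    return (str(ipaddress.ip_address(wire[:4])), str(ipaddress.ip_address(wire[4:8])), len(wire))


def demo() -> dict:
    """Run both topologies from the text against one office gateway (constructed addresses)."""
    OFFICE_GW, HOME_GW, HOTEL_IP = "198.51.100.20", "203.0.113.10", "192.0.2.77"
    office_seen = set()
    # Gateway to gateway: a PC on the home LAN sends a plain packet; the router tunnels it.
    lan_pkt = InnerPacket("192.168.1.10", "10.0.5.25", b"SELECT ...")
    wire1 = encapsulate(lan_pkt, 1, HOME_GW, OFFICE_GW)
    recovered1 = decapsulate(wire1, OFFICE_GW, office_seen)
    # Host to gateway: the notebook runs the VPN software itself, so it is the tunnel entry.
    nb_pkt = InnerPacket("10.8.0.2", "10.0.5.25", b"GET /intranet")
    wire2 = encapsulate(nb_pkt, 2, HOTEL_IP, OFFICE_GW)
    recovered2 = decapsulate(wire2, OFFICE_GW, office_seen)
    # The office gateway must reject a modified copy and a replayed copy of the first packet.
    tampered = bytearray(wire1)
    tampered[20] ^= 0x01
    results = {"recovered": [recovered1, recovered2], "observer": observer_view(wire1), "wire": wire1}
    for name, attempt in (("tamper_rejected", bytes(tampered)), ("replay_rejected", wire1)):
        try:
            decapsulate(attempt, OFFICE_GW, office_seen)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point the article makes about hiding topology: `observer_view` returns only the two public addresses and a length, while the 192.168.1.10 and 10.0.5.25 addresses exist solely inside the encrypted body. The tag check runs before decryption and the sequence number is tracked per peer, so a modified or replayed packet never reaches the internal network.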
VPN Types
There are three broad categories of VPN products: hardware-based
systems, firewall-based VPNs and standalone VPN application
packages.
The majority of hardware-based VPN systems are encrypting routers.
They are secure and easy to use, since they provide the nearest
thing to "plug and play" encryption equipment available. Since they
don't waste processor overhead in running an operating system or
applications, they provide the highest network throughput of all VPN
systems. However, they may not be as flexible as software-based
systems. The best hardware VPN packages offer software-only clients
for remote installation, and incorporate some of the access control
features more traditionally managed by firewalls or other perimeter
security devices.
Firewall-based VPNs take advantage of the firewall's security
mechanisms, including restricting access to the internal network.
They also perform address translation; satisfy requirements for
strong authentication; and serve up real-time alarms and extensive
logging. Most commercial firewalls also "harden" the host operating
system kernel by stripping out dangerous or unnecessary services,
providing additional security for the VPN server. OS protection is a
major plus, since very few VPN application vendors supply guidance
on OS security. Performance may be a concern, especially if the
firewall is already loaded - however, some firewall vendors offer
hardware-based encryption processors to minimize the impact of VPN
management on the system.
Software-based VPNs are ideal in situations where the two endpoints of
the VPN are not controlled by the same organization (typical for
client support requirements or business partnerships), or when
different firewalls and routers are implemented within the same
organization. Currently, standalone software VPNs offer the most flexibility
in network traffic management. Many software-based products allow
traffic to be tunneled based on address or protocol, unlike
hardware-based products, which generally tunnel all the traffic they
handle, regardless of protocol. Tunneling specific traffic types is
advantageous in situations where remote sites may see a mix of
traffic - some that may need transport over a VPN (such as entries
to a database at headquarters) and some that do not (such as Web
surfing). In situations where performance requirements are modest
(such as users connecting over dial-up links), software-based VPNs
may be the best choice.
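The selective tunneling described above is a policy decision the VPN software makes per flow. The following Python model, added here as an illustration (it is not code from the original article or from any VPN product), contrasts the two behaviours the text describes: a split-tunnel policy that sends headquarters traffic and database sessions through the VPN while web surfing leaves directly, and a full-tunnel policy of the kind a hardware router applies to everything it handles. The rule set, the 10.0.0.0/8 headquarters prefix, the database port and the function names `decide`/`plan` are constructed for this example.

```python
"""Split-tunnel policy for a software VPN client: tunnel by address or protocol."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "tunnel", "direct" or "drop"
    network: Optional[str] = None    # CIDR prefix; None matches any destination
    protocol: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None       # None matches any port

    def matches(self, flow: Flow) -> bool:
        if self.network is not None:
            # ipaddress returns False for a v6 address tested against a v4 prefix (and vice versa)
            if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(self.network):
                return False
        if self.protocol is not None and self.protocol != flow.protocol:
            return False
        if self.port is not None and self.port != flow.dst_port:
            return False
        return True


# Constructed policy; the first matching rule wins, so specific rules precede the catch-all.
SPLIT_TUNNEL_POLICY: List[Rule] = [
    Rule("tunnel", network="10.0.0.0/8"),          # headquarters' private address space
    Rule("tunnel", protocol="tcp", port=1433),     # database sessions, wherever the server sits
    Rule("direct"),                                # everything else (web surfing) leaves directly
]

# Hardware-router style: no selection at all, every flow goes through the tunnel.
FULL_TUNNEL_POLICY: List[Rule] = [Rule("tunnel")]


def decide(flow: Flow, policy: List[Rule], default: str = "drop") -> str:
    """Return the action for one flow; fail closed when no rule matches."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return default


def plan(flows: List[Flow], policy: List[Rule]) -> dict:
    """Group a set of flows by the path they would take under a policy."""
    out = {"tunnel": [], "direct": [], "drop": []}
    for flow in flows:
        out[decide(flow, policy)].append(flow)
    return out


if __name__ == "__main__":
    # Constructed sample: a database query, a web request, and a ping to a headquarters host.
    sample = [Flow("10.0.5.25", "tcp", 1433), Flow("203.0.113.80", "tcp", 443), Flow("10.20.0.9", "icmp")]
    print(plan(sample, SPLIT_TUNNEL_POLICY))
    print(plan(sample, FULL_TUNNEL_POLICY))
```

Two design points matter in practice: the catch-all `direct` rule is what makes this a split tunnel, and removing it makes `decide` fall back to `drop`, so a policy with a gap fails closed rather than leaking traffic; and under the split policy the host carries a direct public path and a tunnel path at the same time, which is the trade-off the article's performance argument accepts.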
However, software-based systems are generally harder to manage than
encrypting routers. They require familiarity with the host operating
system, the application itself, and appropriate security mechanisms.
And some software VPN packages require changes to routing tables and
network addressing schemes.
As the VPN market evolves, the distinctions between VPN
architectures are becoming less clearly defined. Some hardware
vendors have added software clients to their product offerings, and
extended their server capabilities to include some of the security
features more "traditionally" offered by software or firewall-based
VPNs. A few stand-alone products have added support for
hardware-based encryptors to improve their performance. And for all
types of VPNs, wider implementation of the proposed IPSec protocol
is making it easier (though not trivial) to mix and match VPN
products. So please remember that these VPN categories are becoming
less meaningful as time goes on.
In summary, a VPN is a private connection between two machines or
networks over a shared or public network. In practical terms, VPN
technology lets an organization securely extend its network services
over the Internet to remote users, branch offices, and partner
companies. In other words, VPNs turn the Internet into a simulated
private WAN.
The Internet's appeal is its global presence, and its use is now
standard practice for most users and organizations. As the need for
communication links continues to grow, VPNs become increasingly
relevant as they provide security, are cost-efficient and quick to
implement.