Determining efficient VPN solutions, encryption options

Various virtual private network solutions based on different network protocols are outlined for easy comparison in determining the most efficient solution and encryption scheme.

There are many definitions of "virtual private network," and not all VPNs use end-to-end encryption. For example:

  • VPNs based on Multi-Protocol Label Switching (MPLS) carve virtual switched paths out of the provider's network to carry customer traffic between edge routers. MPLS does not provide data encryption, but can be used in conjunction with IPsec when encryption is required.
  • VPNs based on the Layer Two Tunneling Protocol (L2TP) relay dial-up (PPP) sessions terminated by an ISP's Network Access Server to an L2TP Gateway at the customer's network. L2TP does not provide data encryption, but is commonly used over IPsec transport mode to provide confidentiality (for example, within Windows XP/2000).
  • Network-based IPsec VPN services often use a carrier-class VPN switch at the provider's point of presence (POP) to initiate and terminate VPN tunnels across the provider's backbone. The "tail circuit" between the customer's premises and the provider's POP (for example, a dedicated T1 link or a Frame Relay PVC) may or may not be encrypted.

If you require end-to-end confidentiality from your VPN service -- that is, encryption from customer premises to customer premises, without any point in the middle at which your data is cleartext -- then it's important to explicitly look for a secure VPN service that provides this. For example, most managed IPsec VPN services can deliver end-to-end encryption. But whether or not they actually do encrypt end-to-end is determined by the VPN's security policy configuration.

This question was asked at Ask the Experts on SearchNetworking.com.

Lisa Phifer, Contributing expert
About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.


This was first published in June 2009

Dig deeper on VPN design

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchNetworking

SearchUnifiedCommunications

SearchTelecom

SearchSDN

Close