Another way of setting up a VPN network is to use routers for the VPN connections. In this example, departments must be connected to an intranet with computers that act as VPN routers. Once the connections are established, PC users on each network can exchange information over the Internet.
As shown in the diagram, each branch office has PC clients connected to a switch that also functions as a VPN router. This in turn connects to a firewall, which then sends its information encrypted through a tunnel that is linked with the VPN connection. The laptop user is a home-based user who does not need a router or a firewall. He uses a VPN client to establish his tunnel. The beauty of using VPN for this solution is that -- depending on the hardware purchased -- it should be possible to support hundreds of users across the public network, with just the client software. This solution provides significant cost savings over traditional toll-free numbers. It also supports broadband, giving dramatic performance improvements over dial-up. Security is improved as well, since the connections go through encrypted tunnels.
An important concept to understand regarding VPNs is tunneling. Tunneling is the transmission of data intended for use only within a private network through a public network in such a way that the nodes in the public network (the Internet) are not even aware that the transmission is part of a private network. The way this is done is to encapsulate the private network data and protocol information within the public network transmission. This is done so that the private network protocol information appears to the public network as data. This allows one to use the public network to transmit data from a corporate private network.
There are many VPN protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). IPsec (Internet Protocol Security), a framework for a set of security protocols at the packet processing layer is also used with VPNs. IPSec has two encryption modes: tunnel and transport. Tunnel is more secure because it encrypts the header and the payload of each and every packet, whereas transport will encrypt only the payload. IPSec provides very strong security features, such as complex encrypting algorithms and strong authentication. The only drawback here is that the hardware devices must support IPSec, and this is not a given.
Finally, before purchasing a VPN solution, look carefully at all the products on the market. Don't just jump at the first solution. Look at everything you want your VPN to do. If all you'll ever need it for is connectivity for your work-from-home users, you may not need all the features of an enterprise-wide type of hardware solution offered by one of the top vendors. Think carefully before you purchase a solution in which the VPN is also the router or the firewall. All-in-one solutions have a certain appeal, but think about what would happen if someone were to break into that device -- there is no other barrier between you and your private network. A separate router gives you another barrier. Similarly, many vendors offer hybrid firewall/VPN solutions. Don't forget that the firewall provides the barrier between your private network and the public network, which is the Internet. Any way you slice it, separating devices gives you another layer of protection.
About the author:
Ken Milberg is the founder of Unix-Linux Solutions. He is also a board member of Unigroup of NY, the oldest Unix users group in NYC. Ken regularly answers user questions on Unix and Linux interoperability issues as a site expert on SearchOpenSource.com.
This was first published in May 2006