The Future of VPN
The success of VPNs in the future depends mainly on industry dynamics. Most of the value in VPNs lies in the potential for businesses to save money. Should the cost of long-distance telephone calls and leased lines continue to drop, fewer companies may feel the need to switch to VPNs for remote access. Conversely, if VPN standards solidify and vendor products interoperate fully with each other, the appeal of VPNs should increase.
The success of VPNs also depends on the ability of intranets and extranets to deliver on their promises. Companies have had difficulty measuring the cost savings of their private networks, but if it can be demonstrated that these provide significant value, the use of VPN technology internally may also increase.
VPN technology is based on the idea of tunneling. Network tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the
For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within IP packets. Encapsulation by itself provides no confidentiality: a plain GRE or IP-in-IP tunnel carries the inner packet in clear text, readable by anyone on the path, and the outer header can be forged by anyone who knows the tunnel endpoints. What keeps the tunnels secure is the authentication and encryption that VPN protocols layer on top of the encapsulation.
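The encapsulation step described above, as an added example written for this page rather than code from the original article. It builds an inner IPv4 packet, wraps it in an outer IPv4 header using either GRE (IP protocol 47, the carrier PPTP uses for its data channel) or IP-in-IP (protocol 4), and then de-encapsulates it on the receiving side, validating the outer header, the GRE header and the tunnel peer address before trusting the inner packet. All addresses and payloads are constructed sample values, and the 'expected_peer' check is an illustrative sanity check, not a substitute for the authentication a real VPN protocol provides.

```python
"""Added example: IP tunneling by encapsulation and de-encapsulation.

Constructed illustration for the page's tunneling paragraph; not the
article's own code. Addresses and payloads below are made up.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4      # IP-in-IP: inner IPv4 packet is the outer payload
IPPROTO_GRE = 47      # GRE: the carrier PPTP uses for tunneled data
IPPROTO_ESP = 50      # IPsec ESP: shown only so the dispatcher can name it
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over a header; 0 when a valid checksum is included."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) carrying 'payload' as protocol 'proto'."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; returns fields plus the trimmed payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad IPv4 total length")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, carrier: int = IPPROTO_GRE) -> bytes:
    """Wrap a complete inner IPv4 packet in an outer carrier packet between tunnel endpoints."""
    if carrier == IPPROTO_GRE:
        # Minimal RFC 2784 GRE header: no flags/version, protocol type = IPv4
        payload = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    elif carrier == IPPROTO_IPIP:
        payload = inner
    else:
        raise ValueError("unsupported carrier protocol %d" % carrier)
    return build_ipv4(tunnel_src, tunnel_dst, carrier, payload)


def decapsulate(packet: bytes, expected_peer: str) -> bytes:
    """Strip the carrier and return the validated inner IPv4 packet.

    'expected_peer' is an illustrative check that the outer source is the configured
    tunnel endpoint; real VPNs rely on cryptographic authentication for this.
    """
    outer = parse_ipv4(packet)
    if outer["src"] != expected_peer:
        raise ValueError("outer packet not from the configured tunnel peer")
    body = outer["payload"]
    if outer["proto"] == IPPROTO_IPIP:
        inner = body
    elif outer["proto"] == IPPROTO_GRE:
        if len(body) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", body[:4])
        # C/K/S bits (0x8000/0x2000/0x1000) extend the header; version bits must be 0
        if flags & 0xB007:
            raise ValueError("GRE options or non-zero version not handled here")
        if ptype != ETHERTYPE_IPV4:
            raise ValueError("GRE payload is not IPv4")
        inner = body[4:]
    elif outer["proto"] == IPPROTO_ESP:
        raise ValueError("ESP payload is encrypted; the IPsec SA is needed to decrypt it")
    else:
        raise ValueError("unknown carrier protocol %d" % outer["proto"])
    parse_ipv4(inner)  # reject garbage before handing the inner packet to the stack
    return inner


def demo(carrier: int = IPPROTO_GRE) -> dict:
    """Constructed round trip: a client packet tunneled between two public endpoints."""
    inner = build_ipv4("10.0.0.5", "10.0.0.80", 17, b"hello over the tunnel")
    outer = encapsulate(inner, "198.51.100.7", "203.0.113.1", carrier)
    recovered = decapsulate(outer, expected_peer="198.51.100.7")
    return {"outer": parse_ipv4(outer), "inner": parse_ipv4(recovered), "same": recovered == inner}


if __name__ == "__main__":
    result = demo()
    print("outer %(src)s -> %(dst)s proto %(proto)d" % result["outer"])
    print("inner %(src)s -> %(dst)s payload %(payload)r" % result["inner"])
```

The outer header carries only the public tunnel endpoints; the private addresses and the application data travel unchanged inside it, which is exactly what makes an unencrypted tunnel trivially readable by anyone on the path.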
Two Types of VPN Tunneling
VPN supports both voluntary and compulsory tunneling. Both types of tunneling can be found in practical use.
In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.
In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client's point of view, VPN connections are set up in just one step, compared to the two-step procedure required for voluntary tunnels.
Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP) (also Network Access Server (NAS) or Point of Presence (POP) server). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively moves control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEPs, and clients must trust the provider's broker, since the client never authenticates the VPN server itself.
VPN Tunneling Protocols
Several interesting network protocols have been implemented
specifically for use with VPN tunnels. The three most
popular VPN tunneling protocols listed below continue to
compete with each other for acceptance in the industry.
These protocols are generally incompatible with each other.
Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features, in particular the MS-CHAP authentication and the MPPE encryption keyed from it, that some experts claimed were too weak for serious use. Microsoft later revised both (MS-CHAPv2), but the underlying password-derived keying remains weak, and PPTP is today generally regarded as obsolete for anything that needs real confidentiality.
Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, thus the origin of its name. L2TP itself provides tunneling only, with no encryption of its own, so in practice it is run over IPsec (L2TP/IPsec) to get confidentiality and integrity.
Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols (AH and ESP for the packet formats, IKE for key exchange). It can be used as a complete VPN protocol solution in its own tunnel mode, or it can be used simply as the encryption and integrity layer beneath L2TP; PPTP does not use IPsec but relies on its own MPPE encryption. IPsec exists at the network layer (Layer Three) in OSI.
Virtual private networks (VPNs) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption. This page describes IP-based VPN technology over the Internet, though an organization might deploy VPNs on its internal networks (intranets) to encrypt sensitive information. We also have some performance numbers. The basic idea is to provide an encrypted IP tunnel through the Internet that permits distributed sites to communicate securely. The encrypted tunnel provides a secure path for network applications and requires no changes to the applications themselves.