Two Types of VPN Tunneling

VPN supports both voluntary and compulsory tunneling. Both types of tunneling can be found in practical use.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client's point of view, VPN connections are set up in just one step, compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP) (also Network Access Server (NAS) or Point of Presence (POP) server). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively moves control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEPs.
VPN Tunneling Protocols

Several interesting network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols, listed below, continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.
Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of L2F and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, which is the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can be used simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) in OSI.
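The three protocols above leave different footprints on the carrier network, which is how a network defender inventories the tunnels crossing a perimeter. The following added example (written for this page, not code from the original article) correlates control and data channels in constructed flow records to label each host pair's tunnel type; the port and IP protocol numbers are the IANA assignments for PPTP, L2TP, IKE, ESP and AH, which the page itself does not list.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, ip_proto, dst_port).
# 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP, 51 = AH (IANA protocol numbers).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6, 1723),    # PPTP control channel
    ("10.0.0.5", "203.0.113.10", 47, None),   # GRE carrying PPTP data
    ("10.0.0.7", "198.51.100.2", 17, 500),    # IKE negotiating an IPsec SA
    ("10.0.0.7", "198.51.100.2", 50, None),   # ESP-protected payload
    ("10.0.0.9", "192.0.2.20", 17, 1701),     # L2TP visible in the clear
    ("10.0.0.11", "192.0.2.30", 17, 4500),    # IPsec NAT traversal
    ("10.0.0.12", "192.0.2.40", 6, 443),      # ordinary HTTPS, not a tunnel
]

def classify_tunnels(flows):
    """Map (src, dst) host pairs to the VPN tunneling protocol their flows show."""
    tags = defaultdict(set)
    for src, dst, proto, port in flows:
        pair = (src, dst)
        if proto == 6 and port == 1723:
            tags[pair].add("pptp-control")
        elif proto == 47:
            tags[pair].add("gre")
        elif proto == 17 and port == 500:
            tags[pair].add("ike")
        elif proto == 17 and port == 4500:
            tags[pair].add("nat-t")
        elif proto in (50, 51):
            tags[pair].add("esp-ah")
        elif proto == 17 and port == 1701:
            tags[pair].add("l2tp")
    result = {}
    for pair, t in tags.items():
        if "pptp-control" in t and "gre" in t:
            result[pair] = "PPTP tunnel (control + GRE data)"
        elif "pptp-control" in t:
            result[pair] = "PPTP control only (no GRE data channel seen)"
        elif "l2tp" in t:
            # L2TP/IPsec wraps UDP 1701 inside ESP, so a visible L2TP port
            # means the tunnel is running without IPsec protection.
            result[pair] = "L2TP in the clear (no IPsec seen)"
        elif "ike" in t and "esp-ah" in t:
            result[pair] = "IPsec tunnel (IKE + ESP/AH)"
        elif "nat-t" in t:
            result[pair] = "IPsec over NAT-T (UDP 4500)"
    return result

if __name__ == "__main__":
    for pair, label in sorted(classify_tunnels(FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: {label}")
```

A PPTP host pair or a bare L2TP port in this output is worth following up, since the page notes PPTP's early security weaknesses and L2TP relies on IPsec for encryption.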
Virtual private networks (VPNs) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption. This page describes IP-based VPN technology over the Internet, though an organization might deploy VPNs on its internal networks (intranets) to encrypt sensitive information. We also have some performance members. The basic idea is to provide an encrypted IP tunnel through the Internet that permits distributed sites to communicate securely. The encrypted tunnel provides a secure path for network applications and requires no changes to the applications.