
IPSEC Virtual Private Network (VPN) Design


Virtual Private Networks (VPNs) based on the IPSEC protocol suite have been in use for several years now. What is a VPN exactly, and why has it changed the way we think about networking? Essentially, a VPN is an encrypted and authenticated connection between one location and another that uses the public Internet for transport. The primary reason to consider a VPN connection is that bandwidth to the public Internet is often less expensive to buy than bandwidth for a private data circuit between two sites. The main categories of VPN are discussed below, along with a few of the pitfalls related to VPN deployment.

There are two general categories of VPN. The first is a "LAN-to-LAN" VPN, which connects two office LANs together through the public Internet. Each remote office has its own connection to the public Internet. Generally, a VPN gateway "appliance" is installed at each office between the "inside" part of the office LAN and the "outside" segment next to the Internet router. Often the VPN gateway also acts as the firewall that protects the inside LAN. The VPN gateway encrypts only packets whose destination is the other office's LAN (selected by its configured traffic selectors, often called the crypto ACL); packets bound for the public Internet are sent in the clear as usual. The figure below shows a remote office connected to the corporate network through a VPN.

The second type of VPN is a "Remote Access" VPN. This type of VPN connects an individual remote user on a PC to a central site LAN through the public Internet. Client software on the user's PC provides the VPN encryption for packets destined to the central site LAN, and a VPN gateway appliance at the central site terminates the tunnel on that end. The remote PC can be connected to the public Internet (and thus to the VPN) via a dial connection, DSL, ISDN, or cable modem. The figure below shows a home user with a cable modem using a VPN to connect to the corporate network.

The above scenarios have assumed that the VPN gateway equipment is located in your office. That is not the only option for setting up a VPN. Today, many long-haul carriers (such as Sprint and WorldCom) offer their own value-added VPN services. In this case, the carrier provides the VPN gateway equipment (which is located on their premises) and manages it for you -- for a fee. Keep in mind that with this arrangement the access circuit between your office and the carrier's gateway is outside the encrypted tunnel, so you are trusting the carrier for that segment.

The technical underpinnings of a VPN are extensive. The current standard for VPN connectivity is IPSEC. Its key-management protocol, IKE, authenticates the two endpoints, performs the key exchange, and negotiates which encryption and integrity algorithms (DES, 3DES, AES, etc.) will protect the packets; ESP then carries the encrypted traffic. DES should no longer be selected, since its 56-bit key can be brute-forced, and AES is the appropriate choice for new deployments. New standards, notably IKEv2, are emerging in an attempt to reduce the complexity of IPSEC key negotiation.

There are many possible pitfalls related to VPN deployment. They fall into the general categories of VPN management, security, and performance. Management issues arise when many individual clients (such as traveling laptops) connect to the Internet from wherever they happen to be in order to reach your VPN. A mechanism must be in place to install and configure the VPN client on each machine, distribute and update its credentials, and provide ongoing end-user support.

Security is also a concern. Your organization must develop a policy that outlines the conditions for connecting to the organization's network. For example, should end-users be allowed to install a VPN client on a home PC, or only on PCs owned by the organization? Should split tunneling be allowed? With split tunneling the remote PC is on the public Internet and on your LAN at the same time, so anything that compromises the PC has a path into the LAN. In any event, the remote access VPN should be designed to provide an additional layer of authentication beyond just the pre-shared key. A pre-shared key stored on the laptop is all an attacker needs to bring up the tunnel, so if you use pre-shared keys without any additional authentication and a laptop is stolen, security is compromised until the key is changed, and a group key shared by all clients cannot be revoked for one user without re-keying everyone. Per-user authentication (user credentials, one-time passwords, or client certificates) gives you something you can revoke for the one stolen machine.

Performance issues can occur if the path across the public Internet between two VPN sites is long: every router hop adds latency, and a congested or lossy hop adds jitter and retransmissions that the VPN cannot hide. VPNs will generally perform better if all remote sites connect to the Internet using the same ISP, which keeps the traffic on one provider's backbone and reduces the number of hops between sites. It is also important to consider the types of applications that are appropriate to run over a VPN. Extremely time-sensitive applications, or applications requiring a particular quality of service, may not work well, because the public Internet offers no end-to-end service guarantees.

There are other issues for VPN connections as well. Some applications may work poorly or not at all if they are sensitive to the reduction in maximum packet size imposed by an IPSEC VPN connection. A regular Ethernet link normally carries IP packets of up to 1500 bytes. Packets passing through a VPN connection must be smaller, because in tunnel mode IPSEC wraps each original packet in a new IP header, an ESP header, an IV, padding, a trailer and an integrity check value; depending on the algorithms this adds roughly 50 to 75 bytes, and NAT traversal adds another 8-byte UDP header. Packets that arrive at the gateway with the "don't fragment" bit set and do not fit must be rejected with an ICMP "fragmentation needed" message; if a firewall on the path filters that ICMP, the application simply hangs on large transfers (a path MTU discovery black hole). The usual remedies are to lower the MTU on the inside interfaces or to have the gateway clamp the TCP MSS so that full-size segments never exceed the tunnel's inner MTU.
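To put numbers on the packet-size issue above, here is an added example (not from the original page or from FLG Networking) that computes tunnel-mode ESP overhead per RFC 4303, the largest inner packet that still fits a 1500-byte outer MTU, and the TCP MSS value to clamp to. The algorithm names and the header sizes for each cipher are this example's own table (IV and alignment per RFC 4303 and RFC 4106, NAT-T UDP header per RFC 3948); the sample inputs are constructed.

```python
"""ESP tunnel-mode overhead, inner MTU and TCP MSS calculator.

Added example for the MTU discussion; not from the original page.
Fixed sizes follow RFC 4303 (ESP), RFC 3948 (NAT-T UDP encapsulation)
and RFC 4106 (AES-GCM). Algorithm names are this example's own labels.
"""

IPV4_HDR = 20     # outer IPv4 header added in tunnel mode
UDP_HDR = 8       # only present with NAT-Traversal (UDP port 4500)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
TCP_HDR = 20

# name -> (IV bytes, block size the encrypted part must be padded to)
CIPHERS = {
    "des-cbc": (8, 8),    # obsolete; listed only for comparison
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
    "aes-gcm": (8, 4),    # 8-byte IV; RFC 4303 still requires 4-byte alignment
}

# name -> ICV (integrity check value) bytes appended after the trailer
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "gcm-icv16": 16,      # AES-GCM's built-in tag; pair with "aes-gcm"
}


def esp_padding(inner_len, cipher):
    """Bytes of ESP padding so that inner packet + pad + trailer is block-aligned."""
    _, block = CIPHERS[cipher]
    return (-(inner_len + ESP_TRAILER)) % block


def outer_packet_size(inner_len, cipher, integ, nat_t=False):
    """Bytes on the wire for one tunnel-mode ESP packet carrying `inner_len` bytes."""
    iv, _ = CIPHERS[cipher]
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv
            + inner_len + esp_padding(inner_len, cipher)
            + ESP_TRAILER + INTEGRITY[integ])


def max_inner_mtu(outer_mtu, cipher, integ, nat_t=False):
    """Largest inner IP packet that crosses the tunnel without fragmentation.

    Searches downward because padding makes the size function non-monotonic
    in single-byte steps (an inner packet one byte longer can need a whole
    extra block of padding).
    """
    for inner in range(outer_mtu, 0, -1):
        if outer_packet_size(inner, cipher, integ, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")


def tcp_mss_clamp(outer_mtu, cipher, integ, nat_t=False):
    """TCP MSS to clamp on the gateway so full-size segments never need fragmenting."""
    return max_inner_mtu(outer_mtu, cipher, integ, nat_t) - IPV4_HDR - TCP_HDR


def fits_without_fragmentation(inner_len, outer_mtu, cipher, integ, nat_t=False):
    """True if an inner packet of this size can be tunnelled intact.

    When this is False and the inner packet carries the DF bit, the gateway
    must return ICMP 'fragmentation needed'; if a firewall on the path drops
    that ICMP, the sender never learns to shrink its packets (PMTUD black hole).
    """
    return outer_packet_size(inner_len, cipher, integ, nat_t) <= outer_mtu


if __name__ == "__main__":
    # Constructed sample proposals over a 1500-byte Ethernet path.
    for cipher, integ, nat in [("3des-cbc", "hmac-sha1-96", False),
                               ("aes-cbc", "hmac-sha1-96", False),
                               ("aes-cbc", "hmac-sha1-96", True),
                               ("aes-gcm", "gcm-icv16", False)]:
        inner = max_inner_mtu(1500, cipher, integ, nat)
        added = outer_packet_size(1500, cipher, integ, nat) - 1500
        print(f"{cipher:8} {integ:15} nat_t={str(nat):5} "
              f"inner MTU {inner}  MSS clamp {tcp_mss_clamp(1500, cipher, integ, nat)}  "
              f"overhead on a 1500-byte inner packet {added}")
```

The output shows why a blanket "a few bytes smaller" is misleading: with AES-CBC and HMAC-SHA1 the inner MTU drops to 1438 bytes (1422 behind NAT), which is why gateways commonly clamp TCP MSS to around 1380-1400 rather than the 1460 a plain Ethernet host would advertise.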

With careful planning and management, a VPN can be a highly cost-effective solution for remote connectivity. Give FLG Networking a call to discuss your specific VPN questions.


About Us | Phone: (913) 268-1061 | Fax: (913) 268-1062 | Email: flg@flgnetworking.com
