Virtual Private Network (VPN) FAQs
What is a virtual private network?
A virtual private network is essentially a system that allows two or more private networks to be connected over a publicly accessible network, such as the Internet. It usually consists of an encrypted tunnel of some kind, although a VPN can take several forms, using different combinations of hardware and software technologies. It can exist between an individual machine and a private network, or between a remote LAN and a private network.
Aside from supporting basic LAN interfaces, a good VPN should have high-availability features such as redundant power supplies. Also, all VPNs require some kind of authorization protocol and encryption, although some companies may choose to opt out of the latter. Other advanced functions can be useful, such as data compression, routing ability, network address translation, bandwidth management capabilities and fail-over redundancy. When purchasing a ready-made VPN package from a solutions provider, it is often possible to get other bundled services to complement the network, such as voice over IP and other hosted applications.
A VPN service is an economical alternative to setting up a private network with expensive leased lines, as it can use existing IP infrastructure and equipment to connect remote users and offices. For offices with great distances between them, VPNs are ideal because they can provide connectivity for almost any location in the world, and without incurring long-distance charges. Also, the flexibility and relative simplicity of VPNs allows small- to medium-sized businesses the option to switch to a different provider, increase bandwidth, or add more offices to the network more freely than with other schemes.
Once a company connects to a VPN server, it can either use the same applications that it normally uses to connect to the Internet, or it can purchase or rent the appropriate devices, depending on the scope of the network. It can then be used to connect LANs in different sites, or give customers, clients and consultants access to corporate resources, provided they have compatible software and can be authenticated. Often VPNs are useful for mobile workers such as salespeople, for home workers or day extenders.
Not really. An extranet is basically a glorified Web site, which allows clients or partners access to the corporate intranet for highly specific, often administrative functions. For example, an online newspaper’s extranet might allow advertisers to change banner ads on its site. A VPN uses a protocol that allows a remote PC full access to a company’s network neighbourhood, as if it were actually in the home office. Although extranets take a variety of forms, some of which can resemble a VPN, they do not have the same function. However, using a more sophisticated authentication and segmentation method, a company can build a separate extranet application on its VPN, possibly saving money in the process.
By using a relatively cheap local dial-up or broadband connection, companies using VPNs save on telecommunications costs, and also reduce long-distance phone charges. They also cut down on operational costs by outsourcing the management of equipment used for remote access, as well as reducing the number of access lines running into a corporate site. In some cases, the company can “borrow” the necessary hardware from a VPN service provider, at no extra charge. Finally, a VPN can theoretically alleviate the support burden, as the public service provider is generally responsible for supporting its dial-up customers.
There are a number of factors that can contribute to a VPN’s performance. While some of the issues may be related to the hardware or software applications being used, much of it depends on the Internet itself. The availability and speed of IP services may differ from one area to the next, as well as from one provider to the next. Because of this, most VPN providers will not offer a guarantee on the latency of packets moving across the network. Performance also depends somewhat on the encryption scheme being used, as well as the client’s ability to process it. Strongly encrypted data takes considerably longer to transmit, especially for larger packets being sent through a dial-up line.
Since VPNs rely on a public network to connect PCs, they are often at the mercy of Internet service providers. Equipment problems can plague ISPs, or even the root servers that make up the core of the Internet, which means outages are always a possibility. Lately, ISPs are trying to improve the reliability of their networks by making them more redundant and upgrading their infrastructure, but few will offer 100 percent availability. Some providers will offer refunds or credits to compensate for any downtime that might be experienced. Companies must be realistic, and take into account the possibility of downtime when setting out on any endeavour.
Service Level Agreements have evolved over the last few years to offer more guarantees on uptime, network delay, packet loss, interoperability and security, but they are still far from perfect. Many SLAs are written in confusing doubletalk, often with multiple disclaimers and limitations that you should be aware of. In some cases, they are dependent on special purchases and other agreements by the customer. Many service providers have unsatisfactory quality of service guarantees on latency or mean time to repair. Furthermore, VPN SLAs usually only apply to the specific ISP, and not traffic crossing over to another network. Some companies have worked out “extended SLAs” between multiple cooperating ISPs, although they rarely work. Customer-defined SLAs may become more common as the industry evolves.
The most popular tunneling protocols for VPNs are the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSec), OpenVPN (an open-source VPN protocol), SSTP (Microsoft’s proprietary Secure Socket Tunneling Protocol) and the Layer 2 Tunneling Protocol (L2TP), which combines PPTP and Cisco Systems’ Layer-2 Forwarding (L2F).
Modern VPNs can use just about any common encryption technology available, and equipment vendors usually give their customers the choice. Triple DES (3DES) seems to be the standard in North America, although in some countries encryption strength is regulated by legislation, and a less robust technology must be used. Whether hardware- or software-based, all VPN providers offer some sort of encryption scheme, which can often be customized to suit the buyer.
VPNs usually involve some sort of firewall, often a surprisingly simple “plug-and-play” solution provided by a vendor. The system is installed on as many LANs as needed, and keys are exchanged between the users in order to provide authentication. All VPNs require that an access device be configured to recognize and authenticate remote users. A wide range of techniques and products, both hardware- and software-based, are available from vendors. Stronger and more advanced authentication techniques, such as tokens or regulated access levels, can also be implemented.
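The two answers above describe a VPN tunnel in terms of an encryption scheme plus a key exchange that authenticates each endpoint. The following is an added illustration, not code from the original FAQ or from any of the named protocols: a toy tunnel encapsulation written against the Python standard library only. It derives separate encryption and authentication keys from a pre-shared key, wraps an inner packet in a header carrying a tunnel id and sequence number, applies encrypt-then-MAC (HMAC-SHA256 used as a counter-mode keystream and as the integrity tag), and enforces an IPsec-style anti-replay window on receipt. The pre-shared key, salt, tunnel id and packet contents are constructed sample values; the keystream construction is a teaching stand-in for a real cipher such as 3DES or AES and is not meant for production use.

```python
"""Toy VPN tunnel: encrypt-then-MAC encapsulation with an anti-replay window.

Standard library only (hmac, hashlib, struct). Constructed for illustration;
the HMAC-based keystream stands in for a real block/stream cipher.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

HEADER = struct.Struct(">IQ")   # 32-bit tunnel id (SPI-like) + 64-bit sequence number
TAG_LEN = 32                    # HMAC-SHA256 integrity tag length


def derive_keys(psk: bytes, session_salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one pre-shared key.

    Using distinct labels ("enc"/"mac") keeps the two keys separate, so a
    weakness in one use never leaks the other key.
    """
    enc_key = hmac.new(psk, b"enc" + session_salt, hashlib.sha256).digest()
    mac_key = hmac.new(psk, b"mac" + session_salt, hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream: PRF(enc_key, seq || block_index), block by block.

    Binding the keystream to the sequence number means no two packets in the
    tunnel ever reuse keystream, as long as sequence numbers never repeat.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encapsulate(tunnel_id: int, seq: int, inner_packet: bytes,
                enc_key: bytes, mac_key: bytes) -> bytes:
    """Build an outer datagram: header || ciphertext || tag (encrypt-then-MAC)."""
    header = HEADER.pack(tunnel_id, seq)
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, keystream(enc_key, seq, len(inner_packet))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # covers header too
    return header + ciphertext + tag


class TunnelReceiver:
    """Receiving side of the tunnel: verifies the tag, then enforces anti-replay."""

    def __init__(self, tunnel_id: int, enc_key: bytes, mac_key: bytes, window: int = 64):
        self.tunnel_id = tunnel_id
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers still inside the window

    def decapsulate(self, datagram: bytes) -> Optional[bytes]:
        """Return the inner packet, or None if the datagram must be dropped."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None                                   # truncated
        header = datagram[:HEADER.size]
        ciphertext = datagram[HEADER.size:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        tunnel_id, seq = HEADER.unpack(header)
        if tunnel_id != self.tunnel_id:
            return None                                   # not our tunnel
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged or corrupted: never decrypt
        # Anti-replay: reject anything older than the window or already accepted.
        if seq <= self.highest - self.window or seq in self.seen:
            return None
        # Only a packet with a valid tag may advance the window.
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        ks = keystream(self.enc_key, seq, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


def run_demo() -> dict:
    """Exercise the tunnel with constructed packets; returns outcomes for inspection."""
    psk = b"constructed-pre-shared-key"          # constructed sample, not a real secret
    salt = bytes(range(16))                      # constructed session salt
    enc_key, mac_key = derive_keys(psk, salt)
    tid = 0x1001                                 # constructed tunnel id
    rx = TunnelReceiver(tid, enc_key, mac_key, window=64)
    pkt1 = b"\x45\x00" + b"inner IP packet to branch office"   # constructed placeholder payload
    d1 = encapsulate(tid, 1, pkt1, enc_key, mac_key)
    d3 = encapsulate(tid, 3, b"third", enc_key, mac_key)
    d2 = encapsulate(tid, 2, b"second", enc_key, mac_key)
    d200 = encapsulate(tid, 200, b"far ahead", enc_key, mac_key)
    d5 = encapsulate(tid, 5, b"stale", enc_key, mac_key)
    tampered = bytearray(d1)
    tampered[HEADER.size] ^= 0x01                # flip one ciphertext bit
    return {
        "first": rx.decapsulate(d1),             # accepted, original packet recovered
        "replay": rx.decapsulate(d1),            # same seq again: dropped
        "out_of_order_3": rx.decapsulate(d3),    # reordering inside the window is fine
        "out_of_order_2": rx.decapsulate(d2),
        "tampered": rx.decapsulate(bytes(tampered)),  # tag mismatch: dropped
        "far_ahead": rx.decapsulate(d200),       # slides the window forward
        "stale": rx.decapsulate(d5),             # now older than the window: dropped
        "plaintext_on_wire": pkt1 in d1,         # the inner packet never appears in clear
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} {result!r}")
```

The order of checks mirrors what the FAQ's “authenticate remote users” requirement implies for every packet, not just the initial key exchange: the tag is verified before any decryption or window update, so a forged datagram can neither reveal anything about the keystream nor push the replay window forward and cause legitimate traffic to be dropped.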