"a Virtual Private Network [VPN] is a network of virtual circuits for carrying private traffic."
"A virtual circuit is a connection set up on a network between a sender and a receiver in which both the route for the session and bandwidth is allocated dynamically. VPNs can be established between two or more Local Area Networks (LANs), or between remote users and a LAN."
Quoted from the following source:
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.
Virtual Circuit versus Tunnel
Written by: Thomas J. Smith
"The way that Internet VPNs create these virtual circuits is to encapsulate data packets within special IP packets for transmission on the Internet, enabling them to be transmitted on any medium that supports IP… the paths that the encapsulated packets follow in Internet VPNs are called tunnels, not virtual circuits."
Quoted from the following source:
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.
Business Opportunities via the Internet
The Internet provides worldwide connectivity. The benefits include reduced telecommunication costs; improved connections to customers, business partners and employees; and the global promotion of the business.
Also, the Internet allows the sharing of distributed network resources. The Internet provides a flexible means of connecting business partners and mobile users throughout the world.
In addition, the Internet offers a location-independent work environment. Flexible work hours, telecommuting and location-independent work groups are some of the benefits derived by businesses.
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.
Written by: Thomas J. Smith
Internet VPNs
Written by: Thomas J. Smith
Unlike dedicated leased lines and Private Virtual Circuits (PVCs) such as frame relay, Internet VPNs use the Internet for data connections. The Internet VPN connection is established via local connection points, the points of presence (POPs) of an Internet Service Provider (ISP). The data is routed over the ISP's network and the Internet to the destination. The open architecture of the Internet is used in lieu of leased lines. Connections and bandwidth are dynamically allocated and de-allocated for each communication session.
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.
Business Case Supporting Internet VPNs
Written by: Thomas J. Smith
Cost savings are the most compelling reason for businesses to use Internet VPNs. In numerous monthly cost comparisons between leased-line networks and an Internet VPN, the Internet VPN is one third the cost of the traditional VPNs.
Flexibility is another reason for using Internet VPNs. As opposed to the interface hardware (such as modem banks) and maintenance required for leased lines, Internet VPNs support a variety of connection types to the ISP. T1 and T3 lines can be used for larger businesses, as well as lower-cost connections such as modem and ISDN lines for smaller businesses.
Internet VPNs afford two dimensions of scalability: geography and bandwidth. Remote offices, teams, telecommuters and mobile workers can be added to a VPN wherever the ISP has a POP. ISPs offer a variety of connections, including modem, ISDN, T1 and T3 lines, to achieve the bandwidth the business requires.
Outsourcing the Internet VPN can reduce technical support costs and equipment requirements; the ISP takes over many of the support requirements for the network. ISPs offer a single solution for networking, dial-in access and Internet access. Using an ISP and an Internet VPN eliminates the requirements for modem banks, terminal adapters and remote access servers.
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.
Business Integration Concerns Using Internet VPN
Written by: Thomas J. Smith
Manageability, scalability, reliability, performance, standardization and legacy integration are the major concerns when integrating any technology into a business. Managers implement products and services based on common standards; interoperability of new and old products is a concern.
As the demand for network services increases with changing business strategies and more users, additional network equipment and technical support are required to implement, manage, monitor and configure increasingly complex networks. Outsourcing this growing demand to an ISP may be a viable way to scale up service without additional staffing.
There are two reliability concerns with Internet VPNs: the hardware and the Internet itself. Standard components and modularity are key factors in the maintainability of hardware. The market for Internet-based VPNs is still in its infancy; standardization of protocols and devices is still evolving. The reliability of the Internet as a data channel is also a concern; bandwidth and level of service must be resolved with the ISP. For guaranteed performance, Service Level Agreements (SLAs) with the ISP are required.
There are two bottleneck concerns with Internet VPNs: encryption and packet encapsulation. Security is a major component of the Internet VPN. Encryption and decryption are resource-consuming processes; dedicated high-speed workstations running encryption software may be a solution. Packet encapsulation increases the size of the original data packet; the resulting packet fragmentation can lead to poor performance. Data compression may be a solution to this issue.
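As an added example (not from the page or from Kosiur's book), the following Python calculator makes two of the page's points concrete: the tunnel definition above ("encapsulate data packets within special IP packets") and the fragmentation concern in this section. It computes how many bytes IPSec ESP tunnel mode adds around an inner IP packet, how many fragments the resulting outer packet is split into on a 1500-byte link, and the largest inner packet that still fits without fragmentation. The cipher parameters (16-byte block and IV, 16-byte integrity check value, a 20-byte outer IPv4 header with no options) are assumptions chosen for the example, not values stated on the page.

```python
"""ESP tunnel-mode overhead and fragmentation calculator (added example).

All cipher/header sizes below are assumed parameters for illustration.
"""

OUTER_IP_HEADER = 20   # outer IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2        # pad length (1 byte) + next header (1 byte)


def esp_tunnel_overhead(inner_len, block_size=16, iv_len=16, icv_len=16):
    """Bytes added when an inner IP packet of inner_len bytes is wrapped in
    ESP tunnel mode. Defaults assume a 16-byte cipher block and IV and a
    16-byte ICV (assumed values, not from the page)."""
    # The encrypted region (inner packet + padding + trailer) must be a
    # whole number of cipher blocks, so pad up to the next block boundary.
    pad = (-(inner_len + ESP_TRAILER)) % block_size
    return OUTER_IP_HEADER + ESP_HEADER + iv_len + pad + ESP_TRAILER + icv_len


def encapsulated_size(inner_len, **cipher):
    """Total size of the outer packet carrying the inner packet."""
    return inner_len + esp_tunnel_overhead(inner_len, **cipher)


def fragments_on_wire(inner_len, link_mtu=1500, **cipher):
    """Number of IPv4 fragments the outer packet becomes on a link of
    link_mtu bytes. Every fragment except the last carries a payload that
    is a multiple of 8 bytes, as IPv4 fragment offsets are in 8-byte units."""
    total = encapsulated_size(inner_len, **cipher)
    if total <= link_mtu:
        return 1
    payload = total - OUTER_IP_HEADER          # bytes that must be split up
    per_fragment = (link_mtu - OUTER_IP_HEADER) // 8 * 8
    return -(-payload // per_fragment)          # ceiling division


def tunnel_mtu(link_mtu=1500, **cipher):
    """Largest inner packet that fits in one outer packet on the link.
    This is the value to configure as the tunnel interface MTU (or to
    derive a TCP MSS clamp from) so encrypted traffic is never fragmented."""
    for inner in range(link_mtu, 0, -1):
        if encapsulated_size(inner, **cipher) <= link_mtu:
            return inner
    return 0


if __name__ == "__main__":
    # Constructed sample: a full-size 1500-byte inner packet on a 1500-byte link.
    for inner in (576, 1438, 1500):
        print(f"inner={inner:5d}  overhead={esp_tunnel_overhead(inner):3d}  "
              f"outer={encapsulated_size(inner):5d}  "
              f"fragments={fragments_on_wire(inner)}")
    print("tunnel MTU (AES-CBC style, assumed sizes):", tunnel_mtu())
    print("tunnel MTU (8-byte block/IV, 12-byte ICV, assumed sizes):",
          tunnel_mtu(block_size=8, iv_len=8, icv_len=12))
```

A 1500-byte inner packet grows to 1564 bytes under these parameters and is split into two fragments, the second carrying only a few dozen bytes; the page's remedy of compression reduces the inner size, while the usual operational remedy is to set the tunnel MTU to the value `tunnel_mtu()` returns. The keyword arguments let the same calculation be repeated for the DES-era sizes of the page's time (8-byte block and IV, 12-byte truncated HMAC), which the script also prints.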
Security of the Internet VPN should be a component of the overall security strategy for a company. The management of keys and user rights must be integrated into the security policy. With the global scope of Internet VPNs, the restriction on the export of encryption software must be considered and managed.
Interoperability is another concern. Protocols for tunneling and security are not interoperable with one another, and there is no single protocol for VPNs. PPTP and L2TP are better for client-initiated tunnels, whereas IPSec is best for LAN-to-LAN tunnels. IPSec is being adopted by most protocols for encryption; however, devices that support multiple tunnel protocols may still be required.
IP management is also a concern. In the most common applications, each part of the VPN is a separate network, so the Domain Name Service (DNS) may be fragmented rather than a single unified solution. This adds difficulty to managing the VPN.
Other issues relevant to reliability and performance are real-time applications and IP-encapsulated packets. Congestion, dropped packets and similar problems are troublesome for telephony and videoconferencing. The encapsulation of IP headers in tunnels hides them from some Quality of Service (QoS) schemes, resulting in improper allocation of network resources and poor performance.
Although many companies are using TCP/IP as the protocol of choice, some are not. In the case of NetWare's IPX, tunneling non-IP packets over IPSec does not work, because IPSec only encapsulates IP packets. NetWare, however, can now run over IP. PPTP and L2TP include multiprotocol support in their tunnels.
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.
The Future of Internet VPN
Written by: Thomas J. Smith
"Virtual Private Networks using the Internet are an ever-increasing opportunity for businesses, vendors and ISPs alike. It's been projected by Infonetics Research that the market for VPN products will reach $12 billion in 2001. Many of the business forces motivating the deployment of VPNs, such as cost reductions and changes in telecommunications and networking, will remain in effect for quite a few years. If anything, these forces are likely to get even stronger over time."
Dial-in VPNs will replace the existing remote access systems that use modems and remote access servers. A universal mailbox combining email, faxes and phone calls may be implemented as a single application using a VPN. Also, internal VPNs are being considered by some companies to provide security against internal snooping.
ISPs are key to the evolution of VPNs, and they have much to gain by offering value-added services. Some of these services include "class of service" technology; specialized tunneling services using PPTP and L2TP; hosting and managing outsourced VPN services; and hosting servers such as Web servers. Outsourcing a VPN can include network equipment, security management and the certificate authority.
The VPN protocols PPTP, L2TP and IPSec will continue to be used over the next few years. IPSec will be used for LAN-to-LAN VPN implementations, with key management via IKE. The IPSec standards are being extended to improve remote access. IPSec will be a standard feature on all hosts that implement IPv6. Elliptic curve cryptography (ECC) will be an optional algorithm for IPSec.
Digital certificates will be integrated into VPN systems. Lightweight Directory Access Protocol (LDAP) directories, as well as X.500, will be used to store certificates. The Online Certificate Status Protocol (OCSP) may be used to manage the certificates versus the Public Key Infrastructures (PKIs).
To manage VPN networks, policy-based network management products will be implemented. Both Directory Enabled Networks (DEN) and LDAP will be the "glue" between the devices and directories.
In the future, integrated products will replace the current "point solution" products. Integrated solutions will evolve with the pertinent VPN standards.
Quotes and content from the following source:
Source: Kosiur, Dave. Building and Managing Virtual Private Networks. New York: John Wiley & Sons, Inc.; 1998.