WORKING OF VPN — USB 3.0

Sunday, January 24, 2010


The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or even around the world. But there is one thing that all of them need: A way to maintain fast, secure and reliable communications wherever their offices are.
Until recently, this has meant using leased lines to build a Wide Area Network (WAN). Leased lines, ranging from ISDN (Integrated Services Digital Network, 128 Kbps) to OC-3 (Optical Carrier-3, 155 Mbps) fiber, gave a company a way to extend its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet in reliability, performance and security. But maintaining a WAN, particularly one built on leased lines, can be expensive, and the cost often rises with the distance between offices.
As the Internet grew in popularity, businesses turned to it as a means of extending their own networks. First came intranets: internal, typically password-protected sites intended only for company employees. Now many companies build their own VPNs (Virtual Private Networks) to serve remote employees and distant offices.


Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users. Instead of a dedicated, physical connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
For years, voice, data, and just about all software-defined network services were called "virtual private networks" by the telephone companies. The current generation of VPNs, however, is a more advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone.
The traffic reaches these backbones over any combination of access technologies, including T1, frame relay, ISDN, ATM or plain dial-up. VPNs use familiar networking technology and protocols: the client sends a stream of Point-to-Point Protocol (PPP) frames, usually encrypted, to a remote server or router, but instead of crossing a dedicated line (as in a traditional WAN), the frames cross a tunnel over a shared network.
The point of this approach is that a company cuts the recurring telecommunications charges it incurs when connecting remote users and branch offices to resources at headquarters.
The most common way to create VPN tunnels is to encapsulate a network protocol (IP, IPX, NetBEUI, AppleTalk and others) inside PPP, and then encapsulate the whole PPP frame inside a tunneling protocol carried over the shared network, which is typically IP (L2TP, for example, runs over UDP port 1701) but could also be ATM or frame relay. This increasingly popular approach is called Layer 2 tunneling because the passenger protocol is a Layer 2 protocol, PPP; the protocol that carries it is the Layer 2 Tunneling Protocol (L2TP) or one of its predecessors.
In this model, packets headed for the remote network reach a tunnel-initiating device, which can be anything from an extranet router to a PC running VPN-enabled dial-up software. The tunnel initiator negotiates with a VPN terminator (also called a tunnel switch) to set up the tunnel and agree on an encryption scheme. Note that L2TP itself provides no encryption: in practice the L2TP packets are protected by IPsec (L2TP/IPsec, RFC 3193), while PPTP relies on PPP-level MPPE encryption. The tunnel initiator then encrypts the packet before transmitting it to the terminator, which decrypts it and delivers it to the appropriate destination on the network.
L2TP (RFC 2661) combines Cisco Systems' Layer 2 Forwarding (L2F) with Microsoft's Point-to-Point Tunneling Protocol (PPTP). It supports any routed protocol, including IP, IPX and AppleTalk, as well as any WAN backbone technology, including frame relay, ATM, X.25 and SONET. Like its ancestor PPTP, L2TP (as L2TP/IPsec) is included in the remote access features of most Windows products.
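The layering described in the last three paragraphs (passenger IP packet inside PPP, inside an L2TP data message, inside UDP/1701, inside the outer IP packet between initiator and terminator) is easier to see built and then peeled apart. The following is an added example written for this page, not code from the original post or from any L2TP implementation; the tunnel and session IDs, the 10.0.x.x hosts, the RFC 5737 gateway addresses and the "payroll" payload are all constructed sample values. The header layouts follow RFC 2661 (L2TP) and RFC 1661 (PPP). The final field of the result makes the caveat above concrete: without IPsec around it, the passenger packet is readable by anyone on the path.

```python
import struct
import ipaddress

# Constants from RFC 2661 (L2TP) and RFC 1661 (PPP); the addresses, IDs and
# payload used in demo() below are constructed sample values for this example.
L2TP_UDP_PORT = 1701
L2TP_VERSION = 0x0002
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200
PPP_PROTO_IPV4 = 0x0021
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}

def l2tp_encapsulate(passenger: bytes, ppp_proto: int, tunnel_id: int, session_id: int) -> bytes:
    """Wrap a passenger packet in a PPP frame, then in an L2TP data message."""
    ppp_frame = b"\xff\x03" + struct.pack("!H", ppp_proto) + passenger   # addr/ctrl + protocol
    flags = FLAG_L | L2TP_VERSION              # T=0 (data message), Length field present
    return struct.pack("!HHHH", flags, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame

def l2tp_decapsulate(msg: bytes) -> dict:
    """Strip the L2TP and PPP headers, honouring the optional L2TP fields."""
    flags = struct.unpack("!H", msg[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION or flags & FLAG_T:
        raise ValueError("not an L2TPv2 data message")
    pos, end = 2, len(msg)
    if flags & FLAG_L:
        end = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    if flags & FLAG_S:                          # Ns/Nr present
        pos += 4
    if flags & FLAG_O:                          # Offset Size plus padding present
        pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
    ppp = msg[pos:end]
    if ppp[:2] == b"\xff\x03":                  # address/control may be compressed away (ACFC)
        ppp = ppp[2:]
    if ppp[0] & 1:                              # protocol field compression (PFC): one odd byte
        proto, passenger = ppp[0], ppp[1:]
    else:
        proto, passenger = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    return {"tunnel_id": tunnel_id, "session_id": session_id, "ppp_proto": proto, "passenger": passenger}

def tunnel_send(inner: bytes, tunnel_id: int, session_id: int, initiator: str, terminator: str) -> bytes:
    """Tunnel initiator: inner IP packet -> PPP -> L2TP -> UDP/1701 -> outer IP."""
    l2tp = l2tp_encapsulate(inner, PPP_PROTO_IPV4, tunnel_id, session_id)
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp  # checksum 0 = none
    return build_ipv4(initiator, terminator, IPPROTO_UDP, udp)

def tunnel_receive(outer_pkt: bytes) -> tuple:
    """Tunnel terminator: peel the layers off and hand back the passenger packet."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_UDP:
        raise ValueError("expected UDP")
    _, dport, ulen, _ = struct.unpack("!HHHH", outer["payload"][:8])
    if dport != L2TP_UDP_PORT:
        raise ValueError("not addressed to the L2TP port")
    info = l2tp_decapsulate(outer["payload"][8:ulen])
    if info["ppp_proto"] != PPP_PROTO_IPV4:
        raise ValueError("passenger is not IPv4")
    return info, parse_ipv4(info["passenger"])

def demo() -> dict:
    # Constructed sample: a remote PC (10.0.1.5) talks to a LAN server (10.0.2.7); the
    # payload stands in for a TCP segment. Gateways use RFC 5737 documentation addresses.
    secret = b"GET /payroll HTTP/1.0\r\n\r\n"
    inner = build_ipv4("10.0.1.5", "10.0.2.7", IPPROTO_TCP, secret)
    outer = tunnel_send(inner, 7, 42, "198.51.100.10", "203.0.113.20")
    info, recovered = tunnel_receive(outer)
    return {"tunnel_id": info["tunnel_id"], "session_id": info["session_id"],
            "inner_dst": recovered["dst"], "round_trip_ok": info["passenger"] == inner,
            # No IPsec around the L2TP message, so the passenger is visible on the wire.
            "plaintext_visible_on_wire": secret in outer}
```

Call `demo()` to run the round trip; the tunnel IDs and inner destination come back intact, and `plaintext_visible_on_wire` is true because bare L2TP only tunnels, it does not encrypt. The decapsulator checks the version nibble and rejects control messages (T bit set), and walks the optional Length, Ns/Nr and Offset fields by the flag bits rather than assuming a fixed header size, which is where hand-rolled parsers usually go wrong.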
Another approach to VPN is SOCKS 5 (RFC 1928), which follows a proxy server model and works at the TCP socket level. It requires a SOCKS 5 server and SOCKS-aware client software. The SOCKS 5 client intercepts an application's connection request and forwards it to the server, which checks the request against its security database (who the user is, and which destinations that user may reach). If the request is granted, the server establishes an authenticated session with the client and acts as a proxy for the connection. This lets network managers apply controls per user and per application, proxy the traffic, and specify which applications may cross the firewall into the Internet.
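The exchange described above, as an added example that is not part of the original post and not the code of any real SOCKS server: both sides of the handshake are built as byte-level messages per RFC 1928, with the username/password sub-negotiation from RFC 1929, and the server's "security database" is a constructed pair of tables (one user, `alice`, and the single internal destination she may reach). A real server would open the outbound TCP connection after a permitted CONNECT; here the reply only records the ruleset's decision.

```python
import hmac
import struct
import ipaddress

# Wire constants from RFC 1928 (SOCKS5) and RFC 1929 (username/password sub-negotiation).
SOCKS_VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

# ---- client side: the three messages a SOCKS5 client sends ----
def client_greeting(methods=(USERPASS,)) -> bytes:
    return bytes([SOCKS_VER, len(methods), *methods])

def client_userpass(user: str, password: str) -> bytes:
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def client_connect(host: str, port: int) -> bytes:
    """CONNECT request; host may be a dotted IPv4, an IPv6 literal or a domain name."""
    try:
        addr = ipaddress.ip_address(host)
        atyp, body = (ATYP_IPV4 if addr.version == 4 else ATYP_IPV6), addr.packed
    except ValueError:
        name = host.encode("idna")
        atyp, body = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, atyp]) + body + struct.pack("!H", port)

# ---- server side: authenticate first, then a per-user ruleset decides each CONNECT ----
class Socks5Server:
    def __init__(self, users: dict, rules: dict):
        self.users = users      # username -> password   (constructed "security database")
        self.rules = rules      # username -> {(host, port), ...} destinations the user may reach
        self.user = None        # set once the client has authenticated

    def handle_greeting(self, msg: bytes) -> bytes:
        ver, n = msg[0], msg[1]
        if ver != SOCKS_VER or len(msg) != 2 + n:
            raise ValueError("malformed greeting")
        # Insist on authentication: a client that only offers NO_AUTH is refused.
        chosen = USERPASS if USERPASS in msg[2:] else NO_ACCEPTABLE
        return bytes([SOCKS_VER, chosen])

    def handle_userpass(self, msg: bytes) -> bytes:
        if msg[0] != 0x01:
            raise ValueError("unexpected sub-negotiation version")
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        password = msg[3 + ulen:3 + ulen + plen]
        # compare_digest keeps the password comparison from leaking through timing.
        expected = self.users.get(user, "").encode()
        ok = hmac.compare_digest(expected, password) and user in self.users
        self.user = user if ok else None
        return bytes([0x01, 0x00 if ok else 0x01])

    def handle_request(self, msg: bytes) -> bytes:
        ver, cmd, _rsv, atyp = msg[:4]
        if ver != SOCKS_VER:
            raise ValueError("not a SOCKS5 request")
        if cmd != CMD_CONNECT:
            return self._reply(REP_CMD_UNSUPPORTED)
        if atyp == ATYP_IPV4:
            host, pos = str(ipaddress.IPv4Address(msg[4:8])), 8
        elif atyp == ATYP_DOMAIN:
            n = msg[4]
            host, pos = msg[5:5 + n].decode("idna"), 5 + n
        elif atyp == ATYP_IPV6:
            host, pos = str(ipaddress.IPv6Address(msg[4:20])), 20
        else:
            return self._reply(REP_ATYP_UNSUPPORTED)
        port = struct.unpack("!H", msg[pos:pos + 2])[0]
        if self.user is None or (host, port) not in self.rules.get(self.user, set()):
            return self._reply(REP_NOT_ALLOWED)
        # A real server would now connect outbound and relay bytes; we only report success.
        return self._reply(REP_OK)

    @staticmethod
    def _reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
        return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
                + ipaddress.IPv4Address(bind_addr).packed + struct.pack("!H", bind_port))

def run_exchange(server: Socks5Server, user: str, password: str, host: str, port: int) -> dict:
    """Drive one client/server exchange in memory and report how far it got."""
    if server.handle_greeting(client_greeting())[1] != USERPASS:
        return {"auth_ok": False, "rep": None}
    if server.handle_userpass(client_userpass(user, password))[1] != 0x00:
        return {"auth_ok": False, "rep": None}
    reply = server.handle_request(client_connect(host, port))
    return {"auth_ok": True, "rep": reply[1]}

def new_server() -> Socks5Server:
    # Constructed sample database: alice may reach one internal HTTPS host and nothing else.
    return Socks5Server(users={"alice": "correct horse"},
                        rules={"alice": {("intranet.corp.example", 443)}})
```

Running `run_exchange(new_server(), "alice", "correct horse", "intranet.corp.example", 443)` returns a reply code of `REP_OK`; the same user asking for an unlisted host gets `REP_NOT_ALLOWED` (0x02, "connection not allowed by ruleset"), and a wrong password never reaches the CONNECT stage. The server refuses clients that offer only `NO_AUTH`, which is the setting to check on any SOCKS deployment: an open SOCKS proxy that accepts unauthenticated CONNECTs is a relay for anyone who can reach it.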
VPN technology can be used for site-to-site connectivity as well, letting a branch office with multiple access lines drop its dedicated data line and move that traffic over its existing Internet access connection. Since many sites use multiple lines, this can be a very useful application, and it can often be deployed with little additional equipment or software beyond a VPN-capable gateway at each site.
