Virtual private networks (VPNs) are systems that use public networks to carry private information and maintain privacy through the use of a tunneling protocol and security procedures. By using the shared public infrastructure, these virtual private networks are far more cost effective than the early private networks that companies built using costly private lines and systems. In a VPN some of the parts of the network are connected using the Internet (the public infrastructure). Data that travel over the Internet are encrypted, so the entire network is "virtually" private. This allows users to share private information over a public infrastructure. A typical VPN application would be one created by a company with offices in two different cities. By setting up a VPN, the company uses the Internet as the connector between the networks in its two offices, effectively merging them into one network. Encryption is used on all transmissions within the network that use the Internet link, making it a private network.
The public infrastructure that provides the backbone for most VPN systems is the Internet. VPNs can connect remote users and other off-site users (such as vendors or customers) to a larger centralized network. Before the Internet, and the easy availability of high-speed or broadband connections to the Internet, a private network required that a company install proprietary and very expensive communication lines. The expense of such an investment put private networks out of the reach of most mid- to small-size firms. This is no longer the case. This fact, along with the universal appeal of the Internet, has enabled the rapid spread of VPN technology. The result is remote access that is quicker, more secure, and wider in scope.
STRUCTURAL OVERVIEW OF VPN SYSTEMS
In the most basic terms, a computer network is a group of computers that are connected with cable. Usually, one or more computers act as a server within the group. A network may also be formed with computers that communicate through wireless connections, but the wireless signal must be received and retransmitted by hardware that is located reasonably near both the sending and receiving machines.
Companies have long networked computers. Until the advent of the Internet, however, the entire infrastructure of these networks had to be built by the companies themselves. They had to purchase and lay cables to connect their computers. They had to purchase and install boosters or repeaters to augment the signals transmitted through cables when large distances were involved. They had to lease high-capacity, dedicated phone lines in order to connect computers or networks in remote locations. They had to build or lease transmission towers in order to send wireless signals long distances and they had to purchase and install the systems used to send and receive these signals. Not surprisingly, most companies did not go far beyond networking computers in a single building since the cost of the infrastructure requirements for anything larger were prohibitive.
With the advent of the Internet and the growth in availability of high speed, broadband communication lines, new technologies were developed to use the Internet as the conduit through which to connect remote computers or networks. A company no longer had to absorb the full cost of building the infrastructure needed for wide area networks (WANs).
The communications protocols that regulate and make the Internet possible are also the basis for the protocols necessary to operate virtual private networks. The underlying collection of protocols is called Transmission Control Protocol/Internet Protocol, or TCP/IP for short. The protocol suite traditionally used to secure VPNs is called IP Security, or IPSec.
A virtual private network is, basically, a network in which some of its components are connected to one another through the Internet. Software written to use IPSec is used to establish these Internet connections. The connections created in this way are called tunnels, through which all transactions between the two authenticated computers on either end of the tunnel may transmit privately across the public Internet.
A VPN can be set up to connect single-client PCs with a company's local-area network (LAN). This sort of VPN is usually called a client-to-LAN VPN. It enables companies that have employees who travel extensively or work remotely to equip those employees with a computer that uses the VPN to access the company network and work on it like any other employee from just about anywhere, as long as they have access to the Internet. Small companies may set up a client-to-LAN VPN through which all the employees access a central server from their home offices.
A LAN-to-LAN VPN is one that connects two networks together instead of connecting individual client computers to a single LAN. The mechanisms behind these two types of VPN are the same. A LAN-to-LAN system is useful for connecting a branch office network to a corporate headquarters network, or a warehouse network to a supplier's network. The options are many.
THE COST OF VIRTUAL PRIVATE NETWORKS
The costs of implementing a virtual private network are reasonable for any company that already has a network and high-speed access to the Internet. The two biggest cost components of a VPN, for those with networks in place, are the software and its set-up, and the need in many cases to upgrade the Internet connection service. Because a VPN uses the Internet address of the network server as the access point for those logging on to the system through the Internet, a company must have a static IP address. Internet Service Providers usually charge slightly more for a service that holds the IP address static.
The software needed to manage a VPN is commonly sold as a part of many network operating systems. Setting up this software takes networking knowledge but can be done by any competent network administrator or network outsourcing supplier.
When a business decides to use an outside provider, it is immediately eliminating any costs for purchasing and maintaining the necessary equipment. The most the business will have to do is maintain security measures (usually a firewall) as well as provide the servers that will help authenticate users. Of course, this too can be done by an outside provider for an additional price. Outsourcing also cuts down on the number of employees that would be required to manage and maintain the virtual private network.
For a firm that does not already have a computer network with Internet access, the task of setting up a VPN is a much larger undertaking.
VIRTUAL PRIVATE NETWORKS AND SECURITY
Virtual private network systems are constantly evolving and becoming more secure through four main features: tunneling, authentication, encryption, and access control. These features work separately, but combine to deliver a higher level of security while at the same time allowing all users (including those from remote locations) to access the VPN more easily.
Tunneling creates the connection between a user (either from a remote location or a separate office) and the main LAN. This connection is called a tunnel and is essentially the circuit-like path that transfers encrypted private information through the Internet. It requires an IP address on the Internet to which the client PC can direct itself, a pointer to the company network. Unlike other IP addresses, this one is not open to the public but is rather a gateway through which VPN users may enter and, after authentication and logging on, have access to the network.
To avoid crowded connections, a tunneling feature called "switching" was developed. This feature helps differentiate between direct and remote users to determine which connections should receive the highest priority. The switching can either be programmed directly into the virtual private network or upgraded so that the hardware recognizes each connection on an individual basis.
Incoming callers to the virtual private network are identified and approved for access through features called authentication and access control. These features are usually set up by the IT manager who enters a user's individual identification code or password into the main server, which cuts down on the chances that the network can be manipulated from outside the company. Authentication also offers the chance to regulate access to the material on the LAN so that users can be provided access to specific information only.
Encryption is the security measure that allows information on virtual private networks to be scrambled so that it becomes meaningless to unauthorized users. Encrypted data is eventually unscrambled at the end of the tunnel by a user with the proper authorization. This process is usually done via a private IP address that encrypts the information before it leaves the LAN or a remote location.
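As an added illustration (not part of this article), the following Python sketch models the tunneling, encryption and authentication features described above: a packet carrying private addresses and a payload is encrypted and authenticated, then wrapped in an outer header that names only the two gateways' public addresses, so an observer on the Internet learns nothing about the inner traffic. It assumes a single pre-shared tunnel key and uses an HMAC-SHA256 keystream as a standard-library stand-in for the AES cipher an IPSec tunnel would actually use; all addresses, keys and payloads are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: one shared secret per tunnel, agreed out of band.
TUNNEL_KEY = b"example-tunnel-key-not-for-production"
ENC_KEY = hashlib.sha256(b"enc" + TUNNEL_KEY).digest()
MAC_KEY = hashlib.sha256(b"mac" + TUNNEL_KEY).digest()

def keystream(nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the AES cipher
    that a real IPSec ESP tunnel would use."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(ENC_KEY, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]

def encapsulate(inner_packet, gw_src, gw_dst):
    """Tunnel mode: encrypt the whole private packet (private addresses and
    payload), authenticate it, and wrap it in an outer header that only names
    the two gateways' public addresses."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(inner_packet, keystream(nonce, len(inner_packet))))
    body = f"{gw_src}>{gw_dst}|".encode() + nonce + ct
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return body + tag

def decapsulate(datagram, expected_src, expected_dst):
    """Receiving gateway: check the outer header and the tag before decrypting,
    and reject anything that fails (tampered, forged, or from another tunnel)."""
    outer, _, rest = datagram.partition(b"|")
    if outer != f"{expected_src}>{expected_dst}".encode():
        return None
    body, tag = datagram[:-32], datagram[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return None
    nonce, ct = rest[:16], rest[16:-32]
    return bytes(a ^ b for a, b in zip(ct, keystream(nonce, len(ct))))

def what_the_internet_sees(datagram):
    """An observer on the public path learns only the gateway addresses and
    the size; the private addresses and payload are ciphertext."""
    outer, _, _ = datagram.partition(b"|")
    return outer.decode(), len(datagram)

if __name__ == "__main__":
    inner = b"10.1.0.5>10.2.0.9|payroll: Q3 figures"       # constructed private packet
    wire = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    print(what_the_internet_sees(wire))
    assert decapsulate(wire, "203.0.113.10", "198.51.100.20") == inner
    tampered = wire[:-40] + bytes([wire[-40] ^ 1]) + wire[-39:]  # flip one ciphertext byte
    assert decapsulate(tampered, "203.0.113.10", "198.51.100.20") is None
```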
Despite these precautions, some companies are still hesitant to transfer highly sensitive and private information over the Internet via a virtual private network and still resort to tried-and-true methods of communication for such data.
THE PERFORMANCE OF VIRTUAL PRIVATE NETWORKS
The latest wave of virtual private networks features self-contained hardware solutions (whereas previously they were little more than software solutions and upgrades to existing LAN equipment). Since they are now self-contained, this VPN hardware does not require an additional connection to a network and therefore cuts down on the use of a file server and LAN, which makes everything run a bit more smoothly. These new VPNs are small and easy to set up and use, but still contain all of the necessary security and performance features.
In order for a virtual private network to perform properly, the server must have enough bandwidth to accommodate the number of users active at any one time. The number of remote users can also affect a VPN's performance. In addition, new technology that requires more bandwidth is bound to come out from time to time, and this should be planned for in advance to avoid a potential disruption in performance.
High volumes of traffic are also known to adversely affect the performance of a virtual private network, as is encrypted data. Since encryption technology is often added on via software, this may cause the network to slow down, hindering performance. A more desirable solution is to incorporate encryption technology that uses hardware solutions to keep the network running at the proper speed. New technologies are also constantly emerging that help to decide just how sensitive certain material is (and therefore how intensive the encryption needs to be).
THE FUTURE OF VIRTUAL PRIVATE NETWORKS
As virtual private networks continue to evolve, so does the number of outlets that can host them. Several providers have experimented with running VPNs over cable television networks. This solution offers high bandwidth and low costs, but less security. Other experts see wireless technology as the future of virtual private networks.
A new protocol for VPN systems has emerged in recent years and shows promise for enhancing the flexibility of VPNs. The traditional VPN system was based on Internet Protocol Security (IPSec). The new protocol is based on Secure Sockets Layer, or SSL. According to an article in Network World, "The biggest difference between SSL VPNs and traditional IP Security VPNs is that the IP Security standard requires installation of client code on the end user's system, while SSL VPNs focus on making applications available through any Web browser."
The popularity of VPNs continues to grow and evolve, providing companies of all sizes a means with which to leverage the Internet to reduce the costs of communication.
SEE ALSO Communication Systems; Local Area Networks; Mobile Office; Wide Area Networks
Administrator's Guide to TCP/IP. Second Edition. Tech Republic, June 2003.
Binsacca, Rich. "Virtual Private Networks." Builder. June 2000.
Goldberger, Henry. "The Migration from Frame Relay to IP VPN and VPLS Services." In-Stat Alerts. 2 February 2006.
Hayes, Jim. "Managed Data Services." Communicate. July 2000.
Schnider, Joel. "SSL VPN Gateways." Network World. 12 January 2004.
Winther, Mark. "Avoiding the Challenges of Do-it-Yourself Broadband VPNs." Business Communications Review. February 2006.
Hillstrom, Northern Lights
updated by Magee, ECDI