In the Works: The truth about VPNs
As director of the newly formed VPN Consortium, an industry trade group for manufacturers of virtual private networks and affiliated products, I get asked to define what VPNs are quite often. So here goes.
Everyone wants security, and the simpler the security, the better. So when the concept of easy, secure connections across the Internet started getting bandied about, IT departments got very excited. Such networks could greatly slash the cost for setting up WANs to far-flung offices and make secure dial-in access a reality.
When there's demand, there'll always be software and hardware companies to meet it; even if what they are offering isn't exactly what the customer wanted. This is the case with VPNs. Corporations wanted to get rid of the private leased lines that they were paying dearly for and start using the Internet to move WAN traffic, as long as that traffic was unreadable by their competitors. Some vendors, however, overstated the "P" in VPNs in order to make sales.
A virtual network (the "V" and the "N") is one that is not a typical, closely controlled network, but is made up of other networks and links between them. A private network (the "P" and the "N") is a network whose traffic is not visible to an outsider. Put the three letters together, and you get a network that can be an amalgam of other networks, glued together in a way that makes the network look whole.
There are many ways to put together a VPN. You can connect two or more networks through security gateways using IP Security (IPSec), the most promising standard for VPNs. In this situation, IPSec creates encrypted tunnels between the two gateways, and all a snooper can understand is the packets that make up the tunnel, not the insides of the packets.
There are also many ways not to put together a VPN. Some vendors promote tunneling protocols such as Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) as VPN protocols, but they don't provide any real privacy without an additional layer of encryption underneath them. Of these, only PPTP has a commonly agreed-to encryption technology. If you're running L2F or L2TP without encryption, you have a "VN", but not a "VPN", and any attacker with any sense at all can read your traffic.
Then there are the "in-between" methods for setting up a VPN. There are other protocols that have been suggested for making VPNs, such as a combination of SOCKS and Secure Sockets Layer. They may be secure and they might even meet some customer needs, but it's not clear how many companies will support these methods.
Earlier this year, the members of the VPN Consortium voted on which protocols we thought the consortium should support. The vote was for IPSec, PPTP with RC4 encryption, and L2TP under IPSec.
Individual users seeking secure remote access to a corporate network mostly use PPTP with RC4 encryption, and L2TP under IPSec; IPSec alone is mostly used to link two networks. Much work is being done to make IPSec more useful for the remote access case, and some vendors have early (but probably not interoperable) remote access solutions based on IPSec.
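The "VN versus VPN" distinction above can be checked on the wire: if a tunnel really runs under IPSec, an outside observer sees only ESP packets, whereas bare L2TP/L2F shows its UDP port 1701 in the clear. The following Python is an added example (not from the column or the VPN Consortium) that classifies constructed packets by their outer IP header; it assumes the IANA protocol numbers (ESP 50, AH 51, GRE 47) and ports (UDP 1701 for L2TP/L2F, TCP 1723 for PPTP control), and it cannot tell from the outside whether a PPTP session actually negotiated RC4 (MPPE).

```python
import struct

ESP, AH, GRE, TCP, UDP = 50, 51, 47, 6, 17

# Constructed packet builders (not real captures): a minimal IPv4 header
# (no options, dummy length/checksum) plus the first bytes of layer 4.
def _ipv4(proto, payload=b""):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def _udp(dport, sport=50000):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def _tcp(dport, sport=50001):
    return struct.pack("!HH", sport, dport)

def classify(pkt):
    """Label what a snooper on the wire can learn from one packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                      # IPv4 protocol field
    l4 = pkt[ihl:]
    if proto == ESP:
        # L2TP-under-IPSec also looks like this: port 1701 is hidden inside ESP.
        return "VPN: IPSec ESP, payload encrypted"
    if proto == AH:
        return "VN: IPSec AH only, authenticated but readable"
    if proto == GRE:
        return "PPTP data (GRE): private only if MPPE/RC4 was negotiated"
    if proto in (UDP, TCP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == UDP and 1701 in (sport, dport):
            # L2TP/L2F visible on the wire means there is no IPSec beneath it.
            return "VN: L2TP/L2F without IPSec, payload readable"
        if proto == TCP and 1723 in (sport, dport):
            return "PPTP control channel (TCP 1723), cleartext by design"
    return "not a VPN tunnel packet"

def audit(pkts):
    """Return (index, label) for every packet that is only a 'VN'."""
    return [(i, classify(p)) for i, p in enumerate(pkts)
            if classify(p).startswith("VN")]

if __name__ == "__main__":
    sample = [_ipv4(ESP), _ipv4(UDP, _udp(1701)), _ipv4(GRE), _ipv4(UDP, _udp(53))]
    for i, label in audit(sample):
        print(f"packet {i}: {label}")
```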
Related Links
Tech Update: Protecting the private in VPN. Network World, 9/27/99.
The vaunted VPN: VPNs fall short of their exalted reputations. Network World, 9/27/99.