Application-layer VPNs are generating lots of attention these days. Proponents cite the technology's ability to provide secure remote access to a broad spectrum of applications and network resources. But what exactly are application-layer VPNs, and how do they differ from traditional VPNs?

Unlike traditional IP Security (IPSec)-based VPNs, which operate at Layer 3 (the network layer) of the Open Systems Interconnection model, application-layer VPNs operate at Layer 7 (the application layer). Operating at Layer 7 provides visibility into application data, giving network administrators new opportunities to enforce security policy for remote application access.

The central element of an application-layer VPN is the application-layer proxy, typically provided in the form of a dedicated network appliance. The proxy offers a single point of administration while acting as a sentinel to the private network behind the firewall.

An application-layer VPN acts as an intermediary between remote client requests and server-based applications. It terminates incoming connections from remote users at the application layer, processes the data and then translates the data to the appropriate application protocol. During this termination gap, the VPN analyzes application information, applies security policy and serves as a gatekeeper between the Internet and the private network.

An application-layer VPN runs client and server versions of an application on a single server, eliminating the need for a client on the remote PC. For Windows applications, client and server versions are installed on a Windows Terminal Server, which uses Microsoft Remote Desktop Protocol (RDP) to negotiate the remote user's input with the application's responses.