Virtual Private Network

Using the Power of the Internet

By Arthur L. Soria

October 2000

INSS 690

Prof. John Meinke

Abstract

Introduction

What exactly is a VPN?

The need for VPN

Why change?

Enter VPNs

Reaping the benefits of VPNs

VPN Implementation

Connecting Users over the Internet

Connecting networks over the Internet

Connecting computers over an intranet

Basic Requirements

Tunneling Basics

Tunneling Protocols

How tunneling works

The tunneling protocols and the basic tunneling requirements

VPN Service Levels

Economical Access

Premium Access

Future Direction

Conclusion

Abstract

This research paper provides an overview of virtual private networks (VPN), describes their basic requirements, and discusses some of the key technologies that permit private networking over public internetworks. This document also addresses the cost benefits of VPN and the inevitable merging of VPN and high-speed access technology.

Introduction

The term "VPN," or "Virtual Private Network," is one of the most overused buzzwords in the industry today. Proponents claim that VPNs can solve many issues, from extending the enterprise to include strategic business partners and customers, to providing remote users secure multi-protocol access to corporate Intranets, to securing corporate data for transport over the public Internet. Market research firms and vendors are predicting that the worldwide market for VPNs will reach, if not exceed, $10 billion by 2003. The allure of an Internet-based VPN is that you can avoid paying high monthly charges, and travelling company employees can dial in from practically anywhere. Understandably, others say that an Internet-based VPN is not the place for data that carries critical transaction updates or streaming video. [Pompili, 1997] When you send your corporate data over a VPN drilled through the Internet, your data is contending for bandwidth and router services with data from every surfer and game player on the Net. There are no guarantees of connections or levels of throughput. With all the excitement, speculation and competing messages in the press regarding this technology, it is hard to answer some of the basic questions: what exactly is a VPN? Why do you need a VPN? And what are some of the technologies used in deploying a VPN? This paper will attempt to answer these questions by giving a working definition of VPN and its common uses, explaining implementation issues in terms of the required set of technologies and service level agreement options, and elaborating on the benefits and future trends of VPNs.

What exactly is a VPN?

For years, voice and data services were delivered using what the telephone companies called virtual private networks. In fact, the phone companies consider just about all software-defined networks as VPNs. But the current generation of VPNs is very different. The working definition of a VPN that will serve as the basis for all discussion in this paper is the following: VPN is a combination of tunneling, encryption, authentication, and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone. [Salamone, 1998] Notice that with this definition the underlying network can be based on the Internet, a closed private IP net, frame relay, ATM, X.25 or any combination of network technologies. The service can support voice, data or video applications.

A VPN connects the components and resources of one network over another network. This is accomplished by allowing the user to tunnel through the Internet or another public network in a manner that lets the tunnel participants enjoy the same security and features formerly available only in private networks. The secure connection across the internetwork appears to the user as a private network communication -- despite the fact that this communication occurs over a public internetwork -- hence the name Virtual Private Network.

The need for VPN

Understanding the need for VPNs requires us to look at some connectivity and business trends. A number of events that are occurring in the corporate world are changing basic connectivity requirements.

The first major trend is the growth in telecommuting. Industry experts estimate that there were about 7.5 million full-time telecommuters in 1997. [Salamone, 1998] And there were probably several million more if you counted those people who work at home a couple of days a week.

Social factors are driving this number up. Many people want to work at home for personal reasons such as taking care of their children or eliminating time commuting to and from work.

In today's competitive business climate, companies are catering to employee demands and often will let skilled employees telecommute in order to retain their services. Additionally, many companies will now hire the best candidate for a job regardless of where that person is located.

Additionally, there is a different kind of mobile work force today than in the past. People have always traveled, but today's traveler needs frequent access to the corporate network. For example, access to e-mail is now considered essential by most travelers.

On top of that, more employees work extended hours. It is common for professionals to require access to e-mail and network applications at night and on the weekends. All of this is increasing the demand for connectivity.

Further driving the connectivity needs of a corporation are other major business changes. Decentralization of corporations is on the rise. Rather than having a corporate headquarters where the majority of employees are located, most companies today spread their operations across the country or even the world.

Pushing connectivity requirements even further is the fact that more companies now have business applications that require sites to share information frequently. For instance, in the past, a bank branch office might only need to check a customer's account balance on a mainframe in the bank's headquarters. Nowadays, associates in a branch office might need to look up the current rate on a money market certificate and check a customer's investments that are managed by the bank.

In other words, the number of applications that require small sites to have access to information keeps growing. And this trend is forcing companies to change the way they connect sites.  The bottom line is that IT managers find they must support an increasing number of dial-access users, and at the same time, they must link more offices together.

Why change?

Remote and branch office connectivity are not new to most IT managers. So why are VPNs even necessary? The answer is that the cost of using traditional remote access technology is skyrocketing and will only get higher as more users and sites need to be connected.

During the past few years, several market research firms have done remote-access cost studies. Consistent findings have revealed that equipment costs are only about 15 percent to 20 percent of the total cost of ownership when connecting users and sites. [Salamone, 1998] The bulk of the cost to support remote access comes from two areas:

· Recurring telecommunications costs, and

· Operational costs to support the users and manage the equipment.

Typically, companies pay a per-minute charge for connect time and long distance fees for both dedicated and dial access.  Long distance charges for dial access start at about 10 cents per minute--about $240 per month per person for two hours of connect time a day. Those costs can become astronomical if the user makes a long distance call from a hotel in an international location.

Companies also often have additional hidden costs when supporting large numbers of sites or users. For instance, some businesses simply have telecommuters or travelers submit their phone expenses with their normal expense reports.   This is a productivity buster since the user must take the time to photocopy each phone bill and the accounting department must deal with the submissions.

A number of companies use 800 services to avoid such hassles and to make it much easier for their users to connect when on the road. Even the best rates on 800 services--about 5 cents per minute--amount to phone bills of $120 per month per user for about two hours of connect time each day. That adds up to $144,000 a year for 100 users.   Telecommunications costs are simply proportional to the number of users. If you double the number of people dialing in, you also double the phone charges.

Enter VPNs

VPNs offer ways to keep costs in check. First, they can reduce the recurring communications charges, and second, they can reduce the amount of access equipment required. VPNs use the relatively free bandwidth of the Internet or a service provider's network to connect a user to a corporate network or carry traffic between sites.

For dial access, the basic idea is to replace that long distance phone call to the company with a local call into an Internet service provider's point of presence (POP).  Some IT managers may look at usage-based services to get a guaranteed network availability and latency across that provider's network.  This would cost more than a flat-rate account but this amount would still be substantially lower than using an 800 service.

Reaping the benefits of VPNs

Early adopters like JetForm are seeing the benefits of VPNs. JetForm Corp., which sells electronic forms automation and enterprise workflow systems, tore out a 14-node frame relay network that connected 13 offices in North America and Europe to corporate headquarters in Ottawa and replaced it with an international VPN. JetForm now uses a VPN gateway in each site as well as a single international service provider for the VPN's IP backbone and Internet access.

The move is reaping huge cost savings in telecommunications charges and, surprisingly, a significant reduction in response times on the network. Using the frame relay network, JetForm had response times between Ottawa and California of about 300 to 400 milliseconds. In the VPN configuration, the company's typical response times are less than 200 milliseconds.

There are several keys to the VPN's performance. First, the traffic stays on one provider's backbone the entire way. Also, the VPN uses higher-speed access lines at lower cost.

In the frame relay configuration, JetForm paid about $2,500 per site per month for 56-Kbps connections. Now the company uses 128-Kbps Internet access links for each site, at a monthly cost of about $1,500.

These are some examples of how VPN solutions have overcome Internet outages and poor performance.

VPN Implementation

One thing all virtual private networks have in common is that they share the same core set of technologies: tunneling, encryption, authentication and access control. Within these core technology areas, IT managers will have to decide which implementation of each they wish to use in their networks. However, the service provider also plays a big role in the implementation. This could prove to be a difficult decision for IT managers because the provider's role could range from simply supplying Internet access to offering a turnkey system that includes access, equipment, management of the equipment and administration of VPN services.

Connecting Users over the Internet

A VPN, from a user's perspective, is a point-to-point connection between a computer and the corporate server. The nature of the intermediate internetwork is transparent to the user because it appears as if the data is being sent over a dedicated private link. Figure 1 shows a remote user accessing a corporate network over the Internet through a VPN.

Figure 1. Using a VPN to connect a remote client to a private LAN

Rather than making a leased-line, long distance (or 1-800) call to a corporate or outsourced Network Access Server (NAS), the user first calls a local Internet Service Provider (ISP) NAS phone number. Using the local connection to the ISP, the VPN software creates a virtual private network between the dial-up user and the corporate VPN server across the Internet.

Connecting networks over the Internet

VPN technology also allows a corporation to connect to branch offices (Intranets) or to other companies (Extranets) over a public internetwork while maintaining secure communications. The VPN connection across the Internet logically operates as a Wide Area Network link between the sites.

There are two methods for using VPNs to connect local area networks at remote sites:

1) Using dedicated lines to connect a branch office to a corporate LAN. Rather than using an expensive long-haul dedicated circuit between the branch office and the corporate hub, both the branch office and the corporate hub routers can use a local dedicated circuit and local ISP to connect to the Internet. The VPN software uses the local ISP connections and the public Internet to create a virtual private network between the branch office router and corporate hub router.

2) Using a dial-up line to connect a branch office to a corporate LAN. Rather than having a router at the branch office make a leased-line, long distance or (1-800) call to a corporate or outsourced NAS, the router at the branch office can call the local ISP. The VPN software uses the connection to the local ISP to create a virtual private network between the branch office router and the corporate hub router across the Internet.

Figure 2. Using a VPN to connect two remote sites

Note that in both cases, the facilities that connect the branch office and corporate offices to the Internet are local. Both client-server, and server-server VPN cost savings are largely predicated upon the use of a local access phone number to make a connection. It is recommended that the corporate hub router that acts as a VPN server be connected to a local ISP with a dedicated line. This VPN server must be listening 24 hours per day for incoming VPN traffic.

Connecting computers over an intranet

In some corporate internetworks, the departmental data is so sensitive that the department's LAN is physically disconnected from the rest of the corporate internetwork. While this protects the department's confidential information, it creates information accessibility problems for those users not physically connected to the separate LAN.

Figure 3. Using a VPN to connect to two computers on the same LAN

VPNs allow the department's LAN to be physically connected to the corporate internetwork but separated by a VPN server. Note that the VPN server is NOT acting as a router between the corporate internetwork and the department LAN. A router would interconnect the two networks, allowing everyone access to the sensitive LAN. By using a VPN, the network administrator can ensure that only those users on the corporate internetwork who have appropriate credentials (based on a need-to-know policy within the company) can establish a VPN with the VPN server and gain access to the protected resources of the department. Additionally, all communication across the VPN can be encrypted for data confidentiality. Those users who do not have the proper credentials cannot view the department LAN.

Basic Requirements

Before we look at the basics of tunneling and explore service level options, let us establish some basic implementation requirements. Typically, when deploying a remote networking solution, an enterprise desires controlled access to corporate resources and information. However, the solution must allow freedom for authorized remote clients to easily connect to corporate LAN resources, and also allow remote offices to connect to each other to share resources and information (LAN-to-LAN connections). The solution must also ensure the privacy and integrity of data as it traverses the public Internet. The same concerns apply in the case of sensitive data traversing a corporate internetwork. Therefore, at a minimum, a VPN solution should provide all of the following:

· User Authentication. The solution must verify a user's identity and restrict VPN access to authorized users. In addition, the solution must provide audit and accounting records to show who accessed what information and when.

· Address Management. The solution must assign a client's address on the private net, and must ensure that private addresses are kept private.

· Data Encryption. Data carried on the public network must be rendered unreadable to unauthorized clients on the network.

· Key Management. The solution must generate and refresh encryption keys for the client and server.

· Multiprotocol Support. The solution must be able to handle common protocols used in the public network. These include Internet Protocol (IP), Internet Packet Exchange (IPX), and so on.

Tunneling Basics

Tunneling is at the heart of all VPN implementations. Tunneling is a method of using an internetwork infrastructure to transfer data from one network over another network. The data to be transferred (or payload) can be the frames (or packets) of another protocol. This payload is encapsulated in an additional header by the tunneling protocol. The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork.

The encapsulated packets are then routed between tunnel endpoints over the internetwork. The logical path through which the encapsulated packets travel through the internetwork is called a tunnel. Once the encapsulated frames reach their destination on the internetwork, the frame is stripped of the added header and forwarded to its final destination. Note that tunneling includes this entire process (encapsulation, transmission, and stripping of packets).

Figure 3. Tunneling

Note that the transit internetwork can be any internetwork -- the Internet is a public internetwork and is the most widely known real world example. There are many examples of tunnels that are carried over corporate internetworks. And while the Internet provides one of the most pervasive and cost-effective internetworks, references to the Internet in this paper can be replaced by references to any other public or private internetwork that acts as a transit internetwork.

Tunneling technologies have been in existence for some time. Some examples of mature technologies include:

· SNA tunneling over IP internetworks. When System Network Architecture (SNA) traffic is sent across a corporate IP internetwork, the SNA frame is encapsulated in a UDP and IP header.

· IPX tunneling for Novell NetWare over IP internetworks. When an IPX packet is sent to a NetWare server or IPX router, the server or router wraps the IPX packet in a UDP and IP header, and then sends it across an IP internetwork. The destination IP-to-IPX router removes the UDP and IP header, and forwards the packet to the IPX destination.

In addition, new tunneling technologies have been introduced in recent years. These newer technologies include:

· Point-to-Point Tunneling Protocol (PPTP). PPTP allows IP, IPX, or NetBEUI traffic to be encrypted and then encapsulated in an IP header to be sent across a corporate IP internetwork or a public IP internetwork such as the Internet.

· Layer 2 Tunneling Protocol (L2TP). L2TP allows IP, IPX, or NetBEUI traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay, or ATM.

· IP Security (IPSec) Tunnel Mode. IPSec Tunnel Mode allows IP payloads to be encrypted and then encapsulated in an IP header to be sent across a corporate IP internetwork or a public IP internetwork such as the Internet.

Tunneling Protocols

For a tunnel to be established, both the tunnel client and the tunnel server must be using the same tunneling protocol. Tunneling technology can be based on either a Layer 2 or Layer 3 tunneling protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference Model. Layer 2 protocols correspond to the Data Link layer, and use frames as their unit of exchange. PPTP, L2TP and Layer 2 Forwarding (L2F) are Layer 2 tunneling protocols; all three encapsulate the payload in a Point-to-Point Protocol (PPP) frame to be sent across an internetwork. Layer 3 protocols correspond to the Network layer, and use packets. IP over IP and IP Security (IPSec) Tunnel Mode are examples of Layer 3 tunneling protocols. These protocols encapsulate IP packets in an additional IP header before sending them across an IP internetwork.

How tunneling works

For Layer 2 tunneling technologies such as PPTP and L2TP, a tunnel is similar to a session; both of the tunnel endpoints must agree to the tunnel and must negotiate configuration variables, such as address assignment or encryption or compression parameters. In most cases, data transferred across the tunnel is sent using a datagram-based protocol. A tunnel maintenance protocol is used as the mechanism to manage the tunnel.

Layer 3 tunneling technologies generally assume that all of the configuration issues have been handled out of band, often by manual processes. For these protocols, there may be no tunnel maintenance phase. For Layer 2 protocols (PPTP and L2TP), however, a tunnel must be created, maintained, and then terminated.

Once the tunnel is established, tunneled data can be sent. The tunnel client or server uses a tunnel data transfer protocol to prepare the data for transfer. For example, when the tunnel client sends a payload to the tunnel server, the tunnel client first appends a tunnel data transfer protocol header to the payload. The client then sends the resulting encapsulated payload across the internetwork, which routes it to the tunnel server. The tunnel server accepts the packets, removes the tunnel data transfer protocol header, and forwards the payload to the target network. Information sent between the tunnel server and the tunnel client behaves similarly.
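The encapsulate, transmit and strip sequence described in Tunneling Basics and above, worked through as an added example (not code from the paper) using plain IP over IP, one of the Layer 3 schemes named earlier. The function names, addresses and payload bytes are constructed for illustration; the example also shows what a transit router and an on-path onlooker can read, which is why the paper lists encryption alongside tunneling as a VPN requirement.

```python
"""IP-in-IP tunnel walk-through (added example, not code from the paper).
A tunnel client wraps a private-network packet in an outer IPv4 header addressed
to the tunnel server (IANA protocol number 4); transit routers forward on the outer
header only; the tunnel server strips it. All addresses and payloads are constructed."""
import ipaddress
import struct

IPPROTO_IPIP = 4            # outer-header protocol number for IP-in-IP
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a header whose checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0) -> bytes:
    """Return a 20-byte IPv4 header with a valid checksum followed by payload."""
    total_len = 20 + len(payload)
    if total_len > 0xFFFF:
        raise ValueError("payload too large for one IPv4 packet")
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # bytes 10-11 hold the checksum; fill it in over the otherwise complete header
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 packet; raise ValueError if it is malformed or fails its checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel client: prepend the outer header that carries the packet across the transit net."""
    parse_ipv4(inner)                       # only tunnel well-formed IPv4 packets
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes, my_tunnel_addr: str) -> bytes:
    """Tunnel server: accept only tunnel packets addressed to us, then strip the outer header."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != my_tunnel_addr:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-in-IP" % hdr["proto"])
    inner = hdr["payload"]
    parse_ipv4(inner)                       # validate before forwarding onto the private LAN
    return inner

def transit_router_view(outer: bytes) -> dict:
    """What a router on the transit internetwork looks at: outer addresses and protocol only."""
    hdr = parse_ipv4(outer)
    return {"src": hdr["src"], "dst": hdr["dst"], "proto": hdr["proto"]}

def onlooker_view(outer: bytes) -> dict:
    """What anyone capturing the outer packet reads when no encryption is applied: the
    private inner addresses and the payload are in the clear, so tunneling alone is not a VPN."""
    inner = parse_ipv4(parse_ipv4(outer)["payload"])
    return {"inner_src": inner["src"], "inner_dst": inner["dst"], "payload": inner["payload"]}

def demo() -> dict:
    """End-to-end run: 10.0.0.0/8 addresses inside the tunnel, RFC 5737 documentation
    ranges for the public tunnel endpoints (all constructed, not real hosts)."""
    inner = build_ipv4("10.1.1.5", "10.2.2.9", IPPROTO_UDP, b"branch-report", ident=7)
    outer = encapsulate(inner, "198.51.100.10", "203.0.113.1")
    delivered = decapsulate(outer, "203.0.113.1")
    return {"outer_len": len(outer), "inner_len": len(inner),
            "router": transit_router_view(outer),
            "onlooker": onlooker_view(outer),
            "intact": delivered == inner}

if __name__ == "__main__":
    print(demo())
```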

The tunneling protocols and the basic tunneling requirements

Because they are based on the well-defined PPP protocol, Layer 2 protocols (such as PPTP and L2TP) inherit a suite of useful features. These features and their Layer 3 counterparts address the basic VPN requirements as outlined below.

· User Authentication. Layer 2 tunneling protocols inherit the user authentication schemes of PPP, including the EAP methods discussed below. Many Layer 3 tunneling schemes assume that the endpoints were well known (and authenticated) before the tunnel was established. An exception to this is IPSec ISAKMP negotiation, which provides mutual authentication of the tunnel endpoints. (Note that most IPSec implementations support machine-based certificates only, rather than user certificates. As a result, any user with access to one of the endpoint machines can use the tunnel. This potential security weakness can be eliminated when IPSec is paired with a Layer 2 protocol such as L2TP.)

· Token card support. Using the Extensible Authentication Protocol (EAP), Layer 2 tunneling protocols can support a wide variety of authentication methods, including one-time passwords, cryptographic calculators, and smart cards. Layer 3 tunneling protocols can use similar methods; for example, IPSec defines public key certificate authentication in its ISAKMP/Oakley negotiation.

· Dynamic address assignment. Layer 2 tunneling supports dynamic assignment of client addresses based on the Network Control Protocol (NCP) negotiation mechanism. Generally, Layer 3 tunneling schemes assume that an address has already been assigned prior to initiation of the tunnel. Schemes for assignment of addresses in IPSec tunnel mode are currently under development and are not yet available.

· Data Compression. Layer 2 tunneling protocols support PPP-based compression schemes. For example, the Microsoft implementations of both PPTP and L2TP use Microsoft Point-to-Point Compression (MPPC). The IETF is investigating similar mechanisms (such as IP Compression) for the Layer 3 tunneling protocols.

· Data Encryption. Layer 2 tunneling protocols support PPP-based data encryption mechanisms. Microsoft's implementation of PPTP supports optional use of Microsoft Point-to-Point Encryption (MPPE), based on the RSA/RC4 algorithm. Layer 3 tunneling protocols can use similar methods; for example, IPSec defines several optional data encryption methods which are negotiated during the ISAKMP/Oakley exchange. Microsoft's implementation of the L2TP protocol uses IPSec encryption to protect the data stream from the client to the tunnel server.

· Key Management. MPPE, a Layer 2 protocol, relies on the initial key generated during user authentication, and then refreshes it periodically. IPSec explicitly negotiates a common key during the ISAKMP exchange, and also refreshes it periodically.

· Multi-protocol support. Layer 2 tunneling supports multiple payload protocols, which makes it easy for tunneling clients to access their corporate networks using IP, IPX, NetBEUI, and so forth. In contrast, Layer 3 tunneling protocols, such as IPSec tunnel mode, typically support only target networks that use the IP protocol.

VPN Service Levels

Ideally, VPN may be a managed service that includes a single logon feature enabling access to an integrated directory. The directory, in turn, is tied to a centralized policy management server. This arrangement allows the selection of quality of service (QoS) by call, user, time of day, destination, origin or any other criteria. The QoS is tied to service-level agreements and directly influences the price. This is the ideal environment; in practice, however, there are countless variations available to IT managers, with advantages and disadvantages to every approach.

Economical Access

For example, one strategy is to keep the role of the provider to a minimum. An IT manager purchases a VPN tunnel termination device for headquarters, sets up remote users with VPN client software and then puts VPN equipment in branch offices.

In this scenario, the provider is simply there for access. The IT staff must manage the equipment and VPN services such as user authentication and encryption key distribution. The provider is not involved in managing the VPN at all.

This approach is generally regarded as an economical one. A company pays for an Internet access line to headquarters and branch offices. Users, in turn, each get an unlimited access, flat-rate monthly ISP account.

One potential problem with this approach is that with a flat-rate ISP account, there is no distinction between a VPN user dialing into the service provider for business or a teenager surfing the Web and chatting with friends.

Premium Access

Some IT managers opt for a higher level of service from their ISPs. An alternative that is gaining popularity is to subscribe to premium access services for VPN applications.

In contrast to the flat-rate service, a premium service provides performance guarantees. These guarantees typically come with some financial incentive for the user organization. If the provider fails to meet promised service level agreements (SLAs) for latency across its backbone or network availability, the customer gets a credit on its monthly bill.

One thing to look for with SLAs is how the process works. Does the provider give the IT manager a tool to measure performance? And are user organization accounts credited automatically in the event of a network outage or a performance problem?

Keep in mind that the SLAs go out the door when traffic does not stay on a provider's network.

With SLAs in hand, some providers are offering premium usage-based user accounts that deliver much better performance than flat-rate monthly ISP accounts.

Such services cost more than a flat-rate service but deliver the performance that would be required for business applications. Typically, a manager can expect to pay anywhere from $2 to $5 per hour for these services. The cost, while frequently more than a flat-rate, $20-per month ISP account, typically makes a VPN a less expensive alternative than either direct-dial access utilizing an 800 service or paying for long distance phone calls.

More Than Access

Such premium services still have nothing to do with the VPN that an IT manager may have set up in his or her business. The company is still simply buying access from the service provider.

This level of involvement by the ISP may be just right for some IT managers, but others may want or require more. To that end, some service providers offer managed services that extend to the VPN arena.

For example, certain providers offer services that include access in addition to the VPN equipment. In essence, the IT manager leases the equipment from the service provider or the price of the equipment is built into the monthly service fee.

As with any kind of arrangement that bundles equipment and service, the IT manager no longer has to worry about training staffers on the use of the equipment. In addition, there's no longer a need to dedicate resources to managing the equipment on a day-to-day basis, and the provider can typically upgrade the equipment over time.

Service providers can also play a role beyond the management of access equipment. For instance, some handle VPN-specific tasks such as authentication or encryption key management. Some managers would prefer to retain the management of these tasks within their organizations. And for some financial industry applications and government agencies, there are regulations stipulating that operations such as key management be controlled entirely by the company or organization.

However, as more companies look to their VPNs for e-commerce applications, IT managers may want the service provider to play a bigger role in security services. For instance, if a company starts to allow customers to do business electronically and requires the use of digital certificates for a customer to participate, the IT manager may want the provider to manage the digital certificates and offer certificate authority services (or at least offer a link to a third-party certificate authority service).

Another option that some IT managers are looking for is a combination of managed security services, for example, having the provider perform additional tasks such as managing firewalls and scanning e-mail messages and attachments for viruses.

The level of involvement of the provider will depend on each IT manager's preferences. Some will want to off-load as many VPN and security tasks to a provider as possible. Other managers may want help only with specific tasks. Still others may simply want the provider to deliver raw access and leave the administration and management of the VPN to the corporate IT staff.

Future Direction

The types of applications being deployed across the public Internet today are increasingly mission-critical, whereby business success can be jeopardized by poor application performance.  Until now, telecommuters had to make do with the speeds afford by these traditional dial access services. For most, there was no economical alternative. Frame relay, fractional T1, T1 and other high-speed data services were simply too expensive to run out to every telecommuter's home.  However, there has been noticeable progress in the deployment of high-speed access services based on cable modems and Digital Subscriber Line (DSL) technologies.   The problem with these services from a business standpoint has been that they really only provided high-speed Internet access and did not offer any way to get back to the corporate network.

VPN security and network access features, combined with these high-speed access services, seem to offer an economical and dependable alternative to traditional access services. DSL, particularly symmetrical versions of the service, seems to fit the bill for corporate users, giving them T1 or better access speeds at a fraction of the cost of a traditional T1 line. And cable modem services typically offer between 1 Mbps and 2 Mbps connection speeds for between $40 and $100 per month.

As DSL and cable modem service deployment heats up in the coming year, IT managers should be looking at the combination of VPNs and these high-speed services for their remote users. A small number of service providers are already combining VPN and high-speed services. These providers have targeted the connectivity needs of small to medium businesses and seem to be carving out a nice niche market.

However, many providers do not combine the two services for you. In most cases that means IT managers will be left to set up VPN-enabled high-speed connections on their own. VPN security applied to cable modems seems to have a particular appeal. Cable modem services are being aggressively rolled out in certain parts of the US.

However, the service has primarily been seen as a consumer Internet access service. One reason for this perception is that many cable networks are architected so that all homes served from the same neighborhood equipment pedestal essentially share a single LAN segment. This will not do for most business users.

VPNs solve this problem since the traffic is encrypted before it is sent through the cable modem box. One potential obstacle to implementing a VPN-enabled high-speed telecommuting system is that cable and DSL modems do not typically support VPN technology. But then again, neither do analog modems. However, there is a difference between the analog and high-speed access worlds that needs to be taken into account.

With analog modems, the amount of data streaming from and toward a telecommuter is fairly modest. And any PC running VPN client software can easily handle the encryption, decryption and tunneling tasks associated with using a VPN.

The situation could be radically different with a high-speed connection. Commercially available cable modem and DSL services tout transmission speeds in the range of 1 Mbps to 2 Mbps. Before setting up a VPN, the question that needs to be answered is: Can a PC with VPN client software perform the necessary encryption and tunneling tasks at these rates?

And if the PC can handle these tasks, does it do so at the expense of other applications? It makes no sense to give telecommuters a connection to the corporate network if their PCs are going to lock up under the load.

Early indications seem to offer some assuring news. Users who have experimented with running VPNs over a DSL link say that a Pentium-class computer has enough processing power to handle these tasks.

So software-based VPN approaches in the telecommuter's home seem to be viable. And hardware-based VPN solutions that are designed primarily to link branch offices over T1 lines can easily be used in a telecommuter application. In this scenario, the VPN device would be placed between the user's PC and the cable or DSL modem.
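The two concerns raised above, that neighbors on a shared cable segment see only cipher text and that a PC must keep up with the link rate, can be checked directly. The following is an added example, not code from this paper: it models what a software VPN client of the kind described does per packet, using the encrypt-then-MAC construction of IPsec ESP with 3DES-CBC and HMAC-SHA1-96 as a representative choice, with constructed keys and a fixed IV for repeatability, and measures how many megabits per second the host can protect for comparison with a 1 Mbps to 2 Mbps cable or DSL line.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"time"
)

// Constructed demo keys and a fixed IV (a real VPN negotiates its keys and uses a fresh IV per packet).
var encKey = []byte("0123456789abcdefghijklmn") // 24-byte 3DES key
var macKey = []byte("demo-hmac-key")
var iv = []byte("12345678") // 3DES block size is 8 bytes

// tag computes HMAC-SHA1 over the cipher text, truncated to 96 bits as ESP does.
func tag(ct []byte) []byte {
	mac := hmac.New(sha1.New, macKey)
	mac.Write(ct)
	return mac.Sum(nil)[:12]
}

// protect pads to the 3DES block size, encrypts in CBC mode, then appends the tag (encrypt-then-MAC).
func protect(payload []byte) []byte {
	block, _ := des.NewTripleDESCipher(encKey)
	pad := 8 - len(payload)%8
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(ct, tag(ct)...)
}

// verify reports whether a received packet's tag matches; anything altered on the shared segment is rejected.
func verify(pkt []byte) bool {
	if len(pkt) < 20 {
		return false
	}
	return hmac.Equal(pkt[len(pkt)-12:], tag(pkt[:len(pkt)-12]))
}

// throughputMbps protects n packets of size bytes and returns the sustained rate in Mbps for the host.
func throughputMbps(n, size int) float64 {
	pkt := bytes.Repeat([]byte{'A'}, size)
	start := time.Now()
	for i := 0; i < n; i++ {
		protect(pkt)
	}
	return float64(n*size*8) / time.Since(start).Seconds() / 1e6
}
```

Calling throughputMbps(2000, 1400) gives a rough per-host figure for full-size packets; if it is well above the access link rate, the software client has headroom for other applications.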

If companies start using VPNs to connect large numbers of DSL and cable modem telecommuters, there might be implications with respect to the equipment used in the main office.

Traffic from these high-speed access users then needs to be aggregated. For main offices, companies will likely have to use some form of packet processor dedicated to VPNs on the LAN side of a router. These devices will handle VPN security along with a substantial number of other functions such as bandwidth management. For the most part, it looks like IT managers are going to have to roll their own solutions.

This entire area of marrying VPN security services to high-speed access is just beginning to emerge. If the combination proves popular, it has the potential of increasing telecommuter productivity, and will allow companies to let more people telecommute. This might let companies keep highly skilled people, thus saving the costs of replacing a worker who might otherwise have left.


Conclusion

VPN services allow users or corporations to reliably and securely connect to remote servers, branch offices or other companies over public and private networks. In all of these cases, the secure connection appears to the user as a private network communication -- despite the fact that this communication occurs over a public internetwork (like the Internet). VPN technology is designed to address issues surrounding the current business trend toward increased telecommuting and widely distributed global operations, where workers must be able to connect to central resources and where businesses must be able to communicate with each other efficiently.


References

MSDN Online Web Workshop. (1998, June 25). Virtual Private Networking: An Overview. [On-Line]. http://msdn.microsoft.com/

Microsoft Security Adviser. (1999, October 8). Virtual Private Network. [On-Line]. http://www.microsoft.com/

Salamone, Salvatore. (1998, December 14). Does Everybody Really Know What a VPN Is? Internet Week, p. 56.

O’Brien, James. (1999). MIS: Managing Information Technology in the Internetworked Enterprise, Fourth Edition, p. 219.

Briere, Daniel. (1998, March 30). Burning VPN questions answered. [On-Line]. http://www.nwfusion.com/

Kent, S. (1998, November). Security Architecture for the Internet Protocol. Request for Comments 2401.

Pompili, Tony. (1997, October 10). Drill a VPN through the Internet. PC Magazine: Net Tools.

McDonald, Christopher. (1999, June 14). Virtual Private Network: An overview. Intranet Design Magazine, p. 1.