

Unlocking Virtual Private Networks
PPTP LAN-to-LAN tunnels run between Windows NT servers that have installed the PPTP protocol along with Microsoft's Routing and Remote Access Service (R&RAS) update, formerly code-named Steelhead. R&RAS resembles IPSec tunnel-mode encapsulation in that it wraps and encrypts whole IP packets and forwards them to the destination server; the authentication and encryption are those of the underlying PPP link (MS-CHAP and MPPE), not a separate key-management protocol. This provides tunneling between sites from within NT, without extra equipment or changes to your network. However, at press time, PPTP tunnels could terminate only on NT servers; Unix and NetWare users are out of luck.
PPTP's strength is that it provides a low-cost, easy-to-configure multiprotocol VPN solution. Furthermore, PPTP, unlike IPSec VPN, provides multiprotocol connectivity for dial-up remote clients: because it tunnels PPP frames, it extends not only IP networks to remote users and sites, but also IPX, NetBEUI and NetBIOS networking.
We found in testing that setting up PPTP tunnels was no more difficult than setting up RAS connections. After launching the Dial-On Demand Wizard on the two NT Servers that are the PPTP tunnel end points, the tunnel is defined and ready to run. When either NT Server sees a packet that requires the tunnel, it brings up the tunnel to the other side and begins passing traffic over it.
· Socks-Based VPN Calling Socks 5-based proxies VPN solutions stretches the already muddy definition of virtual private networking fairly thin. Socks is an application-level protocol designed to grant access to services and applications on your network. Aventail's VPN 2.0 is a Socks 5 proxy server that grants secure access to your network services and applications, but it is not a true VPN because it doesn't give the client machine an address on the private network.
What makes VPN 2.0 interesting in relation to the VPN story is that the goal of VPN is strong authentication and encryption from the user to the LAN, complete with user-based access to network resources. To do that with IPSec devices, many holes still need to be filled, such as IPSec interoperability and certificate authorities that manage access control lists, revocation lists and certificates and interoperate with other CAs.
Aventail's VPN 2.0 offers much of that strong, user-based authentication and encryption and user-based access, as well as a host of other features that are not possible with IPSec, PPTP or other network-layer VPN technologies, such as content filtering (denying access to Java applets or ActiveX controls, for example) and extensive per-user logging and auditing. In fact, during testing, we used VPN 2.0's audit logs to track usage and debug connections.
Aventail's VPN server provides a great deal of modularity for encryption algorithms, authentication algorithms, and filtering of addresses and content. An administrator creates configuration files for users; the files contain the redirection rules, server definitions and other parameters the client needs to connect to the Socks server. These files are distributed to remote users. All user profiles are created and stored on VPN 2.0, which centralizes user management. The profiles define what authentication, encryption and network resource access each user has. When users attempt to access protected services, they must authenticate; if authentication succeeds, the security profile is enforced and the connection proceeds.
For example, a client profile may say that any connection destined for the payroll network should be sent to a Socks server for authentication and encryption, while all other connections should be processed as normal. The user profile on VPN 2.0 might state that this user must be authenticated with an MD5-based method, can access the personnel database and requires DES encryption. When the user tries to connect to the personnel database, the client profile redirects the request to VPN 2.0. VPN 2.0 creates a Secure Sockets Layer (SSL) session with the client and authenticates the user. Once the user is authenticated, VPN 2.0 sets up the encrypted session and the authenticated user can access the database.
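To make the redirect-then-authenticate flow above concrete, here is an added example (not Aventail's code or configuration format) of the wire-level exchange a generic Socks 5 client and server perform: RFC 1928 method negotiation, RFC 1929 username/password sub-negotiation and a CONNECT request, driven over an in-process socket pair. A client-side redirection rule and a server-side access profile stand in for the client and user profile files described in the text; the network ranges, user name and password are constructed for illustration. Aventail's product also wraps this exchange in SSL and supports other authentication methods, which the example does not model.

```python
"""SOCKS5 exchange: RFC 1928 method negotiation, RFC 1929 username/password
sub-negotiation and a CONNECT request, driven over an in-process socketpair.
A client-side redirection rule and a server-side access profile stand in for
the client and user profile files described in the text (constructed values)."""
import hmac
import ipaddress
import socket
import struct
import threading

SOCKS_VER = 5
USERPASS, NO_ACCEPTABLE = 0x02, 0xFF          # RFC 1928 method codes
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02     # RFC 1928 reply codes

# Constructed policy (assumption, not Aventail's format): only the "payroll"
# network is redirected to the Socks server; everything else goes direct.
PROXIED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed server-side profiles: credentials and per-user allowed subnets.
USERS = {"alice": b"s3cret"}
ALLOWED = {"alice": [ipaddress.ip_network("10.20.5.0/24")]}  # personnel DB net


def needs_proxy(dst_ip: str) -> bool:
    """Client profile rule: redirect only destinations in a protected network."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in PROXIED_NETS)


def _recvn(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are length-prefixed or fixed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def socks5_client(sock, user, pw, dst_ip, dst_port):
    """Client side of the exchange; returns the server's CONNECT reply code."""
    sock.sendall(bytes([SOCKS_VER, 1, USERPASS]))        # offer user/pass only
    ver, method = _recvn(sock, 2)
    if ver != SOCKS_VER or method != USERPASS:
        raise ConnectionError("server refused username/password auth")
    u = user.encode()
    # RFC 1929 sub-negotiation: version 1, ULEN, UNAME, PLEN, PASSWD (cleartext!)
    sock.sendall(bytes([1, len(u)]) + u + bytes([len(pw)]) + pw)
    _, status = _recvn(sock, 2)
    if status != 0:
        raise PermissionError("authentication failed")
    sock.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0, ATYP_IPV4])
                 + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    _, rep, _, _ = _recvn(sock, 4)
    _recvn(sock, 6)                                      # BND.ADDR + BND.PORT
    return rep


def socks5_server(sock):
    """Server side: negotiate, verify credentials, then enforce the profile."""
    ver, nmethods = _recvn(sock, 2)
    if ver != SOCKS_VER or USERPASS not in _recvn(sock, nmethods):
        sock.sendall(bytes([SOCKS_VER, NO_ACCEPTABLE]))
        return
    sock.sendall(bytes([SOCKS_VER, USERPASS]))
    _, ulen = _recvn(sock, 2)
    user = _recvn(sock, ulen).decode()
    (plen,) = _recvn(sock, 1)
    pw = _recvn(sock, plen)
    if not hmac.compare_digest(USERS.get(user, b""), pw):   # constant-time
        sock.sendall(bytes([1, 1]))                          # non-zero: failure
        return
    sock.sendall(bytes([1, 0]))
    _, cmd, _, atyp = _recvn(sock, 4)
    dst = ipaddress.ip_address(_recvn(sock, 4))
    _recvn(sock, 2)                                          # DST.PORT, unused here
    ok = cmd == CMD_CONNECT and atyp == ATYP_IPV4 and \
        any(dst in net for net in ALLOWED.get(user, []))
    rep = REP_SUCCESS if ok else REP_NOT_ALLOWED
    sock.sendall(bytes([SOCKS_VER, rep, 0, ATYP_IPV4]) + bytes(6))


def run_exchange(user, pw, dst_ip, dst_port=1433):
    """Drive both sides over a socketpair and summarise the outcome."""
    c, s = socket.socketpair()
    t = threading.Thread(target=socks5_server, args=(s,))
    t.start()
    try:
        rep = socks5_client(c, user, pw, dst_ip, dst_port)
        return {REP_SUCCESS: "connected",
                REP_NOT_ALLOWED: "denied-by-ruleset"}.get(rep, "reply-%d" % rep)
    except PermissionError:
        return "auth-failed"
    finally:
        c.close()
        t.join()
        s.close()
```

Two points worth noting when reading the exchange: the RFC 1929 password crosses the wire in the clear, which is exactly why a product like VPN 2.0 establishes the SSL session before authenticating; and the access decision is made by the proxy per user at CONNECT time (reply code 2, "connection not allowed by ruleset"), so an authenticated user still cannot reach a host outside their profile.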
· A Proprietary VPN VTCP/Secure from InfoExpress is a software-only client/server system that uses a proprietary protocol to tunnel TCP traffic across the Internet. It provides a full set of utilities for setting up strong authentication and data encryption, and can apply these properties to both users and groups.
Updated October 24, 1997