What Is A Virtual Private Network?

By Robert Moskowitz

Feel More Secure! Don't leave security to chance. With our Security Threat Watch newsletter you can quickly identify and act upon the most dangerous and pervasive security vulnerabilities without having to wade through thousands of e-mail alerts and mailing lists. Sign up today!

Virtualosity Webster's Dictionary defines virtual as "being such practically or in effect, although not in actual fact or name." So for something to be a virtual network, it should act like a network, yet not be one. It's a wonder then that anyone could classify only some networks as virtual sinc e all networks are virtual to some extent. Perhaps we can make the separation based on physical wiring. If there are real wires among all of the nodes, then the network is not virtual. Based on this determination, WANs have been virtual since the telcos stopped provisioning T1 circuits on conditioned copper and started using channelized T3 circuits instead.

Perhaps a better determinant is whether the network connections are on-demand or dedicated. An on-demand network is made of connections that can be controlled by network administrators, instead of their telecom partners. A network made of connections controlled by a third party like a telco, ISP or telecom analyst is a dedicated network. At some point in this type of network, administrators lose control of the physical network, sometimes right past the building hubs. Thus, for all practical purposes, on-demand networks are built above the network layer because this is the only place accessible to network administrators for their entire network.

Pssst! Got a Secret? What is private for one person is all too often very public for the next. Over the years I've heard of numerous cases of tapped lease circuits, both legally and illegally. We shouldn't use the word private when we mean secure. After all, my front yard is private, yet open for viewing to anyone who wants to see my weedy lawn. Private is defined by Webster's as "of, belonging to, or concerning a particular person or group; not common or general." So a private network is one where you acquire exclusive use of the network links. This is contrasted with a public network where the ownership or payment is dispersed across all of the network residents.

A secure network is an altogether different type of network. Secure networks might be private or public. Security is rarely accomplished in the manner in which the network is provisioned, unless you have armed guards patrolling the wires. In many cases, only the WAN links are secured as a part of their provisioning. This type of secured netwo rking is done with encrypting hardware that delivers security just below the network layer. Secure networking can be more consistently provisioned above the network layer, just like on-demand networking.

This little exercise provides us with a handful of interesting network types. The most common special type of network found is the DPN (dedicated private network). A DPN is what you get almost every time you order a WAN from a third party (regardless of the method--leased circuits, frame relay or ATM) or build your LAN with ATM switches instead of wiring hubs. These technologies let the telecom analyst specify which devices actually have data paths between them, which may be different from the actual physical wiring. Thus a private network, again, is where the data paths are defined by someone for someone and these can consist of physical wiring or specific data links over shared wiring.

This type of private network is different from DSNs (dedicated secure networks), which are standard for banks and mil itary operations. A few companies have implemented DSNs for their international links because of industrial espionage concerns. In a DSN, the WAN links are secured with link-layer or physical-layer encryption devices. The new trends, however are for ONs (on-demand public networks) and OSNs (on-demand secure networks).