A Guide To VPN Basics

  • Virtual private networks (VPNs) have been a staple of enterprise remote connectivity for more than two decades since they replaced old Frame Relay and dial-up systems. Their ability to provide low-cost and secure connectivity for remote users and networks has been unparalleled. VPNs have played an increasingly critical role in enterprises as workplace patterns have shifted to more remote workers and telecommuters.

    Over the years, we’ve seen a steady stream of improvement built on legacy VPN architectures, including the rise of SSL VPNs. In this guide, I'll cover basic VPN models and protocols that are used in enterprises today. I'll also provide a view into how VPNs may evolve in the not-too-distant future.


  • Remote-access VPN

    Let’s quickly review the two primary types of VPN connectivity. The first type is a client-based or remote access form of VPN. This is when a client device such as a PC, tablet, or smartphone connects to a remote network over the Internet. Once a user initiates a connection to a remote network, that user must authenticate before specific network access is granted. Remote-access VPN is great for users who work from home or travel because the connections are dynamic on the client side, meaning the client device can be located with different IP addresses anywhere on the internet.

  • Site-to-site VPN

    The second type of VPN is the site-to-site VPN. These types of connections are used to extend transparent network access to a remote location or third-party network. These are static connections; if an IP address changes due to an office move or a change in internet service providers, the VPN tunnel configuration must be manually updated to reflect those changes. This is in contrast to the dynamic nature of a client-based VPN, which allows for dynamic changes to the client-side source IP address.

  • IPsec and SSL VPNs

    In a remote-access VPN, you’re likely to run across two different protocol types. The first is the classic IPsec (Internet Protocol Security) VPN, which requires client software. Once a user is authenticated and connected to the remote network through a VPN tunnel, access can be restricted, but only at a basic IP level. Because of the lack of granularity inherent in IPsec-based remote-access VPNs, many IT departments have migrated to an SSL VPN technology that allows administrators to restrict user access at the application level. Another benefit of SSL-based remote access VPNs is that you're not necessarily required to install third-party software on endpoints as you are with IPsec-based VPNs.

  • IPsec and DMVPN

    For site-to-site VPN connectivity, enterprises use a mix of IPsec tunnels and a technology called Dynamic Multipoint VPN (DMVPN).

    IPsec tunnels are a low-cost solution for critical remote sites to use as a backup connection that initiates if and when the primary dedicated WAN link, such as a private T1 or MPLS circuit, fails. The VPN tunnel automatically forms and maintains connectivity between the two networks until the primary link is restored. The problem with using IPsec VPN is that it is strictly a static point-to-point technology. Therefore, VPN networks based on IPsec were largely built as hub-and-spoke networks. This works, but becomes inefficient if you continuously route traffic from one spoke to another through the hub. This is where DMVPN helps.

    DMVPN bundles several technologies, including multipoint GRE tunnels and the Next Hop Resolution Protocol (NHRP), to move away from point-to-point connections and instead allow for a dynamic mesh architecture. DMVPN allows for the dynamic and direct connection of a GRE tunnel between two spokes. Thus, it eliminates complex static configurations and reduces potential traffic bottlenecks on hub VPN endpoints.

  • Emerging VPN technologies

    Even today’s more capable VPN technologies share a limitation: when the internet carries the traffic between locations, the VPN cannot steer data onto a better path in response to congestion or degradation. To solve this issue, several network vendors are merging the security of VPN with the flexibility and intelligence of SD-WANs.

    This emerging technology creates a framework that can quickly identify problematic paths and reroute traffic around those areas, which allows end-user data to use the most optimal path(s) in real time to provide the absolute best performance. SD-WANs can provide carrier-grade performance using a mix of low-cost internet and private WAN connectivity options. While some network vendors are allowing for the deployment and control of on-premises intelligent VPN solutions, there are plenty of others providing these technologies as cloud-based services.

    VPN technologies have certainly progressed over the past two decades. Technologies that were once simple, unintelligent connections that generally got the job done yet couldn’t be relied upon regularly have morphed into highly adaptive solutions that can provide carrier-class WAN performance at a fraction of the cost. Since WAN connectivity is an increasing cost burden for IT departments, expect to see more and more enterprise organizations choosing a next-gen intelligent VPN option in the near future.