virtual private network (VPN)

Definition of virtual private network (VPN) in The Network Encyclopedia.

What is a Virtual Private Network (VPN)?

Generally, a Virtual Private Network, or VPN, is a technology for connecting the components and resources of one network over another. In common usage, a virtual private network (VPN) is a private corporate network whose wide area network (WAN) connections are made over a shared public network, usually the Internet. A common telecommunications carrier provides connectivity that behaves like dedicated lines, but the network backbone is actually shared among all users, as in any public network. VPNs are usually more cost-effective for companies than providing traditional remote access to remote employees through modem pools, dedicated phone lines, and toll-free numbers.

How It Works

VPNs use tunneling technologies to allow users to reach private network resources through the Internet or another public network, with the aim of giving remote users the same access controls and features formerly available only on the private network itself. Tunneling solutions are typically based on Microsoft's Point-to-Point Tunneling Protocol (PPTP) or on the Layer 2 Tunneling Protocol (L2TP), an IETF standard that combined Cisco Systems' Layer 2 Forwarding (L2F) with PPTP, depending on resources and requirements. Note that the protection a tunnel provides is only as strong as its authentication and encryption: PPTP on its own relies on MS-CHAP and the PPP encryption keys derived from it, and both MS-CHAP version 1 and version 2 have since been shown to be breakable offline from a captured exchange, so a tunnel built on them should not be regarded as confidential against an attacker who can observe the public network.

You can use Internet Connection Services for Microsoft Remote Access Service (RAS), which is included in the Microsoft Windows NT Option Pack, to build VPNs and give employees remote access to the corporate network over the Internet. With Windows NT and its built-in support for PPTP, network administrators must configure two computers on the corporate network:

  • A dedicated PPTP server for providing secure, encrypted tunneling of IP packets
  • An Internet Authentication Service (IAS) computer that automatically integrates with the company’s domain controller to remotely authenticate employees

The Internet service provider (ISP) that provides the far-end tunneling connection services for VPN customers can install a Remote Authentication Dial-In User Service (RADIUS) proxy server and configure it to recognize authentication requests from the customer's remote employees (typically by the realm in the user name, such as the part after "@") and forward these requests to IAS on the customer's private network. In this way, the VPN customer keeps control over remote access permissions for all of its employees, and the ISP never needs a copy of the customer's credentials.

The ISP can implement other tools from Internet Connection Services for RAS, including the following:

  • Connection Manager:
    By using the Connection Manager Administration Kit, ISPs can build custom preconfigured dialers for their VPN customers' employees. These dialers make the connection experience simple and consistent for remote employees by supporting PPTP, including corporate and ISP support numbers, and including customized Help files. Employees only have to enter their username and password to use these dialers; the dialer does everything else.


  • Connection Point Services:
    This tool allows new corporate and ISP access numbers to be automatically transferred to each employee through the Connection Manager dialer, providing phone books that are always up to date.


Once everything is set up and configured on the corporate network and at the ISP, remote employees can establish connections to their private corporate networks from anywhere in the world by dialing a local access number for their ISP. The RADIUS proxy server at the ISP forwards their authentication requests to IAS on the corporate network, which uses the corporate domain controller to decide whether to grant access to resources on the corporate network. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authenticates the remote employee to the PPTP server on the corporate network and supplies the keys for the tunnel's PPP encryption. The entire process is transparent to remote employees; as far as they are concerned, they appear to have a local area network (LAN) connection to the corporate network.
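The ISP-side RADIUS proxy described above has one security-relevant job: decide from the User-Name realm which customer's IAS server a request belongs to, and re-protect the request under the shared secret for that server rather than the one it shares with the network access server. The following is an added example, not code from the page or from Microsoft's products, of that forwarding step over a RADIUS Access-Request as laid out in RFC 2865. The realm table, server addresses, shared secrets and user names are all constructed for the example. It uses a PAP-style User-Password attribute because that is the one attribute a proxy must decrypt and re-encrypt; with MS-CHAP the credential material travels in Microsoft vendor-specific attributes, which a proxy forwards unchanged.

```python
"""Toy RADIUS proxy: realm-based forwarding of an Access-Request (RFC 2865).

Added example; all secrets, addresses and names below are constructed.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_PROXY_STATE = 33

# Constructed secrets: one shared with the ISP's NAS, one per customer IAS.
NAS_SECRET = b"isp-nas-secret"
REALM_TABLE = {  # realm -> (home RADIUS server, secret shared with it)
    "corp.example": ("10.1.1.5:1812", b"corp-ias-secret"),
}


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs (1-byte type, 1-byte length)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    """Parse RADIUS TLVs, rejecting a length that runs past the packet."""
    attrs, i = [], 0
    while i < len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; the chaining value is the ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def nas_request(user, password, ident=7):
    """What the ISP's network access server would send to the proxy (constructed)."""
    req_auth = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(NAS_SECRET, req_auth, password)),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ]
    return build_packet(CODE_ACCESS_REQUEST, ident, req_auth, attrs)


def proxy_access_request(pkt, nas_secret=NAS_SECRET, realm_table=REALM_TABLE):
    """Return (home_server, forwarded_packet), or None if the request is not for a known realm."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != CODE_ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied here")
    user = next((v for t, v in attrs if t == ATTR_USER_NAME), None)
    if user is None or b"@" not in user:
        return None  # no realm: not one of the VPN customers' employees
    realm = user.rsplit(b"@", 1)[1].decode("ascii", "replace")
    if realm not in realm_table:
        return None  # unknown realm: drop rather than guess a home server
    home, home_secret = realm_table[realm]
    new_auth = os.urandom(16)  # fresh Request Authenticator for the new hop
    forwarded = []
    for t, v in attrs:
        if t == ATTR_USER_PASSWORD:
            # Decrypt under the NAS secret, re-encrypt under the home server's secret.
            v = hide_password(home_secret, new_auth,
                              reveal_password(nas_secret, req_auth, v))
        forwarded.append((t, v))
    # Proxy-State lets the proxy match the home server's reply to the NAS request.
    forwarded.append((ATTR_PROXY_STATE, struct.pack("!B", ident)))
    return home, build_packet(code, ident, new_auth, forwarded)


if __name__ == "__main__":
    home, fwd = proxy_access_request(nas_request(b"alice@corp.example", b"s3cret"))
    print("forward to", home, "-", len(fwd), "bytes")
```

The proxy never learns more than it must: it sees the password only transiently while re-encrypting it, and it holds no copy of the customer's user database, which is the division of responsibility the page describes. The User-Name is forwarded with its realm intact; stripping the realm before the domain controller lookup is left to IAS on the customer side.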

NOTE

Microsoft Windows 98 clients can also use PPTP to connect to VPNs. The Windows 98 client makes two connections to establish a VPN tunnel:

  • A physical connection to a network access server at an ISP using Dial-Up Networking and the Point-to-Point Protocol (PPP). This connection is needed only if you use a nondedicated dial-up connection.
  • A logical connection to the VPN tunnel server using the PPTP control and data protocols. This is the only connection required if you have a dedicated connection to the ISP.

Microsoft Windows 2000 includes support for VPNs similar to that provided by Windows NT, along with the following enhancements:

  • L2TP, which, when used with Windows 2000 Internet Protocol Security (IPSec), provides an alternate method to PPTP for creating secure VPNs
  • Remote access policies to provide flexibility in configuring connection attributes and access permissions
  • Version 2 of the MS-CHAP authentication protocol, which corrects several of the weaknesses of version 1 (note that MS-CHAP version 2 has itself since been shown to be breakable offline from a captured exchange, so certificate- or smart-card-based EAP is the stronger choice where it is available)
  • Account lockout to help protect against dictionary attacks on passwords
  • The new Extensible Authentication Protocol (EAP), which allows newer authentication methods such as smart cards to be integrated for VPN use
