Open the world to yourself

Custom Search

Your IP is

VPN Architecture

Using VPNs, an organization can help secure private network traffic over an unsecured network, such as the Internet. VPN helps provide a secure mechanism for encrypting and encapsulating private network traffic and moving it through an intermediate network. Data is encrypted for confidentiality, and packets that might be intercepted on the shared or public network are indecipherable without the correct encryption keys. Data is also encapsulated, or wrapped, with an IP header containing routing information.

VPNs help enable users working at home, on the road, or at a branch office to connect in a secure fashion to a remote corporate server using the Internet. From the users perspective, the VPN is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate network, the Internet, is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.

There are a number of ways to use VPN. The most common scenario is when a remote user accesses a private network across the Internet using a remote access VPN connection. In another scenario, a remote office connects to the corporate network using either a persistent or an on-demand site-to-site VPN connection (also known as a router-to-router VPN connection).

Each of these VPN scenarios can be deployed to provide connectivity over a public network, such as the Internet, or over a private intranet. VPN connections can also be deployed in an extranet scenario to communicate securely with business partners. An extranet functions as an intranet that can be securely shared with a designated business partner.

With both the remote access and site-to-site connections, VPNs enable an organization to replace long distance dial-up or leased lines with local dial-up or leased lines to an Internet service provider (ISP).

Remote access VPN

A remote access VPN connection is made by a remote access client. A remote access client is a single computer user who connects to a private network from a remote location. The VPN server provides access to the resources of the network to which the VPN server is connected. The packets sent across the VPN connection originate at the VPN client.

The VPN client authenticates itself to the VPN server and, for mutual authentication, the VPN server authenticates itself to the VPN client.

Site-to-Site VPN Connections over an Intranet

Two networks can be connected over an intranet using a site-to-site VPN connection. This type of VPN connection might be necessary, for example, for two departments in separate locations, whose data is highly sensitive, to communicate with each other. For instance, the finance department might need to communicate with the human resources department to exchange payroll information.

The finance department and the human resources department are connected to the common intranet with computers that can act as VPN clients or VPN servers. When the VPN connection is established, users on computers on either network can exchange sensitive data across the corporate intranet.

The following figure shows two networks connected over an intranet.

Site-to-site VPN

A site-to-site VPN connection connects two portions of a private network or two private networks. For example, this allows an organization to have routed connections with separate offices, or with other organizations, over the Internet. A routed VPN connection across the Internet logically operates as a dedicated Wide Area Network (WAN) link.

The VPN server provides a routed connection to the network to which the VPN server is attached. On a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router.

Internet-based VPN Connections

Using an Internet-based VPN connection, an organization can avoid long-distance charges while taking advantage of the global availability of the Internet. The intranet-based VPN connection takes advantage of IP connectivity in an organization’s Local Area Network (LAN).

Remote Access VPN Connections over the Internet

A remote access VPN connection over the Internet enables a remote access client to initiate a dial-up connection to a local ISP instead of connecting to a corporate or outsourced network access server (NAS). By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization’s VPN server. When the VPN connection is created, the remote access client can access the resources of the private intranet. The following figure shows remote access over the Internet. In some organization intranets, the data of a department, such as human resources, is so sensitive that the network segment of the department is physically disconnected from the rest of the intranet. While this protects the data of the human resources department, it creates information accessibility problems for authorized users not physically connected to the separate network segment.

VPN connections help provide the required security to enable the network segment of the human resources department to be physically connected to the intranet. In this configuration, a VPN server can be used to separate the network segments. The VPN server does not provide a direct routed connection between the corporate intranet and the separate network segment. Users on the corporate intranet with appropriate permissions can establish a remote access VPN connection with the VPN server and gain access to the protected resources. Additionally, all communication across the VPN connection is encrypted for data confidentiality. For those users who are not authorized to establish a VPN connection, the separate network segment is hidden from view.

The following figure shows remote access over an intranet.

Home Privacy Policy Terms of Use Contact US Contact Us