Protocols give VPNs their rights of passage

A typical virtual private network has a gateway at each end of a path across a public network. A variety of products, such as VPN access servers, VPN routers and even computers loaded with VPN client software, can act as the gateways.

At the sending end, the gateway takes the original packet, header included, wraps it in a new outer header that carries the addressing and routing information needed to cross the public network, and sends it on its way. When the packet reaches its destination, the gateway or appliance at the other end strips the outer header (decapsulation) and forwards the original packet to the intended recipient.

The logical path through which the encapsulated packets travel the internetwork is called a tunnel. Tunneling, which covers the entire process of encapsulation, transmission and decapsulation, is nothing new. It has been around for years in various forms, including IBM Corp.'s Systems Network Architecture carried over IP networks and Novell Inc.'s Internetwork Packet Exchange tunneling across IP internetworks.

But three tunneling protocols, combined with authentication and encryption, have driven the growth of VPN services, particularly over the Internet:

  • Point-to-Point Tunneling Protocol (PPTP), which encapsulates PPP frames carrying IP, IPX or NetBEUI traffic inside IP datagrams (using GRE) so that they can cross the Internet or an enterprise intranet or extranet. PPTP has no encryption of its own; Microsoft's implementation pairs it with Microsoft Point-to-Point Encryption (MPPE), whose keys are derived from the MS-CHAP authentication exchange. That dependency was later shown to be weak, and PPTP is no longer considered secure for new deployments.

  • Layer 2 Tunneling Protocol (L2TP), which carries the same kinds of traffic over any medium that supports point-to-point datagram delivery, such as IP, X.25, frame relay or asynchronous transfer mode. L2TP by itself neither encrypts nor authenticates the tunneled packets; in practice it is run over IPsec (L2TP/IPsec) to obtain confidentiality and integrity.

  • IP Security (IPsec) tunnel mode, which encrypts the entire original IP packet, header included, and encapsulates it in a new IP header addressed between the two gateways, to be sent across the Internet or an enterprise intranet. Because the inner addresses sit inside the encrypted payload, an observer on the public network sees only gateway-to-gateway traffic.

A white paper by Microsoft Corp. says four security techniques are vital to any VPN system, regardless of the tunneling protocol it uses:

  • User authentication. It must verify a user's identity and restrict VPN access to authorized users. It must also provide audit and accounting records showing who used the VPN and with what privileges.

  • Address management. It must assign clients addresses on the private network and keep those addresses private.

  • Data encryption. It must render data carried on the public network unreadable to anyone other than the authorized endpoints.

  • Key management. It must generate encryption keys for the client and server and refresh them periodically, so that a compromised key exposes only a limited amount of traffic.
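The encapsulation described above (a whole inner packet wrapped in a new outer header carried between two gateways) and the data-encryption and key-management requirements in the list above, shown together as an added example in Go. This is not code from the original article or from any vendor it names; it is a constructed, ESP-like tunnel-mode encapsulation: the inner IPv4 packet is encrypted and authenticated with AES-GCM, prefixed with an SPI and sequence number that are bound in as associated data, and wrapped in an outer IPv4 header addressed from one gateway to the other. The type and function names (Tunnel, Encapsulate, Decapsulate, buildIPv4), the gateway and host addresses, the SPI and the key are all assumptions made for the example. The single high-water-mark replay check and the sequence-number-only nonce are simplifications of what RFC 4303 and RFC 4106 specify; the code illustrates the technique and is not a conforming IPsec implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const protoESP = 50 // IP protocol number for ESP

type Tunnel struct {
	local, remote net.IP
	spi           uint32
	seq           uint32      // last sequence number sent
	highestSeen   uint32      // highest authenticated sequence number received
	aead          cipher.AEAD // AES-GCM: confidentiality and integrity in one primitive
}

func NewTunnel(local, remote net.IP, spi uint32, key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{local: local.To4(), remote: remote.To4(), spi: spi, aead: aead}, nil
}

// buildIPv4 returns a minimal 20-byte IPv4 header plus payload (checksum left zero for brevity).
func buildIPv4(src, dst net.IP, proto byte, payload []byte) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, header length 5 words, no options
	binary.BigEndian.PutUint16(hdr[2:], uint16(20+len(payload)))
	hdr[8] = 64 // TTL
	hdr[9] = proto
	copy(hdr[12:], src.To4())
	copy(hdr[16:], dst.To4())
	return append(hdr, payload...)
}

// nonce: 96-bit GCM nonce from the sequence number, which never repeats within one SA (a real SA rekeys before wrap).
func nonce(seq uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

// Encapsulate wraps the whole inner packet, header included: SPI(4)|seq(4) as associated
// data, AES-GCM ciphertext+tag, then an outer IPv4 header between the two gateways.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], t.spi)
	binary.BigEndian.PutUint32(hdr[4:], t.seq)
	ct := t.aead.Seal(nil, nonce(t.seq), inner, hdr)
	return buildIPv4(t.local, t.remote, protoESP, append(hdr, ct...))
}

// Decapsulate validates the outer header, rejects replays, then authenticates and decrypts;
// the replay mark advances only after authentication succeeds, so a forgery cannot move it.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < 28+t.aead.Overhead() || outer[0] != 0x45 || outer[9] != protoESP {
		return nil, errors.New("not a well-formed ESP-in-IPv4 packet")
	}
	if !net.IP(outer[16:20]).Equal(t.local) {
		return nil, errors.New("not addressed to this gateway")
	}
	esp := outer[20:]
	seq := binary.BigEndian.Uint32(esp[4:])
	if binary.BigEndian.Uint32(esp[0:]) != t.spi {
		return nil, errors.New("unknown SPI")
	}
	if seq <= t.highestSeen { // single high-water mark; RFC 4303 uses a sliding window
		return nil, errors.New("replayed sequence number")
	}
	inner, err := t.aead.Open(nil, nonce(seq), esp[8:], esp[:8])
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	t.highestSeen = seq
	return inner, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key
	a, _ := NewTunnel(net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.1"), 0x1000, key)
	b, _ := NewTunnel(net.ParseIP("198.51.100.1"), net.ParseIP("203.0.113.1"), 0x1000, key)
	inner := buildIPv4(net.ParseIP("10.0.0.5"), net.ParseIP("10.1.0.9"), 6, []byte("constructed payload"))
	outer := a.Encapsulate(inner)
	got, err := b.Decapsulate(outer)
	fmt.Println("outer", net.IP(outer[12:16]), "->", net.IP(outer[16:20]), "inner intact:", string(got) == string(inner), err)
	_, err = b.Decapsulate(outer)
	fmt.Println("same packet replayed:", err)
}
```

The outer header carries only the two gateway addresses and protocol 50; the inner source and destination are inside the ciphertext, which is what the tunnel-mode description above means by hiding the private addresses. On receipt the cheap checks run first (addressing, SPI, sequence number) and the AEAD last, and the replay mark is updated only once the tag verifies, so a forged or tampered packet is dropped without disturbing state for the legitimate next packet.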

J.B. Miles
