Protocols give VPNs their rights of passage

A typical virtual private network has gateways at both ends of a public network. A variety of products, such as VPN access servers, VPN routers and even computers loaded with VPN client software, can act as the gateways.

At one end of the network, frames of data are encapsulated, given headers and routing information, and sent on their way. When they reach their destination, the gateway or appliance at the other end decapsulates the data frames (strips the added headers) and forwards them to the intended recipient.

The logical path through which the encapsulated packets travel the internetwork is called a tunnel. Tunneling, which includes the entire process of encapsulation, transmission and decapsulation, is nothing new. It has been around for years in various forms, including IBM Corp.'s Systems Network Architecture over IP networks and Novell Inc.'s Internet Packet Exchange tunneling for IP internetworks.

But three important tunneling protocols with high-level encryption and security features have revolutionized the growth of VPN services, particularly over the Internet:

  • Point-to-Point Tunneling Protocol, which facilitates the encryption and encapsulation of IP, IPX and NetBEUI traffic into an IP header so that it can be sent safely over the Internet, or an enterprise intranet or extranet.

  • Layer 2 Tunneling Protocol, which allows the same type of traffic to be encrypted and sent over any medium that supports point-to-point datagram delivery, such as IP, X.25, frame relay or asynchronous transfer mode.

  • IP Security Tunnel Mode, which allows IP data payloads to be encrypted and then encapsulated in an IP header to be sent across the Internet or an enterprise intranet.

A white paper by Microsoft Corp. says four security techniques are vital to any VPN system, regardless of the tunneling protocols it uses:

  • User authentication. It must verify a user's identity and restrict VPN access to authorized users. It also must provide audit and accounting records on user privileges.

  • Address management. It must assign and keep private clients' addresses on the private network.

  • Data encryption. It must render data carried on the public network unreadable to unauthorized clients.

  • Key management. It must generate and refresh encryption keys for the client and server.
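The encapsulation and decapsulation steps described above, together with the encryption and address concerns in Microsoft's list, as an added example in Go that is not part of the original article or of any product it names: a simplified ESP-style tunnel-mode association between two gateways. It assumes a pre-shared AES-GCM key, nonce salt and SPI agreed out of band (key management itself is not shown), leaves the outer IPv4 checksum zero, and uses a constructed layout rather than the exact IPsec ESP wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Tunnel is one direction of a constructed, simplified ESP-style tunnel-mode association.
type Tunnel struct {
	aead             cipher.AEAD // AES-GCM under a key shared by the two gateways
	salt             [4]byte     // nonce prefix: nonce = salt || sequence number
	spi              uint32      // security parameter index, sent in the clear
	sendSeq, recvSeq uint64      // counters for nonce uniqueness and anti-replay
}

func NewTunnel(key []byte, salt [4]byte, spi uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Tunnel{aead: aead, salt: salt, spi: spi}, nil
}

// Encapsulate: outer IPv4 header (gateway addresses, protocol 50 = ESP, checksum left 0)
// | SPI | seq | AES-GCM(entire inner packet); SPI and seq are authenticated, not encrypted.
func (t *Tunnel) Encapsulate(gwSrc, gwDst [4]byte, inner []byte) []byte {
	t.sendSeq++
	hdr := binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, t.spi), t.sendSeq)
	esp := t.aead.Seal(hdr, binary.BigEndian.AppendUint64(t.salt[:], t.sendSeq), inner, hdr)
	ip := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, 50, 0, 0} // ver/IHL, len, id, frag, TTL, proto, csum
	binary.BigEndian.PutUint16(ip[2:], uint16(20+len(esp)))
	return append(append(append(ip, gwSrc[:]...), gwDst[:]...), esp...)
}

// Decapsulate drops non-ESP, foreign-SPI and replayed packets, then authenticates and decrypts.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < 32 || outer[9] != 50 || binary.BigEndian.Uint32(outer[20:]) != t.spi ||
		binary.BigEndian.Uint64(outer[24:]) <= t.recvSeq {
		return nil, errors.New("dropped: not ESP for this association, or replayed sequence number")
	}
	seq := binary.BigEndian.Uint64(outer[24:])
	inner, err := t.aead.Open(nil, binary.BigEndian.AppendUint64(t.salt[:], seq), outer[32:], outer[20:32])
	if err != nil {
		return nil, errors.New("integrity check failed: tampered or wrong key")
	}
	t.recvSeq = seq
	return inner, nil
}
```

On the wire only the gateway addresses, SPI and sequence number are visible; the inner packet's private addresses and payload are recovered intact by the far gateway, while a replayed or modified packet is rejected before anything is forwarded.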



J.B. Miles
