Types of virtual private networks
You can use VPN connections whenever you need a secure point-to-point connection to connect users or networks. Typical VPN connections are either Internet-based or intranet-based. This section covers both types.
Internet-based VPNs
By using an Internet-based VPN connection, you can avoid
long-distance and 1-800 telephone charges while taking advantage of the
global availability of the Internet.
Remote access over the Internet
Rather than making a long distance or 1-800 call to a corporate or outsourced network access server (NAS), a remote access client can call a local ISP. By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization's VPN server. Once the VPN connection is created, the remote access client can access the resources of the private intranet.
The following illustration shows remote access over the Internet.
Connecting networks over the Internet
When networks are connected over the Internet, a router
forwards packets to another router across a VPN connection. This is
known as a router-to-router VPN connection. To the routers, the VPN
operates as a data-link layer link.
Using dedicated WAN links
Rather than using an expensive long-distance dedicated WAN
link between branch offices, the branch office routers are connected to
the Internet by using local dedicated WAN links to a local ISP. A
router-to-router VPN connection is then initiated by either router
across the Internet. Once connected, routers can forward directed or
routing protocol traffic to each other by using the VPN connection.
Using dial-up WAN links
Rather than making a long distance or 1-800 call to a
corporate or outsourced NAS, a branch office router can call a local
ISP. By using the established connection to the local ISP, a
router-to-router VPN connection is initiated by the branch office router
to the corporate office router across the Internet. The corporate
office router acts as a VPN server and must be connected to a local ISP
by using a dedicated WAN link.
It is possible to have both the corporate office and the branch office connected to the Internet by using a dial-up WAN link. However, this is only feasible if the ISP supports demand-dial routing to customers: the ISP calls the customer router when an IP datagram is to be delivered to the customer. Demand-dial routing to customers is not widely supported by ISPs.
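The router-to-router cases above all share one mechanism: to each router the VPN connection is just another outgoing link in its routing table, and in the dial-up case that link is brought up only when a datagram needs it. The following is an added example, not code from the original documentation, modelling that behaviour in Python. The Router and Tunnel classes, the interface names ("isp", "corp", "lan"), the 10.1.0.0/16 and 10.2.0.0/16 networks and the 203.0.113.1 peer address are all constructed for the illustration. It models only the customer-side dial (the branch router initiates the tunnel when traffic for the corporate network arrives); the ISP-initiated callback that the text says is rarely supported is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Tunnel:
    """A router-to-router VPN connection as the router sees it: just another link."""
    name: str
    peer: str                 # public address of the remote VPN router (constructed)
    up: bool = False
    dial_count: int = 0       # how many times the link was brought up on demand
    forwarded: list = field(default_factory=list)


class Router:
    def __init__(self, name: str):
        self.name = name
        self.routes = []      # (destination network, outgoing interface), longest prefix first
        self.tunnels = {}     # interface name -> Tunnel

    def add_tunnel(self, name: str, peer: str) -> None:
        self.tunnels[name] = Tunnel(name, peer)

    def add_route(self, network: str, interface: str) -> None:
        self.routes.append((ipaddress.ip_network(network), interface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str):
        """Longest-prefix match; returns the outgoing interface name or None."""
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def forward(self, src: str, dst: str) -> str:
        iface = self.lookup(dst)
        if iface is None:
            return "dropped: no route"
        tunnel = self.tunnels.get(iface)
        if tunnel is None:
            return f"interface {iface}"
        if not tunnel.up:
            # Demand-dial: the VPN connection is initiated only when traffic needs it.
            tunnel.up = True
            tunnel.dial_count += 1
        tunnel.forwarded.append((src, dst))
        return f"tunnel {iface} -> {tunnel.peer}"

    def idle_timeout(self, name: str) -> None:
        """An idle demand-dial link is torn down; the next matching packet dials again."""
        self.tunnels[name].up = False


def run_demo() -> Router:
    # Constructed topology: branch office 10.2.0.0/16, corporate office 10.1.0.0/16,
    # branch router reaches the Internet through a local ISP link named "isp".
    branch = Router("branch")
    branch.add_tunnel("corp", peer="203.0.113.1")   # corporate VPN server (documentation address)
    branch.add_route("0.0.0.0/0", "isp")            # default route to the local ISP
    branch.add_route("10.1.0.0/16", "corp")         # corporate intranet via the VPN link
    branch.add_route("10.2.0.0/16", "lan")          # directly connected branch LAN

    branch.forward("10.2.0.9", "10.1.5.5")       # first corporate packet dials the tunnel
    branch.forward("10.2.0.9", "10.1.5.6")       # link already up, no second dial
    branch.idle_timeout("corp")
    branch.forward("10.2.0.9", "10.1.5.5")       # dials again after the idle timeout
    branch.forward("10.2.0.9", "198.51.100.7")   # ordinary Internet traffic stays on the ISP link
    return branch


if __name__ == "__main__":
    r = run_demo()
    print("dials:", r.tunnels["corp"].dial_count, "tunnelled:", r.tunnels["corp"].forwarded)
```

Running it shows two dials for three tunnelled packets: the second packet reuses the link that the first one brought up, and only the idle timeout forces a new dial. Traffic for the Internet never touches the tunnel because the more specific 10.1.0.0/16 route wins only for corporate destinations.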
Intranet-based VPNs
The intranet-based VPN connection takes advantage of IP connectivity on an organization intranet.
Remote access over an intranet
On some organization intranets, the data of a department, such as a human resources department, is so sensitive that the department's network is physically disconnected from the rest of the organization's intranet. While this protects the department's data, it creates information accessibility problems for those users who are not physically connected to the separate network.
With a VPN connection, the department's network is physically connected to the organization intranet but separated by a VPN server. The VPN server does not provide a direct routed connection between the organization intranet and the department's network. Users on the organization intranet with the appropriate user rights can establish a remote access VPN connection with the VPN server and access the protected resources of the sensitive department's network. Additionally, all communication across the VPN connection is encrypted for data confidentiality. For those users who do not have the user rights to establish a VPN connection, the department's network is hidden from view.
The following illustration shows remote access over an intranet.
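The design above rests on three properties: the VPN server never routes plain intranet packets into the department network, only users holding the right to establish a VPN connection get a tunnel, and everything inside the tunnel is encrypted and integrity-checked. The following is an added example, not code from the original documentation, that models those three properties in Python. The VpnServer class, the 10.50.0.0/24 department network, the user directory (alice holds the right, bob does not) and the toy SHA-256 counter-mode cipher are all constructed for the illustration; the cipher stands in for whatever the real VPN protocol negotiates and is not a substitute for it.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Constructed addressing: the sensitive department sits behind the VPN server.
DEPARTMENT_NET = ipaddress.ip_network("10.50.0.0/24")
# Constructed directory: which intranet users hold the right to establish a VPN connection.
VPN_RIGHT = {"alice": True, "bob": False}


@dataclass
class Session:
    user: str
    key: bytes


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); illustrative only, not a real VPN cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce; layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key + nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify (tampered or wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key + nonce, len(ct))))


class VpnServer:
    def __init__(self):
        self.sessions = {}   # session id -> Session
        self.audit = []      # decisions a defender would want logged

    def connect(self, user: str):
        """Remote access request from an intranet host; only users with the right get a tunnel."""
        if not VPN_RIGHT.get(user, False):
            self.audit.append(f"DENY  vpn-connect user={user}")
            return None
        sid = len(self.sessions) + 1
        self.sessions[sid] = Session(user, os.urandom(32))
        self.audit.append(f"ALLOW vpn-connect user={user} session={sid}")
        return sid

    def route_plain(self, src: str, dst: str) -> str:
        """A plain intranet packet: the server is not a router into the department network."""
        if ipaddress.ip_address(dst) in DEPARTMENT_NET:
            self.audit.append(f"DROP  plain {src}->{dst}: no direct route to department net")
            return "dropped"
        return "forwarded on intranet"

    def route_tunnel(self, sid, dst: str, blob: bytes) -> str:
        """A packet arriving inside an established tunnel."""
        sess = self.sessions.get(sid)
        if sess is None:
            return "dropped"
        payload = unseal(sess.key, blob)
        if payload is None:
            self.audit.append(f"DROP  tunnel session={sid}: integrity check failed")
            return "dropped"
        if ipaddress.ip_address(dst) not in DEPARTMENT_NET:
            return "dropped"   # the tunnel exists only to reach the department network
        self.audit.append(f"ALLOW tunnel session={sid} user={sess.user} -> {dst} {len(payload)} bytes")
        return f"delivered to {dst}"


def run_demo() -> dict:
    server = VpnServer()
    results = {"bob": server.connect("bob")}             # no right: refused, network stays hidden
    sid = server.connect("alice")
    client_key = server.sessions[sid].key                # key shared at tunnel setup (modelled)
    results["plain"] = server.route_plain("10.0.3.7", "10.50.0.10")
    results["tunnel"] = server.route_tunnel(sid, "10.50.0.10", seal(client_key, b"GET /payroll"))
    tampered = bytearray(seal(client_key, b"GET /payroll"))
    tampered[20] ^= 1                                    # flip one ciphertext bit in transit
    results["tampered"] = server.route_tunnel(sid, "10.50.0.10", bytes(tampered))
    results["audit"] = server.audit
    return results


if __name__ == "__main__":
    for line in run_demo()["audit"]:
        print(line)
```

The audit list is the part worth keeping in a real deployment: the denied connection attempt, the dropped plain packet and the failed integrity check are exactly the events that tell an operator someone is probing the department network from the wrong side of the VPN server.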
Connecting networks over an intranet
You can also connect two networks over an intranet by using a router-to-router VPN connection. Organizations with departments in separate locations, whose data is highly sensitive, may use a router-to-router VPN connection to communicate with each other.
For example, the finance department might need to communicate with the human resources department to exchange payroll information. The finance department and the human resources department are connected to the common intranet with computers that can act as VPN routers. Once the VPN connection is established, users on computers on either network can exchange sensitive data across the corporate intranet.
The following illustration shows connecting networks over an intranet.