access method for branch and SOHO sites. A virtual private network (VPN) is a concept that describes how to create a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide sender authentication, message integrity, and confidentiality by protecting against packet sniffing. VPNs can be implemented at Layers 2, 3, and 4 of the Open Systems Interconnection (OSI) model. Figure illustrates a typical VPN topology. Components required to establish a VPN include:

An existing network with servers and workstations
Connection to the Internet
VPN gateways (i.e., routers, PIX, ASA, VPN concentrators) that act as endpoints to establish, manage, and control VPN connections
Software to create and manage tunnels

The key to VPN technology is security. VPNs secure data by encapsulating the data, encrypting the data, or both encapsulating the data and then encrypting it:

Encapsulation is also referred to as tunneling because encapsulation transmits data transparently from network to network through a shared network infrastructure.
Encryption codes data into a different format. Decryption decodes encrypted data into the data’s original unencrypted format.

Encapsulation and encryption are discussed in more detail as this course progresses.

Content 3.1 Introducing VPN Technology 3.1.2 Overlay and Peer-to-Peer VPN Architecture In terms of evolution, there are two major VPN models: overlay VPN and peer-to-peer VPN. Overlay VPNs
Service providers (SPs) are the most common users of the overlay VPN model. The design and provisioning of virtual circuits (VC) across the backbone is complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service. The scaling issues of overlay VPNs present a challenge to SPs when they have to manage and provision a large number of circuits and tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is also complex and difficult to manage.
The overlay model includes L2 and L3 VPNs.

L2 overlay VPN: L2 overlay VPNs are independent of the network protocol used by the customer meaning that the VPN is not limited to carrying IP traffic. If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information. Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be useable on some services.
L3 overlay VPN: L3 Overlay VPNs most often use an “IP in IP” tunneling scheme using Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP security (IPsec). Figure summarizes the basic properties of these technologies.

CPE-Based VPN (Peer-to-Peer)
CPE-based VPN is another name for an L3 overlay VPN. The VPN is implemented using CPE, as shown in Figure . In this way, a customer creates a VPN across an Internet connection without any specific knowledge or cooperation from the service provider. The customer gains the advantage of increased privacy using an inexpensive Internet connection. This approach is not advantageous to the SP because there is little opportunity for VPN service revenue. However, SPs do charge a higher rate for “business class” Internet services applicable to medium to large enterprises. Also, some SPs offer “managed VPN” services where CPE configuration and Network Address Translation (NAT) address management are performed by the SP rather than by the customer. SP-Provisioned VPN
The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN. MPLS VPN provides simpler customer routing, simpler service provider provisioning and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow. This model uses three types of routers as shown in Figure :

The Provider (P) and the Customer Edge (CE) routers are assumed to be unaware of any VPN protocols or procedures.
Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.

Note that MPLS VPNs cannot replace all VPN implementations because MPLS only supports IP as the Layer 3 protocol. Other protocols including IPX and AppleTalk must be tunneled through the IP backbone.

Content 3.1 Introducing VPN Technology 3.1.3 VPN Topologies There are three VPN topologies to consider:

Remote Access VPN : Remote access VPNs provide remote users access to an intranet or extranet over a shared infrastructure. Mobile users, telecommuters, and branch offices can securely connect using dialup, Integrated Services Digital Network (ISDN), digital subscriber line (DSL), mobile IP, and cable technologies. Remote access VPNs use only a single VPN gateway. The party negotiating a secure connection with the VPN Gateway uses VPN client software. The VPN Client software allows telecommuters and traveling users to communicate on the central network and access servers from many different locations. Tunnels are created using either IPsec, Point to Point Tunneling Protocol (PPTP), Layer 2 Tunnel Protocol (L2TP), or Layer 2 Forwarding (L2F) Protocol.

Benefits: Remote access VPNs reduce long-distance charges that are associated with dialup access. Remote access VPNs also help increase productivity and confidence by ensuring secure network access regardless of an employee’s location.

Site-to-Site Intranet VPN : Site-to-site intranet VPNs link headquarters, remote offices, and branch offices to an internal network over a shared infrastructure using dedicated connections. Intranet VPNs differ from extranet VPNs in that intranet VPNs allow access only to trusted employees. With an intranet VPN, gateways at various physical locations within the same business negotiate secure tunnels across the Internet. An example of this type of VPN is a network that exists in several geographic locations, connecting to a data center or mainframe that has secure access through the Internet. Users from the networks on either side of the tunnel can communicate with one another as if the networks were a single network. These networks may need strong encryption and strict performance and bandwidth requirements. Tunnels are created using either IPsec, or IPsec/GRE.

Benefits: Site-to-site intranet VPNs offer cost savings over traditional leased-line or Frame Relay technologies.

Site-to-Site Extranet VPN : An extranet site-to-site VPN links outside customers, suppliers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure using dedicated connections. Extranet VPNs differ from intranet VPNs in that extranet VPNs allow access to users who are outside the enterprise. Extranet VPNs use firewalls in conjunction with VPN tunnels so that business partners are only able to gain secure access to specific data and resources while not gaining access to private corporate information. Benefits: Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability.

Content 3.1 Introducing VPN Technology 3.1.4 Characteristics of a Secure VPNs Security is the focus of any VPN design. VPNs can use advanced encryption techniques and tunneling to establish secure, end-to-end,