Lesson 12: Understanding Virtual Private Networks
What Are VPNs? | VPN Technologies | Access, Intranet, and Extranet VPNs | VPN Examples
The Intranet VPN
Intranet VPNs: Link corporate headquarters,
remote offices, and branch offices over a shared infrastructure
using dedicated connections. Businesses enjoy the same policies
as a private network, including security, quality of service
(QoS), manageability, and reliability.

The benefits of an intranet VPN are as follows:
- Reduced WAN bandwidth costs
- Easy connection of new sites
- Increased network uptime by enabling WAN link redundancy across service providers
Building an intranet VPN using the Internet is the most cost-effective
means of implementing VPN technology. Service levels, however,
are generally not guaranteed on the Internet. When implementing
an intranet VPN, corporations need to assess which trade-offs
they are willing to make between guaranteed service levels,
network ubiquity, and transport cost. Enterprises requiring
guaranteed throughput levels should consider deploying their
VPNs over a service provider's end-to-end IP network, or,
potentially, Frame Relay or ATM.
The Extranet VPN

Extending connectivity to corporate partners
and suppliers is expensive and burdensome in a private network
environment. Expensive dedicated connections must be extended
to the partner, management and network access policies must
be negotiated and maintained, and often compatible equipment
must be installed on the partner's site. When dial access
is employed, the situation is equally complicated because
separate dial domains must be established and managed. Due
to the complexity, many corporations do not extend connectivity
to their partners, resulting in complicated business procedures
and reduced effectiveness of their business relationships.
One of the primary benefits of a VPN WAN architecture is the
ease of extranet deployment and management. Extranet connectivity
is deployed using the same architecture and protocols utilized
in implementing intranet and remote access VPNs. The primary
difference is the access permission extranet users are granted
once connected to their partner's network.
Intranet and Extranet VPNs
Intranet and extranet VPN services based
on IPSec, GRE, and mobile IP create secure tunnels across
an IP network. These technologies leverage industry standards
to establish secure, point-to-point connections in a mesh
topology that is overlaid on the service provider's IP network
or the Internet. They also offer the option to prioritize
applications. An IPSec architecture in particular implements the
IETF proposed standard for IP-based encryption and enables
encrypted tunnels from the access point to and across the
intranet or extranet.
An alternative approach to intranet and extranet VPNs is to
establish virtual circuits across an ATM or Frame Relay backbone.
With this architecture, privacy is accomplished with permanent
virtual circuits (PVCs) instead of tunnels. Encryption is
available for additional security as an optional feature,
but more commonly, it is applied as needed by individual applications.
Virtual circuit architectures provide prioritization through
quality of service for ATM and committed information rate
for Frame Relay.
Finally, in addition to IP tunnels and virtual circuits, intranet
and extranet VPNs can be deployed with a Tag Switching/MPLS
architecture. Tag Switching is a switching mechanism created
by Cisco Systems and introduced to the IETF under the name
MPLS. MPLS has been adopted as an industry standard for converging
IP and ATM technologies.
A VPN built with Tag Switching/MPLS affords broad scalability
and flexibility across any backbone choice whether IP, ATM,
or multivendor. With Tag Switching/MPLS, packets are forwarded
based on a VPN-based address that is analogous to mail forwarded
with a postal office zip code. This VPN identifier in the
packet header isolates traffic to a specific VPN. Tag Switching/MPLS
solves peer adjacency scalability issues that occur with large
virtual circuit topologies. It also offers granularity to
the application for priority and bandwidth management, and
it facilitates incremental multiservice offerings such as
Internet telephony, Internet fax, and videoconferencing.
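As an added illustration (not part of the original lesson), the following Python models the per-VPN forwarding described above: the VPN identifier carried with the packet selects which forwarding table the destination is looked up in, so two VPNs can reuse overlapping private address space without their traffic mixing. The VPN names, prefixes and next-hop labels are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: one forwarding table per VPN identifier on a provider edge router.
# Each table maps a destination prefix to a next hop. Note that 10.1.0.0/16 appears in
# both VPNs; the identifier, not the address alone, decides where the packet goes.
VPN_TABLES = {
    "vpn-acme": {
        ip_network("10.1.0.0/16"): "pe-chicago",
        ip_network("10.1.9.0/24"): "pe-boston",   # more specific route inside 10.1.0.0/16
        ip_network("10.2.0.0/16"): "pe-denver",
    },
    "vpn-supplier": {
        ip_network("10.1.0.0/16"): "pe-seattle",  # same prefix, different customer
    },
}


def forward(vpn_id, dst):
    """Return the next hop for dst, consulting only the table that belongs to vpn_id.

    Uses longest-prefix match within that one table. Returns None when the VPN is
    unknown or holds no matching route: a packet never falls through to another
    VPN's table, which is what keeps the VPNs isolated from each other.
    """
    table = VPN_TABLES.get(vpn_id)
    if table is None:
        return None
    addr = ip_address(dst)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return table[best]


if __name__ == "__main__":
    # Same destination address, different VPN identifier, different next hop.
    print(forward("vpn-acme", "10.1.5.5"))       # pe-chicago
    print(forward("vpn-supplier", "10.1.5.5"))   # pe-seattle
    # A route that exists only in vpn-acme is not reachable from vpn-supplier.
    print(forward("vpn-supplier", "10.2.5.5"))   # None
```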
Comparing the Types

Access VPNs are differentiated from intranet
and extranet VPNs primarily by the connectivity method into
the network. While an access VPN refers to dialup (or part-time)
connectivity, an intranet or extranet VPN may contain both
dialup and dedicated links.
The distinction between intranet and extranet VPNs is essentially
in the users that will be connecting to the network and the
security restrictions that each will be subject to.