Microsoft Windows 2000 Server Administrators Companion (IT-Administrators Companion)
A virtual private network (VPN) is an extension of a private network across a public network such as the Internet. Using a VPN, connections across the public network can transfer data in a form that resembles a private point-to-point link. VPNs use the routing infrastructure of the Internet, but to the user it appears as though the data were being sent over a dedicated private link.
The appeal of a VPN is the Internet and its global presence. Communication links can be made quickly and cheaply across the world, and securely as well, provided the tunnel is configured with strong authentication and encryption. Dedicated private lines aren't required. In 1997, VPNs made up just 0.2 percent of total domestic network connections, according to Infonetics Research, a firm in San Jose, California that specializes in networking. Infonetics predicts that by the end of 2001, more than 27 percent of all U.S. connections will be made via VPNs.
REAL WORLD When a VPN Isn't Appropriate
While VPNs are great methods of connectivity for branch offices and remote users of every stripe, there are conditions under which a VPN isn't appropriate:
- When performance at any price is the primary concern
- When most of the traffic is real-time traffic such as voice and video, which needs consistent latency that the Internet does not guarantee
- When an application depends on protocols that cannot be carried over TCP/IP
In these situations, a dedicated private line is almost always the best choice.
How VPNs Work
In a virtual private network, both ends of the connection make a link to the Internet. (Technically, they can link to any public network, but it's almost always the Internet.) The link can take the usual forms: a regular telephone line, an ISDN line, or a dedicated line of some sort. Instead of sending a packet as the originating node produces it, the VPN software uses a tunneling protocol to encapsulate the packet inside an additional header. The header provides routing information so that the encapsulated data can traverse the intermediate internetwork. For privacy, the encapsulated data is encrypted, so that anyone who intercepts the packets cannot decrypt them without the encryption keys. Keep in mind that the encapsulation by itself provides no privacy; the encryption is a separate step, and its strength depends on how the keys are established (for PPTP, from the user's password-based authentication; for L2TP/IPSec, from the IPSec negotiation).
This technology allows a remote user in Connecticut, for example, to establish a dial-up connection with any ISP and, through that connection, reach a server on the company network in California. It's quick, it's cheap, and it's easy to set up. Figure 31-2 shows a VPN set up so that traveling employees, telecommuters in home offices, and employees in branch offices can all connect to the main network at a company's headquarters. Each component connects to the ISP through a different type of communications channel, but all are part of the same VPN. Figure 31-3 shows a more typical VPN, in which the connection is made from one router to another.
Figure 31-2. A virtual private network.
Figure 31-3. A router-to-router VPN.
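The encapsulation described above is easiest to see in bytes. The following is an added example, not code from the book or from Windows 2000: it builds one PPTP data packet by hand (RFC 2637 "enhanced GRE" around a PPP frame around the original IP datagram), then parses it back with the checks a receiver must make. The addresses, call ID and payload are constructed, and no MPPE encryption is applied, which is exactly the point: after encapsulation the inner datagram is still readable by anyone on the path.

```python
"""PPTP data-channel encapsulation built and parsed by hand (RFC 2637,
"enhanced GRE").  Added example: not code from the book or from Windows 2000;
addresses, call ID and payload below are constructed."""
import ipaddress
import struct

IPPROTO_GRE = 47            # outer IP protocol number used by PPTP data
GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPP (RFC 2637 section 4.1)
PPP_PROTO_IPV4 = 0x0021     # PPP protocol number for an unencrypted IPv4 datagram
PPP_PROTO_MPPE = 0x00FD     # PPP protocol number for an MPPE-encrypted datagram


def ipv4_header(src, dst, proto, payload_len, ident=0x1234):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                                0x4000, 64, proto, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    struct.pack_into("!H", hdr, 10, (~total) & 0xFFFF)
    return bytes(hdr)


def encapsulate_pptp(inner, call_id, seq, outer_src, outer_dst):
    """Wrap one IP datagram the way a PPTP peer does: PPP framing, then the
    enhanced GRE header, then an outer IP header that the Internet routes on.
    The inner datagram goes in as-is; MPPE encryption is a separate PPP-layer
    step and is deliberately not applied here."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + inner
    # byte 0: C=0 R=0 K=1 S=1 s=0 Recur=0 -> 0x30;  byte 1: A=0, version=1 -> 0x01
    # key field = payload length (16 bits) | call ID (16 bits), then sequence number
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(ppp), call_id, seq)
    body = gre + ppp
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(body)) + body


def decapsulate_pptp(packet):
    """Parse outer IPv4 + enhanced GRE with the checks a receiver must make.
    Returns (outer_src, outer_dst, call_id, seq, ppp_proto, inner_datagram)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    gre = packet[ihl:]
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, ptype, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if (ver & 0x07) != 1 or ptype != GRE_PROTO_PPP or not flags & 0x20:
        raise ValueError("not a PPTP enhanced GRE header")
    off, seq = 8, None
    if flags & 0x10:                      # S bit: sequence number present
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if ver & 0x80:                        # A bit: acknowledgment number present
        off += 4
    ppp = gre[off:off + plen]
    if len(ppp) != plen or plen < 2:
        raise ValueError("GRE payload length does not match the key field")
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return outer_src, outer_dst, call_id, seq, ppp_proto, ppp[2:]


def inner_visible_on_the_wire(packet):
    """True when the tunneled datagram rides in plain PPP (protocol 0x0021):
    encapsulation alone gives routing, not privacy."""
    return decapsulate_pptp(packet)[4] != PPP_PROTO_MPPE


# Constructed sample: a datagram from a remote client's private address to a
# server on the corporate LAN, tunneled between the client's ISP-assigned
# address and the VPN server's public address (all addresses are examples).
INNER = ipv4_header("10.1.1.50", "10.1.1.1", 6, 14) + b"GET / HTTP/1.0"
TUNNELED = encapsulate_pptp(INNER, call_id=7, seq=1,
                            outer_src="198.51.100.23", outer_dst="203.0.113.10")

if __name__ == "__main__":
    src, dst, cid, seq, proto, inner = decapsulate_pptp(TUNNELED)
    print("outer %s -> %s, call %d, seq %d, PPP protocol 0x%04X" % (src, dst, cid, seq, proto))
    print("inner datagram recovered intact:", inner == INNER)
    print("payload readable by anyone on the path:", inner_visible_on_the_wire(TUNNELED))
```

The only addresses a router on the Internet ever looks at are the outer pair; the inner 10.x addresses are just payload. That is the whole trick of tunneling, and it is also why the separate encryption step matters: a capture of TUNNELED contains the HTTP request in the clear.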
Components of a VPN
A VPN connection in Windows 2000 consists of a VPN server, a VPN client, a VPN connection (the portion of the connection in which the data is encrypted), and the tunnel (the portion of the connection in which the data is encapsulated). The tunneling is done through one of the tunneling protocols included with Windows 2000, both of which are installed with Routing and Remote Access:
- Point-to-Point Tunneling Protocol (PPTP) An extension of the Point-to-Point Protocol (PPP), which has been in use for many years; PPTP first shipped with Windows NT 4. PPTP uses a TCP control connection on port 1723 and carries the tunneled PPP frames in GRE (IP protocol 47), so a firewall in front of the VPN server must pass both. Encryption is done inside the PPP layer by Microsoft Point-to-Point Encryption (MPPE), with keys derived from the user's authentication, so the protection is no stronger than the user's password.
- Layer Two Tunneling Protocol (L2TP) A combination of PPTP and Layer Two Forwarding (L2F), a tunneling protocol developed by Cisco Systems. L2TP itself (UDP port 1701) only tunnels; it has no encryption of its own. Windows 2000 protects it with Internet Protocol security (IPSec), so the VPN client and server must support both L2TP and IPSec, and because Windows 2000 authenticates the IPSec security association with computer certificates, both ends need a certificate from a trusted certification authority.
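A practical consequence of the two protocols' different wire formats is that a perimeter filter or intrusion detection sensor can tell them apart, and can tell L2TP that is protected by IPSec from L2TP that is not, from the outer IP header alone. The following is an added example and not part of the book: it classifies constructed packets by the standard protocol and port numbers (PPTP control on TCP 1723 and data in GRE 47; L2TP on UDP 1701; IKE on UDP 500; ESP as IP protocol 50) and flags any host sending L2TP outside ESP, which means the tunneled PPP frames, including the PPP authentication exchange, are crossing the Internet in the clear.

```python
"""Classify VPN traffic from the outer IP header, as a perimeter filter sees
it.  Added example, not part of the book: the packets below are constructed;
the protocol and port numbers are the standard ones for PPTP, L2TP, IKE and
ESP."""
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT, L2TP_PORT, IKE_PORT = 1723, 1701, 500
GRE_PROTO_PPP = 0x880B      # PPTP's enhanced GRE carries this protocol type


def make_packet(src, dst, proto, l4):
    """Outer IPv4 header plus transport bytes (header checksum left zero:
    these packets are parsed, never sent)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def classify(packet):
    """Return a label for the kind of VPN traffic (if any) a packet carries."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == IPPROTO_GRE and len(l4) >= 4:
        flags, ver, ptype = struct.unpack("!BBH", l4[:4])
        if (ver & 0x07) == 1 and ptype == GRE_PROTO_PPP:
            return "pptp-data"
        return "gre-other"
    if proto == IPPROTO_ESP:
        return "ipsec-esp"          # encrypted; any L2TP inside is not visible
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        ports = {sport, dport}
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in ports:
            return "pptp-control"
        if proto == IPPROTO_UDP and IKE_PORT in ports:
            return "ike"            # IPSec key negotiation for L2TP/IPSec
        if proto == IPPROTO_UDP and L2TP_PORT in ports:
            return "l2tp-plain"     # L2TP not wrapped in ESP: PPP in the clear
    return "other"


def audit(packets):
    """Count labels and list the source hosts sending L2TP outside IPSec."""
    counts = {}
    unprotected = set()
    for p in packets:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
        if label == "l2tp-plain":
            unprotected.add(str(ipaddress.IPv4Address(p[12:16])))
    return counts, sorted(unprotected)


# Constructed traffic toward a VPN server at 203.0.113.10 (example address):
# one PPTP client, one L2TP/IPSec client, one misconfigured plain-L2TP client.
SAMPLE = [
    make_packet("198.51.100.23", "203.0.113.10", IPPROTO_TCP,
                struct.pack("!HH", 40000, PPTP_CONTROL_PORT) + b"\x00" * 16),
    make_packet("198.51.100.23", "203.0.113.10", IPPROTO_GRE,
                struct.pack("!BBH", 0x30, 0x01, GRE_PROTO_PPP) + b"\x00" * 8),
    make_packet("198.51.100.44", "203.0.113.10", IPPROTO_UDP,
                struct.pack("!HH", IKE_PORT, IKE_PORT) + b"\x00" * 8),
    make_packet("198.51.100.44", "203.0.113.10", IPPROTO_ESP, b"\x00" * 16),
    make_packet("198.51.100.99", "203.0.113.10", IPPROTO_UDP,
                struct.pack("!HH", L2TP_PORT, L2TP_PORT) + b"\x00" * 8),
    make_packet("198.51.100.99", "203.0.113.10", IPPROTO_TCP,
                struct.pack("!HH", 50000, 80) + b"\x00" * 16),
]

if __name__ == "__main__":
    counts, unprotected = audit(SAMPLE)
    for label, n in sorted(counts.items()):
        print("%-13s %d" % (label, n))
    print("hosts sending L2TP without IPSec:", unprotected)
```

The same classification gives the firewall rule set for a Windows 2000 VPN server: PPTP needs TCP 1723 and IP protocol 47; L2TP/IPSec needs UDP 500 and IP protocol 50, and UDP 1701 should never be seen on the outside because it travels inside ESP. (IPSec NAT traversal over UDP 4500 is not handled here, since Windows 2000 does not use it.)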
MORE INFO
For more information on the VPN protocols, see RFC 2637, "Point-to-Point Tunneling Protocol," and RFC 2661, "Layer Two Tunneling Protocol." Both can be found at (among other places) http://www.vpnc.org/rfcs.html on the Internet.