
VPN fundamentals for VARs and network consultants

Information for value-added resellers who have some understanding of VPNs but want to understand, at a higher level, exactly what a VPN is, the VPN configuration choices available and the value a VPN provides an organization.

If you're a network value-added reseller (VAR) or consultant, chances are you've been asked to deliver a VPN. As a channel partner, you need to be in a position to deliver answers and value to the customer when asked about networking choices. The presentation you give obviously depends upon the technical capabilities of your customer's IT department. You need to be careful not to give a burdensome presentation to a group that has no VPN knowledge, and even more careful about giving a marketing presentation to technically savvy VPN gurus. This tip is written for people who have some understanding of VPNs but want to understand, at a higher level, exactly what a VPN is, the VPN configuration choices available and the value a VPN provides an organization.

A virtual private network (VPN) is a private network that uses a public network (the Internet) to connect users and sites. These users can be located in branch or home offices. Years ago, companies would either procure leased lines or build a frame relay network for this purpose, and both solutions were very expensive. VPN technology is far more economical because it uses virtual connections carried over the Internet from the corporate LAN to the remote site. There is no dedicated circuit to lease from a carrier; each site needs only ordinary Internet access, and the Internet does the carrying. Other advantages of a VPN are encryption of traffic in transit, support for broadband connections, ease of maintenance, a simpler network topology and the ability to serve individual users as well as whole branch offices.

Several configurations can be used with VPNs. One is the intranet-based (site-to-site) VPN, which links remote locations into a single private network; this type of VPN connects whole LANs. The same technique can isolate a sensitive department: its network may be physically connected to the intranet but placed behind a VPN server. The server does not provide a directly routed connection between the two, so only users on the corporate intranet with the appropriate rights can establish a remote-access VPN connection to it, and all communication across that connection is encrypted. For users without those rights, the department's network is simply unreachable.

Another way of setting up a VPN is to use routers for the VPN connections. In this arrangement, each department or site is connected to the intranet through a device (or a computer) that acts as a VPN router. Once the routers have established their tunnels, PC users on each network can exchange information over the Internet without running any VPN software themselves.

As shown in the diagram, each branch office has PC clients connected to a switch that also functions as a VPN router. This in turn connects to a firewall, which sends the traffic, encrypted, through a tunnel to the VPN gateway at the other end. The laptop user is a home-based user who does not need a router or a firewall; he uses VPN client software to establish his own tunnel. The beauty of using a VPN for this solution is that, depending on the hardware purchased, it should be possible to support hundreds of users across the public network with just the client software. This provides significant cost savings over traditional dial-in access over toll-free numbers. It also supports broadband, giving dramatic performance improvements over dial-up. Security is improved as well, since the connections go through encrypted tunnels.

An important concept to understand regarding VPNs is tunneling. Tunneling is the transmission of data intended for use only within a private network across a public network in such a way that the nodes of the public network (the Internet's routers) treat it as ordinary traffic and need not know it belongs to a private network. This is done by encapsulating the private network's packets, protocol headers and all, inside packets addressed for the public network: to the public network, the private packet (including its private addresses) is simply payload. Only the tunnel endpoints strip the outer packet and forward the inner one. Note that encapsulation alone hides nothing; a plain IP-in-IP or GRE tunnel carries the private packet in clear text, and it is the encryption applied inside the tunnel (as IPsec does) that keeps the contents private.

There are many VPN protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). Be aware that L2TP provides tunneling but no encryption of its own, which is why it is normally deployed as L2TP/IPsec, and that PPTP's authentication and encryption are widely regarded as weak; neither should be the default recommendation for a new deployment. IPsec (Internet Protocol Security), a framework of security protocols operating at the network (IP) layer, is the suite most VPN products are built on. IPsec runs in one of two modes: tunnel or transport. In tunnel mode the entire original packet, header and payload, is encrypted and a new outer IP header is added, so the private addresses are hidden from the public network; this is the mode used between VPN gateways. In transport mode only the payload is encrypted and the original IP header travels in clear, which suits host-to-host connections where the end addresses are not secret. IPsec provides strong security features, such as well-vetted encryption algorithms and strong authentication of the peers. The drawback is that the devices at both ends must support IPsec, and that is not a given.
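To make the tunneling and IPsec-mode discussion above concrete, here is an added example in Python; it is not code from the original article. It builds a packet as it would exist on a private LAN, then wraps it as plain IP-in-IP, as ESP in transport mode and as ESP in tunnel mode, reports what a router on the Internet can read from each, and shows what the receiving gateway recovers. The cipher is a stand-in built from HMAC-SHA256 so that the example runs with the standard library alone; real IPsec uses AES-based transforms negotiated by IKE. The hosts, gateway addresses, key and payload are constructed sample values.

```python
"""Tunneling and IPsec modes: what the public network can read.

Added example, not the article's code. The cipher is an HMAC-SHA256 keystream
standing in for ESP's real AES transforms; every address, key and payload is a
constructed sample value.
"""
import hashlib
import hmac
import struct

PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50

INNER_SRC, INNER_DST = "10.1.0.25", "10.2.0.80"          # private hosts (constructed)
GW_A, GW_B = "203.0.113.10", "198.51.100.20"              # public gateways (constructed)
SEGMENT = b"\x12\x34\x00\x50" + b"SECRET payroll query"   # constructed TCP-like payload
MASTER_KEY = b"constructed-shared-secret-for-the-demo"


def _octets(addr):
    return bytes(int(o) for o in addr.split("."))


def _dotted(raw):
    return ".".join(str(o) for o in raw)


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, _octets(src), _octets(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """The fields any router on the path can read."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": _dotted(src), "dst": _dotted(dst), "proto": proto, "payload": pkt[ihl:total_len]}


def derive_keys(master):
    """Separate encryption and integrity keys from one secret; never reuse one key for both."""
    return (hmac.new(master, b"esp-enc", hashlib.sha256).digest(),
            hmac.new(master, b"esp-auth", hashlib.sha256).digest())


def keystream_xor(key, spi, seq, data):
    """Stand-in cipher: HMAC-SHA256 as a PRF in counter mode, keyed per SPI and sequence
    number. Symmetric, so the same call encrypts and decrypts. Not real ESP crypto."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def esp_encapsulate(master, spi, seq, inner, next_header):
    """ESP (RFC 4303) layout: SPI | seq | enc{data | pad | pad_len | next_header} | ICV.
    next_header records what was wrapped: 4 (IPv4) in tunnel mode, the transport
    protocol (here TCP) in transport mode."""
    enc_key, auth_key = derive_keys(master)
    pad_len = (-(len(inner) + 2)) % 4                      # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    ct = keystream_xor(enc_key, spi, seq, inner + trailer)
    icv = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:12]   # 96-bit truncated ICV
    return hdr + ct + icv


def esp_decapsulate(master, esp):
    """Verify the ICV before decrypting; returns (next_header, protected data)."""
    enc_key, auth_key = derive_keys(master)
    hdr, ct, icv = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed; packet dropped")
    spi, seq = struct.unpack("!II", hdr)     # a real stack also checks seq against an anti-replay window
    pt = keystream_xor(enc_key, spi, seq, ct)
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - pad_len - 2]


def build_inner_packet():
    """The packet as it exists on the private LAN: private addresses, clear payload."""
    return ipv4_header(INNER_SRC, INNER_DST, PROTO_TCP, len(SEGMENT)) + SEGMENT


def ipip_tunnel(inner):
    """Plain tunneling: the whole private packet rides as the payload of a public packet."""
    return ipv4_header(GW_A, GW_B, PROTO_IPIP, len(inner)) + inner


def esp_transport(inner):
    """Transport mode: the original header stays in clear; only the payload is protected."""
    h = parse_ipv4(inner)
    body = esp_encapsulate(MASTER_KEY, 0x1001, 1, h["payload"], h["proto"])
    return ipv4_header(h["src"], h["dst"], PROTO_ESP, len(body)) + body


def esp_tunnel(inner):
    """Tunnel mode: the entire original packet is protected behind a gateway-to-gateway header."""
    body = esp_encapsulate(MASTER_KEY, 0x2002, 1, inner, PROTO_IPIP)
    return ipv4_header(GW_A, GW_B, PROTO_ESP, len(body)) + body


def on_the_wire(pkt):
    """What a passive observer on the Internet learns from one packet."""
    h = parse_ipv4(pkt)
    private = {INNER_SRC, INNER_DST}
    return {"outer": (h["src"], h["dst"], h["proto"]),
            "payload_readable": SEGMENT in h["payload"],
            "private_hosts_visible": {h["src"], h["dst"]} == private
            or any(_octets(a) in h["payload"] for a in private)}


def gateway_receive(pkt):
    """Receiving gateway: strip the outer layer and recover the original private packet."""
    h = parse_ipv4(pkt)
    if h["proto"] == PROTO_IPIP:
        return h["payload"]
    if h["proto"] == PROTO_ESP:
        nh, data = esp_decapsulate(MASTER_KEY, h["payload"])
        if nh == PROTO_IPIP:                               # tunnel mode: data is the whole inner packet
            return data
        return ipv4_header(h["src"], h["dst"], nh, len(data)) + data   # transport mode: re-attach header
    raise ValueError("not a tunneled packet")


if __name__ == "__main__":
    inner = build_inner_packet()
    for name, fn in (("ip-in-ip", ipip_tunnel), ("esp transport", esp_transport), ("esp tunnel", esp_tunnel)):
        wrapped = fn(inner)
        print(name, on_the_wire(wrapped), "recovered:", gateway_receive(wrapped) == inner)
```

Running the module prints one line per encapsulation. Only the ESP tunnel-mode packet hides both the payload and the private addresses; IP-in-IP hides neither, and transport mode encrypts the payload but leaves the original header, and therefore the end hosts, in clear. The gateway rejects any ESP packet whose integrity check fails before it attempts to decrypt, which is the order a real IPsec stack uses.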

Finally, when helping your customer choose a VPN, look carefully at all the products on the market. Don't just jump at the first one. Look at everything your customer wants the VPN to do. If all they'll ever need it for is connectivity for their work-from-home users, they may not need all the features of an enterprise hardware product offered by one of the top vendors.

Also, think carefully before you recommend a product in which the VPN is also the router or the firewall. All-in-one solutions have a certain appeal, but think about what would happen if someone were to break into that device -- there is no other barrier between your customer and their private network. A separate router provides another barrier. Similarly, many vendors offer hybrid firewall/VPN solutions. Don't forget that the firewall provides the barrier between the private network and the public network, which is the Internet. Any way you slice it, separating devices provides another layer of protection.

About the author:
Ken Milberg is the founder of Unix-Linux Solutions. He is also a board member of Unigroup of NY, the oldest Unix users group in NYC. Ken regularly answers user questions on Unix and Linux interoperability issues as a site expert on

This tip originally appeared on
