Friday, December 19, 2008

IPSec VPNs

Public Internet-Based VPNs for Intersite Connections
Some organizations save money by using the public Internet for VPN service rather than MPLS (Multi-Protocol Label Switching) VPN or frame relay service. Companies using the public Internet mix intracompany and public Internet traffic on the same access lines. They provide their own security, usually IPSec as described below, as well as firewalls and antivirus software. Alternatively, they contract with their carrier to manage their security devices, which are onsite or at the carriers' POPs.

While the public Internet does not guarantee speeds, companies are finding that providing a high-speed access line gives them adequate site-to-site service at a lower price than frame relay and MPLS VPNs. This is because many Internet backbone providers overbuilt their networks, expecting a larger increase in traffic than occurred. Moreover, the costs for T-1 and T-3 have been decreasing, making them affordable for many more organizations.

Network-Based IPSec VPNs Over Carriers' Private IP Networks
These IPSec VPN-based services operate over carriers' private IP networks instead of the public Internet. The carrier provides security in its network. It encapsulates (creates tunnels around) packets routed between its points of presence (POPs).

Note: Neither of these IPSec VPN-type offerings provides classes of service for voice and video. In addition, they do not provide service level agreements with statistics on traffic levels and network reliability. Customers are responsible for monitoring traffic flows through their own routers.

IPSec VPNs for Remote Access
To support VPN remote access, IT staff distribute client software to each person's computer or laptop. Users click on the client software, which is a special program that contains IPSec security, to launch remote access. It can be used with dial-up or broadband access. A shortcoming is that employees can access their e-mail only when they have a computer with the client software installed with them. This service does not work at public computers such as those at airports or Internet cafes.

IPSec establishes a secure connection between the corporate local area network and the remote user by encrypting (scrambling) each packet and tunneling it, which hides the packet's original IP header. Encryption keeps the traffic private. Tunneling prevents hackers from learning corporate LAN IP addresses. To stop remote users from passing viruses from the Internet to corporate networks, the client software will often not function if there is an open connection to the Internet while the user is logged in remotely (a configuration known as split tunneling).
