Internet and Intranet-Based VPN Connections
VPN connections can be used whenever a secure point-to-point connection is needed to connect users or networks. Typical VPN connections are either Internet-based or intranet-based.
Internet-Based VPN Connections
Using an Internet-based VPN connection, you can avoid long-distance and 1-800 telephone charges while taking advantage of the global availability of the Internet.
Remote Access over the Internet
Rather than a remote access client having to make a long distance or 1-800 call to a corporate or outsourced network access server (NAS), the client can call a local ISP. By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization's VPN server. When the VPN connection is created, the remote access client can access the resources of the private intranet.
Figure 9.3 illustrates remote access over the Internet.
Figure 9.3 VPN Connection Connecting a Remote Client to a Private Intranet
Connecting Networks over the Internet
When networks are connected over the Internet (illustrated in Figure 9.4), a router forwards packets to another router across a VPN connection. To the routers, the VPN operates as a data-link layer link.
Figure 9.4 VPN Connecting Two Remote Sites Across the Internet
Connecting Networks Using Dedicated WAN Links
Rather than using an expensive long-distance dedicated WAN link between offices, the office routers are connected to the Internet using local dedicated wide area network (WAN) links to a local ISP. A router-to-router VPN connection is then initiated by either router across the Internet. When connected, the routers can forward directed or routing protocol traffic to each other using the VPN connection.
Connecting Networks Using Dial-Up WAN Links
Rather than having a branch office router make a long distance or 1-800 call to a corporate or outsourced NAS, the branch office router calls a local ISP. Using the established connection to the local ISP, a router-to-router VPN connection is initiated by the branch office router to the corporate hub router across the Internet. The corporate hub router acting as a VPN server must be connected to a local ISP using a dedicated WAN link, so that it is always reachable when a branch office router initiates the connection.
For more information about configuring VPN connections using a dial-up connection to a local ISP, see "Addressing and Routing for VPNs" later in this chapter.
It is possible to have both offices connected to the Internet using a dial-up WAN link. However, this is only feasible if the ISP supports demand-dial routing to customers; the ISP calls the customer router when an IP datagram is to be delivered to the customer. Demand-dial routing to customers is not widely supported by ISPs.
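The following is an added example, not code from the original chapter, modelling the router-to-router connections described above. Two office routers, a branch office and the corporate hub, each have a LAN interface, a link to a local ISP and a VPN interface. The model shows how longest-prefix matching selects the VPN interface for the other office's private subnet, how the tunnel wraps the private packet in an outer packet addressed between the two routers' public addresses, and a leak check that refuses to send RFC 1918 traffic unencapsulated on the ISP link when the VPN route is missing. Authentication and encryption of the tunnel are left to the VPN protocol and are not modelled. All addresses, interface names and packets are constructed for the example.

```python
"""Forwarding model for two office routers joined by a router-to-router VPN.
Added example; addresses and interface names are constructed, not from the text."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Private address space that must never leave a site unencapsulated.
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"), IPv4Network("192.168.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str  # "lan", "isp" or "vpn"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    payload: bytes


@dataclass(frozen=True)
class Tunnelled:
    """Outer packet carried across the Internet between the two routers' public addresses."""
    outer_src: IPv4Address
    outer_dst: IPv4Address
    inner: Packet


Decision = Tuple[str, object]  # (interface or "drop", Packet or Tunnelled)


class OfficeRouter:
    def __init__(self, public_ip: str, peer_public_ip: str, routes: List[Route]):
        self.public_ip = IPv4Address(public_ip)            # this router's address on the ISP link
        self.peer_public_ip = IPv4Address(peer_public_ip)  # the other office's VPN endpoint
        self.routes = routes

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        best = None
        for route in self.routes:
            if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best

    def forward(self, pkt: Packet) -> Decision:
        route = self.lookup(pkt.dst)
        if route is None:
            return ("drop", pkt)
        if route.interface == "vpn":
            # To the router the VPN is just another link; the tunnel supplies the outer
            # header so the ISPs route the packet between the two public endpoints.
            return ("vpn", Tunnelled(self.public_ip, self.peer_public_ip, pkt))
        if route.interface == "isp" and any(pkt.dst in net for net in RFC1918):
            # Leak guard: a private destination that only matches the default route means
            # the VPN route is missing; drop rather than send it to the ISP in the clear.
            return ("drop", pkt)
        return (route.interface, pkt)

    def receive_tunnel(self, outer: Tunnelled) -> Decision:
        """Decapsulate a packet arriving from the Internet and forward the inner packet."""
        if outer.outer_dst != self.public_ip or outer.outer_src != self.peer_public_ip:
            return ("drop", outer)  # not from the configured tunnel peer
        return self.forward(outer.inner)


def build_offices() -> Tuple[OfficeRouter, OfficeRouter]:
    """Branch office LAN 192.168.10.0/24, corporate hub LAN 10.0.0.0/8 (constructed)."""
    branch = OfficeRouter("203.0.113.10", "198.51.100.1", [
        Route(IPv4Network("192.168.10.0/24"), "lan"),
        Route(IPv4Network("10.0.0.0/8"), "vpn"),
        Route(IPv4Network("0.0.0.0/0"), "isp"),
    ])
    hub = OfficeRouter("198.51.100.1", "203.0.113.10", [
        Route(IPv4Network("10.0.0.0/8"), "lan"),
        Route(IPv4Network("192.168.10.0/24"), "vpn"),
        Route(IPv4Network("0.0.0.0/0"), "isp"),
    ])
    return branch, hub


def run_demo() -> Dict[str, object]:
    branch, hub = build_offices()
    to_hub = Packet(IPv4Address("192.168.10.5"), IPv4Address("10.1.2.3"), b"payroll")
    to_web = Packet(IPv4Address("192.168.10.5"), IPv4Address("192.0.2.80"), b"GET /")

    iface, outer = branch.forward(to_hub)             # private destination: out over the VPN
    hub_iface, delivered = hub.receive_tunnel(outer)  # hub unwraps and delivers on its LAN
    web_iface, _ = branch.forward(to_web)             # ordinary Internet traffic: straight to the ISP

    # Misconfigured branch with no VPN route: private traffic is dropped, not leaked.
    broken = OfficeRouter("203.0.113.10", "198.51.100.1", [
        Route(IPv4Network("192.168.10.0/24"), "lan"),
        Route(IPv4Network("0.0.0.0/0"), "isp"),
    ])
    leak_iface, _ = broken.forward(to_hub)

    # An outer packet from an address other than the tunnel peer is not accepted by the hub.
    spoof = Tunnelled(IPv4Address("192.0.2.99"), hub.public_ip, to_hub)
    spoof_iface, _ = hub.receive_tunnel(spoof)

    return {
        "branch_iface": iface,
        "outer": (str(outer.outer_src), str(outer.outer_dst)),
        "hub_iface": hub_iface,
        "delivered_dst": str(delivered.dst),
        "web_iface": web_iface,
        "leak_iface": leak_iface,
        "spoof_iface": spoof_iface,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The peer check in `receive_tunnel` stands in for the authentication a real VPN protocol performs on the tunnel; an address match alone is not authentication, which is why the VPN protocol, not the routing table, is the control that keeps a forged outer packet out.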
Intranet-Based VPN Connections
The intranet-based VPN connection takes advantage of the IP connectivity that already exists within an organization's intranet.
Remote Access over an Intranet
In some organization intranets, the data of a department, such as a human resources department, is so sensitive that the department's network segment is physically disconnected from the rest of the organization's intranet. While this protects the department's data, it creates information accessibility problems for those users not physically connected to the separate network segment.
VPN connections allow the sensitive department's network segment to be physically connected to the organization intranet but separated by a VPN server. The VPN server does not provide a direct routed connection between the corporate intranet and the separate network segment; it must not be configured to route between those two interfaces, or the separation is lost. Users on the corporate intranet with the appropriate permissions can establish a remote access VPN connection with the VPN server and gain access to the protected resources of the sensitive department's network. Additionally, all communication across the VPN connection is encrypted for data confidentiality, provided the VPN server is configured to require encryption rather than merely permit it. For users who do not have permission to establish a VPN connection, the separate network segment is hidden from view, because the only path to it is through the VPN server.
Figure 9.5 illustrates remote access over an intranet.
Figure 9.5 VPN Connection Allowing Remote Access to a Secured Network over an Intranet
Connecting Networks over an Intranet
You can also connect two networks over an intranet using a router-to-router VPN connection. This type of VPN connection might be necessary, for example, for two departments in separate locations, whose data is highly sensitive, to communicate with each other. For instance, the finance department might need to communicate with the human resources department to exchange payroll information.
The finance department and the human resources department are each connected to the common intranet through a computer that can act as the VPN client (calling router) or the VPN server (answering router) of a router-to-router VPN connection. When the VPN connection is established, users on computers on either network can exchange sensitive data across the corporate intranet.
Figure 9.6 illustrates networks connected over an intranet.
Figure 9.6 VPN Connection Connecting Two Networks over an Intranet
Combined Internet and Intranet VPN Connections
A VPN connection is a networking tool that can provide secured point-to-point connections in whatever manner you see fit. A less common combined Internet and intranet VPN connection, called a pass-through VPN connection, illustrated in Figure 9.7, allows a remote access client connected to one company's intranet to access the resources of another company's intranet using the Internet. In this scenario, a remote access VPN connection passes through one intranet and the Internet to access a second intranet.
Figure 9.7 Pass-Through VPN Connection
For more information about pass-through VPNs, see "Pass-Through VPN Scenario" later in this chapter.