
Networking: A Beginner’s Guide Fifth Edition- P31 pptx


Networking: A Beginner’s Guide
corporate LAN. Even for users who don’t have DSL or cable modems available in their
area, ISDN is usually an option from the local telephone company. (ISDN and DSL
technology are discussed in more detail in Chapter 7.)
Remote users using DSL or cable modems are “hard-wired” to a particular ISP for
their connection, so they need to use a virtual private networking approach to connecting
to the LAN. ISDN users, on the other hand, have the choice of either connecting to an
ISDN-capable ISP or to ISDN “modems” hosted on the LAN. Through a process called
bonding, ISDN users can achieve speeds up to 128 Kbps, although this consumes two
B-channels (and doubles the call charges!). Still, such speeds are better than the 33.6 Kbps
that you can otherwise achieve through a modem.
Virtual Private Networks
A virtual private network (VPN) is a network link formed through the Internet between
the remote user connected to an ISP and the company LAN. A VPN connection is
carried over a shared or public network—which is almost always the Internet. VPNs
use sophisticated packet encryption and other technologies, so the link from the user
to the LAN is secure, even though it may be carried over a public network. VPN
connections cost much less than dedicated connections, such as the WAN technologies
discussed in Chapter 7, because they take advantage of the cost efficiencies of the
Internet without compromising security.
VPN solutions range from simple ones that can be implemented on a Windows
server essentially for free—using the Remote Access Service (RAS) included with
Windows NT Server or the equivalent Routing and Remote Access Service (RRAS)
in Windows 2000 Server or later—to stand-alone specialized VPN routers that can
support hundreds of users. Figure 10-6 shows how a VPN connection works.
VPN connections are used in two important ways:
• To form WAN connections using VPN technology between two networks that
might be thousands of miles apart but which each have some way of accessing
the Internet
• To form remote access connections that enable remote users to access the LAN
through the Internet
The emphasis in this chapter is on remote access, but it’s important to know that
VPNs support WAN connections in much the same way as they support a remote
access connection. The main difference for a WAN VPN connection is that it connects
two networks together, rather than a user and a network, and relies on different
hardware (typically) than a remote access connection uses. A WAN VPN connection
takes advantage of the existing Internet connection for both LANs and might run
virtually 24 hours a day. A remote access connection, on the other hand, is usually
formed when needed and uses less expensive hardware on the remote side, such as a
dialup modem or perhaps a higher-speed Internet connection, such as xDSL, ISDN, or
cable modem.
Chapter 10: Connections from Afar: Remote Network Access
TIP In some circumstances, a VPN might even be an appropriate way to segregate users in a
single location from other users, by using the company’s intranet to host the VPN tunnel. Such a
scheme might be appropriate, for example, if one group of users accesses data that is so sensitive
that it must be separated from the rest of the company in some fashion. In such cases, the sensitive
network can be separated from the corporate LAN, except for a firewall that allows VPN connections
from the sensitive LAN to the corporate LAN, but not vice versa. This configuration would still allow
users on the sensitive LAN to access general corporate network services.
A VPN connection has several requirements:
• Both sides of the VPN connection must be connected to the Internet, usually
using the Point-to-Point Protocol (PPP). (Other public or private networks can
also carry VPNs, but this discussion will stick with the Internet because it’s the
most frequently used network for this purpose.)
• Both sides must have a networking protocol in common. This protocol is usually
TCP/IP, but can also be IPX, NetBEUI, or AppleTalk.
• Both sides must establish a tunnel through their existing PPP connections,
through which their data packets will pass. The tunnel is formed using a
tunneling protocol.
• Both sides must agree on an encryption technique to use with the data
traversing the tunnel. A variety of different encryption techniques are available.
Figure 10-6. A typical VPN connection
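The last two requirements, a tunnel and an agreed encryption technique, can be seen in miniature in the following Python script. It is an added example, not code from the book or from any VPN product. It wraps a constructed "inner" packet (private addresses that exist only on the VPN) inside an "outer" packet addressed between two constructed public endpoints, encrypts and authenticates the inner packet, and shows what a router on the public path can and cannot read. The stream cipher is a toy built from HMAC-SHA256 in counter mode so that the script runs on the standard library alone; a real tunnel uses a vetted cipher such as AES-GCM, and the addresses, keys and packet layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed addresses: RFC 5737 documentation ranges for the public side,
# private space for the addresses that exist only inside the tunnel.
REMOTE_PUBLIC = bytes([203, 0, 113, 5])     # remote user's ISP-assigned address
VPN_SERVER = bytes([198, 51, 100, 10])      # company VPN endpoint on the Internet
INNER_SRC = bytes([10, 99, 0, 7])           # address the VPN gave the remote user
INNER_DST = bytes([10, 0, 0, 20])           # file server on the corporate LAN

# Constructed "inner" packet: 4-byte src, 4-byte dst, 1-byte protocol, payload.
INNER_PACKET = INNER_SRC + INNER_DST + b"\x06" + b"GET /payroll/q3.xls HTTP/1.0\r\n"

HDR_LEN, NONCE_LEN, TAG_LEN = 8, 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 run in counter mode. A stand-in so the
    # script needs only the standard library; a real tunnel uses a vetted
    # cipher such as AES-GCM. A nonce must never be reused with the same key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encapsulate(inner: bytes, enc_key: bytes, mac_key: bytes,
                nonce: Optional[bytes] = None) -> bytes:
    """Wrap an inner packet in the outer packet that actually crosses the Internet."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    keystream = _keystream(enc_key, nonce, len(inner))
    ciphertext = bytes(a ^ b for a, b in zip(inner, keystream))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so the receiver
    # can reject altered bytes before it decrypts anything.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return REMOTE_PUBLIC + VPN_SERVER + nonce + ciphertext + tag


def decapsulate(outer: bytes, enc_key: bytes, mac_key: bytes) -> Optional[bytes]:
    """Recover the inner packet; return None if the tag does not verify."""
    if len(outer) < HDR_LEN + NONCE_LEN + TAG_LEN:
        return None
    nonce = outer[HDR_LEN:HDR_LEN + NONCE_LEN]
    ciphertext = outer[HDR_LEN + NONCE_LEN:-TAG_LEN]
    tag = outer[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    keystream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def observer_view(outer: bytes, inner: bytes) -> dict:
    """What a router on the public path can see: the outer addresses only."""
    return {
        "src": ".".join(str(b) for b in outer[0:4]),
        "dst": ".".join(str(b) for b in outer[4:8]),
        "inner_payload_visible": inner[9:] in outer,
    }


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    outer = encapsulate(INNER_PACKET, enc_key, mac_key)
    print(observer_view(outer, INNER_PACKET))
    print(decapsulate(outer, enc_key, mac_key) == INNER_PACKET)
```

The observer sees only the two public addresses; the inner addresses and the application payload are inside the encrypted part. A packet whose bytes were changed in transit, or one presented with the wrong key, fails the tag check and is discarded before any decryption happens, which is the property a VPN relies on when it trusts the tunnel over a public network.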
So, both sides of a VPN connection must be running compatible VPN software
using compatible protocols. For a remote access VPN solution, the software you install
depends on the VPN itself. Dedicated VPN solutions also sell client software that you can
distribute to your users. Usually, this software carries a per-copy charge, typically around
$25 to $50 per remote computer supported. (Some VPNs include unlimited client licenses,
but the VPN is licensed to accept only a certain number of connections at a time.)
If you are using a Windows server and RRAS service on the server, and some
version of Windows 95 or later on the remote computer, you can take advantage of the
VPN software included for free with those network operating systems. However, this
software must still be set up on each client computer.
VPN Protocols
The three most popular tunneling protocols used for VPNs are Point-to-Point Tunneling
Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Protocol Security
(IPSec). PPTP is a Microsoft-designed protocol that can handle IP, IPX, NetBEUI, and
AppleTalk packets. PPTP is included with Windows, starting with Windows 95, and
is also supported by Windows RRAS (a free upgrade to RAS) and by later versions of
Windows servers. For a Windows-oriented network, PPTP is the way to go.
L2TP is a newer protocol that is an Internet Engineering Task Force standard. It will
probably become the most widely supported tunneling protocol because it operates at
layer 2 of the OSI model, and thus can handle all layer 3 protocols, such as IP, IPX, and
AppleTalk.
IPSec, while probably the most secure tunneling protocol, seems to be most popular
for LAN-to-LAN VPNs and for UNIX-oriented VPNs, due to its reliance on IP. IPSec is
a layer 3 protocol and is limited to handling only IP traffic.
TIP While IPSec works only with IP packets, an L2TP VPN can also carry the resulting IPSec
packets, because they can be handled like the other major layer 3 packets, such as IP, IPX, and
AppleTalk packets.
Types of VPNs
Four major types of VPNs are in use today. One type uses a router with added VPN
capabilities. VPN routers not only can handle normal routing duties, but they can
also be configured to form VPNs over the Internet to other similar routers, located on
remote networks. This method is used to create VPN WAN links over the Internet,
usually between multiple company locations.
Another major type of VPN is one built into a firewall device. Most popular firewalls,
such as Check Point’s Firewall-1 or WatchGuard’s Firebox, serve not only as firewall
devices, but also as VPN hosts. Firewall VPNs can be used both to support remote
users and also to provide WAN VPN links. The benefit of using a firewall-based VPN
is that you can administer your network’s security—including both standard firewall
security and VPN security—entirely within the firewall. For example, you could
configure the firewall to allow connections to the network only when they are made as
part of a valid VPN connection.
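Both the TIP earlier in this chapter (VPN connections allowed from the sensitive LAN to the corporate LAN, but not the reverse) and the firewall example just given (admit connections only when they are part of a valid VPN) are ordered packet-filter policies with a default deny. The following Python script is an added example, not from the book or from any firewall vendor. It models such a policy as a first-match rule list and evaluates constructed sample traffic against it; the interface names (eth0 public, eth1 sensitive LAN, tun0 and tun1 for the decrypted tunnel traffic), the address ranges and the listener port are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "ACCEPT" or "DROP"
    comment: str
    in_iface: Optional[str] = None     # None means "any"
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields are wildcards.
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.src_net is not None and ip_address(p.src) not in self.src_net:
            return False
        if self.dst_net is not None and ip_address(p.dst) not in self.dst_net:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


# Constructed topology (interface names and addresses are assumptions):
#   eth0  public Internet side of the firewall, 198.51.100.10
#   eth1  the sensitive LAN, 10.10.0.0/16, firewall address 10.10.0.1
#   tun0  decrypted traffic from authenticated remote users
#   tun1  decrypted traffic from the sensitive LAN's VPN to the corporate LAN
#   corporate LAN 10.0.0.0/16, reached through the firewall
CORP_LAN = ip_network("10.0.0.0/16")
SENSITIVE_LAN = ip_network("10.10.0.0/16")
FW_PUBLIC = ip_network("198.51.100.10/32")
FW_SENSITIVE = ip_network("10.10.0.1/32")
VPN_PORT = 443   # the VPN listener; 443 is typical for an SSL VPN

POLICY: List[Rule] = [
    Rule("ACCEPT", "Internet hosts may talk only to the VPN listener",
         in_iface="eth0", dst_net=FW_PUBLIC, dst_port=VPN_PORT),
    Rule("ACCEPT", "traffic that arrived through an authenticated tunnel may reach the corporate LAN",
         in_iface="tun0", dst_net=CORP_LAN),
    Rule("ACCEPT", "the sensitive LAN may open a VPN to the firewall",
         in_iface="eth1", src_net=SENSITIVE_LAN, dst_net=FW_SENSITIVE, dst_port=VPN_PORT),
    Rule("ACCEPT", "inside that tunnel, the sensitive LAN reaches corporate services",
         in_iface="tun1", src_net=SENSITIVE_LAN, dst_net=CORP_LAN),
    # Nothing permits corporate LAN -> sensitive LAN, so the default below drops it.
]
DEFAULT_ACTION = "DROP"


def evaluate(packet: Packet, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action
    return DEFAULT_ACTION


# Constructed sample traffic.
SAMPLES = {
    "remote user connects to the VPN listener":
        Packet("eth0", "203.0.113.5", "198.51.100.10", 443),
    "remote host tries the corporate file server directly":
        Packet("eth0", "203.0.113.5", "10.0.0.20", 445),
    "same file server access, but through the tunnel":
        Packet("tun0", "10.99.0.7", "10.0.0.20", 445),
    "sensitive LAN host opens a VPN to the firewall":
        Packet("eth1", "10.10.0.50", "10.10.0.1", 443),
    "corporate host tries to reach the sensitive LAN":
        Packet("eth2", "10.0.0.20", "10.10.0.50", 445),
}


def audit(samples=SAMPLES, policy=POLICY) -> dict:
    """Verdict for every sample packet, in the order the samples are listed."""
    return {name: evaluate(p, policy) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:6} {name}")
```

The two design points worth noticing are that the rules key on the interface the packet arrived on, so "came through the VPN" is a property the firewall observes rather than something the packet claims, and that the sensitive-to-corporate direction is permitted only by an explicit rule while the reverse direction falls through to the default drop.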
The third major type of VPN includes those offered as part of a network operating
system. The best examples of this type are Windows RRAS and Novell’s BorderManager
software. These VPNs are most often used to support remote access, and they are
generally the least expensive to purchase and install.
The fourth major type is the SSL VPN, a relatively new category. This is actually
my overall favorite for remote access support. An SSL VPN takes advantage of the
Secure Sockets Layer (SSL) encryption technology built into most web browsers to offer
VPN services through the web browser. SSL is the same technology used to encrypt
information in web pages that use the https:// prefix, such as for shopping or online
banking web sites.
SSL VPNs bring a number of attractive benefits to supporting remote access:
• No client software needs to be installed on the remote computer, except for
usually an ActiveX or Java add-in that installs into the browser automatically.
• There is essentially no configuration or management required on the remote
system. This is an important point, because most VPN client software is very
difficult to support.
• Provided the users know the web address of the SSL VPN server and have the
correct information to authenticate (log in) to the system, they can log in from
almost any Internet-connected computer in the world and access a wide range
of network services through simple web pages.
• Because many common functions, such as file management, can be performed
using web pages, SSL VPNs work much better over lower-bandwidth
connections than other VPN alternatives. HTML was designed to be stingy in
its use of network bandwidth, so many tasks that are slow over a traditional
VPN connection are much faster with an SSL VPN.
• Most SSL VPNs, in addition to their web-based access features, also allow
the user to start a remote node connection on demand, and this remote node
connection runs using automatically installing and configuring browser
plug-ins.
SSL VPNs are typically offered as an appliance—a rack-mountable piece of
equipment that contains all of the hardware and software needed to run the VPN.
This gives rise to the only real drawback to SSL VPNs: They are still fairly expensive
for smaller companies, with the smallest configurations starting at $8,000 to $10,000 to
support up to 100 simultaneous users. Still, even if you need to support only 20 to 30
remote users, you may find this to be a small price to pay to reduce the administrative
burden of a traditional VPN, which is often considerable.
At the time of this writing, there are a number of SSL VPN vendors. The pioneer
in this space is the NetScreen product family from Juniper Networks (which acquired
a product originally launched by a company called Neoteris, which pioneered SSL
VPNs). Another leader is the FirePass line of products from F5 Networks. AEP
Networks, SonicWALL, and Nokia are some other firms that offer SSL VPNs. Since this
product area is evolving rapidly, you should conduct a careful search for products that
meet your needs.
To give you an idea of how an SSL VPN looks to a remote access user, some screens
of a demo version of F5 Network’s FirePass 4000 are shown in this section. Figure 10-7
Figure 10-7. An SSL VPN login screen