Two types of VPN are in common use: remote access VPN, also called client-based VPN, and site-to-site VPN, also called network-based VPN. A remote access VPN establishes a secure connection between a single user and a remote network. It is used when an employee of a company wants to reach the company's resources from a distant place, such as from home.
A network-based VPN, on the other hand, securely connects two remote networks to each other. A prime example is a connection between two offices of a company that are situated at different locations.
Network-based VPNs fall into two sub-types, namely IPsec tunnels and Dynamic Multipoint VPN (DMVPN).
Remote Access VPN
A remote access VPN allows an employee to use the company's resources from a remote location without the threat of the data being compromised.
The connection is initiated by VPN client software on the employee's device, be it a laptop or a mobile phone. This software is supplied by the vendor providing the VPN service to the company.
First, the employee logs into this VPN software with the necessary credentials. The software then creates an encrypted tunnel between that device and the company's server.
The company's server is known as the Network Access Server (NAS) and acts as the VPN gateway. All the internet traffic from the employee's computer now goes through the encrypted tunnel created by the VPN software.
Operating systems such as Windows and Mac often have VPN client options built in. For example, the most recently released version of the Mac operating system includes L2TP (Layer 2 Tunneling Protocol) support.
A VPN client also offers security features beyond basic connectivity. One of them is inspecting a user's device thoroughly before connecting it to the remote network.
This gives the IT teams in companies an option to reject a user's device for reasons other than authentication failure.
Network-based VPN
A network-based VPN connects two whole networks to each other through a VPN. The primary example is a connection between two offices of a company that are situated in different cities. As mentioned above, they fall into two types:
- IPsec tunnels
- Dynamic Multipoint VPN
IPsec Tunnels
IPsec tunnels are supported by most network routers and firewalls, which makes them the most straightforward kind of network-based VPN. In principle, the IPsec tunnel of a network-based VPN is no different from that of a client-based VPN.
Whereas a client-based VPN connects a single user to the remote network, an IPsec-tunnel-based VPN connects a whole network of devices to the remote network.
For this approach, the first step is to decide what the endpoints of the tunnel will be. Generally, an IPsec tunnel uses a pair of single IP addresses as its endpoints; the network router or firewall at each end is configured with the other end's IP address as its peer IP.
Secondly, it is vital to decide how the two endpoints will authenticate each other. Usually this involves a shared password or, in some cases, an exchange of digital certificates.
Both endpoints also need to agree on a common set of ciphers to encrypt the traffic that will flow through the tunnel. Thirdly, a decision has to be made on which traffic will flow through the tunnel.
In most cases a crypto access list (ACL) is used to specify that traffic. The ACL defines which source IP addresses may communicate with which destination IP addresses through the tunnel.
The negotiation between the two endpoints takes place through the Internet Key Exchange (IKE) protocol, which creates a security association between the two IP addresses.
IPsec tunnels that require a crypto ACL to define the traffic flowing through them are known as policy-based VPNs. The other type is the route-based IPsec tunnel.
Route-based IPsec tunnels behave like a virtual link that lets any traffic routed to it flow through.
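As an added illustration, not taken from the original article, here is how the decisions above (peer endpoint, authentication, ciphers, traffic selection) map onto a Cisco IOS configuration for one end of a policy-based IPsec tunnel, followed by the route-based alternative that uses a virtual tunnel interface instead of a crypto ACL. The two halves are alternatives for the same peer, not meant to be applied together; all addresses, names and the pre-shared key are placeholders.

```cisco
! --- Policy-based IPsec tunnel, local end (the peer is configured symmetrically) ---
! IKE policy: how the two endpoints authenticate and which ciphers they agree on
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Authentication: a shared secret bound to the peer's endpoint address (placeholder values)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
! Cipher set used for the traffic carried inside the tunnel
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Crypto ACL: which source/destination pairs are sent through the tunnel.
! Anything that does not match this list is routed normally, unencrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! The crypto map ties peer IP, ciphers and the crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! --- Route-based alternative: a virtual tunnel interface instead of a crypto ACL ---
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! Whatever the routing table sends to Tunnel0 is encrypted; no ACL selects the traffic
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

When reviewing a policy-based tunnel, check the crypto ACL as carefully as the ciphers: a subnet missing from the ACL still reaches the remote site's address space only if some other route exists, and if it does, that traffic leaves in the clear.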
Dynamic Multipoint VPN
A Dynamic Multipoint VPN establishes secure connections between sites without the traffic needing to pass through a central server or router. Through it, any office network of a company can communicate with the networks of the other offices across a DMVPN cloud.
Cisco invented Dynamic Multipoint VPN (DMVPN) technology, so it is limited to Cisco routers. DMVPN makes use of components such as GRE tunneling, IPsec and NHRP (Next Hop Resolution Protocol), which are all interdependent.
DMVPN uses these components to create a mesh topology. It greatly reduces the company's internet bandwidth charges and eliminates additional network delays.
Over to you on types of VPN
VPNs are becoming a must-have for ensuring privacy while using the internet. The decision on which type of VPN to use ultimately depends on your requirements and needs.