Network Administration: VPN Security
The term tunnel is sometimes used to describe a VPN because the VPN creates a secure tunnel between two locations which can only be entered from either end. The data that travels through the tunnel from one end to the other is secure as long as it is within the tunnel — that is, within the protection provided by the VPN.
The P in VPN stands for private, which is the purpose of creating the tunnel. If the VPN did not create effective security so that data can enter the tunnel only at one of the two ends, the VPN would be worthless; you may as well just open your network and your remote computer up to the Internet and let the hackers have their way.
Prior to VPN technology, the only way to provide private remote network connections was through actual private lines, which were (and still are) very expensive. For example, to set up a remote office you could lease a private T1 line from the phone company to connect the two offices. This private T1 line provided excellent security because it physically connected the two offices and could be accessed only from the two endpoints.
VPN provides the same point-to-point connection as a private leased line, but does it over the Internet instead of through expensive dedicated lines. To create the tunnel that guarantees privacy of the data as it travels from one end of the VPN to the other, the data is encrypted using special security protocols.
The most important of the VPN security protocols is called IPSec, which stands for Internet Protocol Security. IPSec is a collection of standards for encrypting and authenticating packets that travel on the Internet.
In other words, it provides a way to encrypt the contents of a data packet so that only a person who knows the secret encryption keys can decode the data. And it provides a way to reliably identify the source of a packet so that the parties at either end of the VPN tunnel can trust that the packets are authentic.
The IPSec protocol operates at layer 3 of the OSI model, also called the Network layer. What that means is that the IPSec protocol has no idea about what kind of data is being carried by the packets it encrypts and authenticates. The IPSec protocol concerns itself only with the details of encrypting the contents of the packets (sometimes called the payload) and ensuring the identity of the sender.
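As an added illustration of that description, not code from the original article: a simplified, not wire-compatible model of one ESP Security Association in Go. AES-GCM under the shared key both encrypts the inner packet and authenticates it together with the clear-text SPI and sequence number, so a holder of the wrong key, a modified byte, or a replayed sequence number is dropped; the nonce is derived from the sequence number (an implicit IV) with the salt zeroed for brevity, replay is rejected strictly rather than with a window, and the names and keys are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)
// espSA is a simplified model of one ESP Security Association (not the real wire format).
type espSA struct {
	aead    cipher.AEAD // AES-GCM keyed with the SA's shared secret
	spi     uint32      // names the SA; sent in the clear but covered by the tag
	sendSeq uint32      // last outbound sequence number; must never wrap under one key
	lastSeq uint32      // highest authenticated inbound sequence number (anti-replay)
}

func newSA(key []byte, spi uint32) (*espSA, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &espSA{aead: aead, spi: spi}, err
}
// nonce derives the GCM nonce from SPI|seq (implicit IV); the 4-byte salt is zeroed for brevity.
func nonce(hdr []byte) []byte { return append(make([]byte, 4), hdr...) }

// Encapsulate emits SPI|seq|ciphertext+tag; layer 3 never inspects what `inner` carries.
func (sa *espSA) Encapsulate(inner []byte) []byte {
	sa.sendSeq++
	hdr := binary.BigEndian.AppendUint32(nil, sa.spi)
	hdr = binary.BigEndian.AppendUint32(hdr, sa.sendSeq)
	return append(hdr, sa.aead.Seal(nil, nonce(hdr), inner, hdr)...)
}

// Decapsulate drops packets failing the tag (wrong key, any altered byte) or reusing a seq.
func (sa *espSA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 8+sa.aead.Overhead() {
		return nil, errors.New("packet too short: dropped")
	}
	hdr, body := pkt[:8], pkt[8:]
	inner, err := sa.aead.Open(nil, nonce(hdr), body, hdr)
	if err != nil {
		return nil, errors.New("authentication failed: dropped")
	}
	if seq := binary.BigEndian.Uint32(hdr[4:8]); seq > sa.lastSeq {
		sa.lastSeq = seq
		return inner, nil
	}
	return nil, errors.New("replayed sequence number: dropped")
}
```

A real receiver first selects the SA by the SPI it reads from the header; this model assumes both ends already hold the same SA.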
Another commonly used VPN protocol is L2TP. L2TP stands for Layer 2 Tunneling Protocol. This protocol does not provide data encryption. Instead, it is designed to create end-to-end connections called tunnels through which data can travel. L2TP is actually a combination of two older protocols, one (called Layer 2 Forwarding, or L2F) developed by Cisco, and the other (called Point-to-Point Tunneling Protocol, or PPTP) developed by Microsoft.
Many VPNs today use a combination of L2TP and IPSec, called L2TP Over IPSec. This type of VPN combines the best features of L2TP and IPSec to provide a high degree of security and reliability.