Three Types of VPNs
Let’s look now at the three types of VPNs.
Access, Intranet, and Extranet VPNs
As previously stated, VPN is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. Cisco defines three types of virtual private networks according to how businesses and organizations use VPNs:
Access VPNs provide remote connectivity to telecommuters and mobile users. They’re typically an alternative to dedicated dial or ISDN connections. They offer users a range of connectivity options as well as a much lower cost solution.
Intranet VPNs link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. The VPN typically is an alternative to a leased line. It provides the benefit of extended connectivity and lower cost.
Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. In this example, the VPN is often an alternative to fax, snail mail, or EDI. The extranet VPN facilitates e-commerce.
Let’s look at the Access VPN in more detail.
Access VPNs
Remote access VPNs extend the corporate network to telecommuters, mobile workers, and remote offices with minimal WAN traffic. They enable users to connect to their corporate intranets or extranets whenever, wherever, or however they require. Remote access VPNs provide connectivity to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access methods are flexible—asynchronous dial, ISDN, DSL, mobile IP, and cable technologies are supported.
Migrating from privately managed dial networks to remote access VPNs offers several advantages, most notably:
– Reduced capital costs associated with modem and terminal server equipment
– Ability to utilize local dial-in numbers instead of long distance or 800 numbers, thus significantly reducing long distance telecommunications costs
– Greater scalability and ease of deployment for new users added to the network
– Restored focus on core corporate business objectives instead of managing and retaining staff to operate the dial network
Access VPN Operation Overview
In an Access VPN environment, the most important aspect of security revolves around identifying a user as a member of an approved customer company and establishing a tunnel to its home gateway, which handles per-user authentication, authorization, and accounting (AAA).
User authentication is a critical characteristic of an Access VPN. Through a local point of presence (POP), a client establishes communication with the service provider network (1), and secondarily establishes a connection with the customer network (2).
The Access VPN tunnel end points authenticate each other (3).
Next, the user connects to the customer premises equipment (CPE) home gateway server (local network server) using PPP or SLIP (4) and is authenticated through a username/password handling protocol such as PAP, CHAP, or TACACS+.
The home gateway maintains a relationship with an access control server (ACS), also known as an AAA server, using TACACS+ or RADIUS protocols. At this point, authorization is set up using the policies stored in the ACS and communicated to the home gateway at the customer premises (5).
Often, the customer administrates the ACS server, providing ultimate and centralized control of who can access its network as well as which servers can be accessed. User profiles define what the user can do on the network. Using authorization profiles, the network creates a “virtual interface” for each user. Access policies are enforced using Cisco IOS software specific to each interface.
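As an added illustration that is not part of the original course material, the following Python sketch models steps 3 to 5 above: the home gateway issues a CHAP challenge, verifies the client's response (RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)), and, only on success, returns the user's authorization profile from which a per-user virtual interface would be built. The ACS is a constructed in-memory table standing in for a real RADIUS/TACACS+ server, and the user entry and profile values are made-up sample data.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the ACS/AAA server. Assumption: a real home gateway
# would query the ACS over RADIUS or TACACS+; here it is a local dictionary.
ACS_USERS = {
    "alice": {
        "secret": b"sample-chap-secret",                       # shared CHAP secret
        "profile": {"acl": "intranet-only", "idle_timeout": 600},  # authorization profile
    },
}

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class HomeGateway:
    """CPE home gateway: challenges the user, then consults the ACS for AAA."""
    def __init__(self):
        self.identifier = 0

    def challenge(self):
        # A fresh random challenge and new identifier for every attempt, so a
        # captured response cannot be replayed against a later challenge.
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def authenticate(self, name, identifier, challenge, response):
        """Return the user's authorization profile, or None if authentication fails."""
        entry = ACS_USERS.get(name)
        if entry is None:
            return None  # unknown user: same outcome as a bad response
        expected = chap_response(identifier, entry["secret"], challenge)
        if not hmac.compare_digest(expected, response):
            return None
        return entry["profile"]  # step 5: policy from the ACS drives the virtual interface

def client_login(gateway, name, secret):
    """Client side of the exchange: obtain a challenge and answer it."""
    identifier, challenge = gateway.challenge()
    response = chap_response(identifier, secret, challenge)
    return gateway.authenticate(name, identifier, challenge, response)
```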