X

The Intranet VPN

Intranet VPNs: Link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability.

The benefits of an intranet VPN are as follows:

  •   – Reduced WAN bandwidth costs
  • – Connect new sites easily
  • – Increased network uptime by enabling WAN link redundancy across service providers

Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network ubiquity, and transport cost.

Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider’s end-to-end IP network, or, potentially, Frame Relay or ATM.

The Extranet VPN

Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must to be installed on the partner’s site. When dial access is employed, the situation is equally complicated because separate dial domains must be established and managed. Due to the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business relationships. 

One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs. The primary difference is the access permission extranet users are granted once connected to their partner’s network.

Intranet and Extranet VPNs

Intranet and extranet VPN services based on IPSec, GRE, and mobile IP create secure tunnels across an IP network. These technologies leverage industry standards to establish secure, point-to-point connections in a mesh topology that is overlaid on the service provider’s IP network or the Internet. They also offer the option to prioritize applications. An IPSec architecture, however, includes the IETF proposed standard for IP-based encryption and enables encrypted tunnels from the access point to and across the intranet or extranet.

An alternative approach to intranet and extranet VPNs is to establish virtual circuits across an ATM or Frame Relay backbone. With this architecture, privacy is accomplished with permanent virtual circuits (PVCs) instead of tunnels. Encryption is available for additional security as an optional feature, but more commonly, it is applied as needed by individual applications. Virtual circuit architectures provide prioritization through quality of service for ATM and committed information rate for Frame Relay.

Finally, in addition to IP tunnels and virtual circuits, intranet and extranet VPNs can be deployed with a Tag Switching/MPLS architecture. Tag Switching is a switching mechanism created by Cisco Systems and introduced to the IETF under the name MPLS. MPLS has been adopted as an industry standard for converging IP and ATM technologies.

A VPN built with Tag Switching/MPLS affords broad scalability and flexibility across any backbone choice whether IP, ATM, or multivendor. With Tag Switching/MPLS, packets are forwarded based on a VPN-based address that is analogous to mail forwarded with a postal office zip code. This VPN identifier in the packet header isolates traffic to a specific VPN. Tag Switching/MPLS solves peer adjacency scalability issues that occur with large virtual circuit topologies. It also offers granularity to the application for priority and bandwidth management, and it facilitates incremental multiservice offerings such as Internet telephony, Internet fax, and videoconferencing.

Comparing the Types

Access VPNs are differentiated from intranet and extranet VPNs primarily by the connectivity method into the network. While an access VPN refers to dialup (or part-time) connectivity, an intranet or extranet VPN may contain both dialup and dedicated links.

The distinction between intranet and extranet VPNs is essentially in the users that will be connecting to the network and the security restrictions that each will be subject to.