For years, voice, data, and just about all software-defined network services were called "virtual private networks" by the telephone companies. The current generation of VPNs, however, is a more advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone.

The traffic reaches these backbones using any combination of access technologies, including T1, frame relay, ISDN, ATM or simple dial access. VPNs use familiar networking technology and protocols. The client sends a stream of encrypted Point-to-Point Protocol (PPP) packets to a remote server or router, except instead of going across a dedicated line (as in the case of WANs), the packets go across a tunnel over a shared network.

The general idea behind using this method is that a company reduces the recurring telecommunications charges incurred when connecting remote users and branch offices to resources in a corporation's headquarters.

The most commonly accepted method of creating VPN tunnels is by encapsulating a network protocol (including IPX, NetBEUI, AppleTalk, and others) inside PPP, and then encapsulating the entire package inside a tunneling protocol, which is typically IP but could also be ATM or frame relay. This increasingly popular approach is called Layer 2 tunneling, because the passenger is a Layer-2 Tunneling Protocol (L2TP).

Using this VPN model, packets headed towards the remote network reach a tunnel initiating device, which can be anything from an extranet router to a PC with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN terminator, or a tunnel switch, to agree on an encryption scheme. The tunnel initiator then encrypts the package for security before transmitting it to the terminator, which decrypts the packet and delivers it to the appropriate destination on the network.

L2TP is the combination of Cisco Systems' Layer-2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). It supports any routed protocol, including IP, IPX, and AppleTalk, as well as any WAN backbone technology, including frame relay, ATM, X.25, and SONET. Because of L2TP's use of Microsoft's PPTP, it is included as part of the remote access features of most Windows products.

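The nested wrapping the two preceding paragraphs describe (a passenger packet such as IP, IPX or AppleTalk inside a PPP frame, inside an L2TP data message, carried in UDP to port 1701), as an added Python example that is not code from the original article. It assumes the RFC 2661 L2TP header layout and HDLC-like 0xFF 0x03 address/control bytes at the front of the PPP frame (some implementations omit them); the encryption step the article mentions is negotiated separately by the tunnel endpoints and is not shown here.

```python
import struct

# PPP protocol numbers for the passenger protocols the article names (RFC 1700 assignments)
PPP_PROTOCOLS = {"IP": 0x0021, "IPX": 0x002B, "AppleTalk": 0x0029}
L2TP_UDP_PORT = 1701
# L2TP data-message flags: T=0 (data, not control), L=1 (length field present), version 2
L2TP_DATA_FLAGS = 0x4002

def ppp_encapsulate(passenger: bytes, protocol: str) -> bytes:
    """Passenger packet -> PPP frame (assumed 0xFF 0x03 address/control, then protocol id)."""
    return struct.pack("!BBH", 0xFF, 0x03, PPP_PROTOCOLS[protocol]) + passenger

def l2tp_encapsulate(ppp_frame: bytes, tunnel_id: int, session_id: int) -> bytes:
    """PPP frame -> L2TP data message (RFC 2661 header: flags, length, tunnel id, session id)."""
    return struct.pack("!HHHH", L2TP_DATA_FLAGS, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame

def udp_encapsulate(payload: bytes, src_port: int, dst_port: int = L2TP_UDP_PORT) -> bytes:
    """L2TP message -> UDP datagram; checksum left at zero (permitted over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def decapsulate(datagram: bytes) -> dict:
    """Reverse the three layers, validating each header, and return the passenger packet."""
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != L2TP_UDP_PORT or udp_len != len(datagram):
        raise ValueError("not a well-formed L2TP-over-UDP datagram")
    l2tp = datagram[8:]
    (flags,) = struct.unpack("!H", l2tp[:2])
    if flags & 0x8000:                  # T bit: control message, carries no PPP frame
        raise ValueError("L2TP control message, not a data message")
    if flags & 0x000F != 2:
        raise ValueError("unsupported L2TP version")
    pos = 2
    if flags & 0x4000:                  # L bit: 16-bit length field is present
        (length,) = struct.unpack("!H", l2tp[pos:pos + 2]); pos += 2
        if length != len(l2tp):
            raise ValueError("L2TP length field does not match datagram")
    tunnel_id, session_id = struct.unpack("!HH", l2tp[pos:pos + 4]); pos += 4
    if flags & 0x0800:                  # S bit: Ns/Nr sequence numbers present, skip them
        pos += 4
    if flags & 0x0200:                  # O bit: offset size field plus that much padding
        (off,) = struct.unpack("!H", l2tp[pos:pos + 2]); pos += 2 + off
    ppp = l2tp[pos:]
    addr, ctrl, proto = struct.unpack("!BBH", ppp[:4])
    if (addr, ctrl) != (0xFF, 0x03):
        raise ValueError("unexpected PPP address/control bytes")
    name = {v: k for k, v in PPP_PROTOCOLS.items()}.get(proto, hex(proto))
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "protocol": name, "passenger": ppp[4:]}
```

Feeding `decapsulate` a datagram with the T bit set shows why a terminator must check the header before treating the payload as a PPP frame: control messages carry L2TP signalling, not passenger traffic.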
Another approach to VPN is SOCKS 5, which follows a proxy server model and works at the TCP socket level. It requires a SOCKS 5 server and appropriate client software in order to work. The SOCKS 5 client intercepts a request for service and checks it against a security database. If the request is granted, the server establishes an authenticated session with the client, acting as a proxy. This allows network managers to apply specific controls to proxied traffic, and to specify which applications can cross the firewall into the Internet.

VPN technology can be used for site-to-site connectivity as well, which would allow a branch office with multiple access lines to get rid of the data line and move traffic over the existing Internet access connection. Since many sites use multiple lines, this can be a very useful application, and it can be deployed without adding equipment or software.