Virtual Private Networks Part 1: VPNs

After our foray into the world of E-commerce over the last few months, time to switch gears at the request of several readers. I have had more requests for information about advanced networking subjects like virtual private networks, proxy servers, gateways, firewalls, remote access servers, voice over IP, and DHCP than I had expected. I touched briefly on some of these subjects in the first Help Desk series, over a year ago, but obviously more detail is required. (For copies of the original network Help Desk series, check my Web site at http://www.tpci.com.) So, for the next few issues, we’ll look at some of these networking complexities, specifically in terms of Windows NT networks as they are the most widely used (and the ones I got the requests for).

Let’s start with Virtual Private Networks, or VPNs as they are known. It’ll take a column or two to cover this issue, but don’t tune out if you are not interested. You’ll be surprised how handy VPNs are for your customers, how much money can be saved by using them, and how easy they are to set up (most of the time).

The easiest way to recognize a need for a VPN is from the cost savings point of view. Imagine you have three branches of a company in different cities. They are all part of the same large WAN, connected together by leased lines or remote access servers using long distance calls. Either approach is expensive. Leased lines cost thousands of dollars to maintain. Switching to VPNs can save at least half, and usually more than 75%, of the cost of a leased line or RAS setup, all other aspects of the networks kept equal. Sound interesting?

The most common form of VPN uses the Internet, and that’s the model we’ll follow. A VPN uses the Internet as the connection between the different parts of a larger WAN. If we return to the three branch offices scenario, you can see how a VPN works. Let’s suppose the offices are in Halifax, Toronto, and Victoria. Leased lines between the three branches are very expensive. Internet service providers are cheap. One machine in each office has software installed that connects to an ISP all the time. Whenever traffic has to flow from one office to another, it goes through the ISP connection, to the Internet, and is routed to the ISP connection in the target office. The Internet excels at getting information from one place to another quickly, and we simply use the Internet to route the data from one office to another.

A number of problems crop up immediately when you think about this scenario. First, if there are three different connections to the Internet, how do the three parts know they are all within a larger wide area network? The answer is to set up the connections through the ISP properly, so that the target IP addresses are well known; to the machine acting as the network-ISP gateway, the other two offices are simply reached over telephone connections through the ISP and the Internet. All three offices can be placed on the same IP subnet, so traffic can flow automatically from one office to another as though they were all in one large network. Alternatively, you can set the three offices up as separate networks with different IP subnet addresses, and let the ISP-network gateway machine handle the traffic between the sites. Whichever approach is used, users never have to know the details of the network. If they are sending files and e-mail from Victoria to Halifax, it’s as though they were all connected by the same LAN.

The other major problem is security. If you are routing data from Victoria to Halifax, what’s to stop some unethical cretin on the Internet from intercepting your data and reading it? The answer is encryption and authentication methods (which we looked at in an earlier Help Desk series). By encrypting the data between the VPN machines, the traffic becomes unreadable to anyone else. When data leaves Halifax’s gateway machine the encryption takes place, and when it arrives at Victoria it is decrypted automatically before reaching the target user. Again, the whole thing is transparent to the users. There are a number of encryption and authentication systems used over VPNs, as well as a special protocol called PPTP (Point-to-Point Tunneling Protocol).
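The gateway-to-gateway encryption just described, as an added example in Go that is not from the column or from Microsoft's VPN software: one site-to-site tunnel under a pre-shared key, where the sending gateway seals the LAN datagram with AES-GCM and the receiving gateway refuses anything altered in transit. The public gateway addresses and the key are constructed sample values, and PPTP itself is not implemented here; the example shows only the encrypt-at-one-end, decrypt-at-the-other idea.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Packet is what crosses the ISP links: the outer (public) addresses stay
// readable so the Internet can route it; the LAN datagram inside is ciphertext.
type Packet struct {
	From, To    string
	Nonce, Body []byte
}

// Link is one site-to-site tunnel (e.g. Halifax<->Victoria) under a pre-shared key.
type Link struct {
	A, B string // public gateway addresses (constructed sample values)
	g    cipher.AEAD
}

func NewLink(a, b string, key []byte) (*Link, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has 16-byte blocks
	return &Link{a, b, g}, nil
}

// Encapsulate seals a LAN datagram at the sending gateway. A fresh random
// nonce per packet is required: AES-GCM is broken by nonce reuse under a key.
func (l *Link) Encapsulate(from, to string, datagram []byte) (*Packet, error) {
	if !(from == l.A && to == l.B || from == l.B && to == l.A) {
		return nil, errors.New("no tunnel between " + from + " and " + to)
	}
	nonce := make([]byte, l.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(from + ">" + to) // bind outer addresses so they cannot be swapped
	return &Packet{from, to, nonce, l.g.Seal(nil, nonce, datagram, aad)}, nil
}

// Decapsulate runs at the receiving gateway. Open verifies the GCM tag first,
// so a packet altered or forged on the Internet is dropped, never delivered.
func (l *Link) Decapsulate(p *Packet) ([]byte, error) {
	return l.g.Open(nil, p.Nonce, p.Body, []byte(p.From+">"+p.To))
}
```

Anyone on the path between the two ISPs sees only the outer addresses, a nonce and ciphertext; changing a single byte, or swapping the outer addresses, makes Decapsulate return an error instead of a datagram.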

Final problem: these gateways must be difficult to set up and configure, right? Actually, no. Any Windows machine can be the gateway into a VPN (as can most other operating systems). There’s no special router or dedicated hardware required. For smaller networks, the machine doesn’t even have to be used only as a gateway. With a decent modern processor, a user can be using the machine at the same time it is acting as a gateway for the entire network. Software cost? Minimal, if any. VPNs are supported by Windows NT and Windows 98 as part of the basic software distribution. If you have any other platforms, they are often configurable without spending any money, either. Sure, you can buy fancy third-party packages and security software, but for all but the most paranoid large corporation, the native VPN software Microsoft provides is all you need. In the next installment, you’ll see how to set up a VPN.