Virtual privacy

Out on the road and need to access your office LAN? Worried about security? Fear not, Roger Gann can show you the way.

Remote access is now more of a necessity than a luxury for business users who need to access files on an office network when they're on the road or working from home. If the remote PC has Internet connectivity via modem, broadband or through a LAN (local area network), and the office network has a permanent connection to the Internet, the most cost-effective way for remote users to connect is by creating a VPN (virtual private network).

So, rather than laying your own personal network cable across the globe, you use a public network - the Internet - as your connection medium. As the Internet is by its very nature insecure, you place your private network traffic inside a secure "wrapper" to stop eavesdroppers accessing your data. The result is a VPN inside a physical public network, a great solution to wide area networking requirements.

VPN technologies use "tunnelling" protocols to create the connection and encryption protocols to provide the privacy on the public network. This allows you to securely access a VPN server and the rest of the company network. Once a VPN tunnel has been established, any application (Web, e-mail, even Voice over IP) can use it as though it were using a normal network connection.

So, if you need remote access, the question isn't whether to use VPN, but which VPN technology to use. There are four main protocols and each has pros and cons.

VPN choices

Because a VPN creates a secure virtual pipeline through the public network, the protocols used to create this connection are called tunnelling protocols. The most common VPN technologies available are:
• PPTP
• L2TP
• IPSec
• SSL

Choosing which one to use is tricky. A lot depends on factors such as server and client OS, the network resources to which access is needed, the level of security required and performance issues. Even inexpensive routers, such as

Layer, layer

The L2TP (Layer 2 tunnelling protocol) was developed in co-operation between Cisco and Microsoft, combining features of PPTP with those of Cisco's proprietary L2F (Layer 2 Forwarding) protocol. As you might guess, L2TP operates at the data link layer of the OSI (open systems interconnection) networking model. An L2TP client is built into Windows 2000, XP and 2003, but you can download software for older versions of Windows.

L2TP has several advantages over PPTP. The latter gives you data confidentiality, but L2TP goes further and also verifies data integrity and provides authentication of origin. However, the overhead involved in providing this extra security can result in slower performance than PPTP.

Windows XP has good support for VPNs - the New Connection Wizard makes it a doddle to set one up.

Wait a Sec

IPSec (the IP security protocol) actually provides the encryption for L2TP but it can also be used as a tunnelling protocol. Like PPTP and L2TP, IPSec provides a connection that terminates at the firewall and grants remote users access to the entire network. IPSec operates at a higher level of the OSI model, the network layer or Layer 3. Many hardware VPN appliances use an implementation of IPSec.

Authentication is accomplished via the IKE (Internet Key Exchange) protocol with either digital certificates or with a pre-shared key. IPSec VPNs can protect against many of the most common attack methods, including Denial of Service, replay, and "man-in-the-middle" attacks.
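As an added illustration of the distinction the text draws between confidentiality alone (the PPTP case) and confidentiality plus integrity, origin authentication and replay protection (the L2TP/IPSec case), here is a simplified tunnel encapsulation in Python. It is not code from the article or from any IPSec implementation: the keystream is a constructed toy cipher standing in for a real security association's cipher, the keys are constructed demo values, and the anti-replay check is a strict "higher than last accepted" rule rather than ESP's sliding window.

```python
import hmac, hashlib, struct

# Constructed demo keys. A real IPSec SA would derive its keys through IKE.
ENC_KEY = b"demo-encryption-key"
AUTH_KEY = b"demo-integrity-key"
TAG_LEN = 12

def keystream(key: bytes, seq: int, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for a real
    # cipher; bound to the sequence number so it never repeats across packets.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encapsulate(inner: bytes, seq: int, authenticate: bool) -> bytes:
    # Outer header is a 32-bit sequence number; the inner packet is encrypted
    # underneath it. Without the tag this is confidentiality only (the PPTP
    # case); with it, integrity and origin authentication are added as well,
    # because only the two tunnel endpoints hold AUTH_KEY.
    body = struct.pack(">I", seq) + xor(inner, keystream(ENC_KEY, seq, len(inner)))
    if not authenticate:
        return body
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:TAG_LEN]

class TunnelEndpoint:
    def __init__(self, authenticate: bool):
        self.authenticate = authenticate
        self.highest_seq = 0  # simplified anti-replay: reject seq <= last accepted

    def decapsulate(self, packet: bytes):
        # Returns (status, inner_packet_or_None).
        if self.authenticate:
            body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
            expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
            if not hmac.compare_digest(tag, expected):
                return "rejected: integrity check failed", None
        else:
            body = packet  # nothing to verify: a modified packet decrypts to garbage
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.highest_seq:
            return "rejected: replay", None
        self.highest_seq = seq
        return "accepted", xor(body[4:], keystream(ENC_KEY, seq, len(body) - 4))
```

Running a bit-flipped packet through an encryption-only endpoint shows the corrupted payload being accepted silently, whereas the authenticated endpoint rejects both the tampered packet and a replayed copy of a genuine one.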

IPSec support is included in Windows 2000/XP/2003, but not in older Windows operating systems. If you have a VPN gateway you may have to buy client licenses for the client software. If you use multiple apps, IPSec can be a godsend.

The downside is that it leaves the network wide open if the remote access client has been compromised. IPSec clients often allow IT managers to specify that client PCs must have security or antivirus software installed before a VPN connection is permitted. IPSec is a good fit for "fixed" site-to-site VPNs, because it can be implemented in network hardware without client software support. For mobile users, however, it's more hassle - the cost of deploying the software, configuring it and supporting it can be significant.

The simplest VPNs employ SSL technology, which is widely used in e-commerce. The padlock icon reveals I have a secure connection to Amazon.

Socket to 'em

If you've ever bought anything on the Internet you'll have come across SSL (Secure Sockets Layer) connections. And this is a big plus for SSL VPNs - you don't need special client software, you just use a Web browser to access the remote network.

With SSL VPNs, instead of giving VPN clients access to the whole network as with IPSec, you can restrict them to specific applications, which naturally have to be Web or Java-based. Less expensive, and easier to deploy than IPSec VPNs, SSL VPN technology provides remote access to Web applications such as e-mail and corporate intranets.

SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: Layer 7, the application layer, which permits much finer granularity when it comes to specifying access control. Because SSL VPNs work at the application layer, network administrators can specify access control sets and rules based on such criteria as application, TCP/IP port and user - something that the all-or-nothing nature of IPSec can't match without installing additional firewalls behind the tunnel end point and getting bogged down with lots of tedious rule sets.

Because SSL VPN access is browser-based, users can log on securely with a Web browser using almost any device. Firewalls usually don't cause any grief either, as SSL uses TCP ports that are usually left open.

SSL operates transparently across proxies and routers performing Network Address Translation, a major boon. SSL solves almost all remote access issues except one: providing access to client/server or other applications not accessible from a browser. Unlike IPSec VPNs, SSL VPN appliances don't typically allow direct access to network file shares.

SSL can also require multiple handshakes per session, which can increase the CPU load at both the client and the host, making it harder for SSL to support many simultaneous VPN connections - something that IPSec concentrators handle with aplomb. So that's the theory. In next month's column, I'll step you through setting up a VPN connection. Don't worry - it's a lot easier than you think!

Connecting to site offices by VPN is best handled by dedicated VPN hardware, such as this Cisco VPN 3000 VPN Concentrator.

Roger Gann

PC Advisor (UK)