Virtual privacy

Out on the road and need to access your office LAN? Worried about security? Fear not, Roger Gann can show you the way.

Remote access is now more of a necessity than a luxury for business users who need to access files on an office network when they're on the road or working from home. If the remote PC has Internet connectivity via modem, broadband or through a LAN (local area network), and the office network has a permanent connection to the Internet, the most cost-effective way for remote users to connect is by creating a VPN (virtual private network).

So, rather than laying your own personal network cable across the globe, you use a public network - the Internet - as your connection medium. As the Internet is by its very nature insecure, you place your private network traffic inside a secure "wrapper" to stop eavesdroppers accessing your data. The result is a VPN inside a physical public network, a great solution to wide area networking requirements.

VPN technologies use "tunnelling" protocols to create the connection and encryption protocols to provide the privacy on the public network. This allows you to securely access a VPN server and the rest of the company network. Once a VPN tunnel has been established, any application (Web, e-mail, even Voice over IP) can use it as though it were using a normal network connection.

So, if you need remote access, the question isn't whether to use VPN, but which VPN technology to use. There are four main protocols and each has pros and cons.

VPN choices

Because a VPN creates a secure virtual pipeline through the public network, the protocols used to create this connection are called tunnelling protocols. The most common VPN technologies available are:
• PPTP
• L2TP
• IPSec
• SSL

Choosing which one to use is tricky. A lot depends on factors such as server and client OS, the network resources to which access is needed, the level of security required and performance issues. Even inexpensive routers, such as

Layer, layer

L2TP (Layer 2 Tunnelling Protocol) was developed in co-operation between Cisco and Microsoft, and later standardised by the IETF, combining features of PPTP with those of Cisco's proprietary L2F (Layer 2 Forwarding) protocol. As you might guess, L2TP operates at the data link layer (Layer 2) of the OSI (open systems interconnection) networking model. L2TP on its own provides the tunnel but no encryption, which is why it is almost always deployed as L2TP/IPSec. An L2TP/IPSec client is built into Windows 2000, XP and 2003, and you can download client software for older versions of Windows.

L2TP/IPSec has several advantages over PPTP. PPTP gives you data confidentiality, but L2TP/IPSec goes further: the IPSec layer also verifies the integrity of every packet and authenticates its origin, so a packet that has been altered or forged in transit is dropped rather than delivered. However, the overhead involved in providing this extra protection can result in slower performance than PPTP.

Windows XP has good support for VPNs - the New Connection Wizard makes it a doddle to set one up.

Wait a Sec

IPSec (the IP security protocol) actually provides the encryption for L2TP, but it can also be used as a tunnelling protocol in its own right. Like PPTP and L2TP, IPSec provides a connection that terminates at the VPN gateway (often the firewall) and grants remote users access to the entire network. IPSec operates at a higher level of the OSI model than L2TP, the network layer or Layer 3. Many hardware VPN appliances use an implementation of IPSec.

Authentication is accomplished via the IKE (Internet Key Exchange) protocol, with either digital certificates or a pre-shared key. Because IKE authenticates both ends before any session keys are agreed, and because every protected packet carries a sequence number and an integrity check, IPSec VPNs protect against many of the most common attack methods, including replay and "man-in-the-middle" attacks and some forms of Denial of Service.
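The integrity, origin-authentication and anti-replay protection described for L2TP/IPSec above and in this section is easiest to see in code. The block below is an added illustration, not code from the article or from any IPSec implementation: it builds an ESP-style protected packet (SPI and sequence number header, IV, ciphertext, integrity check value) and a receiver that verifies the ICV before doing anything else, then applies the sliding anti-replay window of RFC 4303. The keys, SPI and inner packets are constructed, and the keystream is HMAC-SHA256 run in counter mode as a stand-in for AES, because the Python standard library has no block cipher.

```python
"""ESP-style packet protection: encrypt-then-MAC, sequence numbers and an
anti-replay sliding window as in RFC 4303. Added illustration, not code
from the article or any IPSec implementation. The keystream is HMAC-SHA256
run in counter mode, a stand-in for AES because the Python standard
library has no block cipher; keys, SPI and packets are constructed."""
import hashlib
import hmac
import os
import struct

ENC_KEY = bytes.fromhex("00" * 32)  # constructed; in real IPSec both keys come from IKE
MAC_KEY = bytes.fromhex("11" * 32)
SPI = 0x1000ABCD                    # constructed Security Parameter Index
WINDOW = 64                         # RFC 4303 minimum anti-replay window
ICV_LEN = 16

def keystream(key, iv, n):
    """HMAC-SHA256 in counter mode (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    def __init__(self):
        self.seq = 0

    def protect(self, inner_packet):
        self.seq += 1                       # never reused within one SA
        iv = os.urandom(16)
        header = struct.pack(">II", SPI, self.seq)
        ciphertext = xor(inner_packet, keystream(ENC_KEY, iv, len(inner_packet)))
        body = header + iv + ciphertext
        icv = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv                   # ICV covers header, IV and ciphertext

class Receiver:
    def __init__(self):
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (highest - i) already seen

    def replay_check(self, seq):
        if seq == 0:
            return False                    # 0 is never valid
        if seq > self.highest:
            return True                     # ahead of the window: fresh
        diff = self.highest - seq
        if diff >= WINDOW:
            return False                    # older than the window: reject
        return not (self.bitmap >> diff) & 1

    def replay_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def unprotect(self, packet):
        if len(packet) < 8 + 16 + ICV_LEN:
            raise ValueError("truncated")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("bad ICV")     # integrity/origin check comes first
        spi, seq = struct.unpack(">II", body[:8])
        if spi != SPI:
            raise ValueError("unknown SPI")
        if not self.replay_check(seq):
            raise ValueError("replay")
        self.replay_update(seq)             # window moves only after the ICV verified
        iv, ciphertext = body[8:24], body[24:]
        return xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))

def demo():
    """Fresh packet decrypts; replayed and tampered packets are dropped."""
    tx, rx = Sender(), Receiver()
    inner = b"GET /intranet/ HTTP/1.0\r\n"  # constructed inner packet
    p1, p2 = tx.protect(inner), tx.protect(b"second packet")
    out = {"decrypts": rx.unprotect(p1) == inner}
    rx.unprotect(p2)
    for name, pkt in (("replay", p1), ("bad ICV", p2[:-1] + bytes([p2[-1] ^ 1]))):
        try:
            rx.unprotect(pkt)
            out[name] = False
        except ValueError as err:
            out[name] = str(err) == name
    return out
```

The order of checks in `unprotect` is the point a practitioner should take away: the ICV is verified before the sequence number is trusted or the window is updated, so an attacker who cannot forge the MAC can neither slide the window nor get a replayed packet decrypted. PPTP, which relies on MPPE for confidentiality alone, has no equivalent per-packet origin check.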

IPSec support is included in Windows 2000/XP/2003, but not in older Windows operating systems. If you have a VPN gateway you may have to buy client licenses for the client software. If you use multiple apps, IPSec can be a godsend.

The downside is that it leaves the network wide open if the remote access client has been compromised: the tunnel gives the client a full network-layer route into the LAN, so malware on the laptop has the same reach as the user. IPSec clients often allow IT managers to require that client PCs have security or antivirus software installed before permitting a VPN connection. IPSec is a good fit for "fixed" site-to-site VPNs, because it can be implemented in network hardware without client software support. For mobile users, however, it's more hassle - the cost of deploying the software, configuring it and supporting it can be significant.

The simplest VPNs employ SSL technology, which is widely employed in e-commerce. The padlock icon reveals I have a secure connection to Amazon.

Socket to 'em

If you've ever bought anything on the Internet you'll have come across SSL (Secure Sockets Layer) connections. And this is a big plus for SSL VPNs - you don't need special client software, you just use a Web browser to access the remote network.

With SSL VPNs, instead of giving VPN clients access to the whole network as with IPSec, you can restrict them to specific applications, which naturally have to be Web or Java-based. Less expensive, and easier to deploy than IPSec VPNs, SSL VPN technology provides remote access to Web applications such as e-mail and corporate intranets.

SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: Layer 7, the application layer, which permits much finer granularity when it comes to specifying access control. Because the gateway sees individual application requests rather than raw IP packets, network administrators can specify access control sets and rules based on such criteria as application, TCP/IP port and user - something that the all-or-nothing nature of IPSec can't match without installing additional firewalls behind the tunnel end point and getting bogged down with lots of tedious rule sets.
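What "access control by application, port and user" means in practice, as an added example that is not from the article or from any vendor's policy format: a small first-match rule set with an implicit deny at the end, of the kind an SSL VPN gateway evaluates per request, next to the Layer 3 behaviour the text contrasts it with. The users, groups, hosts and rules are constructed.

```python
"""Application-layer access policy of the kind an SSL VPN gateway applies.
Added illustration, not any product's policy format. Rules are matched
first-to-last on user or group, destination host pattern and TCP port,
with an implicit deny if nothing matches. All names here are constructed."""
from fnmatch import fnmatch

GROUPS = {"sales": {"alice", "bob"}, "it": {"carol"}}

# (principal, host pattern, port, action); "*" matches anything, "@name" is a group
RULES = [
    ("@it",    "*",               "*", "allow"),  # IT staff get the whole network
    ("@sales", "webmail.corp",    443, "allow"),
    ("@sales", "intranet.corp",   80,  "allow"),
    ("alice",  "crm.corp",        443, "allow"),  # per-user exception
    ("*",      "fileserver.corp", 445, "deny"),   # SMB never crosses the SSL VPN
]

def principal_matches(principal, user):
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in GROUPS.get(principal[1:], set())
    return principal == user

def decide(user, host, port):
    """Return (action, matched_rule); matched_rule is None on the implicit deny."""
    for principal, host_pat, rule_port, action in RULES:
        if (principal_matches(principal, user)
                and fnmatch(host, host_pat)
                and (rule_port == "*" or rule_port == port)):
            return action, (principal, host_pat, rule_port)
    return "deny", None  # default deny: nothing matched

def ipsec_style(user, host, port):
    """The Layer 3 contrast from the text: once authenticated, any host, any port."""
    known_users = set().union(*GROUPS.values())
    return "allow" if user in known_users else "deny"
```

Note that the rule for `fileserver.corp` is only reached by users the earlier rules do not already cover; the IT group's wildcard rule matches first, which is exactly the kind of ordering mistake that per-application rule sets make easy to spot and a flat IPSec tunnel hides entirely.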

Because SSL VPN access is browser-based, users can log on securely with a Web browser using almost any device. Firewalls usually don't cause any grief either, as SSL runs over TCP port 443, which is almost always left open for outbound HTTPS.

SSL operates transparently across proxies and routers performing Network Address Translation, a major boon. SSL solves almost all remote access issues except one: providing access to client/server or other applications not accessible from a browser. Unlike IPSec VPNs, SSL VPN appliances don't typically allow direct access to network file shares.

SSL can also require multiple handshakes per session, which increases the CPU load at both the client and the host, making it harder for an SSL VPN to support large numbers of simultaneous connections, something that IPSec concentrators can handle with aplomb. So that's the theory. In next month's column, I'll step you through setting up a VPN connection. Don't worry - it's a lot easier than you think!

Connecting to site offices by VPN is best handled by dedicated VPN hardware, such as this Cisco VPN 3000 VPN Concentrator.


Roger Gann

PC Advisor (UK)