International Engineering Consortium
Web ProForums
Virtual Private Networks (VPNs)

3. VPN Technologies: Part II
Two primary concerns when deploying VPNs over the Internet are security and performance. The transmission control protocol (TCP)/IP protocols and the Internet were not originally designed with either of these concerns in mind, because the number of users and the types of applications originally did not require either strong security measures or guaranteed performance.

But if Internet VPNs are to serve as reliable substitutes for dedicated leased lines or other WAN links, technologies for guaranteeing security and network performance must be added to the Internet. Fortunately, standards for network data security on IP networks have evolved to the point where IP networks can be used to create VPNs. Work on providing guaranteed performance is at an earlier stage of development, and service providers have not yet deployed these technologies to any great degree.

VPNs need to provide the following four critical functions to ensure security for data:

  • authentication—ensuring that the data originates from the source it claims to come from
  • access control—restricting unauthorized users from gaining admission to the network
  • confidentiality—preventing anyone from reading or copying data as it travels across the Internet
  • data integrity—ensuring that no one tampers with data as it travels across the Internet

Various password-based systems and challenge-response systems—such as challenge handshake authentication protocol (CHAP) and remote authentication dial-in user service (RADIUS)—as well as hardware-based tokens and digital certificates can be used to authenticate users on a VPN and control access to network resources. The privacy of corporate information as it travels through the VPN is guarded by encrypting the data.

In the past, private networks were created by leasing hard-wired connections between sites; these connections were devoted to the traffic from a single corporate customer. In order to extend that concept to the Internet, where the traffic from many users usually passes over the same connection, a number of protocols have been proposed to create tunnels. Tunneling allows senders to encapsulate their data in IP packets that hide the underlying routing and switching infrastructure of the Internet from both senders and receivers. At the same time, these encapsulated packets can be protected against snooping by outsiders using encryption techniques.

In VPNs, virtual implies that the network is dynamic, with connections set up according to the organizational needs. It also means that the network is formed logically, regardless of the physical structure of the underlying network (the Internet, in this case). Unlike the leased lines used in traditional corporate networks, VPNs do not maintain permanent links between the end points that make up the corporate network. Instead, when a connection between two sites is needed, it is created; when the connection is no longer needed, it is torn down, making the bandwidth and other network resources available for other uses. Thus the connections making up a VPN do not have the same physical characteristics as the hard-wired connections used on the LAN, for instance.

Tunnels can consist of two types of end points, either an individual computer or a LAN with a security gateway, which might be a router or firewall. Only two combinations of these end points, however, are usually considered in designing VPNs. In the first case, LAN-to-LAN tunneling, a security gateway at each end point serves as the interface between the tunnel and the private LAN. In such cases, users on either LAN can use the tunnel transparently to communicate with each other.

The second case, that of client-to-LAN tunnels, is the type usually set up for a mobile user who wants to connect to the corporate LAN. The client, i.e., the mobile user, initiates the creation of the tunnel on his end in order to exchange traffic with the corporate network. To do so, he runs special client software on his computer to communicate with the gateway protecting the destination LAN.
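The tunneling described above, worked through in code as an added example that is not part of this tutorial: a LAN-to-LAN tunnel in which each gateway wraps a complete inner IP packet inside an outer packet addressed only gateway-to-gateway, so the private LAN addresses are hidden from outsiders, and the inner packet is encrypted and integrity-protected. The choices here are assumptions for illustration, not a real VPN protocol: AES-GCM over a key the two gateways are assumed to already share, a per-packet sequence number as the nonce, and IP protocol number 99 for the outer header; the addresses in the accompanying test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options) with a valid
// header checksum; proto is the IP protocol number of the payload.
func ipv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0} // ver/IHL, TTL, proto
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h = append(append(h, src[:]...), dst[:]...)
	var sum uint32
	for i := 0; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	sum = sum&0xffff + sum>>16 // fold carries; two folds suffice for 10 words
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum&0xffff+sum>>16))
	return h
}

// NewTunnelAEAD sets up AES-GCM for the key both gateways share (16 bytes = AES-128); assumed pre-shared.
func NewTunnelAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate seals a complete inner IP packet (confidentiality + integrity) and
// prepends an outer header that carries only the gateway addresses, hiding the LAN ones.
func Encapsulate(aead cipher.AEAD, seq uint64, gwSrc, gwDst [4]byte, inner []byte) []byte {
	nonce := make([]byte, aead.NonceSize()) // per-packet sequence number; must never repeat under one key
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], seq)
	sealed := aead.Seal(nonce, nonce, inner, nil) // wire format: nonce || ciphertext || tag
	return append(ipv4Header(gwSrc, gwDst, 99, len(sealed)), sealed...) // 99: "any private encryption scheme"
}

// Decapsulate strips the outer header, then authenticates and decrypts; any altered byte makes Open fail.
func Decapsulate(aead cipher.AEAD, outer []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(outer) < 20+ns+aead.Overhead() {
		return nil, errors.New("tunnel packet too short")
	}
	return aead.Open(nil, outer[20:20+ns], outer[20+ns:], nil)
}
```

The receiving gateway learns the inner source and destination only after a successful Open, which is where the integrity check (the fourth function listed above) and the confidentiality check coincide: a packet an outsider has altered is dropped rather than forwarded onto the LAN.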
