Because routers have to examine and process every packet that leaves the LAN, it seems only natural to include packet encryption on routers. Vendors of router-based VPN services usually offer two types of products, either add-on software or an additional circuit board with a coprocessor-based encryption engine. The latter product is best for situations that require greater throughput. If you are already using a particular vendor's routers, then adding encryption support to these routers can keep the upgrade costs of your VPN low. But adding the encryption tasks to the same box as the router increases risks—if the router goes down, so does the VPN.
Many firewall vendors include a tunnel capability in their products. Like routers, firewalls must process all IP traffic—in this case, to pass traffic based on the filters defined for the firewall. Because of all the processing performed by firewalls, they are ill-suited for tunneling on large networks with a great deal of traffic. Combining tunneling and encryption with firewalls is probably best used only on small networks with low volumes of traffic. Also, like routers, they can be a single point of failure for a VPN.
Using firewalls to create VPNs is a workable solution—for some networks. Firewall-based VPNs are probably best suited to small networks that transfer small amounts of data (on the order of 1–2 Mbps over a WAN link) and remain relatively static, i.e., do not require frequent reconfiguration.
Another VPN solution is to use special hardware that is designed for the task of tunneling, encryption, and user authentication. These devices usually operate as encrypting bridges that are typically placed between the network's routers and WAN links. Although most of these hardware tunnels are designed for LAN–to–LAN configurations, some products also support client–to–LAN tunneling.
Integrating various functions into a single product can be particularly appealing to businesses that do not have the resources to install and manage a number of different network devices (and also do not want to outsource their VPN operations). A turnkey installation can certainly make the setup of a VPN much easier than installing software on a firewall and reconfiguring a router as well as installing a RADIUS server, for example.
While many of these hardware devices are likely to offer you the best performance possible for your VPN, you will still need to decide how many functions you want to integrate into a single device. Small businesses or small offices without large support staffs (especially those experienced in network security) will benefit from products that integrate all the VPN functions as well as a firewall and perhaps one or two other network services. Some products—usually the more expensive ones—include dual power supplies and failover features to ensure reliability.
It is hard to beat many of these products for throughput and for handling large numbers of simultaneous tunnels, both of which are crucial to larger enterprises. Also, do not overlook the importance of integrating the control of other network-related functions, such as resource reservation and bandwidth control. Some companies already include these features in their products, and it is a step that will most likely gain more support in the future. Integrating traffic control with authentication and access control also makes sense over the long run, as policy-based network management becomes more prevalent (and useful).
VPN software is also available for creating and managing tunnels, either between a pair of security gateways or between a remote client and a security gateway. These software VPN systems are often good low-cost choices for systems that are relatively small and do not have to process a lot of traffic. These solutions can run on existing servers and share resources with them and they serve as a good starting point for getting familiar with VPNs. Many of these systems are well suited for client–to–LAN connections.
In addition to the security gateway, another important component of a VPN is the security-policy server. This server maintains the access-control lists and other user-related information that the security gateway uses to determine which traffic is authorized. For example, in some systems, access can be controlled via a RADIUS server.
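The gateway/policy-server split described above, as an added example that is not from the book or any vendor's product: a hypothetical Python model in which the security gateway identifies each tunnel by its authenticated peer, fetches that peer's access-control list from a separate policy server (standing in for a RADIUS or similar server), and forwards only traffic the list permits. The identities, networks and ports are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data standing in for what a security-policy server
# would return. Keys are authenticated tunnel identities (a remote user or
# a peer security gateway); values are ordered ACL rules: (action, network,
# allowed destination ports or None for any port).
POLICY_DB = {
    "alice@example.test": [                 # constructed remote-client user
        ("permit", "10.1.0.0/16", {443, 22}),
    ],
    "branch-gw-2": [                        # constructed LAN-to-LAN peer
        ("permit", "10.1.0.0/16", None),
        ("deny",   "10.2.0.0/16", None),
    ],
}


class PolicyServer:
    """Hypothetical policy server: holds ACLs keyed by tunnel identity."""

    def __init__(self, db, available=True):
        self.db, self.available = db, available

    def acl_for(self, identity):
        if not self.available:
            raise ConnectionError("policy server unreachable")
        return self.db.get(identity, [])   # unknown identity -> empty ACL


@dataclass
class Packet:
    identity: str   # peer that authenticated the tunnel this packet arrived on
    dst: str        # destination address inside the protected LAN
    dport: int      # destination port


class SecurityGateway:
    """Hypothetical gateway: terminates tunnels, then consults the policy server."""

    def __init__(self, policy_server):
        self.policy_server = policy_server

    def authorize(self, pkt):
        """Return True only if the policy server's ACL permits this packet."""
        try:
            acl = self.policy_server.acl_for(pkt.identity)
        except ConnectionError:
            return False   # fail closed: no reachable policy, no forwarding
        dst = ip_address(pkt.dst)
        for action, net, ports in acl:   # first matching rule wins
            if dst in ip_network(net) and (ports is None or pkt.dport in ports):
                return action == "permit"
        return False   # implicit deny when no rule matches
```

Because the gateway fails closed when the policy server cannot be reached, the policy server joins the router or firewall as a component whose outage takes the VPN down, which is the single-point-of-failure trade-off raised earlier.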
Lastly, certificate authorities are needed to verify keys shared between sites and can also be used to verify individuals using digital certificates. Companies can choose to maintain their own database of digital certificates for users by setting up a corporate certificate server. For small groups of users, verification of shared keys might require checking with a third party that maintains the digital certificates associated with shared cryptographic keys. If a corporate VPN grows into an extranet, then an outside certificate authority may also have to be used to verify users from your business partners.