3.1.8 VPN (Virtual Private Network)
(Page 1 of 2)

As mentioned in section 2.1.2, a Virtual Private Network, or VPN, simulates a private network over a public network (or less secure private network), allowing multiple sites to communicate securely. In this way, a VPN can support:

  • Traditional, host-based remote access (dial-in from a PC)

  • LAN-to-LAN access (wide area networking)

  • An extra level of communications security within an intranet (encrypting sensitive traffic so that it cannot be “sniffed” by personnel using your internal network).


A Virtual Private Network (VPN) allows you to simulate a private network over a public (less secure) network.

Advantages of VPNs

Companies often establish VPNs that run over the Internet as a more cost-effective, lower-overhead and more scalable alternative to a traditional (non-virtual) private network. VPNs are more cost-effective because an organization can connect any of its physical locations without requiring long-distance data calls via modem, leasing expensive private communications lines between sites, or equipping those sites with the communications hardware needed to support a private network. This saves the organization the monthly line and long-distance costs. For example, if your field support engineers, equipped with laptops, need access to sensitive customer data both from their offices (over the local LAN) and from customer sites in the field (by modem), you might implement a VPN so that they access this information in the same way whether connected locally or remotely.

VPNs offer lower administrative overhead and improved scalability because having users access the VPN through the Internet lets you assign responsibility for that connectivity to the users' ISPs rather than taking it on yourself. Additionally, your data center won't need to maintain the equipment that private lines would require, which could include high-speed CSU/DSUs and a router port for each private line, a modem bank for those network participants who do not connect via leased lines, etc. This frees technicians to concentrate on other issues and eliminates the time and cost involved in upgrading your communications hardware when technology advances or your network expands. The primary security features offered by VPNs include:

  • User authentication and authorization, usually through digital certificates or passwords, combined with policies, to ensure that only authorized personnel can access appropriate portions of the VPN.

  • Secure communications, by way of an encrypted communication tunnel, which keeps communication private, and tamper-proof, as it is routed through the Internet.

  • Protocol encapsulation, allowing protocols outside the Internet’s standard TCP/IP family, like IPX and AppleTalk, to be sent over the Internet.

  • Address space isolation, allowing use of private address ranges (and other internal Internet addresses to which your router may block access) within your VPN, even for hosts located outside the boundaries of your internal network.

  • Integration with firewall technology (with some VPNs), for ease of administration.

    Figure 29: While not as secure as a direct connection, massive savings can be achieved when connecting remote offices.
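The tunnel features listed above (private, tamper-evident communication, protocol encapsulation and private-address isolation) in an added, constructed example that is not from the guide or from any real VPN product. The cipher is a toy SHA-256 counter-mode stream standing in for a real one such as AES in IPSec ESP, and the keys, gateway addresses and inner packet are made up for illustration.

```python
"""Toy VPN tunnel between two gateways: a private-address packet (or a
non-IP protocol such as IPX) rides inside an encrypted, authenticated
outer packet that carries only the gateways' public addresses."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed sample keys; a real VPN negotiates these (e.g. IKE for IPSec).
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
TAG_LEN, HDR_LEN, NONCE_LEN = 32, 32, 12

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream standing in for a real cipher
    # (IPSec ESP would use e.g. AES). Illustrative only, not for production.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest())
    return b"".join(blocks)[:length]

def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Wrap `inner` in an outer packet addressed gateway-to-gateway."""
    header = f"{gw_src}>{gw_dst}".encode().ljust(HDR_LEN, b"\0")
    nonce = os.urandom(NONCE_LEN)  # fresh per packet
    ciphertext = bytes(a ^ b for a, b in zip(inner, _keystream(ENC_KEY, nonce, len(inner))))
    body = header + nonce + ciphertext
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()  # tamper detection
    return body + tag

def decapsulate(outer: bytes) -> Optional[bytes]:
    """Verify and unwrap; returns None (drop) if the packet was altered."""
    body, tag = outer[:-TAG_LEN], outer[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    nonce = body[HDR_LEN:HDR_LEN + NONCE_LEN]
    ciphertext = body[HDR_LEN + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(ENC_KEY, nonce, len(ciphertext))))

def outer_addresses(outer: bytes) -> str:
    """All an observer on the public network learns: the gateway pair."""
    return outer[:HDR_LEN].rstrip(b"\0").decode()

# Constructed inner packet: private addresses carrying an IPX-style payload.
INNER = b"10.0.0.5>10.0.1.7 IPX:order-data"
PACKET = encapsulate(INNER, "203.0.113.1", "198.51.100.2")
```

Flipping any byte of the outer packet makes `decapsulate` return None, which is the "tamper-proof" property; the private inner addresses never appear in the clear on the public side.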


A number of popular protocols are used by VPNs, including PPTP, L2TP, IPSec and SSH. Of these, IPSec is generally regarded as the most popular protocol for VPNs, with PPTP and L2TP following close behind, generally in Windows-based environments, and SSH popular in UNIX-based networks. For more information on these protocols, see the section 2 topics on Remote Access, which discuss each in depth.

VPNs can be implemented in firewalls, in dedicated hardware or in software. For example, a popular firewall solution that includes VPN capability is the PIX, by Cisco Systems. Popular dedicated hardware solutions include Sonicwall, Netscreen (for both small and enterprise VPNs) and Nokia VPN. There are also software-based solutions that integrate with firewalls, such as Checkpoint. Finally, some solutions are purely software-based, such as SSH and SSL. Interestingly, some of these (including SSH and SSL) started out as protocols that provided encryption for specific applications, namely remote terminal access (SSH) and Web browsing (SSL), but were later found to be effective VPN protocols as well.

VPNs are Cost Effective and Offer Numerous Features

VPNs are a cost-effective alternative to implementing a private network via non-shared leased lines.

VPN technology can be used to protect services accessed by both local and remote users. For example, a service used by both internal LAN users and by dial-up users on the road could be accessed via VPN.

Some VPN security features include user authentication, encrypted communication, protocol encapsulation and filtering, the use of private address spaces within the VPN tunnel, and integration with firewall technology.








CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.