Virtual Private Networks
Virtual private networks (VPNs) provide an encrypted connection
between a user's distributed sites over a public network (e.g., the Internet).
By contrast, a private network uses dedicated circuits and possibly
This page describes IP-based VPN technology over the Internet,
though an organization might deploy VPNs on its internal nets
to encrypt sensitive information.
We also have some performance numbers.
The basic idea is to provide an encrypted IP tunnel through the Internet
that permits distributed sites to communicate securely.
The encrypted tunnel provides a secure path for network applications
and requires no changes to the application.
Criteria for evaluating a VPN solution include:
- supported platforms (UNIX, Win*, Mac)
- proprietary or open solution (standards support)
- ease of use (end user and network manager/SNMP)
- performance (pkts/sec, encryption bandwidth, compression)
- IP fragmentation support
- strength of security
- firewall inter-operability
- features (firewall, addressing, IPv6 support, protocols, multicast)
- network address translation (NAT) for host and client
- mobile user support
- key and policy management, authentication
- export restrictions
- internals (chipset, MHz, memory, net interfaces, tamper resistance)
The software solutions might be better termed "software approximations."
The classic solution is to provide privacy on an application-by-application
Secure remote access is provided by encrypted telnet services
SSH also permits tunneling other services (like X) over the
For dial-in connections, Blaze's
Encrypting Session Manager (ESM) provides encryption
after the session has been established.
Encrypted voice communication over the Internet is provided by
Transport layer encryption for TCP is provided by
also see the IETF's
Transport Layer Security (TLS) drafts.
More integrated software solutions can be provided by
or by using a Point to Point Tunnelling Protocol
and a FAQ)
combines the best of PPTP and Cisco's
provide encrypted transport services, also see Gong's
The ongoing development of
IP security options for IPv4 and IPv6, along with ISAKMP and GKMP,
may soon provide the necessary software tools for constructing your
own virtual private network, and there are
implementations available for testing; also see
on MS-DOS implementation.
Also, see the recent
or the VPN framework, or the
and Linux freeswan or
- InternetWeek's vpn
- DataComm's tests 7/98
- LANtimes review of VPNs (10/98)
- Network Computing VPN review (9/98) and IPsec VPNs 9/99
IOS security architecture and
Cisco's PIX info
- DSN's NetFortress
- Brivida's Pirma One
altavista tunnel and a comparison
- VPlus Networks
- IBM's SecureWay
- compatible systems
- shiva vpn
- redcreek VPN hardware for NT
- Xerox Ethernet tunnel
- Bay/New Oak NOC 4000
- Microsoft's Windows 2000 VPN
- Shiva infocrypt
- NEC's PrivateNet and a review
- IRE's SafeNet
- Radguard's CiPro and a
- Win* solutions:
or Ashley Laurent VPCOM
- Checkpoint's Firewall-1 vpn
firewall vendors and (soon)
router vendors provide VPN services, e.g., see
Cisco's encrypting routers
- vpnlabs info
VPN info and links/FAQ
vpn references and links
Test and evaluation
The Network Research Group at
ORNL has been doing
evaluations of various VPN solutions, including STEL, SSH, Kerberos,
and IPv4/v6 with the Cisco ISAKMP daemon.
We have also done preliminary testing on a Cisco PIX unit, DEC's
AltaVista client tunnel, and DSN's NetFortress.
Here are some
preliminary performance data
on encrypted tunneling throughput and latency.
Other security-related links can be found
back to Tom Dunigan's page
or the ORNL home page