Looking for the best VPN service for your business? Let’s consider different VPNs and where they fit.
A client-based VPN is a virtual private network created between a single user and a remote network.
In most scenarios, the user manually starts the VPN client, and authenticates with a username and password. The client creates an encrypted tunnel between the user’s computer and the remote network. The user then has access to the remote network via the encrypted tunnel.
Windows, Mac, and mobile operating systems often have standards-based VPN client options built-in.
Note that while IPsec was the client VPN protocol of choice for many years, SSL is more often used these days.
Client-based VPN apps make it easy for your users to connect their laptops or mobile devices to your private resources from anywhere.
Network-based VPNs are virtual private networks that securely connect two networks together across an untrusted network. One common example is an IPsec-based WAN, where all the offices of a business connect to each other across the Internet using IPsec tunnels.
There are several kinds of network VPNs. We’ll look at three of the most common:
- IPsec tunnels, both route-based and policy-based
- Dynamic multipoint VPNs
- MPLS-based L3VPNs
The simplest kind of network VPN is the standards-based IPsec tunnel, and most network routers and firewalls are capable of building one.
In principle, the tunnel on a network-based VPN is no different from a client-based IPsec tunnel. Both network and client implementations create a secure tunnel through which encrypted traffic flows between networks. While the client-based IPsec tunnel is designed to encapsulate traffic for a single device, the network-based IPsec tunnel carries traffic for entire networks of devices, allowing them to communicate.
IPsec tunnels that use some flavour of crypto access lists to define the traffic that can flow through them are generically termed policy-based VPNs.
The catch with policy-based VPNs is that the crypto access lists require maintenance to keep up with the demands of the business. If a new IP network comes online that needs to access a network on the other side of the tunnel, the crypto access list must be updated on the devices on either side of the tunnel.
Use policy-based IPsec tunnels when you need to build a single tunnel between two sites to provide carefully controlled access to resources.
In contrast to policy-based IPsec tunnels, route-based IPsec tunnels are more like a virtual link, allowing any traffic to flow through them.
Dynamic Multipoint VPN (DMVPN)
The current version of DMVPN expands the idea of IPsec point-to-point tunnels into a cloud of connected networks. With DMVPN, any network can talk to any other network directly across the DMVPN cloud.
Implementing DMVPN requires devices that can terminate a DMVPN tunnel.
DMVPN is a complex technology, requiring the use of GRE tunnels, IPsec, NHRP (Next Hop Resolution Protocol), and a routing protocol, all interdependent components that allow full mesh communication.
Use DMVPN to connect remote sites to a larger corporate network across the public Internet using a standard router configuration that’s hands-off once completed.
DMVPNs eliminate the need to know remote IP addresses, allowing for dynamically assigned IPs to connect to the infrastructure securely, registering their IP address with the DMVPN NHRP hub router. This allows the solution to scale as high as thousands of participating sites. The end result feels like a traditional WAN connection.
As a bonus, I thought I’d briefly mention L3VPNs, the most commonly deployed application over multiprotocol label switched (MPLS) networks.
MPLS is most often found in service provider networks. MPLS allows service providers to virtualize their networks so customers can share the physical network but still be kept logically separate.
If your company obtains WAN service from a service provider, the service provider is most likely offering L3VPN services over their MPLS network to your company. In this scenario, each office in your company connects to the service provider through what the service provider sees as a customer router — the one that connects the WAN circuit from the service provider to the rest of your network.
Internet bandwidth is remarkably cheap when compared to private WAN bandwidth running over a carrier’s L3VPN service.
There’s so much more information about the best VPN service and how it suits your specific needs. I’d love to have a chat with you if you are considering what might work best for you.