Virtual private networks - TCP-IP



Thread: Virtual private networks

  1. Virtual private networks

    hello


    1) What is the main purpose of using VPN - the security of connection
    between LAN and a remote host or the fact that LAN servers think of
    remote PC as one of the local PCs?

    2) And why would security be greater with VPN tunneling than using
    your standard public network protocols? Couldn't packets be just as
    safe ( as they are when using VPN ) using your normal protocols with
    additional security measures applied? I'm not sure I understand why
    security can be that much greater with VPN?

    3) PPTP uses PPP for creating virtual connection. For what exactly is
    PPP used here? I assume PPP is used for remote client to connect to its
    ISP? But connection between ISP and VPN server is done using TCP
    protocol. So why would VPN server need PPP protocol?

    thank you


    cheers


  2. Re: Virtual private networks

    wrote in message
    news:1180540931.458798.278130@p47g2000hsd.googlegroups.com...
    > hello
    >
    >
    > 1) What is the main purpose of using VPN - the security of connection
    > between LAN and a remote host or the fact that LAN servers think of
    > remote PC as one of the local PCs?
    >


    Well, the main purpose is to give the remote host(s) access to an internal
    network. Security is a concern, but not the main reason. You actually
    could create a VPN connection with no security, but that wouldn't be wise -
    see question 2 for more info.

    > 2) And why would security be greater with VPN tunneling than using
    > your standard public network protocols? Couldn't packets be just as
    > safe ( as they are when using VPN ) using your normal protocols with
    > additional security measures applied? I'm not sure I understand why
    > security can be that much greater with VPN?
    >


    Let's put it this way - the bad guys (and even the good guys) know how to
    get lots of your secrets if you don't encrypt the data - just the bad guys
    will abuse it. Would you put your credit card into a web page that doesn't
    have https? I sure wouldn't. Say you connect to your company network and
    don't use encryption. Someone steals your username/password and does
    malicious stuff - this could hurt your company and possibly even get you
    fired. Not good. If you've never used a packet sniffer, hook one up and
    capture a telnet session, then login. You'll see real quick how insecure
    this can be. TCP/IP was never meant to be secure in itself.


    > 3) PPTP uses PPP for creating virtual connection. For what exactly is
    > PPP used here? I assume PPP is used for remote client to connect to its
    > ISP? But connection between ISP and VPN server is done using TCP
    > protocol. So why would VPN server need PPP protocol?
    >


    Someone could probably write a book to explain this more in detail (and I'm
    sure they have). But, the simple point is that the word protocol can get
    very confusing in the network world. Keep in mind that a protocol (per
    definition) is just a defined way of doing something, or a set of rules.
    There is no single protocol that defines vpn. There are many ways to
    accomplish a vpn and many different protocols that come into play. Study
    the OSI model and you'll see that anything you do in networking uses
    multiple protocols to accomplish the task. There's no secret shortcut to
    understanding this stuff, it just comes with time and experience. When you
    see a concept in action it will set off all kinds of light bulbs to help you
    understand a lot of things that you've read about.

    > thank you
    >
    >
    > cheers


    Hope that helps,

    Jim



  3. Re: Virtual private networks

    On Wed, 30 May 2007 12:56:55 -0400, Scooby wrote:

    > wrote in message
    > news:1180540931.458798.278130@p47g2000hsd.googlegroups.com...
    >> hello
    >>
    >>
    >> 1) What is the main purpose of using VPN - the security of connection
    >> between LAN and a remote host or the fact that LAN servers think of
    >> remote PC as one of the local PCs?
    >>
    >>

    > Well, the main purpose is to give the remote host(s) access to an
    > internal network. Security is a concern, but not the main reason. You
    > actually could create a VPN connection with no security, but that
    > wouldn't be wise - see question 2 for more info.


    I don't completely agree. A VPN is a Virtual Private Network. Originally,
    this meant:

    - Virtual: independent of the underlying protocols/networks, merely
    operating over them.

    - Private: For me only, so yes security comes into play. In practice,
    this is not always needed, although most people still call the resulting
    thing a VPN.

    - Network: Either an extension to a subnet (bridging), or a link between
    networks (routing), network here only means it is a networking
    technology, a way to interoperate networks.

    The main purpose of VPNs is to tie together different networks and hosts
    in a secure way. Giving access to remote hosts is a very common use, but
    tying together different networks is also very common[1]. In all cases
    there is a tunnel and there is security.

    Security is not just encryption, authentication comes into play as well.
    Most VPNs -- and all serious VPN technologies -- use some form of
    encryption AND authentication. Without authentication you are vulnerable
    to a so-called man-in-the-middle attack so your encryption is not very
    secure. Sometimes (although this is real seldom) only authentication is
    needed, and no encryption.

    VPN technology is now so mature, it is often easier to use a VPN with
    null encryption as a tunneling technology than other technologies.
    (Although I also often find that people just don't know about other ways,
    what is wrong with IPIP?[3])

    The P stands for Private. If there is no encryption or authentication,
    the VPN is merely a tunnel and not a true VPN anymore (VN anyone?).
    However I have no difficulty in calling this a VPN.

    Things get even more confusing with IPSec. IPSec can be used in different
    modes, tunnel or transport. Only with tunneling mode you get the virtual
    aspect. In transport mode it only provides the private aspect[2].

    So in the strict sense, IPSec can only be said to provide a VPN in
    tunneling mode, which is by far the most common usage scenario. But to
    say that IPSec is a VPN technology is actually wrong. IPSec can be used
    to build VPNs, as well as for other uses (PN anyone?). However, I have no
    difficulty with calling this a VPN as well.

    Should you use a tunnel? Or use encryption? Or the convenience of
    combining them into a VPN? It depends on your requirements. As Scooby
    correctly pointed out, you probably want encryption. Although listening
    in on a tunnel is actually harder than most people assume, if correctly
    set up, VPN technology is so easy and mature you would be crazy not to
    use it.

    Tunneling, so no encryption or authentication, is mainly used to connect
    two networks when some IP-numbering issue comes up. For instance, when
    some subnet or a single host moves from one office to another but you
    cannot completely reroute the traffic to that new office. It's a hack,
    but it works. Or to connect two networks where privacy is not an issue,
    but the intermediate network uses a different numbering scheme.

    In other words, when you need tunneling, you probably know it. Otherwise
    use a VPN.

    Hope this clears things up a bit.
    M4

    [1] I'm currently on a project where 300 sites are to be connected using
    VPNs over the Internet. Interrrresting. The technical side is easy, the
    logistics a nightmare.

    [2] BTW, All IPSec manuals, books and tutorials I've seen claim transport
    mode can only be applied end to end. This is untrue, one can use
    transport mode between any two hops on the path. In fact, Cisco devices
    support this just fine and I'm sure others do as well. Using this
    technique results in a higher MTU than the tunneling technique so is very
    interesting when you can apply it instead of an IPSec tunnel.

    [3] The main tunneling technologies are either layer 2 or layer 3. Layer
    2 tunnels have fragmentation issues while layer 3 tunnels have mtu
    issues. Choosing a tunneling technology should take this into
    consideration[4]. VPNs have exactly the same issues, as any VPN is just a
    secure tunnel.

    [4]

    In practice I find way too many networking engineers that don't understand
    these issues. I'm prepared to state that anyone who does not understand
    these issues should not call themselves a networking engineer[5].


    [5]

    Yet people blindly copy the Cisco VPN example providing a GRE tunnel over
    an IPSec tunnel. The example was meant -- but doesn't state -- to
    illustrate a way how to use IPSec to secure a GRE tunnel. It was NOT meant
    as an example of how to set up an IPSec tunnel. To do a VPN this way is
    actually worst of both worlds, you get fragmentation AND mtu issues. If I
    would get a quarter for any "engineer" that uses this as _the_ way to set
    up an IPSec VPN between Cisco gear I would probably be richer than Bill
    Gates.

    Come on guys, it's not hard, just read a few books on how networking
    actually works.


  4. Re: Virtual private networks

    In article ,
    Martijn Lievaart wrote:

    > The main purpose of VPNs is to tie together different networks and hosts
    > in a secure way. Giving access to remote hosts is a very common use, but
    > tying together different networks is also very common[1]. In all cases
    > there is a tunnel and there is security.


    Why would you want to tie the networks together other than to give
    access to the remote hosts?

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  5. Re: Virtual private networks

    kaja_love160@yahoo.com writes:
    > 1) What is the main purpose of using VPN - the security of connection
    > between LAN and a remote host or the fact that LAN servers think of
    > remote PC as one of the local PCs?


    recent post about proposal introduced at '94 IETF meeting in
    san jose ... that came to be called VPN
    http://www.garlic.com/~lynn/aadsm27.htm#20 307 digit number factored

  6. Re: Virtual private networks

    This response is soooo over the edge. See inline responses...


    "Martijn Lievaart" wrote in message
    newsan.2007.05.30.20.49.35@rtij.nl.invlalid...
    > On Wed, 30 May 2007 12:56:55 -0400, Scooby wrote:
    >
    >> wrote in message
    >> news:1180540931.458798.278130@p47g2000hsd.googlegroups.com...
    >>> hello
    >>>
    >>>
    >>> 1) What is the main purpose of using VPN - the security of connection
    >>> between LAN and a remote host or the fact that LAN servers think of
    >>> remote PC as one of the local PCs?
    >>>
    >>>

    >> Well, the main purpose is to give the remote host(s) access to an
    >> internal network. Security is a concern, but not the main reason. You
    >> actually could create a VPN connection with no security, but that
    >> wouldn't be wise - see question 2 for more info.

    >
    > I don't completely agree. A VPN is a Virtual Private Network. Originally,
    > this meant:
    >
    > - Virtual: independent of the underlying protocols/networks, merely
    > operating over them.
    >
    > - Private: For me only, so yes security comes into play. In practice,
    > this is not always needed, although most people still call the resulting
    > thing a VPN.
    >
    > - Network: Either an extension to a subnet (bridging), or a link between
    > networks (routing), network here only means it is a networking
    > technology, a way to interoperate networks.
    >
    > The main purpose of VPNs is to tie together different networks and hosts
    > in a secure way. Giving access to remote hosts is a very common use, but
    > tying together different networks is also very common[1]. In all cases
    > there is a tunnel and there is security.
    >


    Nice breaking down the acronym, but that doesn't really answer the OP's
    question. The question is what is the main purpose. The purpose is to
    communicate remote hosts. Security is a concern and I even stated that up
    front, but the purpose is communication. Without communication, security
    doesn't mean anything.


    > Security is not just encryption, authentication comes into play as well.
    > Most VPNs -- and all serious VPN technologies -- use some form of
    > encryption AND authentication. Without authentication you are vulnerable
    > to a so called man in the middle attack so your encryption is not very
    > secure. Sometimes (although this is real seldom) only authentication is
    > needed, and no encryption.
    >


    I realize that. This is an entry level question and I was trying to keep
    the answer simple. For that matter, there is more that goes into VPN
    security than just encryption and authentication.

    > VPN technology is now so mature, it is often easier to use a VPN with
    > null encryption as a tunneling technology than other technologies.
    > (Although I also often find that people just don't know about other ways,
    > what is wrong with IPIP?[3])
    >
    > The P stands for Private. If there is no encryption or authentication,
    > the VPN is merely a tunnel and not a true VPN anymore (VN anyone?).
    > However I have no difficulty in calling this a VPN.


    Define private again. Up above, you inferred encryption. Encryption HELPS,
    but is not a requirement of privacy. Would you consider it private if the
    encryption was DES? That is easily cracked. A little harder than plain
    text, but not much. I could steal your username/password and impersonate
    you. If I mail you a private letter, someone could easily be stolen and
    read by someone else. This does not negate the fact that it is private. It
    was sent in a private wrapper with the intention of only being viewable by
    each end. How secure it is has nothing to do with if it is private or not.

    So, when, in your definition does it qualify to be private.

    >
    > Things get even more confusing with IPSec. IPSec can be used in different
    > modes, tunnel or transport. Only with tunneling mode you get the virtual
    > aspect. In transport mode it only provides the private aspect[2].
    >
    > So in the strict sense, IPSec can only be said to provide a VPN in
    > tunneling mode, which is by far the most common usage scenario. But to
    > say that IPSec is a VPN technology is actually wrong. IPSec can be used
    > to build VPNs, as well as for other uses (PN anyone?). However, I have no
    > difficulty with calling this a VPN as well.


    You've got some strange definitions.

    >
    > Should you use a tunnel? Or use encryption? Or the convenience of
    > combining them into a VPN? It depends on your requirements. As Scooby
    > correctly pointed out, you probably want encryption. Although listening
    > in on a tunnel is actually harder than most people assume, if correctly
    > set up, VPN technology is so easy and mature you would be crazy not to
    > use it.
    >
    > Tunneling, so no encryption or authentication, is mainly used to connect
    > two networks when some IP-numbering issue comes up. For instance, when
    > some subnet or a single host moves from one office to another but you
    > cannot completely reroute the traffic to that new office. It's a hack,
    > but it works. Or to connect two networks where privacy is not an issue,
    > but the intermediate network uses a different numbering scheme.
    >
    > In other words, when you need tunneling, you probably know it. Otherwise
    > use a VPN.


    See, this is where you and I disagree. I think the tunnel as you have
    described it IS a VPN. It is not encrypted (or authenticated, sorry), but
    it still is a VPN.

    >
    > Hope this clears things up a bit.
    > M4
    >


    Now, it's clear :-P

    > [1] I'm currently on a project where 300 sites are to be connected using
    > VPNs over the Internet. Interrrresting. The technical side is easy, the
    > logistics a nightmare.
    >
    > [2] BTW, All IPSec manuals, books and tutorials I've seen claim transport
    > mode can only be applied end to end. This is untrue, one can use
    > transport mode between any two hops on the path. In fact, Cisco devices
    > support this just fine and I'm sure others do as well. Using this
    > technique results in a higher MTU than the tunneling technique so is very
    > interesting when you can apply it instead of an IPSec tunnel.
    >
    > [3] The main tunneling technologies are either layer 2 or layer 3. Layer
    > 2 tunnels have fragmentation issues while layer 3 tunnels have mtu
    > issues. Choosing a tunneling technology should take this into
    > consideration[4]. VPNs have exactly the same issues, as any VPN is just a
    > secure tunnel.
    >
    > [4]
    >
    > In practice I find way too many networking engineers that don't understand
    > these issues. I'm prepared to state that anyone who does not understand
    > these issues should not call themselves a networking engineer[5].
    >

    >
    > [5]
    >
    > Yet people blindly copy the Cisco VPN example providing a GRE tunnel over
    > an IPSec tunnel. The example was meant -- but doesn't state -- to
    > illustrate a way how to use IPSec to secure a GRE tunnel. It was NOT meant
    > as an example of how to set up an IPSec tunnel. To do a VPN this way is
    > actually worst of both worlds, you get fragmentation AND mtu issues. If I
    > would get a quarter for any "engineer" that uses this as _the_ way to set
    > up an IPSec VPN between Cisco gear I would probably be richer than Bill
    > Gates.
    >
    > Come on guys, it's not hard, just read a few books on how networking
    > actually works.
    >


    Oh, you can't be serious. First, I've personally not had problems with GRE
    VPN's and mtu/fragmentation. But, let's say for a moment you are correct.
    Then I have a couple questions about that. One, just how do you do routing
    over vpn? Two, does this mean that DSL is not a valid means of connectivity
    since it introduces mtu/fragmentation issues (due to PPPOE). I will say that
    I prefer Cable over DSL partially because of this, but it doesn't mean that
    DSL isn't a valid technology. Now, I won't question your ability to do
    network, you obviously understand it, I think we just disagree about some
    things. But, just because someone does something different from you doesn't
    mean that they don't understand it. I've been doing this a looooong time
    and have been complimented by many for my abilities (even high up engineers
    within Cisco). You make some decent arguments, but I think I'll just agree
    to disagree on these points. Get down off that high horse, boy !!!!

    Keep in mind this was a simple entry level question - I was just trying to
    keep the answer basic. As I noted, there are books that have been written
    on these topics. VPN is complicated and becomes more complicated with new
    technologies (such as SSL VPNs) and newer encryption methods.

    Just MHO,

    Jim



  7. Re: Virtual private networks

    On Thu, 31 May 2007 00:30:11 +0000, Scooby wrote:

    > This response is soooo over the edge. See inline responses...


    (snip)

    > I realize that. This is an entry level question and I was trying to
    > keep the answer simple. For that matter, there is more that goes into
    > VPN security than just encryption and authentication.


    Yes, I probably should have answered differently, if at all.

    >
    >> VPN technology is now so mature, it is often easier to use a VPN with
    >> null encryption as a tunneling technology than other technologies.
    >> (Although I also often find that people just don't know about other
    >> ways, what is wrong with IPIP?[3])
    >>
    >> The P stands for Private. If there is no encryption or authentication,
    >> the VPN is merely a tunnel and not a true VPN anymore (VN anyone?).
    >> However I have no difficulty in calling this a VPN.

    >
    > Define private again. Up above, you inferred encryption. Encryption
    > HELPS, but is not a requirement of privacy. Would you consider it


    That is the problem. There is not a single definition of VPN. The above
    is my definition, and I happen to like it a lot.

    What is 'P'rivate? Even MPLS is sold as a VPN technology these days. I
    don't agree, although the LS should keep your data private, so it does
    meet my definition.

    > private if the encryption was DES? That is easily cracked. A little
    > harder than plain text, but not much. I could steal your
    > username/password and impersonate you. If I mail you a private letter,
    > someone could easily be stolen and read by someone else. This does not
    > negate the fact that it is private. It was sent in a private wrapper


    Security is always a compromise. Security should be a consideration
    between investments in security and damages avoided.

    Nothing is 100% secure. A risk analysis should tell you what to protect
    and what that can cost. If all you can afford is a PIX with a simple
    license, DES may be your only option. If the risks are low and the impact
    low as well, DES may be fine. (Although I agree, this is akin to no
    encryption at all).

    Consider WEP. It is insecure, nowadays trivial to crack (2 minutes on an
    average notebook, given a steady stream of data). But not all devices do
    WPA yet. We do WEP at $ORK because of this. We know it is insecure. Yet
    the costs of replacing all WEP only devices does not justify the better
    security of WPA.

    > with the intention of only being viewable by each end. How secure it is
    > has nothing to do with if it is private or not.
    >
    > So, when, in your definition does it qualify to be private.
    >


    If it is private, you should do a risk analysis and design your security
    based on that. It's slightly more complex than that, for instance you
    have to take laws and regulations into account as well, but in the end it
    is still just a trade off between costs and possible damages.

    Or to be complete, your risk analysis should tell you if your data needs
    to be protected, what data needs to be protected, how it needs to be
    protected (level of confidentiality, level of integrity, level of
    accountability, or CIA for short) and what your budget is to do so.

    VPNs are a possible answer to these needs, and the P in VPN stands for
    any of these needs.

    (IPsec)

    > You've got some strange definitions.


    I don't think these strange. IPSec in transport mode is another answer to
    security needs, it's just not a VPN in the strict meaning of the TLA.

    In fact, if I need to explain IPSec to people, explaining the above is
    more often than not very enlightening. People expect IPSec to be a VPN
    technology, so they expect a tunnel somehow, never mind that there is a
    transport and a tunnel mode. Once these differences are explained by
    taking people away from "IPSec is a VPN" we can go back to calling all
    IPSec usage a VPN and ignore the details.

    (tunnels)

    >> In other words, when you need tunneling, you probably know it.
    >> Otherwise use a VPN.

    >
    > See, this is where you and I disagree. I think the tunnel as you have
    > described it IS a VPN. It is not encrypted (or authenticated, sorry),
    > but it still is a VPN.


    We'll just have to agree to disagree on this one. Just to get this clear,
    you consider IPIP a VPN technology?

    >>
    >> Yet people blindly copy the Cisco VPN example providing a GRE tunnel
    >> over an IPSec tunnel. The example was meant -- but doesn't state -- to
    >> illustrate a way how to use IPSec to secure a GRE tunnel. It was NOT
    >> meant as an example of how to set up an IPSec tunnel. To do a VPN this
    >> way is actually worst of both worlds, you get fragmentation AND mtu
    >> issues. If I would get a quarter for any "engineer" that uses this as
    >> _the_ way to set up an IPSec VPN between Cisco gear I would probably be
    >> richer than Bill Gates.
    >>
    >> Come on guys, it's not hard, just read a few books on how networking
    >> actually works.
    >>

    >
    > Oh, you can't be serious. First, I've personally not had problems with
    > GRE VPN's and mtu/fragmentation. But, let's say for a moment you are


    GRE VPNs do have fragmentation issues (or mtu issues if you explicitly
    lower the MTU). These issues can or cannot turn into problems. I've once
    seen performance problems caused by lost packets and GRE fragmentation.
    TCP performance was horrible. Also, if these fragmented packets go over
    your slowest link, they have a slight performance impact. I vaguely
    remember once having performance issues on a slow GRE link due to
    fragmentation, but cannot recall the details, however the impact was
    larger than could be attributed to just the overhead. Damn, now what was
    that problem again.

    > correct. Then I have a couple questions about that. One, just how do
    > you do routing over vpn? Two, does this mean that DSL is not a valid
    > means of connectivity since it introduces mtu/fragmentation issues (due
    > to PPPOE). I will say that I prefer Cable over DSL partially because of


    In most cases DSL is a fine technology. Normally you won't notice any
    problems. Fragmentation just lowers the total throughput slightly or if
    you choose to use a lower mtu, PMTUD will make things work.

    What I was referring to is people who don't understand these issues and
    try to use GRE or lower MTUs in situations where they are not appropriate.

    - GRE tunnels over links that also carry (lots of) other traffic are not
    a good idea. It may work, and then it may cause problems because you
    lose more packets (any fragment lost means the whole packet must be
    retransmitted).

    - PMTUD blackholes do exist. On the netfilter-user list many people ask
    about solutions when they either accidentally created one or encounter
    one on the Internet. Too often I've worked at companies where icmp was
    considered evil and fragmentation-needed was filtered out. I even
    encountered a commercial firewall product that always filtered out
    fragmentation-needed, it could not be told to do otherwise.

    Now combine the icmp-is-evil attitude with an IPSec tunnel, which has a
    lower MTU than the surrounding links. Also try to use this to encrypt a
    GRE tunnel over a congested link. I actually encountered this more than
    once. In all cases this was set up by "experts". I'm not an expert, I
    don't have any formal qualification in networking at all, but even I
    understand this will not work reliably.

    (In one environment, a very large government institution, not only did I
    encounter the above, but also a mix of token-ring and ethernet. No one
    understood why, only that they should lower the MTU to 1500 on token-ring
    to make things work. The introduction of VPN technology seriously broke
    about everything. Not to mention that most Unix boxes used a MTU of 536
    on anything not locally attached, giving severe performance degradation
    on any saturated link. There were about 10 "networking engineers" there,
    most of which I actually respect a lot. However, I found it more than a
    little disappointing that I had to point out these issues (which were
    very real problems), convince the engineers, only to have all changes to
    be suffocated in the change process. AFAIK, things still work that way
    over there.)

    > this, but it doesn't mean that DSL isn't a valid technology. Now, I
    > won't question your ability to do network, you obviously understand it,
    > I think we just disagree about some things. But, just because someone
    > does something different from you doesn't mean that they don't
    > understand it. I've been doing this a looooong time and have been
    > complimented by many for my abilities (even high up engineers within
    > Cisco). You make some decent arguments, but I think I'll just agree to
    > disagree on these points. Get down off that high horse, boy !!!!


    Thumb! Ouch! That was a way down. But given the above explanation,
    (especially that issues are not problems per se), I think we probably
    agree on this.

    (Except when you do use IPSec to encrypt GRE tunnels just because).

    >
    > Keep in mind this was a simple entry level question - I was just trying
    > to keep the answer basic. As I noted, there are books that have been


    Yes, I probably should have reacted differently, if at all.

    > written on these topics. VPN is complicated and becomes more
    > complicated with new technologies (such as SSL VPNs) and newer
    > encryption methods.


    Absolutely. On the other hand, VPNs get to be commodity products these
    days and the complexity is partly hidden by standards and good products.

    M4
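The MTU and fragmentation points argued across posts 3 and 7 (IPsec transport mode leaving a larger MTU than tunnel mode, GRE over IPsec fragmenting a full-size packet, and a filtered fragmentation-needed ICMP turning PMTUD into a blackhole) can be checked with a small model. This is an added example, not code from any poster; it assumes IPv4 headers without options, a basic 4-byte GRE header, and ESP with AES-CBC and HMAC-SHA1-96, and the layer names and function names are its own.

```python
"""Constructed model of tunnel encapsulation overhead and of what happens when
the encapsulated packet exceeds the link MTU (fragmentation, PMTUD, blackhole).
Assumptions (not from the thread): IPv4 headers without options, basic 4-byte
GRE header, ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 ICV."""
import math

IP_HDR = 20        # IPv4 header, no options
GRE_HDR = 4        # GRE header with no key, sequence or checksum fields
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header, inside the encrypted region
ESP_ICV = 12       # HMAC-SHA1-96 authenticator


def esp_size(plaintext_len, block=16, iv=16):
    """Bytes occupied by ESP carrying plaintext_len bytes (no outer IP header)."""
    padded = math.ceil((plaintext_len + ESP_TRAILER) / block) * block
    return ESP_HDR + iv + padded + ESP_ICV


def outer_size(inner_len, stack):
    """Wire size of an inner IP packet after applying the layers in stack,
    listed innermost first, e.g. ["gre", "esp-tunnel"] is GRE over IPsec."""
    size = inner_len
    for layer in stack:
        if layer == "ipip":
            size += IP_HDR                            # outer IP header only
        elif layer == "gre":
            size += GRE_HDR + IP_HDR                  # GRE header plus outer IP header
        elif layer == "esp-tunnel":
            size = IP_HDR + esp_size(size)            # whole packet encrypted, new outer header
        elif layer == "esp-transport":
            size = IP_HDR + esp_size(size - IP_HDR)   # original header kept, payload encrypted
        else:
            raise ValueError(f"unknown layer {layer!r}")
    return size


def max_inner_mtu(stack, link_mtu=1500):
    """Largest inner packet that fits in link_mtu without fragmentation; this is
    the value to configure as the tunnel interface MTU."""
    for n in range(link_mtu, 0, -1):
        if outer_size(n, stack) <= link_mtu:
            return n
    raise ValueError("overhead exceeds link MTU")


def deliver(inner_len, stack, link_mtu=1500, df=True, icmp_filtered=False):
    """Outcome for one inner packet sent over the tunnel. df is the DF bit on
    the *outer* packet (whether it is copied from the inner header depends on
    the tunnel configuration); icmp_filtered models a firewall that drops ICMP
    fragmentation-needed. Returns (outcome, number_of_packets_on_the_wire)."""
    wire = outer_size(inner_len, stack)
    if wire <= link_mtu:
        return "delivered", 1
    if df:
        if icmp_filtered:
            return "blackhole", 0        # PMTUD can never learn the smaller MTU
        return "icmp-frag-needed", 0     # sender lowers its path MTU and retries
    # DF clear: the outer packet is fragmented. Each fragment but the last carries
    # a multiple of 8 payload bytes, and losing any one fragment loses the packet.
    per_fragment = (link_mtu - IP_HDR) // 8 * 8
    return "fragmented", math.ceil((wire - IP_HDR) / per_fragment)


if __name__ == "__main__":
    for stack in (["ipip"], ["gre"], ["esp-transport"], ["esp-tunnel"], ["gre", "esp-tunnel"]):
        print(f"{'+'.join(stack):18} 1500-byte inner -> {outer_size(1500, stack)} on the wire,"
              f" tunnel MTU should be {max_inner_mtu(stack)}")
    print(deliver(1500, ["gre"], df=False))                            # fragmented into 2
    print(deliver(1500, ["gre", "esp-tunnel"], icmp_filtered=True))    # blackhole
    print(deliver(max_inner_mtu(["gre", "esp-tunnel"]), ["gre", "esp-tunnel"]))
```

With a 1500-byte link the model gives a 1458-byte inner MTU for ESP transport mode against 1438 for tunnel mode, and 1414 once GRE sits inside the IPsec tunnel; an unlowered 1500-byte inner packet over GRE-in-ESP is either fragmented, bounced with fragmentation-needed, or silently lost when that ICMP is filtered.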

  8. Re: Virtual private networks

    In article ,
    "Scooby" wrote:

    > This response is soooo over the edge. See inline responses...
    >
    >
    > "Martijn Lievaart" wrote in message
    > newsan.2007.05.30.20.49.35@rtij.nl.invlalid...
    > > The main purpose of VPNs is to tie together different networks and hosts
    > > in a secure way. Giving access to remote hosts is a very common use, but
    > > tying together different networks is also very common[1]. In all cases
    > > there is a tunnel and there is security.
    > >

    >
    > Nice breaking down the acronym, but that doesn't really answer the OP's
    > question. The question is what is the main purpose. The purpose is to
    > communicate remote hosts. Security is a concern and I even stated that up
    > front, but the purpose is communication. Without communication, security
    > doesn't mean anything.


    But the VPN doesn't provide communication, the network does that all by
    itself. The point of the question is what is the value added by using a
    VPN? And the primary value is that it makes the communication secure,
    by authenticating the client and encrypting the data.

    > > The P stands for Private. If there is no encryption or authentication,
    > > the VPN is merely a tunnel and not a true VPN anymore (VN anyone?).
    > > However I have no difficulty in calling this a VPN.

    >
    > Define private again. Up above, you inferred encryption. Encryption HELPS,
    > but is not a requirement of privacy. Would you consider it private if the
    > encryption was DES? That is easily cracked. A little harder than plain
    > text, but not much. I could steal your username/password and impersonate
    > you. If I mail you a private letter, someone could easily be stolen and
    > read by someone else. This does not negate the fact that it is private. It
    > was sent in a private wrapper with the intention of only being viewable by
    > each end. How secure it is has nothing to do with if it is private or not.
    >
    > So, when, in your definition does it qualify to be private.


    The point is that it TRIES to be private. Contrast it with normal
    traffic, which is easily viewed if it can be intercepted. Encryption is
    a necessary prerequisite. If you don't encrypt, what's the point of the
    VPN? What about it makes it more Private than ordinary Internet
    communication?

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  9. Re: Virtual private networks

    Okay, I was going to do this inline, but the thread is getting too long, so
    here are my thoughts:

    Yes, it is hard to find any single authoritative definition of vpn. But,
    here is my take on what the spirit of private means. In my opinion, Private
    has nothing to do with security. It is not the data that is private, but
    the networks. Here is the idea. Network A needs to talk with network B.
    All the routers in between A and B need to know routes to both of these
    networks and every single host on them that wants to communicate across the
    link. A VPN will encapsulate the true IP information so that the source and
    destination networks become private. Then, all the routers in between do
    not need to know anything about networks A and B.

    As I'm thinking this out, I got this image in my head of some little boy
    reading his sister's diary. She sees him and says "Hey, that's private".
    He looks back and says "It can't be private, it's not encrypted". Sorry,
    the mind wanders sometimes.

    You mention MPLS. MPLS itself is not a VPN technology, but there are MPLS
    VPN's. If you don't know much about this, read up, cause it is pretty cool
    stuff. The VPN's do pretty much what I just described above by
    encapsulating packets. And a major reason for this is.... routing !!!!
    There can be multiple customers with the same address space. The VPN's
    handle this by creating virtual routing tables for each customer. While the
    service provider participates in the customer routing, the service
    provider's internal routers do not need to know anything about the customer
    routes, only the edge MPLS routers do.

    Again, with just about any VPN, security is a concern and should strongly be
    considered, but I don't think it is a requirement to be called a VPN.

    You totally sidestepped my question of when a connection is secure enough to
    be considered a vpn. If you just say that it needs to be secure, it leaves
    such a gray area. Where do you draw the line? This is why I asked about
    DES. Why do you consider unencrypted tunnels not a vpn, but tunnels
    encrypted with a really weak algorithm are vpns? That doesn't make sense.
    How secure does it have to be to qualify?

    Absolutely, I consider IPIP to be a VPN.

    There's no great difference in tunnel vs. transport mode, they effectively
    accomplish the same thing (what I defined above), the only real difference is
    the headers.

    So, I don't think it needs to be secure (encrypted, authenticated, or
    whatever) to be considered a vpn - that's my story and I'm sticking to it.




    "Martijn Lievaart" wrote in message
    newsan.2007.05.31.20.42.50@rtij.nl.invlalid...
    > On Thu, 31 May 2007 00:30:11 +0000, Scooby wrote:
    >
    >> This response is soooo over the edge. See inline responses...

    >
    > (snip)
    >
    >> I realize that. This is an entry level question and I was trying to
    >> keep the answer simple. For that matter, there is more that goes into
    >> VPN security than just encryption and authentication.

    >
    > Yes, I probably should have answered differently, if at all.
    >
    >>
    >>> VPN technology is now so mature, it is often easier to use a VPN with
    >>> null encryption as a tunneling technology than other technologies.
    >>> (Although I also often find that people just don't know about other
    >>> ways, what is wrong with IPIP?[3])
    >>>
    >>> The P stands for Private. If there is no encryption or authentication,
    >>> the VPN is merely a tunnel and not a true VPN anymore (VN anyone?).
    >>> However I have no difficulty in calling this a VPN.

    >>
    >> Define private again. Up above, you inferred encryption. Encryption
    >> HELPS, but is not a requirement of privacy. Would you consider it

    >
    > That is the problem. There is not a single definition of VPN. The above
    > is my definition, and I happen to like it a lot.
    >
    > What is 'P'rivate? Even MPLS is sold as a VPN technology these days. I
    > don't agree, although the LS should keep your data private, so it does
    > meet my definition.
    >
    >> private if the encryption was DES? That is easily cracked. A little
    >> harder than plain text, but not much. I could steal your
    >> username/password and impersonate you. If I mail you a private letter,
    >> it could easily be stolen and read by someone else. This does not
    >> negate the fact that it is private. It was sent in a private wrapper

    >
    > Security is always a compromise. Security should be a consideration
    > between investments in security and damages avoided.
    >
    > Nothing is 100% secure. A risk analysis should tell you what to protect
    > and what that can cost. If all you can afford is a PIX with a simple
    > license, DES may be your only option. If the risks are low and the impact
    > low as well, DES may be fine. (Although I agree, this is akin to no
    > encryption at all).
    >
    > Consider WEP. It is insecure, nowadays trivial to crack (2 minutes on an
    > average notebook, given a steady stream of data). But not all devices do
    > WPA yet. We do WEP at $ORK because of this. We know it is insecure. Yet
    > the costs of replacing all WEP only devices does not justify the better
    > security of WPA.
    >
    >> with the intention of only being viewable by each end. How secure it is
    >> has nothing to do with if it is private or not.
    >>
    >> So, when, in your definition does it qualify to be private.
    >>

    >
    > If it is private, you should do a risk analysis and design your security
    > based on that. It's slightly more complex than that, for instance you
    > have to take laws and regulations into account as well, but in the end it
    > is still just a trade off between costs and possible damages.
    >
    > Or to be complete, your risk analysis should tell you if your data needs
    > to be protected, what data needs to be protected, how it needs to be
    > protected (level of confidentially, level of integrity, level of
    > accountability, or CIA for short) and what your budget is to do so.
    >
    > VPNs are a possible answer to these needs, and the P in VPN stands for
    > any of these needs.
    >
    > (IPsec)
    >
    >> You've got some strange definitions.

    >
    > I don't think these strange. IPSec in transport mode is another answer to
    > security needs, it's just not a VPN in the strict meaning of the TLA.
    >
    > In fact, if I need to explain IPSec to people, explaining the above is
    > more often than not very enlightening. People expect IPSec to be a VPN
    > technology, so they expect a tunnel somehow, never mind that there is a
    > transport and a tunnel mode. Once these differences are explained by
    > taking people away from "IPSec is a VPN" we can go back to calling all
    > IPSec usage a VPN and ignore the details.
    >
    > (tunnels)
    >
    >>> In other words, when you need tunneling, you probably know it.
    >>> Otherwise use a VPN.

    >>
    >> See, this is where you and I disagree. I think the tunnel as you have
    >> described it IS a VPN. It is not encrypted (or authenticated, sorry),
    >> but it still is a VPN.

    >
    > We'll just have to agree to disagree on this one. Just to get this clear,
    > you consider IPIP a VPN technology?
    >
    >>>
    >>> Yet people blindly copy the Cisco VPN example providing a GRE tunnel
    >>> over an IPSec tunnel. The example was meant -- but doesn't state -- to
    >>> illustrate a way how to use IPSec to secure a GRE tunnel. It was NOT
    >>> meant as an example of how to set up an IPSec tunnel. To do a VPN this
    >>> way is actually worst of both worlds, you get fragmentation AND mtu
    >>> issues. If I would get a quarter for any "engineer" that uses this as
    >>> _the_ way to set up an IPSec VPN between Cisco gear I would probably be
    >>> richer than Bill Gates.
    >>>
    >>> Come on guys, it's not hard, just read a few books on how networking
    >>> actually works.
    >>>

    >>
    >> Oh, you can't be serious. First, I've personally not had problems with
    >> GRE VPN's and mtu/fragmentation. But, let's say for a moment you are

    >
    > GRE VPNs do have fragmentation issues (or mtu issues if you explicitly
    > lower the MTU). These issues can or cannot turn into problems. I've once
    > seen performance problems caused by lost packets and GRE fragmentation.
    > TCP performance was horrible. Also, if these fragmented packets go over
    > your slowest link, they have a slight performance impact. I vaguely
    > remember once having performance issues on a slow GRE link due to
    > fragmentation, but cannot recall the details, however the impact was
    > larger than could be attributed to just the overhead. Damn, now what was
    > that problem again.
    >
    >> correct. Then I have a couple questions about that. One, just how do
    >> you do routing over vpn? Two, does this mean that DSL is not a valid
    >> means of connectivity since it introduces mtu/fragmentation issues (due
    >> to PPPOE). I will say that I prefer Cable over DSL partially because of

    >
    > In most cases DSL is a fine technology. Normally you won't notice any
    > problems. Fragmentation just lowers the total throughput slightly or if
    > you choose to use a lower mtu, PMTUD will make things work.
    >
    > What I was referring to is people who don't understand these issues and
    > try to use GRE or lower MTUs in situations where they are not appropriate.
    >
    > - GRE tunnels over links that also carry (lots of) other traffic are not
    > a good idea. It may work, and then it may cause problems because you
    > lose more packets (any fragment lost means the whole packet must be
    > retransmitted).
    >
    > - PMTUD blackholes do exist. On the netfilter-user list many people ask
    > about solutions when they either accidentally created one or encounter
    > one on the Internet. Too often I've worked at companies where icmp was
    > considered evil and fragmentation-needed was filtered out. I even
    > encountered a commercial firewall product that always filtered out
    > fragmentation-needed, it could not be told to do otherwise.
    >
    > Now combine the icmp-is-evil attitude with an IPSec tunnel, which has a
    > lower MTU than the surrounding links. Also try to use this to encrypt a
    > GRE tunnel over a congested link. I actually encountered this more than
    > once. In all cases this was set up by "experts". I'm not an expert, I
    > don't have any formal qualification in networking at all, but even I
    > understand this will not work reliably.
    >
    > (In one environment, a very large government institution, not only did I
    > encounter the above, but also a mix of token-ring and ethernet. No one
    > understood why, only that they should lower the MTU to 1500 on token-ring
    > to make things work. The introduction of VPN technology seriously broke
    > about everything. Not to mention that most Unix boxes used a MTU of 536
    > on anything not locally attached, giving severe performance degradation
    > on any saturated link. There were about 10 "networking engineers" there,
    > most of which I actually respect a lot. However, I found it more than a
    > little disappointing that I had to point out these issues (which were
    > very real problems), convince the engineers, only to have all changes to
    > be suffocated in the change process. AFAIK, things still work that way
    > over there.)
    >
    >> this, but it doesn't mean that DSL isn't a valid technology. Now, I
    >> won't question your ability to do network, you obviously understand it,
    >> I think we just disagree about some things. But, just because someone
    >> does something different from you doesn't mean that they don't
    >> understand it. I've been doing this a looooong time and have been
    >> complimented by many for my abilities (even high up engineers within
    >> Cisco). You make some decent arguments, but I think I'll just agree to
    >> disagree on these points. Get down off that high horse, boy !!!!

    >
    > Thumb! Ouch! That was a way down. But given the above explanation,
    > (especially that issues are not problems per se), I think we probably
    > agree on this.
    >
    > (Except when you do use IPSec to encrypt GRE tunnels just because).
    >
    >>
    >> Keep in mind this was a simple entry level question - I was just trying
    >> to keep the answer basic. As I noted, there are books that have been

    >
    > Yes, I probably should have reacted differently, if at all.
    >
    >> written on these topics. VPN is complicated and becomes more
    >> complicated with new technologies (such as SSL VPNs) and newer
    >> encryption methods.

    >
    > Absolutely. On the other hand, VPNs get to be commodity products these
    > days and the complexity is partly hidden by standards and good products.
    >
    > M4

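The MTU and fragmentation problems discussed in the reply above (GRE over IPsec, tunnel hops with a lowered MTU, and firewalls that drop ICMP Fragmentation Needed) can be made concrete with a few numbers. The block below is an added example, not code posted by anyone in this thread. It assumes standard header sizes (IPv4 20 bytes, TCP 20, GRE 4 with no optional fields, ESP tunnel mode with a 16-byte AES-CBC IV and a 12-byte HMAC-SHA1-96 ICV); the link names, MTUs and ICMP-filter flags in its two sample paths are constructed. It goes a little beyond the post by also computing the plain-GRE and plain-ESP cases next to GRE-over-ESP.

```python
"""Tunnel encapsulation overhead and a PMTUD blackhole walk-through.

Added example for this thread, not code from any poster. Header sizes are
the standard ones for IPv4, TCP, GRE (no options) and ESP tunnel mode with
AES-CBC and HMAC-SHA1-96. The sample paths and their MTUs are constructed.
"""
import math
from dataclasses import dataclass
from typing import Callable, List

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # base GRE header, no checksum/key/sequence fields
ESP_SPI_SEQ = 8        # SPI + sequence number
ESP_IV = 16            # AES-CBC initialisation vector
ESP_ICV = 12           # HMAC-SHA1-96 integrity check value
ESP_TRAILER = 2        # pad-length + next-header bytes
CIPHER_BLOCK = 16      # AES block size; plaintext is padded to a multiple


def gre_len(inner_len: int) -> int:
    """Size of an inner IP packet after GRE encapsulation (new outer IPv4)."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_tunnel_len(inner_len: int) -> int:
    """Size of an inner IP packet after ESP tunnel-mode encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / CIPHER_BLOCK) * CIPHER_BLOCK
    return IPV4_HDR + ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV


def gre_over_esp_len(inner_len: int) -> int:
    """GRE first, then IPsec around it: the 'GRE over IPsec' layering."""
    return esp_tunnel_len(gre_len(inner_len))


def largest_payload(link_mtu: int, encapsulate: Callable[[int], int]) -> int:
    """Largest TCP payload whose encapsulated packet still fits link_mtu.

    This is the value to clamp TCP MSS to on the tunnel, so hosts never
    build segments the tunnel has to fragment. Encapsulated size grows
    monotonically with inner size, so a downward scan finds the maximum.
    """
    for payload in range(link_mtu - IPV4_HDR - TCP_HDR, -1, -1):
        if encapsulate(IPV4_HDR + TCP_HDR + payload) <= link_mtu:
            return payload
    return 0


@dataclass
class Link:
    name: str
    mtu: int
    filters_icmp: bool = False  # "icmp is evil": Fragmentation Needed is dropped


def send_df(path: List[Link], size: int):
    """Forward one DF-set packet hop by hop.

    Returns ("delivered", None), ("icmp", hop_mtu) when the sender would get
    Fragmentation Needed, or ("dropped", link_name) when the packet is too
    big but the ICMP error never reaches the sender: a PMTUD blackhole.
    """
    for link in path:
        if size > link.mtu:
            if link.filters_icmp:
                return ("dropped", link.name)
            return ("icmp", link.mtu)
    return ("delivered", None)


def pmtud(path: List[Link], size: int, max_tries: int = 5):
    """Classic PMTUD: shrink on each Fragmentation Needed until delivery.

    Returns (outcome, final_size, icmp_messages_seen).
    """
    tries = 0
    while tries < max_tries:
        result, info = send_df(path, size)
        if result == "delivered":
            return ("ok", size, tries)
        if result == "icmp":
            size = info          # honour the MTU the router reported
            tries += 1
            continue
        # Silently dropped: the sender retransmits at the same size forever,
        # so the connection stalls as soon as a full-sized segment is sent.
        return ("blackhole", size, tries)
    return ("gave_up", size, tries)


# Constructed paths: LAN, PPPoE DSL (1492), then an IPsec hop whose MTU is
# lowered by ESP overhead. Only the ICMP filter differs between the two.
HEALTHY_PATH = [Link("lan", 1500), Link("dsl-pppoe", 1492), Link("ipsec", 1438)]
BLACKHOLE_PATH = [Link("lan", 1500), Link("dsl-pppoe", 1492),
                  Link("ipsec", 1438, filters_icmp=True)]

if __name__ == "__main__":
    print("MSS clamp, GRE only    :", largest_payload(1500, gre_len))
    print("MSS clamp, ESP only    :", largest_payload(1500, esp_tunnel_len))
    print("MSS clamp, GRE over ESP:", largest_payload(1500, gre_over_esp_len))
    print("healthy path           :", pmtud(HEALTHY_PATH, 1500))
    print("blackhole path         :", pmtud(BLACKHOLE_PATH, 1500))
    print("small packet, blackhole:", send_df(BLACKHOLE_PATH, 1400))
```

Two things fall out of running it. The three MSS-clamp values (1436 for GRE alone, 1398 for ESP alone, 1374 for GRE over ESP) show how much usable payload each layer of encapsulation costs on a 1500-byte link. On the blackhole path, a 1400-byte packet still gets through while a full-sized one is dropped without any error, which is exactly the "ping works, large transfers hang" symptom described above; the defensive fix is to let Fragmentation Needed through the firewall and to clamp MSS on the tunnel interface to the computed value.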



  10. Re: Virtual private networks

    In article ,
    "Scooby" wrote:

    > Okay, I was going to do this inline, but the thread is getting too long, so
    > here are my thoughts:
    >
    > Yes, it is hard to find any single authoritative definition of vpn. But,
    > here is my take on what the spirit of private means. In my opinion, Private
    > has nothing to do with security. It is not the data that is private, but
    > the networks. Here is the idea. Network A needs to talk with network B.
    > All the routers in between A and B need to know routes to both of these
    > networks and every single host on them that wants to communicate across the
    > link. A VPN will encapsulate the true IP information so that the source and
    > destination networks become private. Then, all the routers in between do
    > not need to know anything about networks A and B.


    I would call that a virtual network or just a tunnel if it doesn't make
    any attempt to prevent someone from reading it.

    >
    > As I'm thinking this out, I got this image in my head of some little boy
    > reading his sister's diary. She sees him and says "Hey, that's private".
    > He looks back and says "It can't be private, it's not encrypted". Sorry,
    > the mind wanders sometimes.


    Diaries have locks on them or the owner hides it somewhere. Encryption
    is the online equivalent of locks.

    Maybe YOU don't consider encryption to be an important aspect of VPNs,
    but your interpretation is not the way most in the industry use the
    term. When anyone else says VPN, they basically mean an encrypted
    tunnel. "Private" means that it tries to prevent disclosure.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  11. Re: Virtual private networks

    "Barry Margolin" wrote in message
    news:barmar-E26534.23412031052007@comcast.dca.giganews.com...
    > In article ,
    > "Scooby" wrote:
    >
    >> Okay, I was going to do this inline, but the thread is getting too long,
    >> so
    >> here are my thoughts:
    >>
    >> Yes, it is hard to find any single authoritative definition of vpn. But,
    >> here is my take on what the spirit of private means. In my opinion,
    >> Private
    >> has nothing to do with security. It is not the data that is private, but
    >> the networks. Here is the idea. Network A needs to talk with network B.
    >> All the routers in between A and B need to know routes to both of these
    >> networks and every single host on them that wants to communicate across
    >> the
    >> link. A VPN will encapsulate the true IP information so that the source
    >> and
    >> destination networks become private. Then, all the routers in between do
    >> not need to know anything about networks A and B.

    >
    > I would call that a virtual network or just a tunnel if it doesn't make
    > any attempt to prevent someone from reading it.
    >
    >>
    >> As I'm thinking this out, I got this image in my head of some little boy
    >> reading his sister's diary. She sees him and says "Hey, that's
    >> private".
    >> He looks back and says "It can't be private, it's not encrypted". Sorry,
    >> the mind wanders sometimes.

    >
    > Diaries have locks on them or the owner hides it somewhere. Encryption
    > is the online equivalent of locks.
    >
    > Maybe YOU don't consider encryption to be an important aspect of VPNs,
    > but your interpretation is not the way most in the industry use the
    > term. When anyone else says VPN, they basically mean an encrypted
    > tunnel. "Private" means that it tries to prevent disclosure.
    >
    > --
    > Barry Margolin, barmar@alum.mit.edu
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    > *** PLEASE don't copy me on replies, I'll read them in the group ***


    Barry,

    Well, sorry, if all you came away with from my posts is that I don't think
    security is important to vpn, then you either haven't read them in detail,
    or have completely missed the point.

    Jim



  12. Re: Virtual private networks


    > The point is that it TRIES to be private. Contrast it with normal
    > traffic, which is easily viewed if it can be intercepted. Encryption is
    > a necessary prerequisite. If you don't encrypt, what's the point of the
    > VPN? What about it makes it more Private than ordinary Internet
    > communication?
    >


    I agree that the encryption/authentication is an essential component
    of VPNs. You need encryption to ensure your privacy when the
    underlying cable is not owned by you and/or travels outside your
    premises.

    A classic E1/T1 line is a Virtual cable
    VLANs are virtual switches.
    MPLS VPNs are VWANs and VMANs.
    GRE is a method to create a VWAN/VMAN.

    And yes, I don't like the fact that all service providers sell MPLS
    VWANs as if they were VPNs.

    I'm tired of the brochures and all the sales guys who offer VPNs when
    in fact there is no encryption, but only some kind of logical
    isolation between customers.
    The problem is that the sales guys *believe* that they sell VPNs and
    yes, they do persuade IT managers to buy this virtual but not-so-
    private service.

    Who protects my privacy when every engineer working in a service
    provider can put a tap and see every bit of my traffic? what if the
    link between two routers of the service provider is a microwave/wifi
    link?

    Virtual = Just an extra header and some electronics
    Private = Crypto+auth

    --John


  13. Re: Virtual private networks

    "John" wrote in message
    news:1180793192.505462.232130@p77g2000hsh.googlegroups.com...
    >
    > > The point is that it TRIES to be private. Contrast it with normal
    > > traffic, which is easily viewed if it can be intercepted. Encryption is
    > > a necessary prerequisite. If you don't encrypt, what's the point of the
    > > VPN? What about it makes it more Private than ordinary Internet
    > > communication?
    > >

    >
    > I agree that the encryption/authentication is an essential component
    > of VPNs. You need encryption to ensure your privacy when the
    > underlying cable is not owned by you and/or travels outside your
    > premises.


    not really - the essential bit is privacy - encryption is just one way to
    try to ensure that

    encryption on its own is not going to help - surely if you need encryption
    then you also need control of the keys?

    >
    > A classic E1/T1 line is a Virtual cable
    > VLANs are virtual switches.
    > MPLS VPNs are VWANs and VMANs.
    > GRE is a method to create a VWAN/VMAN.
    >
    > And yes, I don't like the fact that all service providers sell MPLS
    > VWANs as if they were VPNs.
    >
    > I'm tired of the brochures and all the sales guys who offer VPNs when
    > in fact there is no encryption, but only some kind of logical
    > isolation between customers.


    the isolation is there (or can be there depending on the system design).

    MPLS keeps different user space networks apart - which at least is a
    reasonable definition of "private"....

    Surely needing encryption because you choose to trust the operator (or not)
    is a logically separate choice?

    > The problem is that the sales guys *believe* that they sell VPNs and
    > yes, they do persuade IT managers to buy this virtual but not-so-
    > private service.
    >

    there are some significant complications in using encryption pervasively -
    network diagnostics and sorting out QoS issues is one I have come across
    before.

    And anything that obscures the final source / destinations in the packets
    makes traffic flow monitoring using Netflow or SMON much less useful.

    Frankly - most MPLS networks seem to be sold as replacements for F/Relay & ATM
    or to support QoS.

    > Who protects my privacy when every engineer working in a service
    > provider can put a tap and see every bit of my traffic? what if the
    > link between two routers of the service provider is a microwave/wifi
    > link?


    the same is true of anyone working at one of your sites or even an
    administrator on a server - so the fix for that is application to
    application encryption so that there are no flows sent "in the clear"

    but if those engineers have access to the CE routers at your premises, then
    encryption to protect traffic in transit between sites is a red herring -
    they can potentially use the router to get access to packet contents before
    encryption is imposed.

    and an underlying microwave link can be encrypted without needing IP end to
    end encryption.
    >
    > Virtual = Just an extra header and some electronics
    > Private = Crypto+auth
    >
    > --John
    >

    --
    Regards

    stephen_hope@xyzworld.com - replace xyz with ntl



  14. Re: Virtual private networks

    hiya

    Sorry for not replying sooner, but I was away for the past few days.

    Anyways, thank you all for your help

    cheers


  15. Re: Virtual private networks

    I'm not sure what happened, but my reply didn't get posted. Anyways,
    thank you all for your kind help

    cheers


  16. Re: Virtual private networks

    On Jun 2, 8:36 pm, "stephen" wrote:
    > "John" wrote in message
    >
    > news:1180793192.505462.232130@p77g2000hsh.googlegroups.com...
    >
    >
    >
    > > > The point is that it TRIES to be private. Contrast it with normal
    > > > traffic, which is easily viewed if it can be intercepted. Encryption is
    > > > a necessary prerequisite. If you don't encrypt, what's the point of the
    > > > VPN? What about it makes it more Private than ordinary Internet
    > > > communication?

    >
    > > I agree that the encryption/authentication is an essential component
    > > of VPNs. You need encryption to ensure your privacy when the
    > > underlying cable is not owned by you and/or travels outside your
    > > premises.

    >
    > not really - the essential bit is privacy - encryption is just one way to
    > try to ensure that
    >
    > encryption on its own is not going to help - surely if you need encryption
    > then you also need control of the keys?
    >


    ok, more or less I agree with the problems that arise with the use of
    encryption.

    But, what I would like to point out is that "private" is just a word.
    Even Internet is basically a VPN.
    The difference is that the number of people who have access to this
    VPN is a lot bigger than the people who have access to a typical
    corporate VPN.
    And basically the problem is that you don't trust all the guys who can
    connect to the "Internet" VPN that's why you don't leave "valuable"
    data on this VPN.

    So yes, in this perspective, a MPLS VPN is a virtual private network.

    Each VPN technology, depending on how it is deployed, may allow access
    to more people than what was intended by the one who is deploying this
    technology.

    From my point of view, in order to minimize the people who can have
    access to the VPN of company "xyzcorp", I prefer to use Crypto-based
    VPNs, even when the data goes through a dedicated MPLS VPN.

    The problem is that many IT managers do not understand the number of
    people who may have access to the MPLS VPN that was offered by the
    service provider. They listen to the acronym "VPN" and they think that
    the only one who can have access to this network are the employees of
    the company.

    But since this VPN may reach the employee's home PC via a WEP
    protected wifi net, through a regular ADSL service using a DSLAM which
    has a microwave uplink, to a metro ethernet ring which travels through
    a lot of places , using an L2TP forwarded PPPoE session to the MPLS
    provider, I think that it would be possible for a few more people to
    be able to see the traffic that is passing through the wires.


  17. Re: Virtual private networks

    "John" wrote in message
    news:1180987470.232267.227720@n4g2000hsb.googlegroups.com...
    > On Jun 2, 8:36 pm, "stephen" wrote:
    >> "John" wrote in message
    >>
    >> news:1180793192.505462.232130@p77g2000hsh.googlegroups.com...
    >>
    >>
    >>
    >> > > The point is that it TRIES to be private. Contrast it with normal
    >> > > traffic, which is easily viewed if it can be intercepted. Encryption
    >> > > is
    >> > > a necessary prerequisite. If you don't encrypt, what's the point of
    >> > > the
    >> > > VPN? What about it makes it more Private than ordinary Internet
    >> > > communication?

    >>
    >> > I agree that the encryption/authentication is an essential component
    >> > of VPNs. You need encryption to ensure your privacy when the
    >> > underlying cable is not owned by you and/or travels outside your
    >> > premises.

    >>
    >> not really - the essential bit is privacy - encryption is just one way to
    >> try to ensure that
    >>
    >> encryption on its own is not going to help - surely if you need
    >> encryption
    >> then you also need control of the keys?
    >>

    >
    > ok, more or less I agree with the problems that arise with the use of
    > encryption.
    >
    > But, what I would like to point out is that "private" is just a word.
    > Even Internet is basically a VPN.
    > The difference is that the number of people who have access to this
    > VPN is a lot bigger than the people who have access to a typical
    > corporate VPN.
    > And basically the problem is that you don't trust all the guys who can
    > connect to the "Internet" VPN that's why you don't leave "valuable"
    > data on this VPN.
    >
    > So yes, in this perspective, a MPLS VPN is a virtual private network.
    >
    > Each VPN technology, depending on how it is deployed, may allow access
    > to more people than what was intended by the one who is deploying this
    > technology.
    >
    > From my point of view, in order to minimize the people who can have
    > access to the VPN of company "xyzcorp", I prefer to use Crypto-based
    > VPNs, even when the data goes through a dedicated MPLS VPN.
    >
    > The problem is that many IT managers do not understand the number of
    > people who may have access to the MPLS VPN that was offered by the
    > service provider. They listen to the acronym "VPN" and they think that
    > the only one who can have access to this network are the employees of
    > the company.
    >
    > But since this VPN may reach the employee's home PC via a WEP
    > protected wifi net, through a regular ADSL service using a DSLAM which
    > has a microwave uplink, to a metro ethernet ring which travels through
    > a lot of places , using an L2TP forwarded PPPoE session to the MPLS
    > provider, I think that it would be possible for a few more people to
    > be able to see the traffic that is passing through the wires.
    >


    John,

    Yes, "Private" has certainly become a matter of debate, which is completely
    evident by this thread. FYI, Frame-Relay is also considered a vpn.

    I've spent a better part of this thread stating that regardless of
    encryption (or even security), the real meaning of a vpn is to essentially
    simulate a direct connection from one network (or device) to another.
    Frame-relay, MPLS and even an unencrypted tunnel accomplish this, as a
    routing protocol will consider your devices to be next hops and not consider
    all the devices in between that would ultimately be part of the picture.

    Some in this thread have considered my comments to mean that I don't think
    security is important, which is incorrect. I think with any network design,
    security should be a major consideration. However, for the sake of
    definition, I believe that you can have a vpn that is not
    encrypted/authenticated.

    If you say that security is needed, then this really muddies the waters, as
    nobody in this thread has offered a definition of what amount of security is
    needed to make a connection qualify as a vpn. You get isolation with a
    simple unencrypted tunnel. Not very secure, but you get the isolation. DES
    is very insecure, so you may have encryption, but it is very easy to break.
    AES 256 is much stronger and virtually unbreakable - today. In a few years,
    with faster processors and better hacking algorithms, it may be easier to
    break.

    This is just my opinion and I've certainly received strong feedback against
    it. But, what has become completely evident from this thread is that there
    are a variety of opinions about what a vpn really is. I believe that many
    here are letting the end justify the means - meaning that they are going by
    their common understanding of how vpns are used rather than what the
    ultimate objective is. As I stated above, that is to create the appearance
    of remote networks being directly connected.

    Jim







