A VPN allows you to extend your local network to remote locations. Of course, if your local network is connected to the Internet, remote users may have access to the local network even without a VPN. A VPN offers two main advantages over direct non-VPN access:
One common use for a VPN is in linking multiple offices at distant locations. If your company has offices in Boston and San Francisco, you can use a VPN to tie them together, giving employees secure access to servers at one location from the other. Figure 26.1 illustrates this arrangement. The VPN routers in this figure are computers much like ordinary routers, NAT routers, or firewall computers. Instead of or in addition to performing ordinary routing, though, the VPN routers set up an encrypted link over which they can transfer data destined for each other.
Figure 26.1. A VPN is usually implemented by routers that are capable of encrypting data destined for particular targets.
Another use of a VPN is to grant individual users access to a larger network. This application is common to serve telecommuters and traveling employees. An individual can link a home computer or notebook to a larger network via a broadband or even a dial-up connection to get the benefit of the main office's servers. The VPN router in this scenario communicates directly with the individual remote systems; essentially, they are VPN routers as well, but they route only their own traffic for the remote system. This situation is illustrated in Figure 26.2.
Figure 26.2. VPN systems can link individual clients to a host network.
When implementing a VPN, you should carefully consider your bandwidth needs. Particularly when linking multiple remote networks to a central one, the large central network may need a great deal of external bandwidth to handle the demands from the remote sites. Many protocols that are common on local networks, such as file-sharing protocols and X, transfer vast quantities of data. These transfers may be reasonable on a 100Mbps local Ethernet connection, but over a slower Internet link, such as a 1.5Mbps T1 line, the local protocols may be unacceptably slow. If any of your connections use low-end broadband connections, such as Asymmetric Digital Subscriber Line (ADSL) accounts for telecommuters, you should remember that some such accounts are asymmetric in nature. Typically, upstream bandwidth is much lower than downstream bandwidth. ADSL, for instance, frequently uses 600–1,500Kbps downstream speeds tied to 100–300Kbps upstream speeds. This may be acceptable for some VPN uses, but not for others. Worse, travelers will probably be limited to analog modem speeds of no more than 56Kbps, and often less.
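To make the bandwidth comparison above concrete, here is a small Python estimator (an added example, not code from the book). It models each link type quoted in the text as a downstream/upstream pair, so that a telecommuter pushing data toward the office is charged against the smaller ADSL upstream figure, and it reports how long an idealized transfer takes on each link. The link names, the 1,500K/300K ADSL split, the payload size and the time budgets are constructed sample values; the times ignore protocol and VPN encapsulation overhead, so real transfers will be slower.

```python
"""Idealized VPN link-capacity estimates (added example; not from the book)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """A WAN link described by its downstream and upstream bit rates.

    Symmetric links (Ethernet, T1, analog modem) have the same rate both ways.
    ADSL is asymmetric, so data the remote user *sends* toward the office is
    limited by the much smaller upstream figure.
    """
    name: str
    down_bps: int
    up_bps: int

    @classmethod
    def symmetric(cls, name: str, bps: int) -> "Link":
        return cls(name, bps, bps)


# Constructed sample links using the rates quoted in the text.
LINKS = [
    Link.symmetric("100Mbps Ethernet", 100_000_000),
    Link.symmetric("1.5Mbps T1", 1_500_000),
    Link("ADSL (1,500Kbps down / 300Kbps up)", 1_500_000, 300_000),
    Link.symmetric("56Kbps modem", 56_000),
]


def transfer_seconds(payload_bytes: int, bps: int) -> float:
    """Ideal seconds to move payload_bytes over a link of bps bits per second."""
    if bps <= 0:
        raise ValueError("link rate must be positive")
    return payload_bytes * 8 / bps


def estimate(payload_bytes: int, link: Link, direction: str) -> float:
    """Seconds for the remote side to pull ('down') or push ('up') the payload."""
    if direction == "down":
        return transfer_seconds(payload_bytes, link.down_bps)
    if direction == "up":
        return transfer_seconds(payload_bytes, link.up_bps)
    raise ValueError(f"unknown direction {direction!r}")


def fits_in(payload_bytes: int, link: Link, direction: str, budget_seconds: float) -> bool:
    """True if the transfer finishes within budget_seconds on this link."""
    return estimate(payload_bytes, link, direction) <= budget_seconds


def report(payload_bytes: int):
    """(link name, pull seconds, push seconds) for every sample link."""
    return [
        (link.name, estimate(payload_bytes, link, "down"), estimate(payload_bytes, link, "up"))
        for link in LINKS
    ]


if __name__ == "__main__":
    # Constructed payload: a 100 MB file copied over the VPN.
    payload = 100_000_000
    for name, pull, push in report(payload):
        print(f"{name:36s} pull {pull:10.1f} s   push {push:10.1f} s")
```

Running the script shows why the text warns about asymmetric accounts: the same 100 MB file that takes about eight seconds on local Ethernet needs roughly nine minutes over a T1 in either direction, but on the sample ADSL line it takes about twenty-two minutes to pull and over forty-four minutes to push, and close to four hours over a 56Kbps modem.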
VPNs are not without their drawbacks, even over fast external connections. For one thing, although they're designed as a secure way to link networks, if they're implemented improperly they can actually degrade your security. Consider a telecommuter who connects to a larger network via a VPN. If the larger network is protected by firewalls and similar measures, it should be fairly safe. The home computer, though, may not be very well protected against intrusion. If a cracker breaks into this system, it serves as a gaping hole through the larger network's firewall. These security risks are covered in more detail in the upcoming section, "Potential Security Risks with a VPN."
Another problem with VPNs is that they can be tedious to configure, particularly in conjunction with firewalls. If your need for linking telecommuters, traveling individuals, or remote offices is limited, you might find it simpler to use one or two secure protocols, such as SSH.