Peeling Away the VPN Layers

A great variety of virtual private network (VPN) solutions is available today. Some vendors let organizations build VPNs on their firewalls; others build VPN products around remote access tunneling protocols such as the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP); a third group sells IPSec-based or non-IPSec-based products to accomplish similar goals. On top of this already confusing picture, ISPs sell managed VPN services bundled with Internet access, strong security options and service-level agreements.

Aventail Corp. (Seattle) provides what many people refer to as a non-IPSec-based product. The company uses a Secure Proxy Architecture and the SOCKS 5 protocol to offer a VPN product with authentication, encryption and strong access control capabilities. However, it is a misstatement to say that because Aventail VPN is not an IPSec-based device it cannot work alongside IPSec or other tunneling protocols such as PPTP. SOCKS 5 operates at the session layer (layer 5), so Aventail VPN runs above a layer 2 tunnel such as PPTP and adds authentication and/or access control on top of it. (PPTP itself only carries PPP frames; the encryption in such a tunnel comes from the PPP-layer Microsoft Point-to-Point Encryption, MPPE.) In this case, according to Rob Spence, director of product marketing at Aventail, "PPTP provides the encrypted tunnel, and SOCKS 5 provides access control and authentication."

Aventail uses the strong access control capabilities provided by the layer 5 SOCKS protocol to target primarily two VPN market segments: companies that let individuals connect to their intranet (remote access VPN), and companies that let business partners connect to their internal network (extranet VPN). According to Kiran Narsu, director at Giga Information Group (Santa Clara, Calif.), "the two market segments that Aventail targets need very sophisticated access control, and Aventail provides it."
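The session-layer access control described above can be seen concretely in the SOCKS 5 setup exchange itself. The following is an added example, not Aventail's code or anything from the original article: it runs both sides of the RFC 1928 method negotiation, the RFC 1929 username/password subnegotiation and the CONNECT request in-process, and has the server decide per (user, destination network, destination port), which is what makes the control application-specific. The users, passwords and rules are constructed for the example.

```python
"""SOCKS 5 session setup with username/password auth and per-user rules.

Added example; it shows the RFC 1928/1929 exchange and the kind of
application-level access control the article attributes to SOCKS 5. It is
not Aventail's code, and the users, passwords and rules are constructed.
"""
import hmac
import ipaddress
import struct

SOCKS_VERSION = 5
METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED_BY_RULESET, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07

# Constructed data: credentials, and per-user grants of (destination network, destination port).
# The port selects the application, which is what makes the control application-specific.
USERS = {"partner1": "pw-partner", "employee": "pw-employee"}
RULES = {
    "partner1": [("10.1.20.0/24", 443)],                       # extranet partner: one HTTPS app
    "employee": [("10.1.0.0/16", 22), ("10.1.0.0/16", 443)],   # remote employee: SSH and HTTPS
}


def client_greeting():
    """VER | NMETHODS | METHODS (RFC 1928 section 3): offer only username/password."""
    return bytes([SOCKS_VERSION, 1, METHOD_USERPASS])


def server_select_method(greeting):
    """VER | METHOD reply; 0xFF tells the client nothing it offered is acceptable."""
    ver, nmethods = greeting[0], greeting[1]
    offered = greeting[2:2 + nmethods]
    chosen = METHOD_USERPASS if ver == SOCKS_VERSION and METHOD_USERPASS in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def client_auth(username, password):
    """RFC 1929 subnegotiation: VER(0x01) | ULEN | UNAME | PLEN | PASSWD (sent in the clear)."""
    u, p = username.encode(), password.encode()
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def server_check_auth(msg):
    """Returns (VER | STATUS reply, authenticated username or None)."""
    ulen = msg[1]
    uname = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    passwd = msg[3 + ulen:3 + ulen + plen].decode()
    ok = msg[0] == 1 and uname in USERS and hmac.compare_digest(USERS[uname], passwd)
    return bytes([1, 0x00 if ok else 0x01]), (uname if ok else None)


def client_connect(dst_ip, dst_port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port))


def server_handle_request(req, username):
    """Policy decision per (user, destination, port); reply is VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        rep = REP_CMD_NOT_SUPPORTED
    else:
        dst = ipaddress.IPv4Address(req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
        allowed = any(dst in ipaddress.ip_network(net) and port == p for net, p in RULES.get(username, []))
        rep = REP_SUCCEEDED if allowed else REP_NOT_ALLOWED_BY_RULESET
    # Bind address/port are zeroed here; a real proxy reports the socket it opened toward the target.
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def negotiate(username, password, dst_ip, dst_port):
    """Run both sides in-process and return the outcome of the session setup."""
    if server_select_method(client_greeting())[1] != METHOD_USERPASS:
        return "no-acceptable-method"
    status, authed_user = server_check_auth(client_auth(username, password))
    if status[1] != 0x00:
        return "auth-failed"
    rep = server_handle_request(client_connect(dst_ip, dst_port), authed_user)[1]
    return {REP_SUCCEEDED: "succeeded", REP_NOT_ALLOWED_BY_RULESET: "not-allowed-by-ruleset"}.get(rep, "error")


if __name__ == "__main__":
    print(negotiate("partner1", "pw-partner", "10.1.20.5", 443))  # succeeded
    print(negotiate("partner1", "pw-partner", "10.1.20.5", 22))   # not-allowed-by-ruleset
```

Note that the RFC 1929 subnegotiation carries the password in the clear and the CONNECT request is unencrypted; the exchange decides who may open which session, and it is the tunnel underneath (PPTP with MPPE, IPSec) that keeps those bytes confidential on the wire.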

Complementing companies such as Aventail are companies that stress their endorsement of IPSec. These companies include Red Creek Communications (San Jose, Calif.), TimeStep (Carlisle, Pa.) and VPNet (San Jose, Calif.), among others. For the most part, these companies focus heavily on providing a secure site-to-site VPN implementation. According to Narsu, "IPSec lacks some functions, such as dynamic IP addressing, that would make it good for individual connectivity to a remote network or remote site. Therefore, it is more difficult to configure IPSec for an individual gaining access to a network."

VPNet was the first vendor focused solely on the VPN market, and has built its products around IPSec. As a result of its longevity in the market, many of the ISPs and network service providers incorporate VPNet products in their managed VPN service offerings.

Although VPNet endorses IPSec and its packet-level authentication, it also provides authentication and access control at the user level, not only at the IP address level. Rick Kagan, vice president of marketing at VPNet, says that in addition to this user authentication, "VPNet also provides the ability to dynamically retrieve policy from a directory server when a user is authenticated. This is implemented via RADIUS." VPNet has extended its RADIUS databases with per-user policy definitions. That means that when someone tries to enter the corporate network, the gateway issues a challenge that must be answered with a password or token response. The response goes to the RADIUS server, which not only authenticates the user but also returns the policy that grants that user access to specific parts of the network.
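The flow just described, a gateway forwarding the user's credential to RADIUS and getting back both an accept decision and a policy, can be written out as an RFC 2865 exchange. The following is an added example and not VPNet's implementation: it builds an Access-Request with the standard User-Password hiding, has the server answer with an Access-Accept that carries the user's policy in a Filter-Id attribute, verifies the Response Authenticator on the client side, and then checks a destination address against that policy. The shared secret, user database, policy names and networks are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange carrying per-user policy.

Added example; it models the flow described in the article (challenge for a
password, RADIUS authenticates and hands back policy), not VPNet's code.
The secret, user database, policy names and networks below are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11  # RFC 2865 attribute types

# Constructed data: shared secret; username -> (password, policy name); policy -> reachable networks.
SECRET = b"shared-secret-between-gateway-and-radius"
USERS = {"alice": ("s3cret", "finance-partner"), "bob": ("hunter2", "engineering")}
POLICIES = {"finance-partner": ["10.1.20.0/24"], "engineering": ["10.1.0.0/16"]}


def encode_attrs(attrs):
    """Attribute TLVs: Type(1) Length(1, header included) Value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous ciphertext block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only as strong as the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_request(username, password, secret, ident=1):
    """Gateway side: Access-Request with a fresh random Request Authenticator."""
    auth = os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to one request."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def server_handle(request, secret):
    """Server side: check the password; Accept carries the user's policy, otherwise Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    entry = USERS.get(username)
    if entry and hmac.compare_digest(password, entry[0].encode()):
        code, body = ACCESS_ACCEPT, encode_attrs([(ATTR_FILTER_ID, entry[1].encode())])
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, request_auth, body, secret) + body


def response_is_authentic(response, request, secret):
    """Gateway side: a reply whose authenticator does not verify was not produced with the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def authorize(username, password, secret, destination):
    """Full flow: returns (outcome, allowed), where allowed means the returned policy covers destination."""
    request = build_request(username, password, secret)
    response = server_handle(request, secret)
    if not response_is_authentic(response, request, secret):
        return ("forged-response", False)
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCESS_ACCEPT:
        return ("reject", False)
    policy = dict(decode_attrs(response[20:length]))[ATTR_FILTER_ID].decode()
    allowed = any(ipaddress.ip_address(destination) in ipaddress.ip_network(n) for n in POLICIES[policy])
    return ("accept", allowed)


if __name__ == "__main__":
    print(authorize("alice", "s3cret", SECRET, "10.1.20.7"))  # ('accept', True)
    print(authorize("alice", "s3cret", SECRET, "10.1.30.7"))  # ('accept', False)
```

The point to take from the exchange is that the policy rides back in the same authenticated reply as the accept decision, so the gateway learns "who this is" and "what this user may reach" in one step; the Response Authenticator check is what stops a spoofed Access-Accept from granting access, and the User-Password hiding is only as strong as the shared secret, which is why that secret must be long and random.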

The most important element to remember when evaluating the two approaches to VPN creation is to focus on the application. Aventail, with its implementation of SOCKS 5, for example, creates application-specific tunnels with strong access control. This approach is ideal for secure remote access or extranet implementations. However, despite this strong access control, the IP traffic itself is not necessarily protected unless a protocol such as IPSec, or a layer 2 tunneling protocol such as PPTP or L2TP, is implemented underneath it (and note that L2TP does not encrypt on its own; in practice it is paired with IPSec). With the second group of vendors, the primary focus is on creating a secure connection between sites, so everything crossing the tunnel is protected at the packet level and organizations do not have to secure individual sessions or transactions over that connection separately.