How Does a VPN Work?

Key Q&A

Why do businesses use VPNs?

VPNs are a cost-effective way to connect remote users to corporate network securely while also improving connectivity speeds. With VPNs, businesses can use high-bandwidth, third-party Internet access instead of expensive, dedicated WAN (wide-area network) links or long-distance, remote-dial links.

What is secure remote access?

Secure remote access is a method for connecting remote users and devices securely to a corporate network. It includes VPN technology, which authenticates users or devices, confirming that they meet certain requirements—also known as "posture"—before they can connect to the network remotely.

What is a VPN "tunnel"?

A "tunnel" is the encrypted connection a VPN establishes so that traffic on the virtual network can be sent securely across the Internet. VPN traffic from a device such as a computer or smartphone is encrypted as it travels through the VPN tunnel.

Types of encrypted VPNs

Remote-access VPN: computer to network

A remote-access VPN extends almost any data, voice, or video application to a remote device, also known as an "endpoint" or a host. Advanced VPN technology allows for security checks to be conducted on endpoints to make sure that they meet a certain posture before they can connect to the network.

SSL VPN and IPsec

Secure Sockets Layer (SSL) VPN and IP security (IPsec) are tunnels and authentication technologies. Businesses can use SSL VPN, IPsec, or both to deploy a remote-access VPN, depending on deployment requirements. SSL VPN and IPsec protect data traversing the VPN from unauthorized access.

For more information about using this type of VPN technology, see the Key Advantages of SSL VPN and the General Risks of SSL VPN sections on this page. For an overview of working with this type of VPN technology, see the Types of VPN topologies section, also on this page.

Site-to-site IPsec VPN: network to network

A site-to-site IPsec VPN lets businesses extend their network resources to branch offices, home offices, and business partner sites. Organizations use site-to-site VPNs when distance makes it impractical to have direct network connections between these sites. Establishing and maintaining site-to-site VPN connections requires dedicated equipment.

Key advantages of SSL VPN

It's built into modern web browsers

The SSL VPN function is already built into modern web browsers, allowing users from any Internet-enabled location to launch a web browser to establish remote-access VPN connections. SSL VPN technology not only can help boost workforce productivity but can also reduce costs for VPN client software and support.

Most users don't need to install client software

SSL VPN uses SSL protocol and its successor, Transport Layer Security (TLS), to provide a secure connection between remote users and internal network resources. Because most web browsers now have SSL/TLS, users do not typically need to install client software to use SSL VPN. That's why SSL VPN is also known as "clientless VPN" or "web VPN."

It's flexible for end users

SSL VPN is also easy to use. Different IPsec VPN vendors may have different implementation and configuration requirements. But SSL VPN only requires users to have a modern web browser. Users may even choose their favorite web browsers without being restricted by the operating system.

General risks of SSL VPN

User credential-related risks

VPN security is only as strong as the methods used to authenticate users and devices at the remote end of the VPN connection. Simple authentication methods are subject to password "cracking" attacks, eavesdropping, or even social engineering attacks. Two-factor authentication is a minimum requirement for providing secure remote access to a corporate network.

Spread of threats from remote computers

Remote access is a major threat vector to network security. A remote computer that does not meet corporate security requirements may potentially forward an infection, like a worm or virus, from its local network environment to the internal network. Up-to-date antivirus software on the remote computer is essential to mitigate this risk.

Split tunneling

Split tunneling occurs when a device on the remote end of a VPN tunnel simultaneously exchanges network traffic with both the public and private networks without first placing all the network traffic inside the VPN tunnel. This can allow attackers on the shared network to compromise the remote computer and gain network access to the private network.

Types of VPN topologies

The 3 main VPN topologies

A VPN topology specifies the peers and networks that are part of the VPN and how they connect to one another. Here is a quick overview of the three main types of topologies:

• Hub-and-spoke
  In this VPN topology, multiple remote devices (spokes) communicate securely with a central device (hub). A separate, secure tunnel extends between the hub and each spoke.
• Point-to-point
  Establishing this topology requires specifying two endpoints as peer devices that will communicate directly with each other. Either device can initiate the connection.
• Full mesh
  In this topology, which works well in complicated networks, every device in the network can communicate with every other device via a unique IPsec tunnel.

Implicitly supported topologies

The three main VPN topologies also can be combined to create more complex topologies, including:

• Partial mesh
  This is a network in which some devices are organized in a full mesh topology, and other devices form either a hub-and-spoke or a point-to-point connection to some of the fully meshed devices.
• Tiered hub-and-spoke
  This is a network of hub-and-spoke topologies in which a device can behave as a hub in one or more topologies and a spoke in other topologies. Traffic is permitted from spoke groups to their most immediate hub.
• Joined hub-and-spoke
  This is a combination of two topologies (hub-and-spoke, point-to-point, or full mesh) that connect to form a point-to-point tunnel.

Be mindful of IPsec policy constraints

An IPsec policy defines the characteristics of the site-to-site VPN, such as the security protocols and algorithms used to secure traffic in an IPsec tunnel. After an organization creates a VPN topology, it can configure the IPsec policies it applies to that topology, depending on the assigned IPsec technology.

Keep in mind that not all IPsec policies can be applied to all VPN topologies. What is applied depends on the IPsec technology assigned to the VPN topology. Also, the IPsec technology assigned to a VPN depends on the topology type.