A virtual private network (VPN) extends a company's network, allowing secure remote user access through encrypted connections over the Internet. This allows VPN traffic to remain private as it travels between devices and the network. As a VPN user browses the web, their device contacts websites through the encrypted VPN connection.
VPNs are a cost-effective way to connect remote users to a corporate network securely while also improving connectivity speeds. With VPNs, businesses can use high-bandwidth, third-party Internet access instead of expensive, dedicated WAN (wide-area network) links or long-distance, remote-dial links.
Secure remote access is a method for connecting remote users and devices securely to a corporate network. It includes VPN technology, which authenticates users or devices, confirming that they meet certain requirements—also known as "posture"—before they can connect to the network remotely.
A "tunnel" is the encrypted connection a VPN establishes so that traffic on the virtual network can be sent securely across the Internet. VPN traffic from a device such as a computer or smartphone is encrypted as it travels through the VPN tunnel.
A remote-access VPN extends almost any data, voice, or video application to a remote device, also known as an "endpoint" or a host. Advanced VPN technology allows for security checks to be conducted on endpoints to make sure that they meet a certain posture before they can connect to the network.
Secure Sockets Layer (SSL) VPN and IP security (IPsec) are tunneling and authentication technologies. Businesses can use SSL VPN, IPsec, or both to deploy a remote-access VPN, depending on deployment requirements. SSL VPN and IPsec protect data traversing the VPN from unauthorized access.
For more information about using this type of VPN technology, see the Key Advantages of SSL VPN and the General Risks of SSL VPN sections on this page. For an overview of working with this type of VPN technology, see the Types of VPN topologies section, also on this page.
A site-to-site IPsec VPN lets businesses extend their network resources to branch offices, home offices, and business partner sites. Organizations use site-to-site VPNs when distance makes it impractical to have direct network connections between these sites. Establishing and maintaining site-to-site VPN connections requires dedicated equipment.
The SSL/TLS support that an SSL VPN relies on is already built into modern web browsers, allowing users at any Internet-enabled location to launch a web browser and establish a remote-access VPN connection. SSL VPN technology not only can help boost workforce productivity but can also reduce costs for VPN client software and support.
SSL VPN uses SSL protocol and its successor, Transport Layer Security (TLS), to provide a secure connection between remote users and internal network resources. Because most web browsers now have SSL/TLS, users do not typically need to install client software to use SSL VPN. That's why SSL VPN is also known as "clientless VPN" or "web VPN."
SSL VPN is also easy to use. Different IPsec VPN vendors may have different implementation and configuration requirements. But SSL VPN only requires users to have a modern web browser. Users may even choose their favorite web browsers without being restricted by the operating system.
VPN security is only as strong as the methods used to authenticate users and devices at the remote end of the VPN connection. Simple authentication methods are subject to password "cracking" attacks, eavesdropping, or even social engineering attacks. Two-factor authentication is a minimum requirement for providing secure remote access to a corporate network.
Remote access is a major threat vector to network security. A remote computer that does not meet corporate security requirements may potentially forward an infection, like a worm or virus, from its local network environment to the internal network. Up-to-date antivirus software on the remote computer is essential to mitigate this risk.
Split tunneling occurs when a device on the remote end of a VPN tunnel simultaneously exchanges network traffic with both the public and private networks without first placing all the network traffic inside the VPN tunnel. This can allow attackers on the shared network to compromise the remote computer and gain network access to the private network.
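One way a defender can tell whether a remote host is split tunneling is to inspect its routing table while the VPN is up: if any route other than the directly connected subnet and the host route to the VPN gateway leaves through a non-tunnel interface, traffic is bypassing the tunnel. The following Python check is an added example, not code from Cisco or from this page; it parses a constructed sample of Linux `ip route show` output, and the tunnel interface name pattern (`tun`, `tap`, `utun`, `ppp`, `wg`) and the gateway address 203.0.113.10 are assumptions for the example. It also handles the case where no tunnel interface is present at all (VPN down), which the check must report as "not applicable" rather than as a clean result.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output from a remote host whose VPN
# tunnel (tun0) is up. The default route still leaves through the Wi-Fi
# interface, so only 10.0.0.0/8 is carried inside the tunnel: split tunneling.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample for a full tunnel: the default route points at tun0 and the
# only route that bypasses it is the host route to the VPN gateway itself,
# which must exist so the encrypted outer packets can leave the machine.
FULL_TUNNEL_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Interface names assumed to belong to VPN tunnels (assumption; adjust to the
# VPN client actually deployed).
TUNNEL_IFACE_RE = re.compile(r"^(tun|tap|utun|ppp|wg)\d*$")


def parse_routes(text):
    """Parse `ip route show` lines into dicts with the fields the check needs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = re.search(r"\bdev (\S+)", line)
        if dev is None:
            continue  # blackhole/unreachable routes carry no interface
        routes.append({
            "dest": ipaddress.ip_network(dest, strict=False),
            "dev": dev.group(1),
            # A "scope link" route is the directly connected subnet the kernel
            # installs for every interface; it was not added by the VPN client.
            "connected": "scope link" in line,
        })
    return routes


def split_tunnel_findings(text, vpn_gateway):
    """Return routes that bypass the tunnel while a tunnel interface is up.

    Returns None when no tunnel interface has any route (VPN down), so the
    caller can tell "nothing to check" apart from "no bypass routes found".
    """
    routes = parse_routes(text)
    if not any(TUNNEL_IFACE_RE.match(r["dev"]) for r in routes):
        return None
    gateway = ipaddress.ip_network(vpn_gateway)  # becomes a /32 host route
    findings = []
    for r in routes:
        if TUNNEL_IFACE_RE.match(r["dev"]) or r["connected"]:
            continue
        if r["dest"] == gateway:
            continue  # the tunnel's own outer packets legitimately bypass it
        findings.append(f"{r['dest']} via {r['dev']}")
    return findings


def is_split_tunnel(text, vpn_gateway):
    """True if split tunneling is in effect, False if not, None if VPN is down."""
    findings = split_tunnel_findings(text, vpn_gateway)
    return None if findings is None else bool(findings)


if __name__ == "__main__":
    for label, routes in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(label, split_tunnel_findings(routes, "203.0.113.10"))
```

On a real host the same function can be fed the live output of `ip route show`; a non-empty findings list from an endpoint that policy says must run a full tunnel is the posture failure a VPN gateway's endpoint check is meant to catch.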
A VPN topology specifies the peers and networks that are part of the VPN and how they connect to one another. Here is a quick overview of the three main types of topologies:
The three main VPN topologies also can be combined to create more complex topologies, including:
An IPsec policy defines the characteristics of the site-to-site VPN, such as the security protocols and algorithms used to secure traffic in an IPsec tunnel. After an organization creates a VPN topology, it can configure the IPsec policies it applies to that topology, depending on the assigned IPsec technology.
Keep in mind that not all IPsec policies can be applied to all VPN topologies. What is applied depends on the IPsec technology assigned to the VPN topology. Also, the IPsec technology assigned to a VPN depends on the topology type.
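Because an IPsec policy fixes the protocols and algorithms for every tunnel in the topology it is applied to, a weak choice there weakens all of those sites at once. The following Python audit is an added example, not Cisco's code or a vendor's policy schema; it represents a policy as a plain dictionary and checks it against a baseline of algorithm choices. The policy field names, the two constructed policies, and the baseline sets (which reflect common current guidance: IKEv2, no DES/3DES, no MD5/SHA-1, no DH groups 1, 2 or 5, PFS enabled) are all assumptions for the example, to be adjusted to local policy.

```python
# Constructed policies for two site-to-site tunnels. Field names are an
# assumption for this example, not a vendor's policy schema.
WEAK_POLICY = {
    "name": "branch-legacy",
    "ike_version": 1,
    "encryption": "3des",
    "integrity": "sha1",
    "dh_group": 2,
    "pfs_group": None,            # no perfect forward secrecy for child SAs
    "lifetime_seconds": 86400,
}

STRONG_POLICY = {
    "name": "branch-current",
    "ike_version": 2,
    "encryption": "aes-256-gcm",  # AEAD: integrity comes with the cipher
    "integrity": None,
    "dh_group": 19,               # 256-bit elliptic-curve group
    "pfs_group": 19,
    "lifetime_seconds": 3600,
}

# Baseline the audit enforces (assumption reflecting common current guidance).
WEAK_ENCRYPTION = {"null", "des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}
AEAD_CIPHERS = {"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305"}
MAX_LIFETIME_SECONDS = 86400


def audit_ipsec_policy(policy):
    """Return a list of (field, message) findings; an empty list means the policy passes."""
    findings = []
    if policy["ike_version"] != 2:
        findings.append(("ike_version", "IKEv1 in use; use IKEv2"))
    enc = policy["encryption"].lower()
    if enc in WEAK_ENCRYPTION:
        findings.append(("encryption", f"{enc} is weak; use an AES-GCM or ChaCha20-Poly1305 suite"))
    integ = (policy.get("integrity") or "").lower()
    if enc in AEAD_CIPHERS:
        pass  # integrity protection is built into the cipher
    elif not integ:
        findings.append(("integrity", "no integrity algorithm with a non-AEAD cipher"))
    elif integ in WEAK_INTEGRITY:
        findings.append(("integrity", f"{integ} is weak; use SHA-256 or stronger"))
    if policy["dh_group"] in WEAK_DH_GROUPS:
        findings.append(("dh_group", f"DH group {policy['dh_group']} is too small"))
    if policy.get("pfs_group") is None:
        findings.append(("pfs_group", "PFS disabled; set a PFS group"))
    elif policy["pfs_group"] in WEAK_DH_GROUPS:
        findings.append(("pfs_group", f"PFS group {policy['pfs_group']} is too small"))
    if policy["lifetime_seconds"] > MAX_LIFETIME_SECONDS:
        findings.append(("lifetime_seconds", "SA lifetime exceeds 24 hours"))
    return findings


def audit_topology(topology, policies):
    """Audit the policy a topology is assigned; a missing policy is itself a finding."""
    name = topology.get("policy")
    if name not in policies:
        return [("policy", f"topology {topology['name']} has no known IPsec policy assigned")]
    return audit_ipsec_policy(policies[name])


if __name__ == "__main__":
    policies = {p["name"]: p for p in (WEAK_POLICY, STRONG_POLICY)}
    # Constructed topologies; the type label is just descriptive here.
    for topo in ({"name": "hq-to-branches", "type": "site-to-site", "policy": "branch-legacy"},
                 {"name": "hq-to-partners", "type": "site-to-site", "policy": "branch-current"}):
        for field, message in audit_topology(topo, policies):
            print(f"{topo['name']}: {field}: {message}")
```

Running the audit over every topology before a policy change is rolled out turns "not all policies can be applied to all topologies" from a tribal-knowledge rule into a check that fails the change with a named field and reason.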