Types of VPN (Virtual Private Network)
Virtual Private Networks (VPNs) are categorised in two ways:
- Based on Layered Approach of OSI or TCP/IP
- Based on Protocols
Previous Article: Introduction to Virtual Private Network-VPN
VPN Based on layered approach of OSI Model or TCP/IP
Layer 1 Overlay VPN
As mentioned in the previous article (Introduction to VPN), leased lines can be used for connectivity between branches. These are dedicated connections that provide a reliable link which is not shared with anyone else. When data is transmitted between branches it travels over a network path that is not under our control; if some logical or physical mechanism provides security for that communication, we refer to it as a "VPN". This is why some people refer to T1, T3 or E1, E3 leased lines as a Layer 1 Overlay VPN.
Layer 2 Overlay VPN
When we want to connect branches over a multi-access network we use Frame Relay. It is a protocol standard which provides multi-access network functionality as well as a secure transmission channel. On this channel we can communicate only with our own branches and not with others, which is why it can also be called a Layer 2 Overlay VPN.
Layer 2 and half Overlay VPN
MPLS (Multi-Protocol Label Switching) is a very widely used technology for multi-access networks these days. When a packet enters an MPLS network, a 32-bit MPLS header (the label) is inserted between the layer 2 and layer 3 headers. This is why many people call MPLS a layer 2.5 technology, making it a Layer 2 and Half Overlay VPN. When we use MPLS our entire routing table is shared with the service provider and all data travels in plain text; to secure it there is a special VPN called GETVPN, which is covered later.
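To make the "32-bit header between layer 2 and layer 3" concrete, here is an added example (not code from the original article or from I-Medita) that parses an MPLS label stack and locates the layer 3 payload beneath it. The sample bytes, the function names and the field layout comments are this example's own; the field layout follows the RFC 3032 label stack entry (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL). Because MPLS has no protocol-type field, the payload type is inferred from the IP version nibble, which is exactly why an observer on the provider path can read the plain-text IP header underneath.

```python
import struct
from typing import List, NamedTuple, Tuple


class MplsEntry(NamedTuple):
    """One 32-bit label stack entry (RFC 3032 layout)."""
    label: int   # 20-bit label value
    tc: int      # 3-bit traffic class (the former EXP bits)
    bos: bool    # bottom-of-stack bit: set on the last entry
    ttl: int     # 8-bit time to live


def parse_label_entry(word: int) -> MplsEntry:
    """Split one 32-bit entry into its four fields."""
    return MplsEntry(
        label=(word >> 12) & 0xFFFFF,
        tc=(word >> 9) & 0x7,
        bos=bool((word >> 8) & 0x1),
        ttl=word & 0xFF,
    )


def parse_mpls_stack(data: bytes) -> Tuple[List[MplsEntry], int]:
    """Walk the label stack that sits where the layer 3 header would otherwise start.

    data begins right after the layer 2 header (on Ethernet, EtherType 0x8847
    marks MPLS unicast). Returns the entries, outermost first, and the byte
    offset at which the encapsulated payload begins. A stack whose last entry
    never sets the bottom-of-stack bit is treated as truncated.
    """
    entries: List[MplsEntry] = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated: no bottom-of-stack entry found")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = parse_label_entry(word)
        entries.append(entry)
        offset += 4
        if entry.bos:
            return entries, offset


def guess_payload_type(data: bytes, offset: int) -> str:
    """MPLS carries no protocol-type field, so the payload type is inferred from
    the IP version nibble of the first payload byte, as label edge routers do."""
    if offset >= len(data):
        return "empty"
    version = data[offset] >> 4
    return {4: "IPv4", 6: "IPv6"}.get(version, "unknown")


# Constructed sample (not a real capture): two label entries followed by the
# start of an IPv4 header. The IPv4 checksum is not validated here.
SAMPLE_MPLS = bytes.fromhex(
    "00010040"                                   # label 16,   tc 0, bos 0, ttl 64
    "003e8b3f"                                   # label 1000, tc 5, bos 1, ttl 63
    "45000014000100004001f9ab0a0000010a000002"   # IPv4 10.0.0.1 -> 10.0.0.2
)


def describe(data: bytes) -> dict:
    """Summarise stack depth, the labels the provider core forwards on, and what
    is visible beneath them; useful when checking what an observer on the
    MPLS path can read."""
    entries, payload_offset = parse_mpls_stack(data)
    return {
        "depth": len(entries),
        "labels": [e.label for e in entries],
        "payload": guess_payload_type(data, payload_offset),
        "payload_offset": payload_offset,
    }


if __name__ == "__main__":
    print(describe(SAMPLE_MPLS))
```

Running the block on the constructed sample reports a two-label stack (16 outer, 1000 at the bottom) with an IPv4 payload starting at byte 8; the inner addresses are readable as soon as the stack ends, which is the exposure GETVPN is later introduced to close.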
Layer 3 Overlay VPN
Until now we have discussed VPNs that do not use a public network like the internet. If we use the internet to connect the branches of an organisation, we need to make sure the transmitted data remains private and unaltered. To secure the communication we use IPsec (IP Security), which encrypts the data to keep it private and also ensures that it is delivered unaltered.
IPsec by itself cannot carry routing and multicast traffic between branch routers. For this purpose GRE (Generic Routing Encapsulation) is used. By default GRE has no security mechanism to protect data, so to secure routing and multicast traffic IPsec must be used along with GRE.
These two protocols, IPsec and GRE, are classed as a Layer 3 Overlay VPN.
Layer 4 Overlay VPN
Many times when using the internet we want the communication between servers and clients to be secure. For instance, when using a bank website we do not want to transmit data like credit card details and passwords in clear text. For this purpose Secure Sockets Layer (SSL) and later Transport Layer Security (TLS) were developed; SSL came first and was later replaced by TLS. It is used for a wide variety of applications such as web browsing, VoIP and email. It works at the transport layer alongside other protocols and encrypts the data before it is transmitted, which is why it is referred to as a Layer 4 Overlay VPN.
VPN classification based on the OSI model is summarised in the table below.
| Layer | Overlay Virtual Private Networks |
|---|---|
| Layer 1 Overlay | T1, T3 & E1, E3 |
| Layer 2 Overlay | Frame Relay, ATM |
| Layer 2 and Half Overlay | MPLS |
| Layer 3 Overlay | IPsec, GRE |
| Layer 4 Overlay | SSL/TLS (HTTPS) |
VPN Based on Protocols
Site-Site VPN
Connectivity between branches is a necessity for any organisation; it enables each branch to access the resources of the other. A Site-Site VPN is used to secure this data transmission between two sites, so that all devices in the LAN of one site can transmit data to devices in the LAN of the other. Things like employees placing VoIP calls between the two sites become possible once the VPN is configured. It is one of the most commonly deployed types of VPN.
Remote Access VPN
Working from home is very common in organisations these days, and employees can perform their duties from home. The biggest challenge is to connect them to the organisation's network in a secure way. This problem is solved by deploying a Remote Access VPN.
Dynamic Multipoint Virtual Private Network
When multiple sites are connected to each other via the internet and secure communication between them is required, Site-Site VPN can be used. The problem is that a full mesh of Site-Site VPNs is hard to create, maintain and troubleshoot when the number of sites is large. This problem is solved by DMVPN (Dynamic Multipoint Virtual Private Network). In DMVPN we create a hub and spokes, where the hubs act as servers and the spokes as clients. When a spoke boots up it registers itself with the hub. When one spoke wants to communicate with another, a dynamic tunnel is created between the two spokes automatically, and after the communication is done the tunnel is torn down. This solution is more manageable and scalable.
Group Encrypted Transport Virtual Private Network
VPN solutions like Site-Site, Remote Access and DMVPN provide point-to-point connectivity. GETVPN is the only solution that provides tunnel-less any-to-any connectivity. It secures communication in private WAN deployments, and was specifically designed for secure data communication over an MPLS network.
Secure Sockets Layer VPN
The SSL protocol was designed for secure data communication between a web server and a web browser; it was later revised and renamed Transport Layer Security (TLS). The biggest benefit of an SSL VPN is that it does not necessarily require installation of a VPN client on the end-user device. An SSL VPN can be used on any device that supports web browsing, so the end-user device can be a PC, Mac, tablet or smartphone.
VPN classification based on protocol is summarised in the table below.
| Protocol | Virtual Private Network |
|---|---|
| IPsec (IP Security) | Site-Site, Remote Access, DMVPN |
| GDOI (Group Domain of Interpretation) | GET VPN (Group Encrypted Transport VPN) |
| SSL (Secure Sockets Layer) | Three modes (Clientless, Thin, Thick) |