Chapter 22

How Virtual Secure Private Networks Work


An intranet by itself may help a company make better use of its computing resources, allow for better intra-company communications, and allow for the company to present a better face to the world. But for many corporations, that isn't enough. Many companies also need to do business directly with other business partners, such as subcontractors, or companies from whom they're buying goods and services.

Intranets can help there as well. They can allow companies to do business directly with each other over the Internet - and to do so securely. The technology that allows this to be done is called Virtual Secure Private Networks (VSPNs) or Virtual Private Networks (VPNs). In essence, the technology allows two companies with intranets to create a "virtual" link between them across the Internet that is as secure as if they were connected via a private connection. VSPN technology can also be used to create a "virtual" intranet for a company that can link branch offices together over the Internet, while at the same time ensuring that the data that passes between them can't be seen by anyone except people in the "virtual" intranet.

These VSPNs can save corporations a substantial amount of money, both for communicating with business partners and for hooking together branch offices. Today, businesses commonly spend significant amounts of money every month leasing private lines that no one else can use. The data sent along these private lines cannot be seen by anyone else; they are used by the company only. Because of that, they are secure from prying eyes. If, however, there were a way to link company's intranets over the Internet, there would be no need to pay for leased lines-all the traffic could be handled over the Internet. In addition to saving money on lines, the creation of secure links from intranet to intranet would also allow companies to communicate more effectively electronically, leading to more efficiency and even more in savings.

VSPNs use a combination of routing technology, encryption technology, and a technique called tunneling. When someone from one intranet wants to send information to another intranet via a VSPN, VSPN server software recognizes that the destination is a VSPN, and so knows to handle the data differently than if it is being sent to an unsecured site on the Internet. Using powerful encryption technology, the software encrypts the IP packets so that no one will be able to read it. It then places those IP packets inside an IP "envelope" or "wrapper." That envelope is essentially a normal IP packet, so it gets delivered as does any other data, via routers. No one can read what is inside the wrapper, though, because it has been encrypted. When packets are sent this way over the Internet, it is called tunneling.

On the receiving intranet, the VSPN software throws away the wrapper, and then decrypts the data inside of it. The data is then delivered over the intranet via intranet routers.

How Virtual Secure Private Networks Work

A Virtual Secure Private Network (VSPN) or Virtual Private Network (VPN) allows business partners, each of whom has an intranet, to send secure communications to each other over the Internet, and know that no one else will be able to read the data. In essence, it creates a private, secure channel between intranets, even though the data sent between them travels over the public Internet. This means that companies will not have to lease expensive lines between them to send data over a secure link. The technology can also be used to allow a company to link branch offices with each other, without having to lease expensive lines, and know that the data can only be read by people on the VSPN.

  1. When someone on an intranet wants to send private data to another company via a VSPN, they don't do anything different than when they send public data-they merely send the data as they would to any location on the Internet. As with any data sent through an intranet, it is broken up into TCP/IP packets.
  2. All packets sent out from the intranet go through a special VSPN server. The server examines each IP packet to see whether the packet is bound for another VSPN intranet, or instead to the Internet. It determines whether it's bound for another VSPN by examining the IP addresses in the packet headers. It checks the destination address against a database of VSPN addresses. If the packet doesn't match a VSPN address in the database, it means that the packet is bound for the general Internet, not a VSPN, and so the VSPN software takes no further action. The packet is sent to its destination as a normal packet, via routers.
  3. If the packet matches a VSPN ad-dress, the software knows to take further action. It takes the entire TCP/IP packet-the header as well as the data-and encrypts it with powerful encryption technology. This means that no one who looks at the packet would be able to read any part of it.
  4. A new IP "envelope" or "wrapper" is put around the encrypted packet. This envelope contains IP information such as destination and source address, so that the encrypted packet can be delivered over the Internet. To the Internet, it looks like a normal TCP/IP packet, but the encrypted information in the packet will not be able to be read by anyone.
  5. The packet is sent to a router, and then sent over the Internet to its VSPN destination. When an encrypted packet inside a normal IP envelope or wrapper like this is sent over the Internet like this, it is often referred to as "tunneling."
  6. The packet is delivered to the destination VSPN, where the VSPN server examines the packet. It checks the IP address of the sender. If the address is not in the database of other VSPN intranets, it simply sends the packet along to an intranet router to deliver it. If the address is in the database, it strips off the IP wrapper, and decrypts the original TCP/IP packet. The packet is now in its original form.
  7. The packet is sent to an intranet router, which delivers it to its final destination. It can be used as any normal TCP/IP packet.