
VPN Types Based on OSI Model Layer

VPNs can also be classified based on the OSI model layer at which they are constructed. This is an important distinction to make. For example, in the case of encrypted VPNs, the layer at which encryption occurs can determine how much traffic gets encrypted, as well as the level of transparency for the VPN's end users.

Based on the OSI model layers, VPNs can be divided into the following three main categories:

  • Data link layer VPNs

  • Network layer VPNs

  • Application layer VPNs

Data Link Layer VPNs

With data link layer VPNs, two private networks are connected on Layer 2 of the OSI model using a protocol such as Frame Relay or ATM. Although these mechanisms provide a suitable way of creating VPNs, they are often expensive, because they require dedicated Layer 2 pathways to be created. Frame Relay and ATM protocols inherently do not provide encryption mechanisms. They only allow traffic to be segregated based on which Layer 2 connection it belongs to. Therefore, if you need further security, it is important to have some sort of encryption mechanism in place.

Network Layer VPNs

Network layer VPNs are created using Layer 3 tunneling and/or encryption techniques. An example is the use of the IPsec tunneling and encryption protocol to create VPNs. Other examples are GRE and L2TP protocols. It is interesting to note that although L2TP tunnels Layer 2 traffic, it uses Layer 3, the IP layer, to do this. Therefore, it is classified as a network layer VPN.

The following chapters focus on network layer VPNs. The network layer is a very suitable place to do encryption. It is low enough in the stack to provide seamless connectivity to all applications running on top of it, and it is high enough to allow suitable granularity in selecting the traffic that needs to be part of the VPN, based on the extensive IP addressing architecture already in place. Due to its natural positioning in the IP market, Cisco focuses on network layer encryption as the main mechanism for creating VPNs.

Application Layer VPNs

Application layer VPNs are created to work specifically with certain applications. One very good example of such VPNs is SSL-based VPNs: SSL provides encryption between Web browsers and servers running SSL. Another good example is SSH. SSH is promoted as a mechanism for encrypted and secure login sessions to various network devices, and it can also encrypt, and thus create VPNs for, other application layer protocols such as FTP and HTTP.

One of the main drawbacks of application layer VPNs is that often they are not seamless. The user must take an action on the end devices to set up the VPN separately for each of the various applications. As new services and corresponding applications are added, support for them must be developed as well. This is unlike network layer and data link layer VPNs, which provide seamless VPN connectivity for all applications after the basic VPN has been set up.
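The distinction between network layer and application layer VPNs is visible on the wire: network layer VPNs show up as an encapsulation in the outer IP header (IPsec ESP/AH, GRE, L2TP over UDP), while application layer VPNs such as SSL or SSH are only recognisable from the transport port of one particular application flow, and data link layer VPNs such as Frame Relay or ATM do not appear in the IP packet at all. The following classifier is an added example, not code from the book; it builds constructed IPv4 packets, and its port-based labels (443 for SSL, 22 for SSH, 1701 for L2TP) are heuristics rather than proof of what the payload contains.

```python
import struct

# IANA protocol numbers and well-known ports used by the classifier.
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP, IP_PROTO_AH = 6, 17, 47, 50, 51
UDP_L2TP, UDP_IKE, UDP_NAT_T, TCP_HTTPS, TCP_SSH = 1701, 500, 4500, 443, 22


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def classify_vpn_layer(pkt):
    """Return (OSI layer of the VPN, protocol) judged only from the outer IPv4/transport headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("unknown", "not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # protocol field of the IPv4 header
    if proto in (IP_PROTO_ESP, IP_PROTO_AH):
        return ("network", "IPsec")    # whole inner packet is protected, any application
    if proto == IP_PROTO_GRE:
        return ("network", "GRE")      # tunnelled at Layer 3, no encryption of its own
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        if len(pkt) < ihl + 4:
            return ("unknown", "truncated transport header")
        ports = set(struct.unpack("!HH", pkt[ihl:ihl + 4]))
        if proto == IP_PROTO_UDP:
            if UDP_L2TP in ports:
                return ("network", "L2TP")   # carries Layer 2 frames, but over IP/UDP
            if ports & {UDP_IKE, UDP_NAT_T}:
                return ("network", "IPsec (IKE/NAT-T)")
        else:
            if TCP_HTTPS in ports:
                return ("application", "SSL/TLS")  # protects this one application flow only
            if TCP_SSH in ports:
                return ("application", "SSH")
    return ("none", "no VPN encapsulation recognised")


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "esp": build_ipv4(IP_PROTO_ESP, b"\x00\x00\x12\x34" + b"\x00" * 12),        # SPI, seq, ciphertext
    "gre": build_ipv4(IP_PROTO_GRE, b"\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19),  # GRE carrying IP
    "l2tp": build_ipv4(IP_PROTO_UDP, struct.pack("!HHHH", 1701, 1701, 20, 0) + b"\xc8\x02" + b"\x00" * 10),
    "tls": build_ipv4(IP_PROTO_TCP, struct.pack("!HH", 51234, 443) + b"\x00" * 16 + b"\x16\x03\x03"),
    "plain_dns": build_ipv4(IP_PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_vpn_layer(pkt))
```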

Figure 10-1 shows VPNs at the various OSI model layers.

Figure 10-1. The Three Main Types of VPNs Based on the OSI Model Layers

