VIRTUAL PRIVATE NETWORK (VPN) is a general industry term that actually covers many different technologies. Anyone who works in a large company and needs to access a corporate network remotely will probably confirm using a VPN to connect to the network for email, intranet, and other corporate applications. Ask anyone how that VPN works, however, and you will almost always get a blank stare. End users are typically interested only in the result of a solution, not in how it works. For you, the information security practitioner, however, just how a VPN works is as important as the benefits a VPN provides your organization.

VPNs are deployed in a number of different ways, leveraging a variety of technologies, platforms, and protocols. Determining which VPN is the right fit for your organization requires successfully gathering and interpreting your business requirements. Once you have documented those requirements, it is up to you as the security practitioner to understand the various options and capabilities to fit the VPN technology to the appropriate business requirements.

A variety of technical factors affect the selection and installation of a VPN solution. Some VPNs are available as software installed on a workstation or a server. Other VPNs are software components of other devices, like a router or a firewall. Finally, dedicated VPN hardware appliances provide secure remote connectivity.

A variety of underlying protocols can provide different functions, features, and levels of encryption. When a vendor starts talking about L2TP, IPv6, SSL and SSH, or IPSec, you will need to understand the jargon and make the right technology decision for your organization.

Finally, other infrastructure considerations when working with VPN technologies include how networks function—including network address translation (NAT) and Internet Protocol (IP) version—and the use of virtualization, which can affect how you deploy, maintain, and troubleshoot a VPN.