 Virtual Private Networks
 
Although the Internet can't quite do our laundry yet (or even cook a decent meal for that matter), it has changed the way we are able to transact business. One of its latest offerings for organizations that are motivated to reduce costs and increase services is the Virtual Private Network, or VPN.
 
In a nutshell, a VPN is a private connection between two machines or networks over a shared or public network. In practical terms, VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies. In other words, VPNs turn the Internet into a simulated private WAN.
 
The appeal is that the Internet has a global presence, and its use is now standard practice for most users and organizations. Thus, creating a communications link can be done quickly, cheaply, and safely.

 
 How It Works
 
To use the Internet as a private wide area network, organizations may have to overcome two main hurdles. First, networks often communicate using a variety of protocols, such as IPX and NetBEUI, but the Internet can only handle IP traffic. So, VPNs may need to provide a way to pass non-IP protocols from one network to another.
 
Second, packets crossing the Internet are carried in clear text unless the application itself encrypts them. Anyone on the path - an ISP, a compromised router, a tap on a shared link - can read the contents of those packets, and can alter them in transit as well. This is clearly a problem if companies want to use the Internet to pass important, confidential business information.
 
VPNs overcome both obstacles with a technique called tunneling. Instead of crossing the Internet in the open, each data packet is first encrypted (and, in any sound design, integrity-protected so that modification is detected), then encapsulated in an IP packet by the VPN device and sent through the Internet to the far end of the tunnel, which reverses the process (see Figure).
 
To illustrate the concept, let's say you're running NetWare on one network, and a client on that network wants to connect to a remote NetWare server.
The primary protocol used with traditional NetWare is IPX. So, to use a generic layer-2 VPN model, IPX packets bound for the remote network reach a tunnel initiating device - perhaps a remote access device, a router, or even a desktop PC, in the case of remote-client-to-server connections - which prepares them for transmission over the Internet.
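To make the tunneling step concrete, here is an added example (not code from the original article) that models one direction of a tunnel in Go: it takes a constructed IPX frame, encrypts and authenticates it with AES-GCM, prefixes a small outer header, and on the receiving side checks the tunnel ID, rejects replays, and refuses anything that fails authentication. The outer header layout, the pre-shared key, and the tunnel ID are assumptions of this example; real VPN protocols negotiate keys and use their own headers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical outer header for this example (not the wire format of L2TP, PPTP
// or IPsec): 4-byte tunnel ID and 8-byte packet counter, then AES-GCM ciphertext
// and its 16-byte tag. The header doubles as the 12-byte GCM nonce.
const hdrLen = 12

// Tunnel models one direction of a tunnel. Each direction needs its own key (a
// real VPN derives them during key exchange): nonces are built from the tunnel
// ID and counter, so one key shared by both directions would repeat nonces.
type Tunnel struct {
	aead     cipher.AEAD
	id       uint32
	sendCtr  uint64 // last counter used when sending
	lastRecv uint64 // highest counter accepted when receiving
}

func NewTunnel(key []byte, id uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, id: id}, nil
}

// Encapsulate encrypts an inner frame (IPX, NetBEUI, anything) and prefixes the
// outer header. The header is associated data: authenticated, but left readable
// for the devices that forward the packet.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	if t.sendCtr == ^uint64(0) {
		return nil, errors.New("counter exhausted: rekey before sending more")
	}
	t.sendCtr++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], t.id)
	binary.BigEndian.PutUint64(hdr[4:12], t.sendCtr)
	out := make([]byte, 0, hdrLen+len(inner)+t.aead.Overhead())
	out = append(out, hdr...)
	return t.aead.Seal(out, hdr, inner, hdr), nil
}

// Decapsulate rejects unknown tunnels and replays, then authenticates and decrypts;
// nothing is returned from a forged or modified packet.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	if binary.BigEndian.Uint32(hdr[0:4]) != t.id {
		return nil, errors.New("unknown tunnel id")
	}
	ctr := binary.BigEndian.Uint64(hdr[4:12])
	if ctr <= t.lastRecv {
		return nil, errors.New("replayed or reordered packet")
	}
	inner, err := t.aead.Open(nil, hdr, pkt[hdrLen:], hdr)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	t.lastRecv = ctr // advance only after the packet authenticated
	return inner, nil
}

// ipxFrame is a constructed IPX packet (30-byte header, 4-byte dummy payload),
// standing in for the non-IP traffic the text describes.
var ipxFrame = []byte{
	0xFF, 0xFF, 0x00, 0x22, 0x00, 0x11, // checksum, length 34, hop count, type 17 (NCP)
	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x51, // dest net, node, socket
	0x00, 0x00, 0x00, 0x02, 0x08, 0x00, 0x02, 0x01, 0x02, 0x03, 0x40, 0x03, // src net, node, socket
	0xDE, 0xAD, 0xBE, 0xEF,
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // pre-shared key for the demo; a real VPN negotiates this
	sender, _ := NewTunnel(key, 7)
	receiver, _ := NewTunnel(key, 7)
	pkt, _ := sender.Encapsulate(ipxFrame)
	fmt.Printf("%d bytes on the wire, IPX frame visible in them: %v\n", len(pkt), bytes.Contains(pkt, ipxFrame))
	got, err := receiver.Decapsulate(pkt)
	fmt.Println("decapsulated intact:", err == nil && bytes.Equal(got, ipxFrame))
	_, err = receiver.Decapsulate(pkt)
	fmt.Println("replay rejected:", err != nil)
	pkt2, _ := sender.Encapsulate(ipxFrame)
	pkt2[len(pkt2)-1] ^= 0x01 // flip one ciphertext bit in transit
	_, err = receiver.Decapsulate(pkt2)
	fmt.Println("tampering rejected:", err != nil)
}
```

The point to take from the example is the order of operations on receipt: tunnel ID and replay counter are checked before any cryptography, and the counter is advanced only after the tag verifies, so a forged packet can neither be decrypted nor desynchronize the receiver.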
 
 The Methods
 
Currently, there are a handful of VPN protocols rising to the surface in the industry - namely L2TP, IPsec, and SOCKS 5. Because they provide tunneling functions, these protocols are the building blocks used to create VPN links. Some of the protocols overlap in functionality, and some offer similar but complementary functionality. Each of the protocols requires further investigation when shopping for a solution. In the meantime, here's a quick summary of the protocols.
 
L2TP, the Layer-2 Tunneling Protocol (RFC 2661), combines Cisco Systems' Layer-2 Forwarding (L2F) with Microsoft's Point-to-Point Tunneling Protocol (PPTP). Because it tunnels PPP frames, L2TP carries any protocol PPP can carry, including IP, IPX, and AppleTalk, and it can run over any WAN backbone technology, including frame relay, ATM, X.25, and SONET. Note that L2TP itself provides tunneling and authentication of the tunnel endpoints but no encryption of the data it carries; in practice it is paired with IPsec (L2TP/IPsec) for confidentiality and integrity.
 
L2TP inherits much of its design from PPTP. This Microsoft protocol is an extension of PPP and is included in the remote access features of Windows 95, Windows 98, and Windows NT, so in the big picture most PC clients already come equipped with tunneling functionality. PPTP encapsulates PPP frames, and through them any Network-layer traffic, in GRE for transmission between Windows clients and servers. The protocol does not specify an encryption scheme; the Microsoft implementations pair it with Microsoft Point-to-Point Encryption (MPPE), whose session keys are derived from the MS-CHAP password authentication. Practitioners should note that the MS-CHAP exchange can be cracked offline from a captured handshake, and since the MPPE keys derive from the same password hash, PPTP is no longer considered suitable for protecting sensitive traffic.
 
The L2F portion of L2TP lets remote clients connect and authenticate to networks across ISP and NSP links. Beyond the basic VPN capability, L2TP multiplexes: a single client can hold several tunnels, and each tunnel can carry several sessions, each identified by the tunnel ID and session ID fields in the L2TP header. In practice, a remote client can keep tunneled connections to several systems open simultaneously - for instance, to a corporate database application and to the company's intranet.
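As an added example (not from the original article), the following Go program parses the L2TP header defined in RFC 2661 and reads the Message Type AVP from a control message. It is written the way a tunnel endpoint should parse untrusted UDP input: the flag bits determine which optional fields exist, so the required header size is computed first, and every length field is checked against the actual packet before it is used as a slice bound. The SCCRQ packet it decodes is constructed for the example; the tunnel and session IDs it reports are the fields by which L2TP keeps multiple tunnels and sessions apart.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// L2TPHeader is the RFC 2661 (L2TPv2) header. Payload is everything after the
// header and its optional pad: AVPs for a control message, a PPP frame for data.
type L2TPHeader struct {
	Control, HasLength, HasSeq, HasOffset, Priority bool // T, L, S, O, P bits
	Version                                         uint8
	Length, TunnelID, SessionID, Ns, Nr             uint16
	Payload                                         []byte
}

// Control message codes carried in the Message Type AVP (attribute type 0).
var msgNames = map[uint16]string{1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN",
	6: "HELLO", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

// ParseL2TP decodes a header and refuses packets whose flags or length fields lie.
func ParseL2TP(pkt []byte) (*L2TPHeader, error) {
	if len(pkt) < 2 {
		return nil, errors.New("packet shorter than the flags field")
	}
	f := binary.BigEndian.Uint16(pkt[0:2])
	h := &L2TPHeader{Control: f&0x8000 != 0, HasLength: f&0x4000 != 0, HasSeq: f&0x0800 != 0,
		HasOffset: f&0x0200 != 0, Priority: f&0x0100 != 0, Version: uint8(f & 0x000F)}
	if h.Version != 2 {
		return nil, fmt.Errorf("unsupported L2TP version %d", h.Version)
	}
	// RFC 2661: control messages MUST carry Length and Ns/Nr and MUST NOT set O or P.
	if h.Control && (!h.HasLength || !h.HasSeq || h.HasOffset || h.Priority) {
		return nil, errors.New("control message with illegal flag combination")
	}
	// Header size implied by the flag bits (a missing map key yields 0).
	need := 6 + map[bool]int{true: 2}[h.HasLength] + map[bool]int{true: 4}[h.HasSeq] + map[bool]int{true: 2}[h.HasOffset]
	if len(pkt) < need {
		return nil, fmt.Errorf("flags require a %d-byte header, packet has %d bytes", need, len(pkt))
	}
	off := 2
	if h.HasLength {
		h.Length = binary.BigEndian.Uint16(pkt[off:])
		off += 2
		if int(h.Length) < need || int(h.Length) > len(pkt) {
			return nil, fmt.Errorf("length field %d inconsistent with packet size %d", h.Length, len(pkt))
		}
		pkt = pkt[:h.Length] // bytes beyond Length are not part of this message
	}
	h.TunnelID, h.SessionID = binary.BigEndian.Uint16(pkt[off:]), binary.BigEndian.Uint16(pkt[off+2:])
	off += 4
	if h.HasSeq {
		h.Ns, h.Nr = binary.BigEndian.Uint16(pkt[off:]), binary.BigEndian.Uint16(pkt[off+2:])
		off += 4
	}
	if h.HasOffset {
		off += 2 + int(binary.BigEndian.Uint16(pkt[off:])) // skip the offset pad
		if off > len(pkt) {
			return nil, errors.New("offset pad runs past the end of the packet")
		}
	}
	h.Payload = pkt[off:]
	return h, nil
}

// MessageType reads the Message Type AVP that RFC 2661 requires first in every
// control message: 10-bit length 8, vendor ID 0, attribute type 0, 2-byte value.
func MessageType(payload []byte) (string, error) {
	if len(payload) < 8 || binary.BigEndian.Uint16(payload[0:2])&0x03FF != 8 || binary.BigEndian.Uint32(payload[2:6]) != 0 {
		return "", errors.New("first AVP is not a Message Type AVP")
	}
	name, ok := msgNames[binary.BigEndian.Uint16(payload[6:8])]
	if !ok {
		return "", errors.New("unknown message type")
	}
	return name, nil
}

// sampleSCCRQ is a constructed Start-Control-Connection-Request, the first
// message a client sends (UDP port 1701, tunnel ID 0) to open a new tunnel.
var sampleSCCRQ = []byte{
	0xC8, 0x02, 0x00, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // T,L,S; ver 2; len 38; IDs 0; Ns/Nr 0
	0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, // Message Type AVP: SCCRQ
	0x80, 0x0A, 0x00, 0x00, 0x00, 0x07, 'l', 'a', 'c', '1', // Host Name AVP
	0x80, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x07, // Assigned Tunnel ID AVP: 7
}

func main() {
	h, err := ParseL2TP(sampleSCCRQ)
	if err != nil {
		panic(err)
	}
	name, _ := MessageType(h.Payload)
	fmt.Printf("%s tunnel=%d session=%d Ns=%d Nr=%d\n", name, h.TunnelID, h.SessionID, h.Ns, h.Nr)
	bad := append([]byte(nil), sampleSCCRQ...)
	bad[3] = 0xFF // the length field now claims 255 bytes
	fmt.Println(ParseL2TP(bad))
}
```

The same pattern (derive the expected size from the flags, validate each length against the real buffer, only then slice) applies to the remaining AVPs, whose 10-bit length field is the next untrusted value a full implementation would check.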