A secure, private network 'tunnel' for remote users


Putting a PC network onto the Web used to mean taking a bit of a walk on the wild side, at least for small businesses. But not any longer.

In the past, businesses frequently preferred the reliability of wide-area networks (WANs) connecting two locations (e.g., headquarters and a remote sales office, branch, store, warehouse, etc.). WANs were built on high-speed lines leased from the telephone company and used exclusively by the company leasing them.

These leased lines came with a guarantee of quality and were inherently secure. However, this quality and security came at a high price, in the form of hefty monthly leasing charges (whether or not the bandwidth was used), network equipment purchase costs, and day-to-day technical operations.

Not surprisingly, as the Internet matured, companies began to explore the possibility of using this public network for private transport. The Internet, after all, offers more coverage at a greatly reduced price. What it didn't offer, in its early years, were the quality and security assurances of private WANs.

However, the development of virtual private networks (VPNs) has provided small companies the means to enjoy the benefits of dedicated leased-line facilities without the associated expense and overhead. Now, a VPN creates a private network by using the public IP network, the Internet, as a backbone.

But what makes a VPN a secure network "tunnel"? And what should you look for in a secure VPN solution? Here are four items:

1. Tunneling and encryption

The core of a VPN is tunneling, the technology that allows data to be carried over a public network such as the Internet. At the originating end of a tunneled transmission, a data packet is "wrapped" with new header information that allows the intermediary network to recognize and deliver it. At the terminating end of the transmission, the "wrapper" is stripped off, and the original packet is transferred to the destination local-area network for delivery.

Tunneling is the technology that enables companies to develop temporary "dedicated" links from remote sites and users back to a headquarters (or another location). But tunneling does not ensure privacy.

A secure VPN encrypts data before it travels through the public network and decrypts it at the receiving end. Encryption uses mathematical algorithms to "scramble" messages and their attachments. Encryption ensures that messages, even if intercepted in transit, cannot be read by anyone other than the authorized recipient. Several types of encryption algorithms exist, but some are more secure than others.

A secure VPN solution should support the toughest encryption standards, including:


  • IPSec: an Internet Engineering Task Force (IETF) standard in development for multilevel encryption, including Public Key Infrastructure (PKI) for user authentication.
  • Data Encryption Standard (DES): a 56-bit secret key encryption standard.
  • Triple DES (3DES): a 168-bit secret key encryption standard.

2. The role of the firewall

Generally, a firewall handles the data encryption for a VPN, while the tunneling function is provided by the access router or a dedicated VPN concentrator.

A firewall should be set up to check transmitted data, including the contents of the information itself, before letting it enter the network. This is called packet authentication: the firewall applies a header to each packet containing a check value computed over its contents, so that any attempt to modify the packet in transit is revealed when the receiving end recomputes and compares that value.
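The tunneling and encryption described in section 1 and the packet authentication described here, shown together as an added example that is not from the article or from any VPN vendor: a toy tunnel in Python. The outer header layout, the HMAC-SHA256 counter-mode keystream standing in for the cipher, and the sample addresses, inner packet and key are all constructed for the illustration; a real VPN would use a standard such as IPSec, not this cipher. The point it makes is the one the article makes: plain encapsulation leaves the payload readable, encryption hides it, and an authentication tag over the whole frame (header included) lets the receiver reject anything altered on the way.

```python
"""Toy VPN tunnel: plain encapsulation versus an encrypted, authenticated tunnel.
Constructed illustration only; not IPsec and not any product's code."""
import hashlib
import hmac
import os
import struct

# Constructed outer ("wrapper") header: tunnel source, tunnel destination,
# protocol of the inner packet, length of the wrapped payload.
OUTER_HDR = struct.Struct("!4s4sHI")
INNER_IS_IPV4 = 0x0800
NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output

# Constructed sample values (not real hosts or keys).
TUNNEL_SRC = bytes([192, 168, 1, 1])
TUNNEL_DST = bytes([203, 0, 113, 5])
SAMPLE_INNER = b"\x45\x00\x00\x28\x0a\x00\x00\x07\x0a\x01\x00\x09" + b"payroll: Alice 5000"
DEMO_KEY = b"example-master-key-not-for-real-use"


def encapsulate(inner_packet: bytes, tunnel_src: bytes, tunnel_dst: bytes) -> bytes:
    """Tunneling only: wrap the original packet in a new outer header."""
    return OUTER_HDR.pack(tunnel_src, tunnel_dst, INNER_IS_IPV4, len(inner_packet)) + inner_packet


def decapsulate(frame: bytes) -> bytes:
    """Terminating end: strip the wrapper and hand back the original packet."""
    _src, _dst, _proto, length = OUTER_HDR.unpack_from(frame)
    return frame[OUTER_HDR.size:OUTER_HDR.size + length]


def _derive_keys(master_key: bytes):
    """Separate encryption and authentication keys from one shared secret."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"auth", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: concatenated HMAC-SHA256(nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(inner_packet, tunnel_src, tunnel_dst, master_key, nonce=None):
    """Encrypt the inner packet, wrap it, append a tag over header+nonce+ciphertext.
    Because the tag covers the outer header too, a changed address is caught as well."""
    enc_key, auth_key = _derive_keys(master_key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    header = OUTER_HDR.pack(tunnel_src, tunnel_dst, INNER_IS_IPV4, len(ciphertext))
    body = header + nonce + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()


def unprotect(frame: bytes, master_key: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise if the frame was altered."""
    enc_key, auth_key = _derive_keys(master_key)
    if len(frame) < OUTER_HDR.size + NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("packet authentication failed: frame modified in transit")
    _src, _dst, _proto, length = OUTER_HDR.unpack_from(body)
    start = OUTER_HDR.size + NONCE_LEN
    nonce, ciphertext = body[OUTER_HDR.size:start], body[start:start + length]
    return _xor(ciphertext, _keystream(enc_key, nonce, length))


def detects_modification(frame: bytes, master_key: bytes, offset: int) -> bool:
    """Flip one bit at `offset` and report whether the receiver rejects the frame."""
    altered = bytearray(frame)
    altered[offset] ^= 0x01
    try:
        unprotect(bytes(altered), master_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    plain = encapsulate(SAMPLE_INNER, TUNNEL_SRC, TUNNEL_DST)
    secure = protect(SAMPLE_INNER, TUNNEL_SRC, TUNNEL_DST, DEMO_KEY)
    print("tunneling alone, payload readable:", b"payroll" in plain)
    print("encrypted tunnel, payload readable:", b"payroll" in secure)
    print("round trip ok:", unprotect(secure, DEMO_KEY) == SAMPLE_INNER)
    print("payload tamper detected:", detects_modification(secure, DEMO_KEY, OUTER_HDR.size + NONCE_LEN))
    print("header tamper detected:", detects_modification(secure, DEMO_KEY, 4))
```

The receiver checks the tag before it decrypts anything, and compares it with `hmac.compare_digest` so the comparison time does not leak how many bytes matched; both habits carry over to real implementations.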

In addition, the firewall should verify the identity of the users and servers, and record the source of the messages it receives and the time they arrived. This is user and device authentication, which provides reliable identification of all users and identity-based access control of sensitive network resources.

3. Security in "the air"

In 2000, a mere 15% of all corporate business travelers had VPN access to their corporate networks. At the end of 2002, In-Stat/MDR estimated that 80% of all business travelers were using VPN technology on the road.

It's a common sight today to see business travelers in airport concourses, convention centers, and hotel lobbies sitting with their laptops, working away as though they were at their desks. With the increased popularity of mobile computing, service providers, vendors, and the travel industry itself have been working to provide uninterrupted access to the services that workers need to continue being productive while on the road.

Today, a mobile worker can connect securely to headquarters at broadband speeds, whether traveling through an airport with a wireless laptop or after hours in a hotel room with a wired connection. To ensure that a mobile worker can connect securely to the corporate network via a secure VPN, he or she needs a wireless LAN interface card that can encrypt transmissions, preventing hackers from stealing data "out of the air."

4. A manageable solution

By definition, VPNs entail the management of remote users and sites, which immediately increases the demands on internal staff.

To simplify VPN support, look for the ability to allow a technical specialist at a central location to "push" security policies (including encryption and authentication algorithms) to the remote office router, so there is no need for technical intervention at the remote end.