Remote access is the ability to log on to a computer network from a “remote” location. Remote does not refer to physical distance, but rather locations that are not part of a configured network. One conventional form of remote access is the virtual private network (VPN). A VPN is a type of private network constructed by using public network infrastructure to connect divergent network nodes. Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, physical connection such as a leased line, a VPN uses “virtual” connections routed through the Internet from, for example, a company's private central network to a remote site or to a remote employee on the road or working from home. VPNs are constructed to operate over a public network typically through the use of a combination of data encapsulation, data encryption and user authentication.
A variety of mechanisms are used to provide network security for access and data integrity in a VPN. VPNs may use either symmetric-key encryption or public key encryption. A protocol commonly used in VPNs is IPsec. IPsec, which stands for Internet Protocol Security, is a set of protocols developed by the Internet Engineering Task Force to implement VPNs. IPsec supports the secure exchange of data packets at the Internet Protocol (IP) network layer. IPsec supports two encryption modes: transport, and tunnel. Transport mode encrypts only the data portion, that is, the payload, of each packet, but leaves the header untouched. Tunnel mode is more secure as it encrypts both the header and the payload. In tunneling, the packet to be sent to the central network is encapsulated within another packet and is then sent over the VPN connection to the central site. On the receiving side, an IPsec-compliant device decrypts each packet. In IPsec, the sending and receiving devices share a public key. IPsec uses a protocol called Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.
VPNs are frequently used to connect a central computer site with one or more remote computer sites. This type of VPN is called a remote-access VPN. One of the several types of remote-access VPN environments in the current art involves using a client application at the remote site. The client application may be a software client application or a hardware client application.
The general configuration for VPNs using a software client application involves installing client software on each remote computer. A typical example of a VPN in which a software client device is employed is a home-office computer or a laptop of a mobile worker. In a typical software client deployment, the VPN client software is installed on the computer and the client computer connects to the central site via a telephone connection or an Internet Service Provider connection to the Internet. The VPN software client establishes a secure encrypted tunnel from the client device to the central site over the Internet. Access and authorization to the central site are controlled from the central site. After the client computer is authenticated, the client computer receives IP parameters such as a virtual IP address that is used for VPN traffic and the location of domain name servers.
An example of a hardware client application is a VPN client device residing at the remote site connecting a plurality of remote computer devices, called stations, to the central site. An example of a remote site that might use a hardware client is a small remote office connected to a main office. Another example of a remote site connected to a central site using a VPN is a group of cash registers in a remote facility networked to a central site. Printers and other output devices can also be networked in a VPN in order to be remotely controlled from a central site. The individual stations connected to the hardware client do not need to have client software in order to access the VPN through the hardware client. The client device, i.e., the hardware client, after authentication, receives an IP address that is used for VPN traffic. The client stations behind the hardware client appear as a single user on the central site through the use of many-to-one network address translation (NAT).