
Deciphering The Goal Of Virtual Private Networking
Virtual private networking is quite the buzz phrase, and everyone, it seems, has a solution that hits the VPN mark. Vendors describe the purpose of VPN in two ways--as an IPSec-compatible solution or as a non-IPSec one--and the difference hinges entirely on which market the vendor is addressing. Depending on who's talking, the terms "virtual" and "private" also may take on different, though equally valid, meanings.
Virtuality
At its simplest, "virtual" should indicate that a network connection is dynamic, existing according to organizational needs, and not a nailed-down connection; it is formed logically, regardless of underlying structure. Vendors in the IPSec camp contend that IPSec allows end points to connect using the available IP network as a backbone. The virtuality stems from the flexibility of the VPN devices to build up and tear down tunnels as needed. Furthermore, security parameters for the individual tunnels can be negotiated among sites so that separately managed sites can achieve acceptable levels of security. Socks adherents spout similar views, but Socks implementations operate at the application level, and Socks applications don't really tunnel traffic as much as encrypt it before the stack even sees it.
What Privacy?
The "private" part of VPN becomes more critical when you use the Internet, or any unprotected network, as your virtual backbone. Privacy is typically considered in the context of hiding data from prying eyes or tampering. The complete VPN network should be as strong as your internal network. IPSec encrypts data and, in some cases, entire IP packets. The mechanisms for encryption are modular and the exact security parameters are negotiated during the tunnel setup, so you can use just about any combination of authentication and encryption that suits your needs. Socks 5 implementations, such as Aventail's Autosocks client, operate in a similar manner, though the implementation will differ.
Non-IPSec followers think of privacy in a radically different way. They say it means that a user has a tunnel down which only its traffic runs. This is a bit of a stretch, because all the data must traverse shared media--and the data, with no other modification to the packets, travels across networks in the clear. The only thing private about PPTP, L2F and L2TP is that when a tunnel is associated with a particular user, the tunnel appears as a private link. Microsoft has a PPTP client for Windows 95 and Windows NT and can use its own proprietary encryption, but the majority of remote VPN users generally must dial into a point of presence (POP). The POP makes a VDPN connection to a server on the corporate LAN, and the user's Point-to-Point Protocol (PPP) traffic is sent to it.
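To make concrete what "in the clear" means here, the following added example (not from the original article or any vendor's code) walks the header of a constructed L2TPv2 data message and shows that the inner IP addresses and application data are readable by anyone on the path, whereas an IPSec ESP packet exposes only its SPI and sequence number. The packet bytes, addresses and tunnel IDs are constructed for illustration.

```python
import socket
import struct

# Constructed sample, not a capture: an L2TPv2 data message (the UDP/1701
# payload) carrying a PPP frame whose protocol field says IPv4 (0x0021).
def build_l2tp_sample() -> bytes:
    app_data = b"GET /payroll HTTP/1.0\r\n"
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(app_data), 1, 0, 64, 6, 0,
                            socket.inet_aton("10.1.1.5"), socket.inet_aton("192.0.2.10"))
    ppp = b"\x00\x21" + ip_header + app_data          # PPP protocol = IPv4
    flags = 0x4002                                    # L bit set, version 2, data message
    return struct.pack("!HHHH", flags, 8 + len(ppp), 0x1234, 0x0001) + ppp

def parse_l2tp_data(payload: bytes) -> dict:
    """Walk the L2TP header and the PPP frame it carries; return what a passive
    observer on the path can read without any key material."""
    flags = struct.unpack("!H", payload[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 message")
    if flags & 0x8000:
        raise ValueError("control message, carries no user data")
    pos = 2
    if flags & 0x4000:                    # L: a Length field follows
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    if flags & 0x0800:                    # S: Ns and Nr fields follow
        pos += 4
    if flags & 0x0200:                    # O: Offset Size, then that many pad bytes
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    ppp = payload[pos:]
    if ppp[:2] == b"\xff\x03":            # optional HDLC address/control prefix
        ppp = ppp[2:]
    proto = struct.unpack("!H", ppp[:2])[0]
    inner = ppp[2:]
    info = {"tunnel_id": tunnel_id, "session_id": session_id, "ppp_protocol": proto}
    if proto == 0x0021:                   # IPv4 inside: addresses and data are readable
        ihl = (inner[0] & 0x0F) * 4
        info["src"] = socket.inet_ntoa(inner[12:16])
        info["dst"] = socket.inet_ntoa(inner[16:20])
        info["ip_proto"] = inner[9]
        info["data"] = inner[ihl:]
    return info

def parse_esp(packet: bytes) -> dict:
    """For contrast: ESP shows only SPI and sequence number; the rest is ciphertext."""
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "opaque_bytes": len(packet) - 8}
```

Run `parse_l2tp_data(build_l2tp_sample())` to see the inner source, destination and HTTP request recovered from nothing but the tunnel bytes; this is the exposure that layering IPSec under L2TP is meant to close.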