Glossary

Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs) are capable of providing a secure "tunnel" between systems or applications. VPNs are valuable for providing confidentiality and integrity protection of communications for applications that do not understand or implement those protections—the most obvious being legacy applications, and in particular, the protection of ids and passwords transmitted across networks to those applications.

Note that, just because an application uses strong authentication (Public Key or Kerberos), does not mean the application also provides confidentiality and integrity protection for transmitted information. While strong authentication mechanisms typically (but not always) provide the key material necessary to protect subsequent communications, you can't assume an application is providing that protection.

In some cases, a VPN may be necessary to protect communications even for those applications which use strong authentication. In other cases, a VPN may simply be a convenience to remove the burden from the application developers. Another case to be made for VPNs is the ability to externally enforce policies on the protection of transmitted data, without the knowledge or cooperation of the target applications or systems.

VPNs generally fall into two categories: network-layer or application-layer. The market does not, as a rule, distinguish between these different types of VPNs. However, that distinction is very important if VPNs are used as part of a secure SSO solution.