The term Virtual Private Network (VPN) means "an encrypted connection from one point to another over any network giving the illusion of being a private network." Originally, Marcus Ranum and I coined the term "virtual network perimeter," which in today's language means a VPN with trust — i.e., a network security perimeter extended to include other offices and remote users through a VPN link plus common name space, security policies, and management. Of course, networks are not private unless encryption is being employed. To put it plainly, unless you own the space around every wire, fiber, or radio signal used in the communication path, your connection is not private unless it is encrypted.
Those companies who were early adopters of firewalls are the ones using VPNs today. VPNs are still early in the use cycle. Three years ago, they hardly existed. Then firewall products started to include them — first ANS Interlock, then TIS Gauntlet. Soon, customers started demanding VPN functionality in their firewalls, even though few of them actually used it. But the Security Architecture for Internet Protocol (IPSEC) standard is changing that — with IPSEC-compliant off-the-shelf products, using encryption to protect the privacy of communications will be an automatic decision. It may take awhile. I predicted that 1998 would be the "Year of the VPN," but maybe 1999 is more realistic. Look, over four years after the famous Internet password sniffing incident, most people still seem to be working with reusable passwords.
VPNs are long-term solutions. VPNs may become ubiquitous and transparent to the user, but they will not go away. Because the problem VPNs address — privacy over a public network — will not go away. VPNs will exist from the desktop to the server, and at the IP packet level as well as the application data level.
VPNs directly protect the privacy of a communication, and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you discuss electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the information you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough information to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have and they may understand the risk of losing or compromising what they have, few understand both at the same time.
Even though VPNs provide ubiquitous, perimeter security, firewalls are still needed. Walls around cities went away because it became inexpensive to bring them in closer to individual homes. Only a perimeter enforcement mechanism can guarantee adherence to an organization's security policies. However, as part of policy enforcement, a firewall might need to be able to look at the information in a packet. Encryption makes that rather difficult. VPNs — improperly deployed — take away a firewall's ability to audit useful information, or to make decisions beyond the level of "who is allowed to talk to whom." There are ways around this. The easiest way is to make the firewall a trusted third member of the conversation. People who value privacy above everything else chafe at this. But people who value the security of their organization realize that this is a necessity.