Why is VPN Secure?

I am just curious as to how VPN is more secure than other ways of connecting to a remote server. How would you justify the investment in VPN to a manager?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The investment in VPN is secure because all of the traffic is encrypted, and only the endpoints know the encryption key.  It takes a major effort by someone that has a vested interest in cracking your encryption to do so - an MDA5 hash is NOT easy to crack.

The benefit of using a VPN as opposed to a point-to-point connection in a site-to-site scenario is it costs MUCH less for comparable bandwidth, and is carried over the Internet.  Rather than paying for T1, fractional T1, frame-relay, T3, OC-3, etc, (depending on how fast you want it to be) all you need to pay for is a big enough "pipe" to the Internet at each site you want to connect.  You can take advantage of the cost savings between point-to-point technologies and business-class SDSL or business-class cable-modem, AND have your company's internet connectivity all covered in the same bill for virtually no extra money.

If you are talking about a client-to-server VPN, what you gain is the ability to take advantage of broadband home connections like DSL or cable-modem to connect through that always-on internet link, rather than taking up a POTS phone line.  It leaves your phone line available for voice use while you connect to your server securely over the Internet.  This applies to both home and branch-office connections.  The connections are also much faster, and you don't have to worry about per-minute long-distance charges either.
Point-to-point is more secure than VPN, because the traffic does not flow over the Internet.  It is MUCH more expensive for equivalent throughput.

Dialup is actually less secure than VPN, because the traffic all goes over the public telephone lines, and once a determined hacker discovers your dialup line, access is only a matter of time and effort, which is less effort than trying to hack the VPN encryption.  Dialup security is usually based on RADIUS, using PPP, with either PAP or CHAP authentication.  Other dialup authentication schemes are less secure than RADIUS, and CHAP is more secure than PAP because PAP sends the password in clear text over the POTS line.  You also get only a fraction of the throughput of a broadband client-to-server VPN connection.
Leo_NelAuthor Commented:
How is the connection secured from the user's workstation to the Internet? Is the key the only source of security?
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

There are usually public keys and private keys.  

When establishing a VPN connection, at no point should any login or password information pass in clear-text format.

What I understand is that the connection and authentication request is encrypted before it leaves the client, and the server can decrypt it using the public key.  The authentication response is then encrypted using the private key and sent back to the client.  The client can then send an encrypted login request using the newly-established encryption code and the client's private key.  Once the authentication and login takes place, then the encryption has been agreed-upon between the client and server, and all traffic is encrypted and decrypted using that "hash" established during the connection and authentication phase.

Usually, VPN "tunnels" make use of a 128-bit encryption code, but the keys can be much larger, like up to 2Kbytes or more in length, making it virtually impossible, and definitely impractical to try, to come up with the combination needed to break into the VPN and capture any meaningful data.
As far as the keys being the only source of security, no.  You should still have to authenticate through your normal login and password method after the VPN is established.
I could have mixed a few metaphors or misstated a couple of key words in my description of how a client-to-server VPN works.  If you want, I can post some links to documents that accurately step through the actual process - if someone else doesn't post links before you say "sure, give me some links."  hehe.
Leo_NelAuthor Commented:
Give me some links
bbaoIT ConsultantCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Just a sidelight on vpn.  The tunnel is encripted and is secure.  The computers at the end points are still vonerable.  Your tunnel is secure but you still need to protect or disable your local ports on both ends.  
There are only two ports that need to be open to create a PPTP-TCP VPN Connection.  Those ports are 47 and 1723.  These should be the only ports open on the devices.  Port Sniffers will see these ports as open, but as long as you use a strong password policy, breaking in should be near impossible.  Also, the Encrypted Tunnel is created before any username and password information is sent.  The higher the encryption, the slower the overall throughput will be.  You can expect to get 40% of your full bandwidth with 128bit MPPE encryption.  This is due to the size of the encryption headers that are placed on each packet.  That is also something to consider when comparing to a managed Point to Point service (frame-relay, ATM, etc).  You may be paying less for business DSL, but you'll only get about 700kbps on a 1.5mbps ADSL connection.  It may be a little better on an SDSL connection.
Yes, but an SDSL connection costs a bunch less than a 768Kbps fractional T1... and the loss due to encryption/decryption is dependent on the speed of the processor.  In other words, you DON'T want to use that spare 486 for your VPN!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.