The advantages of a network-based VPN are twofold. First, data aggregation and scalability are achieved by terminating all VPN sessions from clients at the IPSS and transporting data packets over a single VPN session from the IPSS to the enterprise VPN gateway. Because the enterprise VPN gateway has to terminate only one VPN session, even when the number of VPN client sessions increases, the amount of VPN session information—including security association (SA) information—that must be maintained at the enterprise VPN gateway does not increase. Thus, data aggregation for VPN sessions is itself a value-added service that an NSP can offer to its customers. Second, because packets are decrypted at the IPSS, it is possible to offer value-added services (e.g., firewall service, URL filtering, and caching service) that require packet and application header inspection within the service provider network and then to offload packets that have to be sent directly over the network without sending them to the enterprise. In contrast, a service provider cannot provide these services to packets in transit toward an enterprise over an end-to-end network, because the necessary packet and application headers are not visible in the clear in the network. Note that these services not only increase revenue opportunities for NSPs, but also benefit enterprises by enabling them to outsource these services to the NSP.