Despite the large (and rapidly expanding) number of VPN products, all fall into three broad categories: hardware-based systems, firewall-based VPNs and standalone VPN application packages.
Most hardware-based VPN systems are encrypting routers. They are secure and easy to deploy, since they are the nearest thing to "plug and play" encryption equipment available. They also provide the highest network throughput of any VPN type, since the processor is not shared with a general-purpose operating system or other applications. However, they may not be as flexible as software-based systems. The best hardware VPN packages offer software-only clients for remote users, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.
Firewall-based VPNs take advantage of the firewall's existing security mechanisms, including restricting access to the internal network. They also perform address translation, satisfy requirements for strong authentication, and provide real-time alarms and extensive logging. Most commercial firewalls also "harden" the host operating system by stripping out dangerous or unnecessary services, which protects the VPN server as well. That OS protection is a major plus, since very few VPN application vendors supply guidance on securing the host. Performance may be a concern, especially if the firewall is already heavily loaded; however, some firewall vendors offer hardware encryption processors to minimize the impact of VPN traffic on the system.
Software-based VPNs are ideal where the two endpoints of the VPN are not controlled by the same organization (typical of client support arrangements or business partnerships), or where different firewalls and routers are deployed within the same organization. At the moment, standalone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled selectively, by destination address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle regardless of protocol. Selective tunneling is advantageous where remote sites see a mix of traffic, some of which needs transport over the VPN (such as queries to a database at headquarters) and some of which does not (such as Web surfing). Where performance requirements are modest (such as users connecting over dial-up links), software-based VPNs may be the best choice.
Software-based systems are generally harder to manage than encrypting routers, however. They require familiarity with the host operating system, the VPN application itself and the appropriate security mechanisms, and some software VPN packages require changes to routing tables and network addressing schemes.
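The selective tunneling described above is a policy decision made per packet, much like an IPsec security policy database: a traffic selector (destination network, protocol, port) maps to "tunnel" or "bypass", rules are evaluated in order, and the first match wins. The following added example (my own illustration, not code from the article or any VPN product) implements such a policy table in Python and evaluates it against a few constructed flows. The 10.0.0.0/8 headquarters network, the 203.0.113.x Internet addresses and the database port 5432 are all assumed for the example.

```python
"""Per-flow tunnel policy modelled on an IPsec security policy database (SPD).

Each rule pairs a traffic selector (destination network, IP protocol, optional
destination port) with an action: TUNNEL the packet through the VPN or BYPASS
it straight to the Internet. Rules are evaluated in order and the first match
wins, so every table must end with a catch-all default rule.
All addresses and ports below are assumed, not taken from a real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TUNNEL = "tunnel"
BYPASS = "bypass"

# IANA protocol numbers
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    dst_net: ipaddress.IPv4Network  # destination address selector
    proto: Optional[int]            # IP protocol number, None = any
    dst_port: Optional[int]         # transport destination port, None = any
    action: str


@dataclass(frozen=True)
class Flow:
    dst: str                        # destination IPv4 address of the packet
    proto: int
    dst_port: Optional[int] = None  # None for ICMP and other port-less protocols


def matches(rule: Rule, flow: Flow) -> bool:
    """True if every selector in the rule accepts the flow (None is a wildcard)."""
    if ipaddress.IPv4Address(flow.dst) not in rule.dst_net:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return True


def decide(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation. A policy with no matching rule is an error,
    never a silent bypass."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    raise LookupError("no rule matched; the policy must end with a default rule")


def is_split_tunnel(policy: List[Rule]) -> bool:
    """A policy that both tunnels and bypasses leaves the remote host attached
    to the corporate network and the open Internet at the same time."""
    actions = {rule.action for rule in policy}
    return TUNNEL in actions and BYPASS in actions


# Assumed corporate address space (RFC 1918) and an assumed database port.
HQ_NET = ipaddress.IPv4Network("10.0.0.0/8")
DB_PORT = 5432

# Software-VPN style policy: headquarters traffic and anything unclassified go
# through the tunnel; ordinary web browsing goes direct.
SPLIT_POLICY = [
    Rule(HQ_NET, None, None, TUNNEL),        # all traffic to headquarters
    Rule(ANY_NET, PROTO_TCP, 80, BYPASS),    # plain web
    Rule(ANY_NET, PROTO_TCP, 443, BYPASS),   # TLS web
    Rule(ANY_NET, None, None, TUNNEL),       # default: fail closed into the tunnel
]

# Encrypting-router style policy: a single selector, everything is tunnelled.
FULL_POLICY = [Rule(ANY_NET, None, None, TUNNEL)]


if __name__ == "__main__":
    samples = [                                  # constructed sample flows
        Flow("10.1.2.3", PROTO_TCP, DB_PORT),    # database at headquarters
        Flow("203.0.113.10", PROTO_TCP, 443),    # public web site (TEST-NET-3)
        Flow("203.0.113.53", PROTO_UDP, 53),     # DNS to an outside resolver
        Flow("10.1.2.3", PROTO_ICMP),            # ping to headquarters
    ]
    for name, policy in (("split", SPLIT_POLICY), ("full", FULL_POLICY)):
        print(f"{name} policy, split tunnel: {is_split_tunnel(policy)}")
        for flow in samples:
            print(f"  {flow.dst:<14} proto {flow.proto:<3} port {flow.dst_port}: "
                  f"{decide(policy, flow)}")
```

Two design points matter in practice. The default rule sends unclassified traffic into the tunnel rather than out to the Internet, so an omission in the table fails closed. And the `is_split_tunnel` check exists because a host that tunnels some traffic and bypasses the rest is reachable from both networks at once, which deserves the same scrutiny as a firewall rule set; a hardware encrypting router that tunnels everything avoids the question by not offering the choice.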
Be aware that as the VPN market evolves, the distinctions between these architectures are becoming less clearly defined. Some hardware vendors have added software clients to their product lines and extended their servers to include security features more "traditionally" offered by software or firewall-based VPNs. A few standalone products have added support for hardware encryptors to improve their performance. And for all types of VPN, wider implementation of the proposed IPSec standard is making it easier (though not trivial) to mix and match products from different vendors. So bear in mind that these categories are becoming less meaningful as time goes on.
Tuesday, 29 March 2011