GOOD2USE Knowledge Network Point-to-Point Tunneling Protocol


A network connection requires the computers on the network to share a common protocol. A protocol is the language computers use to communicate over the connection medium.
For a standard Internet connection, computers use the TCP/IP protocol over a PPP (Point-to-Point Protocol) connection. In the case of a VPN, this concept is taken a step further. The Windows 98 implementation of virtual private networking relies on a protocol called PPTP (Point-to-Point Tunneling Protocol).

PPTP is simply an extension of the PPP protocol. PPTP provides a tunnel through the logical connection medium that allows the two computers to communicate.
Because of the way PPTP works, you can use it regardless of the communications protocol your corporate network normally uses. For example, suppose your corporate network normally uses Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX). You can set up IPX/SPX on your remote computer and communicate with your corporate network using IPX/SPX packets traveling across PPTP.

VPN security

Given the insecure nature of the Internet, security is a big concern with VPNs. You don't want someone to steal your packets as they flow freely across the Internet. Nor do you want your corporate network to be compromised. Fortunately, virtual private networking is designed to be secure.
The first step in having a secure environment is to have strong passwords. When you dial in to your ISP, it typically asks for a password. However, this password only grants you an Internet connection; it has absolutely nothing to do with your VPN access. Instead, when you establish the VPN session, you'll be prompted for a second password. This is your usual Windows NT (or Windows 2000) domain password. The password is authenticated using the same method a RAS server uses. You can use Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), or Password Authentication Protocol (PAP) to authenticate Windows NT passwords.
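The choice among these methods determines what crosses the wire. The following added example (not from the original article) builds a PAP Authenticate-Request as defined in RFC 1334 and a standard CHAP response as defined in RFC 1994, so the two can be compared; it does not model MS-CHAP, and the user name, password and challenge values are constructed samples.

```python
import hashlib
import hmac
import os
import struct

USER = b"alice"                     # constructed sample user name
PASSWORD = b"Constructed-Passw0rd"  # constructed sample password

def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): code 1, identifier, length,
    then length-prefixed peer ID and password, both in cleartext."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_response_value(ident, secret, challenge):
    """CHAP Response Value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident, secret, challenge, response):
    """Authenticator side: recompute the value and compare in constant time."""
    expected = chap_response_value(ident, secret, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    pap_frame = pap_authenticate_request(1, USER, PASSWORD)
    challenge = os.urandom(16)      # authenticator picks a fresh challenge
    response = chap_response_value(2, PASSWORD, challenge)
    return {
        # PAP: anyone who captures the frame reads the password directly.
        "pap_password_on_wire": PASSWORD in pap_frame,
        # CHAP: only a 16-byte digest bound to this challenge is sent.
        "chap_password_on_wire": PASSWORD in response,
        "chap_accepts_valid": chap_verify(2, PASSWORD, challenge, response),
        # A captured response fails against the next session's challenge.
        "chap_accepts_replay": chap_verify(3, PASSWORD, os.urandom(16), response),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the CHAP response is a function of a secret both sides hold, the authenticator must have the password (or an equivalent) available to recompute it, which is why password strength still matters with challenge-based methods.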

Once a user has been authenticated into a Windows NT domain, all the usual security mechanisms continue to apply. For example, all NTFS permissions and share permissions apply to a user who's connected through a VPN just as if the user were connected to a network locally. An added level of security comes from encryption. Once a user has specified his or her password, the remote client and the VPN server generate a 40-bit encryption key that can be used to encrypt and decrypt packets. If you're using Windows NT Server with Service Pack 1, 2, or 3, this encryption key changes with every 256 packets. If you're using Service Pack 4 or above, the encryption key changes with every packet. To further enhance security, users in the United States and Canada may use 128-bit encryption as opposed to the standard 40-bit encryption.





© Copyright 1998-1999 GOOD2USE