A typical end-to-end VPN data path could contain:

• Several machines not under control of the corporation (for example, the ISP access box in a dial-in segment and the routers within the Internet).
• A security gateway (firewall or router) that is located at the boundary between an internal segment and an external segment.
• An internal segment (intranet) that contains hosts and routers. Some could be malicious, and some will carry a mix of intracompany and intercompany traffic.
• An external segment (Internet) that carries traffic not only from your company's network but also from other sources.

Once again, a VPN can never trust the network's security. It must make its own.