VPN market choices: Aligning network planning to enterprises’ security and mobility requirements

Virtual Private Networks (VPNs) are an essential part of enterprises’ IT security policies. Unfortunately, with the variety of mobile device applications, empowering remote worker efficiencies—while preventing risky network behavior—is a challenge. Businesses are struggling to find a “one-size-fits-all” approach to providing these end-users with a secure network access solution. What is necessary is a well-planned VPN that fits with the company’s organization, decision-making processes, workplace decentralization and many deployment requirements.

This article examines the range of VPN market choices available and the considerations enterprises should take into account when selecting the technology that best fits their unique security needs without impacting mobility or efficiency.

Creating a VPN checklist
Implementing a VPN, especially one that is scalable and future-proof, requires planning. Basic decision criteria should include the mode of work (mobile or in-office), the working environment (single user or networked PC), the communication relationships (dial in or dial out) and the mode of operation (autonomous or through a provider—an outsourced network).

To build the optimal VPN for their enterprise, network administrators should bear the following in mind:

  • How many employees are able to work with the system, mobile or stationary? This can affect the development of the central VPN gateway or number of simultaneous connections to the tunnel.
  • From which locations will the company network be accessed? Is this local, regional, national or international? This can also affect the transmission network (e.g. WLAN, LAN, Wi-Fi, etc.).
  • Which devices will be used to access the network remotely (e.g. desktop PCs, laptops and handhelds)? Enterprises need to ensure that the VPN clients can support the operating systems in place.
  • Do teleworking employees alternate and divide their time between the office and the home? This could impact the scope of services provided by the VPN client.
  • Which applications will be used on the remote computer? Will the efficiency of the remote device be affected? The enterprise needs to consider the type of transmission medium, or the connection point that enables Internet access.
  • Which security level is necessary? What type of data will be transmitted? What security policies are currently in place for remote workers? User authentication is a factor for the enterprise.
  • Can central IT components, such as user-defined databases, RADIUS directory services, etc., be used? This will help the organization identify the level of support and compatibility of standards.

Exploring the market choices
The current generation of hardware and operating systems is leaving both enterprises and end-users increasingly frustrated about their VPN options. For example, many of those purchasing new computers opt for the latest and fastest machines, only to find out later that their company VPNs are not compatible, so the shiny new device cannot be used for work. Whether businesses are weighing hardware versus software or IPSec versus SSL VPN options, there are many different solutions on the market.

Freeware VPNs
These applications provide an inexpensive option for remote network access. Users can test certain functions within their network environments with no direct software costs. Optimal for the individual user, the software is open standards-driven; developers encourage the community to “donate” and modify the source code. Consequently, it can offer features that aren’t commercially available yet.

While freeware is an interesting option for individual ad-hoc use, it is not ideal for enterprise adoption on any scale. The lack of technology support is a big issue, and there is no central control or management of the software. In addition, many organizations are adopting freeware without any formal policies or governance in place. Serious flaws that were not fixed before release can prove problematic and can easily compromise the network’s security and reliability; the software can also come with advertisements or programs that install spam software on users’ systems.

Web-based remote access utilities
This paid-for software is intended to give users remote access to a PC, displaying its screen on a laptop or other system located outside of the office. It does allow for a secure encrypted connection, two-factor authentication and notifications of user logins. In addition, these Web-based utilities require little to no configuration to set up. The software is a convenience solution that provides simple remote desktop access.

A case for ditching the VPN entirely? Not exactly. First, the computer inside the corporate network must be fully available to the remote user: the system has to be turned on and functioning correctly. Second, remote access services can extend the network perimeter to unknown locations, sneaking untested software into the service portfolio and changing the user’s risk profile. The software can also have problems making connections inside the firewall and might not conform to an organization’s security best practices with regard to privacy and implementation. Enterprises should not rely on these Web-based utilities as viable VPN alternatives.

OpenVPN
Like freeware and remote access utilities, OpenVPN’s low ongoing costs are attractive to end-users. The open source software is a strong solution for smaller companies and individuals. It offers multi-platform support and can be installed on Linux, Unix, Windows and Mac OS X; many community support options are available for OpenVPN. Other strengths of this VPN choice include support for dynamic IP addresses and NAT, adaptive link compression and a modular design that offloads most crypto tasks to the OpenSSL library.

Because of its power and flexibility, OpenVPN can be difficult for an end-user; functionality is limited without effort put into configuration and setup. The software does not prevent unencrypted traffic from flowing along the connection, and it is able to circumvent firewalls when clients are in restrictive environments. From a network administrator’s standpoint, OpenVPN is actually forgoing the security policies in place. Enterprises should also bear in mind that OpenVPN is based on SSL; a hybrid IPSec and SSL solution offers better use for both the power-user and those who only need occasional remote network access.

Traditional, paid-for
Enterprises have long debated the benefits of software versus hardware VPNs. Traditional VPN software has been noted as a more cost-effective option, especially with regard to upgrades and scalability. Another advantage of the software approach is that the network does not change; no extra devices need to be installed, and configuration and management tools should remain consistent. As it is software, virtualization is possible, and fail-safe backup systems can “live” in any corporate office, making redundancy much less expensive for enterprises.

The IPSec and SSL protocols are another area of contention around VPN technology. IPSec VPNs have traditionally had large management and administrative overheads associated with them, as they have relied on the manual installation of software agents on each device. SSL VPNs can be limited in their capabilities for achieving full remote access and may not work as well with complex applications. On the upside, a new generation of IPSec VPNs has streamlined the management headaches and automated the administration and maintenance of hybrid IPSec and SSL VPNs through a single point of administration.

Achieving the bottom line
There is no one best implementation for all situations. Performance, scalability, compatibility and central management are just a few of the criteria organizations should check off their list before selecting a secure remote network access solution. Not all VPNs are created equal; every market choice has its advantages and disadvantages, depending on each enterprise’s individual security requirements and the mobility scenario it is used to support.
