Gateway To Security

A VPN gateway provides three essentials for your data: authentication, confidentiality and integrity. We show you what to look for in an enterprise-class device.

February 11, 2005


How It Works

An IPsec VPN works at Layer 3 of the OSI model, so every layer above it benefits from the protection automatically. Unlike HTTPS, IMAP over SSL, SSH or a SOCKS proxy, each of which secures a single application or protocol, a network-layer VPN carries every application's traffic without modification or protocol-specific support.

When selecting a VPN device, consider these four factors: supported protocols, supported platforms, speed and price.

To identify the protocol support you need, first determine whether you'll be using LAN-to-LAN or remote-access capabilities. A LAN-to-LAN VPN connects two networks over a WAN link or Internet connection. Data is encrypted from one VPN device to its peer, not from endpoint to endpoint, so traffic is in the clear on the LAN at either end; this design works only when both networks are trusted. A LAN-to-LAN VPN offers high performance, simple configuration and easy maintenance. Most LAN-to-LAN VPNs use IPsec: ESP provides confidentiality and integrity, with 3DES or AES for encryption, and IKE (Internet Key Exchange) handles peer authentication, session setup and key exchange. This configuration normally requires static IP addresses on both gateways, because each side is configured with its peer's address and, with IKE main mode and pre-shared keys, identifies the peer by that address. Some vendors have added proprietary protocols to cope with dynamic IPs in a LAN-to-LAN environment, but there is no standard for this.

A remote-access VPN is more of a challenge. Standard IPsec doesn't fit this environment well: remote users' addresses are dynamic and usually sit behind NAT, which plain ESP doesn't survive, and IKE version 1 has no standard way to push an address, DNS servers or user-level authentication to a client. IKEv2, the successor to IKE, is meant to address this, but at this writing it is still a draft; until it is standardized and shipped, you must install the vendor's IPsec client, which layers extensions such as NAT traversal, XAUTH user authentication and mode configuration on IKEv1. Of these only NAT traversal is a standard, so custom clients don't interoperate well, if at all. And though most remote-access VPN gateways also do LAN-to-LAN, the reverse isn't true.

An SSL VPN, a relative newcomer, is an alternative to a custom program for remote access. These VPNs use a standard Web browser--usually Internet Explorer for Windows--and HTTPS to communicate. Because these products don't require a dedicated client program, the VPN can be reached from just about any machine with a browser.

There are downsides to SSL VPNs: They often require specific browsers, plug-ins, ActiveX controls or Java applets. Internal hosts must be reached by DNS name, not by IP address. And non-Web applications are reachable only through a local proxy listener, a port forwarder the gateway pushes to the browser, so the SSL method requires a little more training than IPsec.

All-In-One Fun

An all-in-one security appliance--a VPN device with firewall, antivirus filtering, IDS and a number of trendy security functions--promises simplicity, consolidated management, less hardware and potential cost savings. But be forewarned: VPNs require heavy computational power for bulk encryption, and SSL VPNs add the public-key operations of a TLS handshake for every session. Dedicated encryption accelerator cards can help, but it's easy to overtax an all-in-one system.

Unfortunately, there's no hard-and-fast rule for choosing between a dedicated box and a consolidated appliance, but benchmark scores are useful. Make sure the test includes small packet sizes and the full feature set. Eager vendors will show tests with only 1,400-byte packets, or turn off all content inspection except the VPN itself when benchmarking. Per-packet costs (header processing, the fixed ESP and IP overhead, the HMAC) dominate at small sizes, so a device that is really bound by packets per second posts a much lower figure at 64 bytes than at 1,400. In general, the more throughput you need, the more likely you'll need a dedicated box.
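The two points above, the fixed per-packet framing that IPsec adds and why a packets-per-second-bound gateway benchmarks so much better at 1,400 bytes than at 64, are easy to see with arithmetic. The following is an added example, not code from the article or any vendor: it computes the on-the-wire size of an ESP tunnel-mode packet for AES-CBC or 3DES-CBC with a 96-bit HMAC (standard ESP framing, assuming no NAT-T unless requested), the largest inner packet that fits a given MTU, and the goodput of a hypothetical gateway capped at an assumed packets-per-second rate.

```python
"""ESP tunnel-mode overhead and packets-per-second-bound throughput.

Added example (not from the original article). It models the per-packet
overhead of IPsec ESP in tunnel mode with AES-CBC or 3DES-CBC plus a 96-bit
HMAC, then shows why a gateway that is limited by packets per second (pps)
benchmarks far better with 1,400-byte packets than with 64-byte ones.
The pps figure used in __main__ is an assumption for illustration.
"""

IPV4_HEADER = 20   # outer IP header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted region
ICV_96 = 12        # truncated HMAC-SHA1-96 / HMAC-MD5-96 integrity check value
UDP_HEADER = 8     # NAT traversal (RFC 3948) UDP encapsulation, if enabled

# CBC ciphers: the IV length equals the block size.
CIPHERS = {"aes-cbc": 16, "3des-cbc": 8}


def esp_tunnel_size(inner_packet: int, cipher: str = "aes-cbc", nat_t: bool = False) -> int:
    """Bytes on the wire for one ESP tunnel-mode packet carrying an inner IP
    packet of `inner_packet` bytes."""
    block = CIPHERS[cipher]
    # Everything from the inner packet through the ESP trailer is padded up
    # to a multiple of the cipher block size before encryption.
    plaintext = inner_packet + ESP_TRAILER
    encrypted = plaintext + (-plaintext) % block
    size = IPV4_HEADER + ESP_HEADER + block + encrypted + ICV_96  # `block` bytes of IV
    return size + UDP_HEADER if nat_t else size


def payload_efficiency(inner_packet: int, cipher: str = "aes-cbc", nat_t: bool = False) -> float:
    """Fraction of wire bytes that are the user's inner packet."""
    return inner_packet / esp_tunnel_size(inner_packet, cipher, nat_t)


def max_inner_for_mtu(mtu: int, cipher: str = "aes-cbc", nat_t: bool = False) -> int:
    """Largest inner IP packet that fits the outer MTU without fragmentation."""
    block = CIPHERS[cipher]
    fixed = IPV4_HEADER + ESP_HEADER + block + ICV_96 + (UDP_HEADER if nat_t else 0)
    encrypted = ((mtu - fixed) // block) * block
    return encrypted - ESP_TRAILER


def goodput_mbps(pps_limit: int, inner_packet: int) -> float:
    """Inner-packet bits delivered per second, in Mbit/s, when the gateway
    can encrypt at most `pps_limit` packets per second."""
    return pps_limit * inner_packet * 8 / 1e6


def benchmark_table(pps_limit: int, sizes=(64, 128, 512, 1400), cipher: str = "aes-cbc"):
    """Rows of (inner size, wire size, efficiency, goodput Mbit/s) for a
    pps-bound gateway, so vendor figures can be compared size by size."""
    return [
        (s, esp_tunnel_size(s, cipher), round(payload_efficiency(s, cipher), 3),
         round(goodput_mbps(pps_limit, s), 1))
        for s in sizes
    ]


if __name__ == "__main__":
    # Assumed gateway: 100,000 packets per second regardless of packet size.
    for row in benchmark_table(100_000):
        print("inner %5d B  wire %5d B  efficiency %.3f  goodput %8.1f Mbit/s" % row)
    print("largest inner packet for a 1500-byte MTU (AES-CBC):", max_inner_for_mtu(1500))
```

For the assumed 100,000 pps gateway the table shows about 51 Mbit/s at 64-byte packets against 1,120 Mbit/s at 1,400-byte packets, which is the gap a 1,400-byte-only benchmark hides. The MTU function is the other practical check: with AES-CBC a full 1,500-byte inner packet becomes 1,560 bytes on the wire and fragments, so clamp the tunnel MTU (1,438 bytes here) or MSS accordingly.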

Just about every vendor supports Windows 98 or later. Windows 2000 and XP include built-in L2TP/IPsec and PPTP clients, but no native client for the IPsec tunnel-mode remote access that most gateways expect. Some vendors support Macintosh, Linux, various Unix systems and handhelds; for other platforms you may need a higher-priced third-party IPsec client.

Ultimately, you'll find a limited selection of remote-access IPsec clients. Some VPN vendors partner with third-party developers to offer firewall, antivirus or intrusion-detection capabilities with the VPN client for a slightly higher price. When an organization uses both antivirus and firewalling, bundling client-side security into one package is less expensive than ordering à la carte and may offer better centralized management.

Advanced Features

Some products let you set policies and configurations based on the user's group membership. Others include client policy enforcement or verification. Products that tie authentication into Active Directory, RADIUS or LDAP servers simplify your life: instead of maintaining a separate set of VPN passwords, users sign in with their network passwords.
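When a gateway hands authentication to RADIUS, the exchange below is what actually crosses the wire between the gateway (the RADIUS client, or NAS) and the server. This is an added example, not code from the article or from any product: it builds a RADIUS Access-Request carrying User-Name, User-Password and NAS-IP-Address attributes per RFC 2865, applies the standard MD5-based password obfuscation, and performs the server-side reversal. The user name, password, shared secret and NAS address are constructed sample values.

```python
"""RADIUS Access-Request with PAP User-Password obfuscation (RFC 2865).

Added example (not from the original article). It shows the packet a VPN
gateway (the RADIUS client, or NAS) sends to verify a remote user's network
password, and the reverse operation the RADIUS server performs. The user name,
password, shared secret and NAS address are constructed sample values.
"""
import hashlib
import ipaddress
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def _xor_chain(secret: bytes, authenticator: bytes, data: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: b1 = MD5(secret + authenticator), c1 = p1 XOR b1,
    then b_i = MD5(secret + c_(i-1)), c_i = p_i XOR b_i over 16-byte blocks."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block  # always chain on the ciphertext block
    return bytes(out)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad the password with NULs to a multiple of 16 and obfuscate."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(secret, authenticator, padded, decrypt=False)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the obfuscation and strip the NUL padding."""
    if not encoded or len(encoded) % 16:
        raise ValueError("malformed User-Password attribute")
    return _xor_chain(secret, authenticator, encoded, decrypt=True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """What the VPN gateway sends. The Request Authenticator must be fresh and
    unpredictable for every request; it is the only randomness in the scheme."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, username)
        + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    )
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS server does before comparing against its user store."""
    _, _, authenticator, attrs = parse_packet(packet)
    return decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed sample secret
    pkt = build_access_request(42, b"alice", b"s3cret-pw", secret, "192.0.2.10")
    print(pkt.hex())
    print(server_recover_password(pkt, secret))
```

The security point the code makes visible: the user's network password is protected in transit only by an MD5 keystream derived from the shared secret and a 16-byte authenticator, not by real encryption. Use a long random shared secret, keep the gateway-to-RADIUS path on a protected segment or inside IPsec, and make sure the gateway generates a fresh authenticator per request; a reused or predictable authenticator leaks keystream across requests.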

As far as features go, QoS (quality of service) and rate shaping are essential. They let you dictate a minimum and maximum amount of bandwidth available to each user. Without them, users connecting by broadband or across high-speed WANs can easily starve dial-up users of bandwidth. QoS controls also let you set bandwidth and priority rankings for particular protocols, so time-sensitive traffic such as voice over IP and video can receive the highest priority.
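The starvation described above, and the effect of a per-user maximum, can be shown with a small simulation. This is an added example, not code from the article or from any product: a token-bucket policer (the usual building block for a per-user bandwidth cap) is applied to a broadband user sharing an assumed 256 kbit/s gateway uplink with a dial-up user. It models only the maximum-bandwidth side of QoS; guaranteeing a minimum takes a scheduler and is not shown. All rates, the link size and the bucket depth are constructed assumptions.

```python
"""Per-user rate shaping with a token bucket, and the starvation it prevents.

Added example (not from the original article). A fluid simulation of two
remote users, one on broadband and one on dial-up, sharing a VPN gateway's
uplink. Without a per-user cap the broadband user's offered load swamps the
dial-up user; with a token-bucket cap on the broadband user the dial-up user
keeps its full rate. All rates and the link size are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic policer: tokens accrue at `rate_bps` up to `burst_bits`; a user
    may send only as many bits as there are tokens."""
    rate_bps: float
    burst_bits: float

    def __post_init__(self):
        self.tokens = self.burst_bits
        self.last = 0.0

    def take(self, now: float, bits: float) -> float:
        """Admit up to `bits` at time `now`; return the admitted amount."""
        self.tokens = min(self.burst_bits, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        admitted = min(bits, self.tokens)
        self.tokens -= admitted
        return admitted


def simulate(offered_bps: dict, link_bps: float, caps: dict = None,
             duration: float = 1.0, dt: float = 0.01) -> dict:
    """Return delivered bit/s per user. `caps` maps user -> TokenBucket; users
    without a bucket are unshaped. The link is a plain FIFO: on overload each
    user gets a share proportional to what it offered (no QoS at all)."""
    caps = caps or {}
    delivered = {user: 0.0 for user in offered_bps}
    capacity = link_bps * dt
    for step in range(int(round(duration / dt))):
        now = step * dt
        admitted = {}
        for user, bps in offered_bps.items():
            bits = bps * dt
            admitted[user] = caps[user].take(now, bits) if user in caps else bits
        total = sum(admitted.values())
        scale = 1.0 if total <= capacity else capacity / total
        for user, bits in admitted.items():
            delivered[user] += bits * scale
    return {user: bits / duration for user, bits in delivered.items()}


# Constructed scenario: what each user tries to push through the gateway.
OFFERED = {"broadband": 10_000_000.0, "dialup": 50_000.0}  # bit/s
LINK_BPS = 256_000.0                                        # gateway uplink, bit/s


def unshaped() -> dict:
    """No QoS: the broadband user takes almost the whole link."""
    return simulate(OFFERED, LINK_BPS)


def shaped(broadband_cap_bps: float = 200_000.0) -> dict:
    """Cap the broadband user at 200 kbit/s with a 100 ms burst allowance."""
    cap = TokenBucket(rate_bps=broadband_cap_bps, burst_bits=broadband_cap_bps * 0.1)
    return simulate(OFFERED, LINK_BPS, caps={"broadband": cap})


if __name__ == "__main__":
    print("no QoS:       ", {u: round(v) for u, v in unshaped().items()})
    print("broadband cap:", {u: round(v) for u, v in shaped().items()})
```

Uncapped, the dial-up user ends up with roughly 1.3 kbit/s of its 50 kbit/s; with the broadband user policed to 200 kbit/s the dial-up user gets essentially all of it. The bucket depth is the knob that trades burst tolerance against fairness: the first 100 ms burst in the shaped run is the only interval where the dial-up user loses anything.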

Failover and load balancing are also a concern for network designers: Remote users don't like being shut out of the corporate LAN. The three parts that can be failed over are the power supplies, the crypto cards and the entire VPN box. VPN vendors often sell additional crypto accelerator cards. Each new card increases the number of sessions or the throughput a box can handle, and if one card fails or is removed, the box keeps working at reduced capacity. If you can't bear the risk of a total system failure, in which every VPN user is kicked off the network for a significant period of time, you must fail over to a separate VPN device.

This functionality comes at a premium price. Stateful failover, which lets sessions carry over, is more expensive than stateless failover, during which all sessions going through that device will be dropped and all connections and file transfers abort.

If a VPN is set up properly from the get-go, it comes close to an install-it-and-forget-it technology. Once a system has been installed and verified to be working, it should require little maintenance beyond firmware updates and periodic rotation of pre-shared keys or certificates. Because they integrate with existing authentication systems, offer simple configuration parameters and provide ever-increasing throughput, VPNs are a simple and affordable way to enhance your network security.

Michael J. DeMaria is a technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at [email protected].
