The Wireless Edge: Using VPNs With Wireless Networks
A variety of recent developments have improved VPN usage options with wireless networks, but make sure you choose the right approach based on your usage scenario.
November 30, 2006
I've been involved with multiple projects to assess the use of VPN (virtual private network) technologies over wireless networks. The most recent is pulling content together for a Webcast I'll be doing on December 5 for Cingular Wireless titled "Optimal Use of VPNs Over Cellular Networks." (See http://developer.cingular.com/ for details.) The good news is that an increasing number of effective options result in improved performance, reliability and control. The bad news is that all the options and tradeoffs are complicated.
Two items have driven progress. First, the networks themselves have become much faster, with current 3G networks delivering average speeds of over 500 kbps, and as of the end of 2006, they are fairly widely available. This development has helped networking applications in general, and VPNs specifically, because most VPNs were not designed for wireless and impose tunneling overhead in their additional packet headers. Second, a number of vendors have developed VPNs specifically for mobile operation, and these are now becoming extremely sophisticated with features such as traffic shaping.
Many organizations are already using VPNs for remote access, replacing their dial-up remote-access servers with systems that allow users to simply connect to the Internet from anywhere and then engage in secure (encrypted, authenticated, tamper resistant) sessions. The advantage is that both ends of the connection simply need an Internet connection. Remote users can connect via dial-up to their ISP, DSL, cable modems, Wi-Fi and, increasingly, wide-area wireless such as EV-DO or HSDPA.
There are a number of reasons you would want to use a remote-access VPN with a wireless network. First, you can't depend on the provider encrypting the radio link. Most public Wi-Fi networks operate in the clear. In the cellular world, many networks use encryption, but not all. And even for the networks that use encryption, it is usually to a node in the infrastructure beyond which data passes in the clear. Granted, this may be over a private operator network. But for sensitive data, this might still make you nervous. Most important of all, wireless network connections, be they cellular or public Wi-Fi, generally use the Internet to traverse from the operator network to your organization. By using a remote-access VPN, you can secure the communications on an end-to-end basis, you are not dependent on any of the security features of the underlying networks, and you can deploy a consistent security solution regardless of the access network.
But the question is what kind of VPN to use. There are three main categories, including IPsec VPNs, the ever more popular SSL VPNs and mobile VPNs. We'll quickly look at all three. IPsec VPNs are the workhorses in the industry, and many organizations have deployed them for remote access. They work fine over wireless connections, but they do add protocol overhead, with some 50 bytes per packet. For larger packets, as in a file download, this may not be that noticeable, but chatty applications may operate perceptibly slower. The performance penalty may range anywhere from 5 percent to 30 percent, depending on the type of application. This is less of a factor with 3G networks than 2G networks. Also, VPN sessions are vulnerable to connection loss, which can force users to restart their VPN as well as the applications they were running. In addition, you may need to configure the VPN for NAT traversal by enabling UDP encapsulation. Bottom line: IPsec VPNs work best with stable and fast connections.An increasingly popular option for remote access is to use an SSL VPN, which leverages the Secure Sockets Layer found in most browsers. This allows clientless operation, though it restricts operation to Web-based and file-access applications. However, since many handheld devices have browsers with SSL, this type of VPN makes it relatively easy to support a wide range of mobile devices. Companies like Aventail have also created mobile versions of their SSL VPN products, where the security gateway shows a portal page formatted for small-screen devices and allows users to limit mobile device access to applications and content that make sense for the particular device. With the addition of client code, SSL VPNs can support a wide range of applications. Just make sure client code is available for the device of interest.
Finally, there are mobile VPNs, from companies such as NetMotion Wireless, designed from the ground up to handle the complications of mobile networking. These have become extremely sophisticated and now support a wide range of features, including protocol optimization with compression, session maintenance when you temporarily lose a connection or suspend a device, roaming between different network types such as 3G and Wi-Fi, and new features like traffic shaping that let you prioritize traffic--giving VoIP higher priority over other tasks, for example, and even blocking some applications (such as Windows Automatic Update) when operating on slower connections. NetMotion Wireless announced this capability for its product earlier this month. Almost any wireless application involving frequent use and use while mobile will benefit from a mobile VPN. The tough part is if you have already standardized on an IPsec or SSL VPN for remote access, which means you might need to maintain two separate remote-access solutions.
Between improving VPN choices and faster wireless networks, using VPNs for wireless remote access has never worked better. Just make sure you use the right one for your situation.
Peter Rysavy is the president of Rysavy Research (http://www.rysavy.com/), a consulting firm that specializes in wireless technology assessment and integration.
You May Also Like