The great VPN debate

 

Connecting state and local government leaders

The saga of the Labor Department's attempt to outfit Mine Safety and Health Administration employees with remote access through virtual private networks serves as a minihistory of the technology.

The saga of the Labor Department's attempt to outfit Mine Safety and Health Administration employees with remote access through virtual private networks serves as a minihistory of the technology. In 2003, the agency tried VPNs based on the most popular technology of the time: Internet Protocol Security, which essentially provides a direct pipe to the agency network. But administrators got bogged down in tech support. IPSec requires installing a tricky-to-configure program on every remote machine. Plus, firewall and other network conflicts can mean help desk nightmares.The following year, the agency moved to Secure Sockets Layer VPNs. Touted as IPSec's heir apparent, SSL VPNs employ Web browser technology that requires little or no client software. The agency installed SSL VPN appliances from Juniper Networks and by spring 2005 had 2,200 employees using remote access'and a huge drop in service calls.Many agencies, if they have not already done so, will soon face the issue of what technology they should use to connect remote workers. While the push for more telecommuting by federal employees is a major driver of VPN demand, experts also cite strong interest from agencies implementing disaster recovery plans.'A lot of governments feel they need to have fail-safes in place so that if up to 75 percent of the employees have to work at home, they will be able to handle that spike,' said Robert Whiteley, senior analyst at Forrester Research.In fact, VPN sales are skyrocketing across all industries. According to International Data Corp., a market research firm, worldwide sales of just $75 million in 2003 nearly tripled to $200 million the following year and were estimated to close out 2005 at $325 million.In a nutshell, a VPN is a way to link network nodes over the public Internet while keeping the connection private, using encryption and other security techniques.Here's the critical difference between the two main technologies: IPSec essentially opens a fully functioning pipeline directly to the internal LAN, while SSL provides access to a select group of applications.'IPSec is like an extension of your LAN,' Whiteley said. 'It's a Layer 3 pipe, and pretty much every application will run over it. SSL sits above that, in Layer 4 or 5, so it doesn't necessarily work with all applications.' Still, SSL vendors have found ways around these limitations, Whiteley said.In practice, the difference in client-side software means IPSec may be preferable for securely linking two computers in different locations, called a site-to-site VPN. IPSec proponents also say it is superior for transferring large files.With its simple setup, SSL is generally better for quickly activating large numbers of remote users, even on an ad hoc basis.'IPSec VPNs are the clear choice when you have two dedicated endpoints,' said Tim Simmons, product marketing manager at Citrix Systems, a maker of SSL VPN appliances and remote-access servers for the Defense Department and other large agencies. 'SSL VPNs really excel at the connections to multiple unknown clients.' Several SSL-oriented vendors say they invested in the technology precisely to help organizations avoid problems they had getting IPSec to traverse network address translation and firewalls.Going forward, though, IPSec and SSL may start to look more alike. It used to be safe to say that SSL required no special client software. But SSL VPN vendors have been adding features that require small Active X or Java applets to be downloaded on the remote device'and sometimes they use IPSec for the download. 'Everybody is moving toward full VPN clients,' Simmons said. 'SSL VPNs are starting to look a lot like IPSec VPNs.''The problem is not having a client on the endpoint, per se, it's 'How do you get that client to the endpoint?' ' said Niv Hanigal, product manager for Juniper. Hanigal said users of Juniper VPNs don't have to worry about software. 'They go to the Web site to log in, and in the background, something's being downloaded,' he said. 'It's usually only 500K.'It's not always an either/or choice between IPSec and SSL. A few vendors, among them CheckPoint, Cisco and Nortel, offer hybrids, giving remote users more connection choices. Some SSL vendors rely on IPSec to provide client/server access or to string SSL appliances together. And several companies offer various flavors of VPN to meet agencies' unique requirements.While all VPN products support a slew of government-endorsed encryption schemes, such as Advanced Encryption Standard and Triple Data Encryption Standard, those meeting the most stringent standards go through testing overseen by the National Institute of Standards and Technology to achieve certification for Federal Information Processing Standard 140-2. A few are now also being certified under Common Criteria encryption and authentication testing by the National Information Assurance Program, a NIST partnership with the National Security Agency.As a full network connection, IPSec is more open to exploitation by hackers, especially through underprotected remote machines, according to John Girard, an analyst for Gartner Inc. of Stamford, Conn., who wrote a 2005 analysis of the competing technologies. Because IPSec doesn't force strong authentication, it is accessible through a simple user name and password, increasing the chance of break-ins, Girard said.But SSL is not without dangers. Thanks to widespread deployment, the total risk from the sheer number of unmanaged PCs is greater. It's a sentiment shared by Sonny Gutierrez, LAN/WAN security specialist at CDW Government, which sells both types of VPN products. 'You can sleep easy at night knowing you're running IPSec tunnels instead of SSL,' Gutierrez said. 'IPSec technology is basically built into every firewall.'Girard recommends that organizations establish policies to restrict SSL VPN use. Indeed, products geared to large enterprises, such as those from Aventail, F5 and Juniper, enhance security with administrative software. 'We really allow the administrator to control specific applications on a particular user's device,' said Chris Witeck, Aventail's director of product management. 'You're not really authorizing a user to access your network, you're letting them access specific resources.'Enterprise class VPN products also perform endpoint analysis (also called integrity checking), which tests the remote client for firewalls, antivirus programs, the latest patches, and other requirements specified in an agency's security policy. Such VPNs can limit access to certain applications or move them to a quarantined LAN. As an SSL VPN feature, this capability is especially useful for employees who access VPNs from shared machines, such as airport kiosks and public library terminals. In such situations, SSL VPNs may default to the most basic capabilities supportable in a browser, such as checking e-mail stored on an agency server or browsing the Web. The more advanced endpoint analysis programs will automatically shut down a VPN session if they detect, for example, that the user has turned off the antivirus program.VPN log-ins are also a good way to beef up security on employees accessing the wired LAN from inside.'Since the perimeter is going away, you have to look at access control not just for people coming in, but also contractors and partners who are sitting on the inside,' said Sanjay Uppal, executive vice president of product management at Caymas Systems. 'You could PKI-enable all applications, but that is going to be prohibitively expensive.'Most VPN products are sold as appliances: thin network boxes connected through Ethernet ports. Some come as upgrade boards that fit inside routers and switches.VPN boxes can sit in a network's demilitarized zone'behind the firewall, as an extra measure of security'or outside the DMZ.The key feature to look for is the maximum number of concurrent users'the best measure of scalability. Small-office systems top out at a few dozen, while enterprise systems reach several thousand. Some of the highest-capacity appliances also add reliability features that can prevent failures, such as redundant, hot-swappable drives and power supplies. They can also be clustered to expand capacity and improve performance as demand increases, but this can require additional load-balancing hardware.Intrusion detection devices and security information management technology, if not already present, can help guard against attacks coming through the VPN. In fact, many of these products come with VPNs built in.Besides buying hybrid devices, you can mix and match IPSec and SSL devices in the same network, linking their VPNs. 'Crypto is crypto,' said Charles Kolodgy, a research director for IDC of Framingham, Mass., who worked in DOD procurement. 'It's really just being able to create an SSL tunnel to an IPSec tunnel.'Software is the other option. Cranite Systems often pairs its Safe Connect proprietary software-based VPN with its FIPS 140-2-certified WirelessWall wireless security software, said Mike Coop, the company's vice president for consulting engineering. 'It prevents the Windows stack from being attacked externally,' he said. Blue Coat and Portwise also sell software VPN and other remote-access solutions.Software VPNs can drain server CPU performance, but they provide the greatest platform flexibility. 'The reason you go to software is if you want to use your own hardware model,' said Zeus Kerravala, vice president of enterprise research at Yankee Group Research of Boston.Of all the options, appliances are the most expensive'Caymas, for example, charges $15,000-$55,000 for its most popular models for government'followed by add-in cards, then software, said Whiteley.Gutierrez said many agencies try a limited pilot or deployment before rolling out nationwide. Sometimes, as in the case of the Labor Department, trial and error helps underscore the difference between the main VPN technologies'and leads you to the one that works best for you.

RFP CHECKLIST: VPN

Setting up a new virtual private network? Experts recommend the following steps in preparing a request for proposals for VPN gear.

  • Provide vendors a list of the applications, operating systems and client hardware that you need to run. Claims of application compatibility can exceed reality, and some software runs too slowly. Ask the vendor what methods they use to ensure interoperability with your applications.


  • Get the numbers that will tell you if a VPN device can handle your expected workload: concurrent users and throughput in megabits per second (Mbps).
    n Be sure the VPN supports your existing authentication protocols. If you're planning to upgrade, look for VPN support of strong authentication technologies such as RSA's SecurID.


  • If your agency plans a move toward IPv6, the next-generation Internet Protocol, make sure the VPN device supports it, is upgradeable through software or works with a separate network box that handles translations with the more widely available current protocol, IPv4.


  • Inquire into the product's ability to support your multimedia applications, especially multicast video that goes out simultaneously to remote users.


  • Make sure a router or switch has enough spare slots for the VPN cards you'll need to handle both your internal and external networks.


  • Voice over IP is best run on VPN devices that explicitly support quality of service features such as prioritization of voice traffic. Network latency times on the VPN should not exceed your VOIP latency requirements. Also look for bidirectional network connections: PBXs need it to provide features such as callback to IP-based 'soft' phones that run on desktop PCs.


  • Don't take Web browser compatibility for granted. Some VPNs are only guaranteed to work with Microsoft Internet Explorer and have limited support for alternatives such as Mozilla Firefox and Netscape.


  • When taking bids from integrators, ask whether their authentication schemes require end-user hardware, such as smart cards. If you already have authentication hardware, make sure the VPN vendor or integrator supports it.


  • Check for compatibility with desktop security suites, which are notoriously quirky about accommodating new networked applications over the Internet. Users might be unable to run the VPN or worse, they might open security breaches by shutting off firewalls or antivirus programs to get the VPN to run.


  • Request a detailed breakdown of the security features of the VPN appliance itself. Ask how it's hardened against attacks and how it discovers and addresses vulnerabilities.










  • Pros and cons



















    Security profiles




















    Guard against attacks













    David Essex is a freelance technology writer based in Antrim, N.H.
    X
    This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
    Accept Cookies
    X
    Cookie Preferences Cookie List

    Do Not Sell My Personal Information

    When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

    Allow All Cookies

    Manage Consent Preferences

    Strictly Necessary Cookies - Always Active

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data, Targeting & Social Media Cookies

    Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

    If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

    Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

    Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

    If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

    Save Settings
    Cookie Preferences Cookie List

    Cookie List

    A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

    Strictly Necessary Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Functional Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Performance Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Social Media Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Targeting Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.