VPN software is not created equal
With IP Security VPNs established as a preferred method of remote access, businesses now must weigh an array of options that can make deploying and managing these VPNs less daunting.Optional features range from automatic installation of VPN client software to policy checkers that deny VPN access if personal firewalls aren't turned on and configured properly. The features differ among VPN client software, so customers have to shop carefully.
Remote-access VPNs call for single PCs and laptops to connect to the Internet and establish a VPN tunnel with centrally located VPN concentrators, an architecture that presents two main challenges: first, how to distribute and manage software on a large numbers of remote machines with minimal manpower; second, how to ensure that these machines don't threaten the security of the corporate network.
In the early days of VPNs, these clients weren't deployed in large enough numbers to make distributing and updating them a problem. But today, for large, remote-access VPN deployments, automated distribution and configuration tools are a must, says Larry Bolick, CIO of Aquent, a Boston IT consulting firm that uses Nortel Contivity VPN equipment. Otherwise, updates and policy changes would become too unwieldy to handle, he says.
Most vendors have solved the problem with downloadable software that installs itself so end users can handle it without IT assistance. "The help desk gives them the password to install, and after that, it's all silent and automated," says Gary Gatten, senior network engineer for LabOne, a medical testing firm in Lenexa, Kan., that uses Avaya VPN products.
Once remote-access VPN clients are up and running, policies control the use of their IPSec tunnels. The policies also dictate a variety of parameters such as the VPN concentrators to which they can connect and what level of encryption to use. The clients also must be informed of the removal or addition of new devices to the network.
To handle this task efficiently, Check Point, Cisco, NetScreen Technologies and others offer policy servers that update clients with new policies that have been added since the last time the client machine logged on. These servers can store multiple policies for different groups or individuals. In addition to keeping policies current, this arrangement means no policy remains on the client machine when the VPN connection is severed. This eliminates the security risk that the information would pose if the machine were stolen, Gatten says.
This type of auto-update feature is important because it keeps end users out of the equation when it comes to updating policies, says Zeus Kerravala, an analyst with The Yankee Group. Users might put off retrieving updates, especially if they tie into the VPN over slow connections. "No matter how simple you make a client, if it interfaces with an end user, you are going to have problems," Kerravala says.
Dents in the armorEven with current policies in place, remote PCs can become chinks in the armor of a corporate network, so many VPN vendors are bundling personal firewalls with their client software to block hackers from using a remote machine as a backdoor to the corporate network, says Dave Kosiur, an analyst with Burton Group. But installing the firewall is no guarantee they are being used, so automatic scanning of remote machines for properly configured firewalls is also important, he says. The same is true for virus-scanning software that also is becoming part of VPN client bundles.
The VPN client should support the policy server's verification that this additional security software is turned on and that the correct version is running before allowing a VPN session. This compliance check is important not only within a business, but also in dealings with clients and partners, Aquent's Bolick says.
In addition to firewalls and virus scanning, vendors are including security elements such as intrusion detection and content filtering. "You want to embed as many of these security features as possible in the client," Kerravala says. Having them all integrated - something no vendor has done yet - would make enforcement of corporate policies easier, Gatten says. LabOne keeps strict tabs on what Internet sites employees visit, so content filtering in conjunction with the VPN client would simplify monitoring. "That would be ideal," Gatten says.
Another way to secure remote machines is via a feature called split tunneling. Split-tunneling technology lets a remote machine connect to a VPN at the same time it connects to other sites on the Internet without compromising the secure tunnel.
That way general Internet traffic does not have to be shuttled through the VPN then onto the Internet via the Internet connection at the central site. This is attractive because it reduces the amount of traffic flowing through the central site, but at the same time, it isolates the VPN traffic from general Internet traffic, Gatten says.
"It lets you protect your endpoint," says Lawrence Pingree, global network security architect for PeopleSoft.
Turning off split tunneling can simplify enforcement of corporate restrictions on Internet use, Gatten says. If all Internet traffic is forced through the central site, it is easier to log, he says. But he also can appreciate Pingree's argument. "It's great to have the option either way," he says.
Crossing firewallsIn addition, Kosiur says users should look for clients to encapsulate VPN traffic inside protocols that can cross firewalls easily. "This is important to roaming users who might want to create a connection from behind a hotel firewall or different company's firewall," Pingree says.
If VPN traffic passes through a device - typically a firewall - that changes its header source address, the device that is supposed to receive it will reject it because of the alterations. To get around this, vendors wrap IPSec packets in some other protocol that easily passes through the device that translated the address. When it arrives at the destination the outer packet is stripped off and the IPSec payload can be decrypted.
Without this capability, firewalls effectively can block tunnels from being established. Check Point uses User Datagram Protocol (UDP) encapsulation and can adopt it on the fly when it encounters a device that would disrupt a VPN tunnel, Kosiur says. Major VPN vendors such as Cisco, Nortel, Enterasys Networks and NetScreen do this in one form or another as well.
In addition to working from behind firewalls, it is desirable for clients to work with gateways made by other vendors, according to Kerravala. "If you have to deliver results to a business partner, it's really handy to make a VPN connection with whatever they have at the other end," Gatten says.
And when companies merge, such interoperability can remove some of the pain and expense of merging networks. "If you're in that world where you're acquiring companies with installed infrastructure, you're not going to want to take out a $50,000 gateway because it was made by somebody else," Gatten says.
Because most vendors follow the IPSec set of standards, their VPN gear can be configured to interoperate at some level with other vendors' equipment, Kerravala says. This is good because it lets businesses create heterogeneous networks that don't rely on a single vendor, he says.
While all vendors don't have all features, they constantly add more to stay competitive. "They're all playing catch-up with each other," Kosiur says.
They also face a threat from outside the IPSec arena from Secure Sockets Layer (SSL) remote-access vendors that use standard browsers as remote clients, a simpler and satisfactory means of meeting many remote access needs, Kerravala says. And, he notes, the SSL option costs half as much.
Read more about security in Network World's Security section.