VPN Concentrators: A Must for Small Business

You may not have heard of them, but VPN concentrators can help you properly secure your virtual private network.

We're all network gurus, right? We were connecting routers and cables and networks long before all these fancy devices came out to make it easy. Yet when my business partner threw out the term "VPN concentrator" recently, I was at a loss. Fascinated, I asked him to back up and explain what he was talking about. The concept was simple enough. I just couldn't believe I had missed it.

Remember the days of dial-up modems and users connecting to NT 4.0 servers using Remote Access Service (RAS) through a dial-up connection? Combining multiple modems in a multilink helped increase bandwidth. It seems so long ago, but it has only been about 10 years. Now you can create a secure connection -- a virtual private network (VPN) -- with which users can dial in to their ISP from anywhere and access their organization's network through a protocol tunnel that enhances security.

There's a greater need than ever for increased security over VPNs. Small businesses usually have a limited amount of funds or IT expertise, but that doesn't mean they can ignore the need to secure their VPNs properly. A VPN concentrator can help.

Leaving the Door Open
Consider the situation my business partner explained to me as he schooled me in the ways of VPN concentrators.

"One of our clients was using Windows Routing and Remote Access in order to access their network from home. This was providing a free VPN they accessed using Remote Desktop from anywhere with a Web connection," he said. "The problem this presented was that it left a domain controller wide open to the Internet.

"Anyone that happened to come across that IP address was free to try their best to guess a password, or bypass the small amount of security that did exist," he continued.

Obviously, they needed a new solution. But money was a major concern, as was ease of use for all their employees. Their best option seemed to be to install a VPN router and VPN client software. This is an excellent and cost-effective approach to this type of situation, depending on the type of clients being managed.
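
One way a defender could confirm the exposure described above is to look for bursts of failed logons from Internet addresses in the exposed server's security log. This is an added example, not part of the original article; the CSV export layout, the sample lines, the threshold and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "inside"; anything else counts as an Internet source.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (assumed layout): time, event ID, account, source address.
# Event ID 4625 is the Windows "failed logon" event; 4624 is a successful logon.
SAMPLE_LOG = """\
2008-05-06T02:14:01,4625,administrator,203.0.113.45
2008-05-06T02:14:09,4625,admin,203.0.113.45
2008-05-06T02:14:17,4625,backup,203.0.113.45
2008-05-06T02:14:26,4625,administrator,203.0.113.45
2008-05-06T02:14:33,4625,jsmith,203.0.113.45
2008-05-06T08:01:12,4625,jsmith,192.168.1.23
2008-05-06T08:01:40,4624,jsmith,192.168.1.23
2008-05-06T09:30:05,4625,mlee,198.51.100.7
2008-05-06T09:30:31,4624,mlee,198.51.100.7
"""

def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def find_guessing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted accounts tried} for external sources with at
    least `threshold` failed logons inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, event_id, account, src in csv.reader(io.StringIO(log_text)):
        if event_id == "4625" and is_external(src):
            failures[src].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({acct for _, acct in events})
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in find_guessing(SAMPLE_LOG).items():
        print(f"{src}: repeated failed logons for {accounts}")
```

A single mistyped password from a remote employee (the 198.51.100.7 lines) stays below the threshold, while the burst against several account names from one address is flagged.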

Options Galore
When considering a VPN concentrator, we first had to assess the needs of the users. Were we talking about stationary users needing to access a VPN from their home office PC? Were they sales or support people who are constantly traveling? What would happen if they were in a facility where a traditional IPSec connection wasn't permitted to pass through the firewall? (Surprisingly, more than a few popular hotspots don't enable VPN pass-through.) This is where the VPN concentrator really rises to the occasion.

On the higher end, you have appliances with multiple features like firewall support, high availability, high performance and scalability. The Netgear ProSafe SSL VPN Concentrator -- currently selling for about $350 -- is one of the more affordable choices. ProSafe allows for 25 concurrent tunnels and is tailored for small to midsize businesses.

You can still use a traditional VPN combo device as well. Linksys sells four-port routers with both IPsec and Secure Sockets Layer (SSL)-VPN capabilities for less than $200. These options should help you consider the SSL-VPN concentrator angle.

Through Netgear Inc.'s concentrator, we were able to give the client a Web interface access page into their VPN. This gave them fast, easy-to-use connections. Their users not only had speedy and secure access to their VPN, but when they used a Terminal Services ActiveX or Java client right from their Web browser, they could take control of any computer they had the rights to.

This structure removed the risk of having direct access to any one server on their domain. It was secure, using 128- or 256-bit SSL encryption. There was no need to install anything more than a few ActiveX controls on the client machine.

Let's now consider the real benefit to that. First, many scenarios can make it difficult to access client computers to install VPN client software. If access isn't a problem, what about the time it will take to install and configure this software on each user's computer? Having that software on a machine lets users change their own settings, a process that could otherwise waste hours of support time.

The benefits extend well beyond user convenience. There are real advantages for IT professionals as well. All of this amounts to a cost savings similar to providing an individual copy of "GoToMyPC." Up to 25 employees, depending on the gateway licensing, have this type of access.

Many analysts claim SSL VPNs are going to become more popular than their IPSec counterparts due primarily to their increasing reliability and ease of implementation, all of which lowers the total cost of operation. Keep in mind that you may still need your firewall. You'll place your VPN concentrator behind your firewall (see Figure 1).

Figure 1. A typical VPN concentrator configuration.

Pros and Cons
VPN concentrators typically come in one of two architectures: SSL VPNs and IPSec VPNs. VPN concentrators are ideal when you require a single device to handle a large number of incoming VPN tunnels. Some VPN concentrators only support one protocol or the other. Cisco Systems Inc. and other large vendors support either with their concentrators.

The traditional tunnel for VPNs relies on IPSec, which resides at the network layer of the Open Systems Interconnection (OSI) model. At this level, a client is considered a virtual member of the connected network and can pretty much access the network as if locally connected. This is a positive aspect of IPSec, because applications run without any awareness that the client is coming from outside the network. One drawback, though, is that you have to configure additional security controls to ensure lower risk.

For a client to access an IPSec VPN, you'll have to configure the client-side software. While this adds security, it also means additional cost to implement and additional time and energy spent by tech support. This is what steers many toward an SSL solution.

SSL is already built into most computers by virtue of using a Web browser, so there isn't any additional work to install and configure the client side for an SSL VPN because all the clients already have the software.

Additionally, instead of residing at the network layer and allowing access to all aspects of a network, SSL lets you control access a bit more precisely for Web-enabled applications. You can also establish a finer level of control over other SSL-VPN connections. One negative angle to this is that some applications may give you a problem through an SSL-VPN connection. This is where IPSec trumps SSL.

You'll need to be careful that the apps you use will work through an SSL-VPN client. With a little bit of work, you can Web-enable additional apps, but this adds configuration time and may make SSL an unattractive solution for some. Also, some of your SSL-VPN solutions may not support centralized storage, shared access to resources -- like printers -- or files, and other options that you can achieve through an IPSec connection.

Some also worry about Web caching, and the amount of private information left behind. You'll find that many solutions offer a desktop "sandbox" mode where a user logs in to a protected workspace that leaves behind no residue when they leave. This is the perfect solution for that connection from the Internet café.

The needs and restrictions in every environment are unique. Using SSL-based VPNs does have certain drawbacks. The security is generally weaker than with a typical IPSec VPN. Does the ease of use for your users and relief for your support team outweigh that concern? Only you can answer that question with a thorough review. If you're implementing remote access for the first time, the convenience of configuring an SSL-VPN concentrator will certainly make a strong argument.

Reader Comments:

Wed, Feb 8, 2012 Iz Not Where I'd Like To Be

Sorry, one more comment: I think the visual model could have been a little better by showing other devices that reside behind the firewall. I'm sure to seasoned IT vets it's implied, but showing the exclusivity of the VPN concentrator to VPN traffic while other non-VPN traffic goes to their appropriate devices may help other noobs like me visualize the full picture.

Wed, Feb 8, 2012 Iz Not Where I'd Rather Be

This article was helpful to me because I'm just learning more about IT management. I actually continued reading this to beef up knowledge as I look to get a Sec+ certification. The description of IPsec vs SSL was helpful and something I never really considered. I've used VPNs for personal use and this article shed some light on how they may be used in business applications. The visual model for implementation was helpful to see where the concentrator is physically located. From Sec+ training I gathered that the concentrator is another way of saying "aggregation" of VPN user traffic. From this article I understand further the meaning of preventing access to the domain controller which may be attacked by username/password cracking attempts.

Mon, May 12, 2008 Anonymous Anonymous

Reality check--what network engineer didn't know this? If you didn't, please drive to your nearest Walmart and fill out an application!

Mon, May 12, 2008 Arby Anonymous

Reality check--what network engineer didn't know this? If you didn't, please drive to your nearest Walmart and fill out an application!

Wed, May 7, 2008 Jennine New Jersey

Finally...someone who knows what they are talking about.

Wed, May 7, 2008 MeMuffin NY

Sandbox mode can sure be a pain when you don't realize it's enabled! But it's a good option for extra security. Nice article.

Wed, May 7, 2008 mic lovin Hawaii

This was an awesome read! Now that I found new ways to use my VPN, I'm sure the company will benefit. I'm eagerly awaiting another mind-blowing article from this duo.

Wed, May 7, 2008 Alexis NJ

Great article, well written! I have to look into this...

Wed, May 7, 2008 Stonga NJ

I like my VPN like I like my OJ, CONCENTRATED!

Good article.

Wed, May 7, 2008 Steven NJ

I've been setting these up for quite a while now (anonymous... you set up VPNs and have never looked into a concentrator? Really?). Anyway... nice article, it's a great appliance for any business.

Wed, May 7, 2008 Anonymous Anonymous

That is a nice solution for some clients I have... I've used VPNs forever, but I think this is something we could benefit from more.
