Decision Maker

Are You Ready for the Always-On VPN?

• By Don Jones
• 07/01/2012

The classic Virtual Private Network (VPN) is an enormous waste of time. It's abusive to users, requiring several steps and, sometimes, extra passwords to connect. It's a nightmare for IT pros, forcing them to alter management practices for fleets of occasionally connected computers. And the VPN is a red herring for security, adding layers of complexity for little reason other than to make security people feel good.

So why do we still use VPNs? For most of us, they're all we've known.

That small-mindedness is changing, though. Many organizations are slowly phasing out the traditional and clunky IPSec VPN for newer SSL VPNs. Even those are being augmented with a less-obtrusive, always-on approach. Welcome to the modern world, decision maker, where your laptop is always on your LAN -- even when you're out of the office.

Protection for Everyone
Microsoft calls its always-on solution DirectAccess; Cisco offers AnyConnect Secure Mobility. Even tiny LogMeIn supports a small but growing Hamachi product for low-complexity situations. This prevalence of always-on options, at face value, should automatically legitimize the concept.

While different solutions use different approaches, the unifying concept is a clever repurposing of the classic VPN tunnel. Rather than relying on users to initiate connections, the always-on VPN starts automatically as soon as the computer recognizes an Internet connection.

Because that connection happens automatically and transparently, so then must its authentication. That authentication most commonly occurs via the use of computer authentication certificates, although enterprise solutions tend to support a variety of secondary authentication methods. Features built into IPv6 provide another transparent layer in some solutions.

While improving endpoint security is one reason to deploy an always-on VPN, it's far from the only reason. Understanding that value proposition requires getting out of the office. With a laptop configured for always-on access, try this: Go to your nearest Starbucks, order a latte, power on your laptop and begin working. You'll find that every application functions no different than if you were drinking coffee in your office. That's because every application is already on your LAN. Outlook just works, as do line-of-business applications. Windows updates and Group Policies simply get deployed. Connecting to file servers happens by regular UNC path. Even iTunes connects to any shared libraries.

Admittedly, the experience might be a touch slower. That depends on how many of your fellow Starbucks customers are consuming bandwidth. What's important to recognize is the consistent experience no matter where you are.

Factors to Consider
Deploying an always-on VPN with today's enterprise products isn't for the faint of heart. Microsoft DirectAccess leans heavily on IPv6 in combination with a dizzying array of certificates and encapsulation protocols. It also supports only Windows 7. Rumors suggest that its implementation process will get easier in the next OS version. The Cisco product supports a wider client base, but requires an investment in hardware. LogMeIn Hamachi is ridiculously easy to deploy, but isn't designed for large-scale usage.

Notwithstanding what solution you implement, IT's networking future appears to be dissolving the former walls surrounding the datacenter. These products are compelling. Start looking at them now, because I can absolutely guarantee that your competition is doing the same.