VPN Concentrators: A Must for Small Business
You may not have heard of them, but VPN concentrators can help you properly secure your virtual private network.
We're all network gurus, right? We were connecting routers and cables and networks long before all these fancy devices came out to make it easy. Yet when my business partner threw out the term "VPN concentrator" recently, I was at a loss. Fascinated, I asked him to back up and explain what he was talking about. The concept was simple enough. I just couldn't believe I had missed it.
Remember the days of dial-up modems and users connecting to NT 4.0 servers using Remote Access Service (RAS) through a dial-up connection? Combining multiple modems in a multilink helped increase bandwidth. It seems so long ago, but it has only been about 10 years. Now you can create a secure connection -- a virtual private network (VPN) -- with which users can dial in to their ISP from anywhere and access their organization's network through a protocol tunnel that enhances security.
There's a greater need than ever for increased security over VPNs. Small businesses usually have a limited amount of funds or IT expertise, but that doesn't mean they can ignore the need to secure their VPNs properly. A VPN concentrator can help.
Leaving the Door Open
Consider the situation my business partner explained to me as he schooled me in the ways of VPN concentrators.
"One of our clients was using Windows Routing and Remote Access in order to access their network from home. This was providing a free VPN they accessed using Remote Desktop from anywhere with a Web connection," he said. "The problem this presented was that it left a domain controller wide open to the Internet. Anyone that happened to come across that IP address was free to try their best to guess a password, or bypass the small amount of security that did exist," he continued.
Obviously, they needed a new solution. But money was a major concern, as was ease of use for all their employees. Their best option seemed to be to install a VPN router and VPN client software. This is an excellent and cost-effective approach to this type of situation, depending on the type of clients being managed.
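How password guessing against an Internet-exposed server like the one described above appears in its logs, as an added example that is not part of the original article. The CSV layout, the sample events, the threshold and the internal address ranges are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real data: a simplified CSV export of Security-log
# events (time, event ID, logon type, source IP, account). Event 4625 is a
# failed logon on Windows Server 2008 and later; logon type 10 is Remote
# Desktop and type 3 is a network logon.
SAMPLE_LOG = """\
2024-03-01T02:10:01,4625,10,203.0.113.45,administrator
2024-03-01T02:10:04,4625,10,203.0.113.45,administrator
2024-03-01T02:10:09,4625,10,203.0.113.45,admin
2024-03-01T02:10:15,4625,10,203.0.113.45,backup
2024-03-01T02:10:21,4625,10,203.0.113.45,administrator
2024-03-01T08:59:40,4625,10,192.168.1.23,jsmith
2024-03-01T09:00:02,4624,10,192.168.1.23,jsmith
2024-03-01T09:30:00,4625,3,198.51.100.7,jsmith
2024-03-01T13:45:00,4625,3,198.51.100.7,jsmith
"""

# Assumption: the office LAN uses RFC 1918 space; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each outside source IP that produced `threshold` or more failed
    remote logons within `window` to the account names it tried.
    Expects events in chronological order."""
    recent = defaultdict(deque)   # source IP -> failure times inside the window
    tried = defaultdict(set)      # source IP -> account names seen in failures
    flagged = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, event_id, logon_type, src, account = line.split(",")
        if event_id != "4625" or logon_type not in ("3", "10") or is_internal(src):
            continue
        when = datetime.fromisoformat(ts)
        recent[src].append(when)
        while when - recent[src][0] > window:   # slide the window forward
            recent[src].popleft()
        tried[src].add(account.lower())
        if len(recent[src]) >= threshold:
            flagged[src] = sorted(tried[src])
    return flagged

if __name__ == "__main__":
    for src, names in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: repeated failed logons, accounts tried: {', '.join(names)}")
```

The two widely spaced failures from 198.51.100.7 stay under the threshold, so slow guessing needs a longer window or a per-day count to show up.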
When considering a VPN concentrator, we first had to assess the needs of the users. Were we talking about stationary users needing to access a VPN from their home office PC? Were they sales or support people who are constantly traveling? What would happen if they were in a facility where a traditional IPSec connection wasn't permitted to pass through the firewall? (Surprisingly, more than a few popular hotspots don't enable VPN pass-through.) This is where the VPN concentrator really rises to the occasion.
On the higher end, you have appliances with multiple features like firewall support, high availability, high performance and scalability. The Netgear ProSafe SSL VPN Concentrator -- currently selling for about $350 -- is one of the more affordable choices. ProSafe allows for 25 concurrent tunnels and is tailored for small to midsize businesses.
You can still use a traditional VPN combo device as well. Linksys sells four-port routers with both IPsec and Secure Sockets Layer (SSL)-VPN capabilities for less than $200. These options should help you consider the SSL-VPN concentrator angle.
Through Netgear Inc.'s concentrator, we were able to give the client a Web interface access page into their VPN. This gave them fast, easy-to-use connections. Their users not only had speedy and secure access to their VPN, but when they used a Terminal Services ActiveX or Java client right from their Web browser, they could take control of any computer they had the rights to.
This structure removed the risk of having direct access to any one server on their domain. It was secure, using SSL with 128- or 256-bit encryption. There was no need to install anything more than a few ActiveX controls on the client machine.
Let's now consider the real benefit to that. First, many scenarios can make it difficult to access client computers to install VPN client software. If access isn't a problem, what about the time it will take to install and configure this software on each user's computer? Having that software on a machine lets users change their own settings, a process that could otherwise waste hours of support time.
The benefits extend well beyond user convenience. There are real advantages for IT professionals as well. All of this amounts to a cost savings similar to providing an individual copy of "GoToMyPC." Up to 25 employees, depending on the gateway licensing, have this type of access.
Many analysts claim SSL VPNs are going to become more popular than their IPSec counterparts due primarily to their increasing reliability and ease of implementation, all of which lowers the total cost of operation. Keep in mind that you may still need your firewall. You'll place your VPN concentrator behind your firewall (see Figure 1).
Figure 1. A typical VPN concentrator configuration.
Pros and Cons
VPN concentrators typically come in one of two architectures: SSL VPNs and IPSec VPNs. VPN concentrators are ideal when you require a single device to handle a large number of incoming VPN tunnels. Some VPN concentrators only support one protocol or the other. Cisco Systems Inc. and other large vendors support either with their concentrators.
The traditional tunnel for VPNs relies on IPSec, which resides at the network layer of the Open Systems Interconnection (OSI) model. At this level, a client is considered a virtual member of the connected network and can pretty much access the network as if locally connected. This is a positive aspect of IPSec, because applications run without any awareness that the client is coming from outside the network. One drawback, though, is that you have to configure additional security controls to ensure lower risk.
For a client to access an IPSec VPN, you'll have to configure the client-side software. While this adds security, it also means additional cost to implement and additional time and energy spent by tech support. This is what steers many toward an SSL solution.
SSL is already built into most computers by virtue of using a Web browser, so there isn't any additional work to install and configure the client side for an SSL VPN because all the clients already have the software.
Additionally, instead of residing at the network layer and allowing access to all aspects of a network, SSL lets you control access a bit more precisely for Web-enabled applications. You can also establish a finer level of control over other SSL-VPN connections. One negative angle to this is that some applications may give you a problem through an SSL-VPN connection. This is where IPSec trumps SSL.
You'll need to be careful that the apps you use will work through an SSL-VPN client. With a little bit of work, you can Web-enable additional apps, but this adds configuration time and may make SSL an unattractive solution for some. Also, some of your SSL-VPN solutions may not support centralized storage, shared access to resources -- like printers -- or files, and other options that you can achieve through an IPSec connection.
Some also worry about Web caching, and the amount of private information left behind. You'll find that many solutions offer a desktop "sandbox" mode where a user logs in to a protected workspace that leaves behind no residue when they leave. This is the perfect solution for that connection from the Internet café.
The needs and restrictions in every environment are unique. Using SSL-based VPNs does have certain drawbacks. The security is generally weaker than with a typical IPSec VPN. Does the ease of use for your users and relief for your support team outweigh that concern? Only you can answer that question with a thorough review. If you're implementing remote access for the first time, the convenience of configuring an SSL-VPN concentrator will certainly make a strong argument.