VPNs wanted, but which kind?
With telework, business continuity top-of-mind, agencies will look for secure remote access
- By David Essex
- May 26, 2006
The saga of the Labor Department's attempt to outfit Mine Safety and Health Administration employees with remote access via virtual private networks serves as a mini-history of the technology.
In 2003, the agency tried VPNs based on the most popular technology of the time: Internet protocol security, which essentially provides a direct pipe to the agency network.
But administrators got bogged down in tech support. Internet protocol security requires installing a hard-to-configure program on every remote machine. Plus, firewall and other network conflicts can mean help-desk nightmares.
The following year, the agency moved to secure sockets layer VPNs. Touted as Internet protocol security's heir apparent, secure socket layer VPNs use Web browser technology that requires little or no client software.
The agency installed SSL VPN appliances from Juniper Networks Inc. of Sunnyvale, Calif., and by spring 2005 had 2,200 employees using remote access ? and enjoyed a huge drop in service calls.
Many agencies, if they have not already done so, soon will face the issue of what technology they should use to connect remote workers, and they'll be looking to integrators to help make a decision. While the push for more telecommuting by federal employees is a major driver of VPN demand, experts also noted a strong interest from agencies implementing disaster-recovery plans.
"A lot of governments feel they need to have fail-safes in place, so that if up to 75 percent of the employees have to work at home, they will be able to handle that spike," said Robert Whiteley, senior analyst at Forrester Research Inc. of Cambridge, Mass.
VPN sales are skyrocketing across all industries. According to market research firm International Data Corp. of Framingham, Mass., worldwide sales tripled from $75 million in 2003 to $200 million the following year. IDG estimated sales would close out 2005 at $325 million.
A VPN links network nodes over the public Internet while keeping the connection private through encryption and other security techniques. Here's the critical difference between the two main technologies: Internet protocol security opens a fully functioning pipeline directly to the internal LAN, and secure socket layer provides access to a select group of applications.
Internet protocol security is like an extension of a LAN, Whiteley said.
"It's a layer 3 pipe, and pretty much every application will run over it. SSL sits above that in layer 4 or 5, so it doesn't necessarily work with all applications." But SSL vendors have found ways around these limitations, he said.
In practice, the difference in client-side software means Internet protocol security may be preferable for a site-to-site VPN, the secure linking of two computers in different locations. Internet protocol security proponents also said it is superior for transferring large files.
With its simple setup, SSL generally is better for quickly activating large numbers of remote users, even on an ad hoc basis.
"Internet protocol security VPNs are the clear choice when you have two dedicated endpoints," said Tim Simmons, product marketing manager at Santa Barbara, Calif.-based Citrix Systems Inc., a maker of SSL VPN appliances and remote-access servers for the Defense Department and other large agencies. "SSL VPNs really excel at the connections to multiple unknown clients."
Several SSL-oriented vendors said they invested in the technology precisely to help organizations avoid the problems they had getting Internet protocol security to traverse network-address translation routers and firewalls.Don't I know you?
Internet protocol security and SSL soon may start to look more alike. It once was safe to say that SSL required no special client software, but SSL VPN vendors have been adding features that require the remote device to download small Active X or Java applets ? and sometimes they use Internet protocol security for the download.
"Everybody is moving toward full VPN clients," Simmons said. "SSL VPNs are starting to look a lot like Internet protocol security VPNs."
"The problem is not having a client on the endpoint, per se, it's how do you get that client to the endpoint?" said Niv Hanigal, product manager for Juniper.
Hanigal said users of Juniper VPNs don't have to worry about software. "They go to the Web site to log in, and in the background, something's being downloaded," he said. "It's usually only 500K."
It's not always an either-or choice between Internet protocol security and SSL. A few vendors, among them Check Point Technologies Inc. of Redwood City, Calif., Cisco Systems Inc. and Nortel Networks Corp. of Brampton, Ontario, offer hybrids that give remote users more connection choices.
Some SSL vendors rely on Internet protocol security to offer client-server access or to string SSL appliances together. And several companies offer different versions of VPN to meet agencies' unique requirements.
All VPN products support a slew of government-endorsed encryption schemes, such as advanced encryption standard and triple data encryption standard.
But the products that meet the most stringent standards go through testing overseen by the National Institute of Standards and Technology to achieve certification for Federal Information Processing Standard 140-2. A few also are certified under Common Criteria encryption and authentication testing by the National Information Assurance Program, a NIST partnership with the National Security Agency.
As a full network connection, Internet protocol security is more open to exploitation by hackers, especially through underprotected remote machines, according to John Girard, an analyst for Gartner Inc. of Stamford, Conn., and author of a 2005 analysis of the competing technologies.
Because Internet protocol security doesn't force strong authentication, it is accessible via a simple user name and password, which increases the chance of break-ins, Girard said.
But SSL is not without dangers. Thanks to widespread deployment, the total risk from the number of unmanaged PCs is greater. It's an opinion shared by Sonny Gutierrez, LAN/WAN security specialist at CDW Government Inc. of Vernon Hills, Ill., which sells both types of VPN products.
"You can sleep easy at night knowing you're running Internet protocol security tunnels instead of SSL," Gutierrez said. "Internet protocol security technology is basically built into every firewall."
Organizations should establish policies to restrict SSL VPN use, Girard said. Products geared to large enterprises, such as those from Aventail Inc. and F5 Networks Inc., both of Seattle, and Juniper, enhance security with administrative software.
"We allow the administrator to control specific applications on a particular user's device," said Chris Witeck, Aventail's director of product management. "You're not really authorizing a user to access your network, you're letting them access specific resources."
Enterprise class VPN products also perform endpoint analysis, also called integrity checking, which tests the remote client for firewalls, anti-virus programs, the latest patches and other requirements specified in an agency's security policy.
Such VPNs can limit access to specified applications or move the apps to a quarantined LAN. As an SSL VPN feature, this is useful especially for employees who access VPNs from shared machines, such as airport kiosks and public library terminals. In such situations, SSL VPNs may default to the most basic capabilities supportable in a browser, such as checking e-mail stored on an agency server or browsing the Web.
The more advanced endpoint analysis programs will automatically shut down a VPN session if they detect, for example, that the user has turned off the anti-virus program.
VPN logins are also a good way to beef up security for employees accessing the wired LAN from inside. "Since the perimeter is going away, you have to look at access control not just for people coming in, but also contractors and partners who are sitting on the inside," said Sanjay Uppal, executive vice president of product management at Caymas Systems Inc., San Jose, Calif. All applications could be enabled through a public-key infrastructure, "but that is going to be prohibitively expensive," he said.
Most VPN products are sold as appliances: thin network boxes connected via Ethernet ports. Some come as upgrade boards that fit inside routers and switches. VPN boxes can sit either in a network's demilitarized zone behind the firewall as an extra measure of security, or outside the demilitarized zone.
The key feature to look for is the maximum number of concurrent users, which is the best measure of scalability. Small-office systems top out at a few dozen; enterprise systems can reach several thousand.
To prevent failures, some of the highest-capacity appliances add reliability features, such as redundant, hot-swappable drives and power supplies. They also can be clustered to expand capacity and improve performance as demand increases, but this can require additional load-balancing hardware.Get your guard up
Intrusion detection devices and security information management technology,
if not already present, can help guard against attacks coming through the VPN. Many of these products come with built-in VPNs.
An alternative to hybrid devices is for integrators and their customers could mix and match Internet protocol security and SSL devices in the same network, linking their VPNs.
"Crypto is crypto," said Charles Kolodgy, an IDC research director who worked in defense procurement. "It's really just being able to create an SSL tunnel to an Internet protocol security tunnel."
Software is the other option. Cranite Systems Inc. of Los Gatos, Calif., often pairs its Safe Connect proprietary software-based VPN with its FIPS 140-2-certified WirelessWall wireless security software, said Mike Coop, vice president for consulting engineering. "It prevents the Windows stack from being attacked externally," he said.
Blue Coat Systems Inc. of Sunnyvale, Calif., and PortWise Inc. of Mountain View, Calif., also sell software VPN and other remote-access solutions.
Software VPNs can drain server performance, but they offer the greatest platform flexibility.
"The reason you go to software is if you want to use your own hardware model," said Zeus Kerravala, vice president of enterprise research at market research firm Yankee Group Inc. of Boston.
Of all the options, appliances are the most expensive. Caymas Systems Inc. of San Jose, Calif., for example, charges $15,000 to $55,000 for its most popular models for government, followed by add-in cards, then software, Forrester's Whiteley said.
Many agencies might be interested in a limited pilot or deployment before rolling out nationwide, CDW-G's Gutierrez said. Sometimes, as in the case of the Labor Department, trial and error helps illustrate the differences between the leading VPN technologies and leads your customers to the one that works best for them.David Essex is a freelance technology writer in Antrim, N.H.