I've been involved with multiple projects to assess the use of VPN (virtual private network) technologies over wireless networks. The most recent is pulling content together for a Webcast I'll be doing on December 5 for Cingular Wireless titled "Optimal Use of VPNs Over Cellular Networks." (See http://developer.cingular.com/ for details.) The good news is that an increasing number of effective options result in improved performance, reliability and control. The bad news is that all the options and tradeoffs are complicated.
Two items have driven progress. First, the networks themselves have become much faster, with current 3G networks delivering average speeds of over 500 kbps, and as of the end of 2006, they are fairly widely available. This development has helped networking applications in general, and VPNs specifically, because most VPNs were not designed for wireless and impose tunneling overhead in their additional packet headers. Second, a number of vendors have developed VPNs specifically for mobile operation, and these are now becoming extremely sophisticated with features such as traffic shaping.
Many organizations are already using VPNs for remote access, replacing their dial-up remote-access servers with systems that allow users to simply connect to the Internet from anywhere and then engage in secure (encrypted, authenticated, tamper resistant) sessions. The advantage is that both ends of the connection simply need an Internet connection. Remote users can connect via dial-up to their ISP, DSL, cable modems, Wi-Fi and, increasingly, wide-area wireless such as EV-DO or HSDPA.
There are a number of reasons you would want to use a remote-access VPN with a wireless network. First, you can't depend on the provider encrypting the radio link. Most public Wi-Fi networks operate in the clear. In the cellular world, many networks use encryption, but not all. And even for the networks that use encryption, it is usually to a node in the infrastructure beyond which data passes in the clear. Granted, this may be over a private operator network. But for sensitive data, this might still make you nervous. Most important of all, wireless network connections, be they cellular or public Wi-Fi, generally use the Internet to traverse from the operator network to your organization. By using a remote-access VPN, you can secure the communications on an end-to-end basis, you are not dependent on any of the security features of the underlying networks, and you can deploy a consistent security solution regardless of the access network.
But the question is what kind of VPN to use. There are three main categories, including IPsec VPNs, the ever more popular SSL VPNs and mobile VPNs. We'll quickly look at all three. IPsec VPNs are the workhorses in the industry, and many organizations have deployed them for remote access. They work fine over wireless connections, but they do add protocol overhead, with some 50 bytes per packet. For larger packets, as in a file download, this may not be that noticeable, but chatty applications may operate perceptibly slower. The performance penalty may range anywhere from 5 percent to 30 percent, depending on the type of application. This is less of a factor with 3G networks than 2G networks. Also, VPN sessions are vulnerable to connection loss, which can force users to restart their VPN as well as the applications they were running. In addition, you may need to configure the VPN for NAT traversal by enabling UDP encapsulation. Bottom line: IPsec VPNs work best with stable and fast connections.