Remote Access Security

For performance and security reasons, large organizations with many simultaneous remote users should consider specialized hardware to terminate the VPN at the enterprise. These options are available as additional software for an existing firewall to dedicated VPN concentrators, and are priced from the low hundreds to tens of thousands of dollars. Regardless of the VPN technology you choose, you'll need to determine user demand to decide if the extra hardware expense is necessary.

There are several varieties of VPN protocols -- IPsec, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and SSL. Each can be the most affordable choice in a given situation.

IPsec, a Layer 3 protocol, is used as an encryption method (in conjunction with PPTP or L2TP) and as the VPN protocol. IPsec is often used to create VPNs between offices. Many VPN concentrators and firewalls, including those from Cisco Systems, Check Point Software Technologies, Microsoft, NetScreen Technologies (acquired by Juniper Networks in April), SonicWall, Symantec and WatchGuard Technologies, support IPsec as a terminated VPN method.

Because IPsec is built into later versions of Windows 2000 and beyond, and included in devices such as those listed above, it can be an affordable option for securing remote access--even when you consider firewalls that require the purchase of additional software for full IPsec support.

IPsec uses stronger encryption than PPTP or L2TP, which is why it's favored by many professionals, but PPTP provides a VPN that may be good enough for your needs at a lower overall cost in most situations.

A PPTP client is included in current Windows versions, and the protocol makes few demands on network bandwidth. These two facts make PPTP an affordable option for those who don't have specific (hardware-generated) requirements for other VPN protocols. PPTP clients are also available for Linux and Macintosh; it's relatively easy for both admins and users to use; and it natively supports multiple Layer 3 protocols.

L2TP, a standards-track (IETF RFC 2661) Layer 2 protocol, builds on a Cisco routing protocol. Some parts were built off L2F, an encapsulation protocol. To build a VPN tunnel that provides an authenticated connection along with frame correction, L2TP uses digital certificates for authentication and requires additional protocols (such as IPsec) for encrypting traffic.An L2TP client is standard in current Windows versions. It can build tunnels across networks other than IP, so frame relay or ATM links can be included in a standard security plan. L2TP's flexibility makes it an affordable option for larger organizations with multiple network and link technologies in use, since the IT staff must learn to deploy and support only a single VPN protocol.

SSL operates at Layer 5 of the OSI model (versus Layer 2 or Layer 3 for the other VPN protocols), so it typically provides access at a different level--to specific applications rather than an entire network segment, for example. SSL is not simply a protocol-specific technology--an SSL VPN can tunnel non-HTTP traffic using a downloadable host agent to redirect non-HTTP traffic over the SSL tunnel. SSL typically uses digital certificates for authentication, and that cost and overhead should be figured in unless you're using Microsoft's free Certificate Authority to issue certificates.

From a client-side perspective, SSL is an affordable method because a Web browser is all that is usually required--you'll need to run software only on devices that don't have a browser installed, such as some handhelds.Server-side termination costs are higher with SSL than with the other major VPN protocols, however. The number of simultaneous SSL VPN users must be factored in when determining the affordability of this method, as SSL carries a relatively heavy processing load for any device that terminates at the tunnel--the greater the number of users, the heavier the load.

Low-cost SSL add-ons exist but may not provide enough processing power to prevent endpoint devices, such as firewalls and routers, from being overwhelmed. Look to vendors such as Cisco that include SSL VPN capabilities in their VPN concentrators, firewalls and other end-point equipment.

Equipment designed specifically to ease the SSL-termination burden, such as Symantec's Clientless VPN Gateway and SonicWall's SSL-R, carries a purchase price that looks high, but this type of gear can handle the high computational demands of SSL for a large number of users without causing network delays.

Remote File Access

Once a secure remote connection has been established, you need to figure out ways to allow access to files stored on various servers. If you use a variety of OSs, a you'll also need a network file-sharing program.Open-source Samba provides authenticated access to or from a wide variety of OSs, including Windows, Linux, Unix and Macintosh, and can be implemented as part of a deployment along with a VPN and an authentication system to create a solid remote file-system access package.

There's no need to use Samba if you're a Windows shop. If you're using an IPsec or PPTP VPN, you may not need to buy any applications for file sharing. You simply configure the hosts to talk to a WINS server or modify the relevant LMHOSTS file appropriately. Similarly, Novell NetWare handles file-sharing duties without the need for Samba.

Outsourcing

A growing number of ISPs and security vendors are offering VPN-termination services as part of a total managed-security package. These systems are typically based on a combination of proprietary and open systems and carry a relatively low initial purchase price and ongoing annual subscription fees.

Many of the managed systems bundle numerous security aspects, including authentication, authorization, policy enforcement (of client firewall and antivirus protection, for example) and VPN encryption, along with basic connectivity through dial-up or broadband Internet access. Hence, they may be very affordable for companies with a large number of workers who access the enterprise network from many different types of locations. An outsourcing company that handles all the details for the various connection types will save considerable staff time compared with developing multiple policy implementations. You can save significant time and money by handing over the management of remote access to a third party with the expertise and infrastructure in the junction of telephony and networking. One growing area of remote-access outsourcing is in providing a single login experience at any number of remote 802.11b hotspot locations. From here, users must adhere to security policies--antivirus, VPN, firewall, authentication--before the connection is confirmed and completed. The upside is that, in a functional area that requires successful initiation and operation of many components and services, someone else is responsible for keeping it all working properly. The downside is that the "someone else" introduces another layer of potential failure in an already complex transaction environment. For many companies, though, the expertise and service-level agreements of an outsourcing partner make the financial arrangement attractive, regardless of the precise numbers involved.For remote access, outsourcing is an affordable option, whether you choose to work with a partner for all remote-access functions, select functions, or only some locations of remote network access. Here are some points to consider: