There is widespread agreement that access to corporate networks should be secured with a virtual private network (VPN), and chances are, your customers know they need one. But which VPN do they need? That's where you come in. This article looks at three popular types of VPNs (IPsec, OpenVPN, and SSL VPNs), and when each is appropriate, to help you recommend the right VPN to your customers. We don't consider PPTP, a popular but deprecated Microsoft solution, because PPTP has severe security problems that render it unsuitable for anything but the most casual security (see these two papers by Schneier, Mudge and Wagner for details).
IPsec VPNs
IPsec is the IETF standard VPN: an industrial-strength VPN that is very flexible and configurable. It comprises three protocols: Authentication Header (AH), which provides message authentication; Encapsulating Security Payload (ESP), which provides message encryption and authentication; and Internet Key Exchange (IKE), which provides key management and protocol negotiation. Because almost all of the AH functionality is duplicated in ESP, AH is usually used only for special purposes, and we won't consider it further.
The most useful way to configure ESP is tunnel mode, in which the VPN connects two networks or a single computer and a network. This covers the familiar cases of connecting two corporate sites and of connecting a road warrior to the corporate network. Traffic carried through such a VPN is encrypted, making it safe from snooping, and authenticated, making it safe from undetected alteration.
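As an added illustration of the ESP packet layout that tunnel mode uses (example code, not from the article), the Python below builds and verifies a simplified ESP packet: SPI, sequence number, payload, padding trailer and an HMAC-SHA-256-128 integrity check value, so an altered or replayed packet is rejected. It assumes a constructed 32-byte authentication key and a stand-in inner datagram, omits the encryption step (the standard library has no AES), and uses a strictly increasing sequence check in place of the real anti-replay window.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16          # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)
NEXT_HEADER_IPIP = 4  # tunnel mode: the ESP payload is a whole inner IPv4 datagram

def esp_wrap(spi: int, seq: int, inner_packet: bytes, auth_key: bytes) -> bytes:
    """Build SPI | seq | payload | pad | pad_len | next_header | ICV.
    Encryption of payload+trailer is omitted; only the ICV is computed."""
    pad_len = (-(len(inner_packet) + 2)) % 4  # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    body = struct.pack("!II", spi, seq) + inner_packet + trailer
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def esp_unwrap(packet: bytes, auth_key: bytes, expected_spi: int, last_seq: int):
    """Return (seq, inner_packet) or raise ValueError if the packet is not trusted."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != expected_spi:          # the SPI selects the security association (and key)
        raise ValueError("unknown SPI")
    # Nothing else is trusted until the ICV matches: an altered packet stops here
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    if seq <= last_seq:              # simplified anti-replay: strictly increasing seq
        raise ValueError("replayed sequence number")
    pad_len, next_header = body[-2], body[-1]
    if next_header != NEXT_HEADER_IPIP:
        raise ValueError("not a tunnel-mode packet")
    return seq, body[8:len(body) - 2 - pad_len]

def accepted(packet: bytes, auth_key: bytes, spi: int, last_seq: int) -> bool:
    """True if esp_unwrap would accept the packet, False otherwise."""
    try:
        esp_unwrap(packet, auth_key, spi, last_seq)
        return True
    except ValueError:
        return False

def flip_byte(packet: bytes, index: int) -> bytes:
    """Simulate in-transit alteration of one byte."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)

# Constructed sample input: a 32-byte key and a stand-in inner datagram (not a real IP header)
AUTH_KEY = bytes(range(32))
INNER = b"\x45\x00\x00\x1c" + b"inner IPv4 datagram payload"
```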
Because IPsec operates at the network (IP) layer, it works with any protocol carried by IP. This makes it an ideal general-purpose VPN for customers who require strong security and flexibility. IPsec implementations are available from all the major vendors, including Cisco, Juniper and Microsoft. On the other hand, IPsec can be difficult to configure and requires an experienced technician to keep it running. Although it is standardized, the specifications contain enough ambiguity that different implementations sometimes have difficulty interoperating. IPsec is the VPN of choice for customers who have serious security requirements and are large enough to have an IT staff to support it -- or who are willing to pay you to do so.
OpenVPN
Another general purpose network-to-network or computer-to-network VPN is OpenVPN. Although similar in functionality to tunnel mode ESP, OpenVPN is more lightweight and easier to configure than IPsec.
OpenVPN is a user mode program that runs on Unix/Linux, Windows and Mac systems. It uses TLS (SSL) for key and configuration negotiation and an ESP-like protocol to transport the IP datagrams. It can be configured to use shared keys -- simple but less secure -- or certificates for key management. When used with certificates, OpenVPN provides a very robust VPN solution.
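The two key-management styles just described, as an added example that is not from the article or the OpenVPN project: a constructed static-key client config beside a certificate-based one, plus a small audit function that flags the weaker settings. The hostname and key/certificate file names are placeholders.

```python
import re

# Constructed client configs (not from the article or the OpenVPN project).
# Static key mode: both ends share one file produced by `openvpn --genkey`.
STATIC_KEY_CONF = """\
dev tun
proto udp
remote vpn.example.com 1194   # placeholder hostname
secret static.key
ifconfig 10.8.0.2 10.8.0.1
"""

# TLS mode: each client holds its own certificate issued by the VPN's CA.
CERT_CONF = """\
client
dev tun
proto udp
remote vpn.example.com 1194   # placeholder hostname
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-crypt ta.key
tls-version-min 1.2
"""

def parse_directives(text: str) -> dict:
    """Map each OpenVPN directive name to the list of its argument strings."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives

def audit_openvpn_client(text: str) -> list:
    """Return findings about weak key management; an empty list means none found."""
    d = parse_directives(text)
    findings = []
    if "secret" in d:
        findings.append("static key mode: one key shared by all peers, no forward secrecy, "
                        "no per-client revocation; use certificates instead")
    if "ca" not in d or not ({"cert", "pkcs12"} & d.keys()):
        findings.append("no certificate-based authentication (expected ca + cert/key or pkcs12)")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any CA-signed cert, even another "
                        "client's, would be accepted as the server")
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & d.keys()):
        findings.append("control channel not wrapped with tls-auth/tls-crypt")
    return findings
```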
OpenVPN is simple enough for use by your SMB customers who don't have a dedicated IT staff. Although it is robust enough for most security requirements, the fact that it is a user mode program means that it may experience performance problems under very heavy load and thus may not be appropriate for large businesses with heavy traffic. It is, however, an ideal solution for securing enterprise WiFi systems.
SSL VPNs
Finally, there are SSL VPNs, which link a single computer to an application gateway on the corporate network. Because SSL VPNs leverage the client's Web browser as an interface, additional software is often not needed on the client machine. This means that installation and support of client computers are simplified tremendously and that the client machines can run any operating system that supports a browser and SSL.
The disadvantage of this type of VPN is that, to avoid extra software on the client machine and to realize OS independence, it is restricted to proxying Web pages and therefore to HTML/HTTP-aware applications. By adding a small amount of software on the client, SSL VPNs can perform application translation. This allows the VPN to handle specific non-Web applications for which the vendor has built support into the SSL VPN gateway -- mail, telnet and file services are examples. By adding more client software and further limiting platform independence, the range of supported applications can be increased, but it may make more sense to use a traditional VPN to meet these types of requirements.
If your customer requires secure remote access to Web-based applications such as online catalogues, price lists, directories or manuals; order entry; customer contact reporting; or similar applications, SSL VPNs are an ideal solution, regardless of the size of the business.
About the author
Jon Snader is a TCP/IP and VPN expert whose background includes work in networking, security, communications and radio network controllers. He is the author of VPNs Illustrated: Tunnels, VPNs and IPSec and Effective TCP/IP Programming: 44 Tips to Improve Your Network Programs, both published by Addison-Wesley. You can reach him via his Web site or via email. As an expert on SearchNetworkingChannel.com, he's also available to answer your VPN questions.