This article suggests four questions that you should ask
yourself or your customer when deciding what type of VPN to
implement. See the article Choosing the right VPN for
your customer: VPN options for background on the types of VPNs that
we discuss here.
What type of network do you want to protect?
If your customer is running an all-Microsoft network with
Microsoft gateways at the edge, then your best choice is
almost certainly L2TP/IPsec. This is the standard Microsoft
VPN and will probably already be installed on the client and
gateway machines. The major gateway vendors, such as Cisco
and Juniper, as well as many open source operating systems,
such as Linux and FreeBSD, also support L2TP/IPsec, so this
solution is still available if your customer is using these
third-party devices at the edge of their network.
In the case of a mixed network, the decision is more
complicated. Because of the extensive third-party support
for L2TP/IPsec, it may make sense to use (or at least
support) it in mixed networks too. In most cases, road
warriors will be using a version of Windows on their
laptops, so supporting it on your customer's network will make
configuration and support of those laptops much easier.
If you want to secure a corporate WiFi or need a few
low/moderately loaded VPNs (such as those for use by road
warriors), OpenVPN offers an attractive solution. This is
especially true if your customer doesn't have IPsec-experienced IT staff available.
For a customer that needs a VPN with strong security that links two or
more company sites, IPsec is a good choice. Properly
configured, IPsec can make all the sites appear to be one
large network with seamless connectivity.
If your concern is to allow secure remote access to
corporate Web-based applications (and perhaps a few other
specific resources), then an SSL VPN is an effective choice.
These VPNs are generally easy to configure, but usually
require a separate SSL VPN gateway.
What applications does your customer want to have available remotely?
More than anything else, the type of applications that
remote users will access drives the choice of VPN. If these
applications are all Web-based, an SSL VPN is probably the
best choice. If your customer wants to secure an 802.11b
WiFi, OpenVPN is a simple solution that is easier and
cheaper than upgrading to WPA-enabled equipment.
If your customer's remote users need access to the entire or
large portions of the corporate network, you should consider
IPsec or L2TP/IPsec. Note, however, that OpenVPN can be an
attractive alternative for an SMB with light or moderate
traffic. In some situations, such as an engineering shop,
something as simple as SSH can provide the needed
connectivity with virtually no effort on the part of system
administrators.
Does your customer have an experienced IT staff to provide support?
Although there is nothing intrinsically hard or deep about
configuring and running an IPsec VPN, there are
numerous parameters -- many mysterious -- that a system
administrator must specify. The average user will have a
difficult time making informed decisions about these
parameters and may make choices that render the VPN less
secure than it could be. For this reason, companies
considering IPsec should either have an experienced IT staff
or be willing to hire you to make sure the VPN is configured
correctly and to help troubleshoot problems. Because
OpenVPN and SSL VPNs are easier to configure and administer,
they may be a better choice for an SMB without an IT staff.
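The "mysterious" parameter choices that leave an IPsec tunnel weaker than it could be can be checked mechanically. The script below is an added example, not part of this article; it assumes strongSwan-style proposal syntax (encryption-integrity[-dhgroup], comma-separated alternatives, trailing "!" for strict) and runs over two constructed sample conns.

```python
"""Flag weak IPsec proposal choices in a strongSwan-style conn (added example)."""
import re

# Algorithm families a practitioner would not accept in a new deployment.
WEAK_ENCRYPTION = {"des", "3des", "null", "blowfish", "cast"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}


def check_proposal(proposal: str) -> list[str]:
    """Return findings for a proposal string such as 'aes256-sha256-modp2048!'.

    Each comma-separated alternative is encryption-integrity[-dhgroup]; a
    trailing '!' makes the list strict so built-in defaults are not added.
    """
    findings = []
    if not proposal.endswith("!"):
        findings.append("not strict: built-in default algorithms may also be offered")
    for alternative in proposal.rstrip("!").split(","):
        enc, *rest = alternative.split("-")
        if re.sub(r"\d+$", "", enc) in WEAK_ENCRYPTION:  # aes256 -> aes, 3des stays
            findings.append(f"weak encryption: {enc}")
        for item in rest:
            if item.startswith(("modp", "ecp", "curve")):
                if item in WEAK_DH_GROUPS:
                    findings.append(f"weak DH group: {item}")
            elif item in WEAK_INTEGRITY:
                findings.append(f"weak integrity: {item}")
    return findings


def check_conn(conn: dict) -> list[str]:
    """Run the proposal checks plus a mode/authentication check on one conn."""
    findings = []
    for key in ("ike", "esp"):
        if key in conn:
            findings += [f"{key}: {f}" for f in check_proposal(conn[key])]
    # IKEv1 aggressive mode with a pre-shared key sends a hash derived from the
    # PSK that a passive observer can attack offline; main mode or IKEv2 avoids it.
    if (conn.get("keyexchange") != "ikev2" and conn.get("aggressive") == "yes"
            and conn.get("authby") == "psk"):
        findings.append("IKEv1 aggressive mode with PSK: PSK hash exposed to offline guessing")
    return findings


# Constructed sample conns (not taken from any real deployment).
WEAK_CONN = {"keyexchange": "ikev1", "aggressive": "yes", "authby": "psk",
             "ike": "3des-md5-modp1024", "esp": "3des-md5"}
HARDENED_CONN = {"keyexchange": "ikev2", "authby": "pubkey",
                 "ike": "aes256-sha256-modp2048!", "esp": "aes256-sha256-modp2048!"}

if __name__ == "__main__":
    for name, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN)):
        print(name, check_conn(conn) or ["no findings"])
```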
How much budget is your customer willing to devote to implementing the VPN?
If your customer is a large enterprise with the need for a
heavy-duty VPN, you should consider dedicated hardware from
one of the major vendors such as Cisco or Juniper. Smaller
companies with modest IT budgets can still have access to
all these VPN technologies by using commodity hardware and
free or open source software. OpenVPN is available without
charge as are the Linux and *BSD operating systems, which
have support for IPsec and L2TP/IPsec. Although most SSL
VPN implementations require special hardware and are fairly
expensive, SSL-Explorer is a software-only SSL VPN available
under the GPL.
About the author
Jon Snader is a TCP/IP and VPN expert whose background includes work
in networking, security, communications and radio network controllers.
He is the author of VPNs Illustrated: Tunnels, VPNs and IPSec and Effective TCP/IP Programming: 44 Tips to Improve Your Network Programs, both published by Addison-Wesley. You can reach him via his
Web site or via email. As an expert on SearchNetworkingChannel.com, he's also available to answer your VPN questions.