Buyer's Guide: Remote Access VPN Appliances - Page 2
The vanishing perimeter
As mobility grew, enterprise network perimeter defenses were pushed, pulled and shredded. Back when all endpoints were remote, it made sense to deploy VPN gateways at the network edge, connecting authenticated encrypted tunnels to private subnets or resources therein. But today, endpoints may spend a good bit of their time on-premises -- from LAN-connected consultant netbooks to Wi-Fi-connected employee smartphones.
How has this impacted remote access VPN products? For starters, VPNs have been forced to grow more transparent -- from always-on VPNs that encrypt only where necessary to "mobile" VPNs that smooth over connectivity gaps to keep users logged in and applications happy. Additionally, offsite VPNs have started to converge with onsite Network Access Control (NAC), helping IT organizations deliver consistent secure access to each user/endpoint, independent of location.
In short, anyone shopping for a remote access VPN appliance today should be thinking "big picture." Even if on-site endpoints will not be the first to connect, design your VPN architecture with mobility in mind and assess roaming impact on policy and user transparency. Finally, consider regulatory needs; VPN appliances control access by authenticated users and can thus enforce segmentation rules and report on compliance.
To map your requirements to individual product capabilities and features, a VPN features guide can help. For example, see SP 800-113 Guide to SSL VPNs, published by the National Institute of Standards and Technology (NIST). Those seeking VPN appliances that also speak IPsec should also consult the older SP 800-77 Guide to IPsec VPNs. Below is a summary of the VPN features you'll find covered in these guides.
- Authentication: VPN security is based upon authentication -- preferably mutual. SSL VPNs usually support many user authentication methods, including password, smart card, two-factor token, and certificate. Many IPsec VPNs use IKEv2 to support any method conveyed by the Extensible Authentication Protocol (EAP). Choose an appliance that supports your required authentication method(s) and integrates with your user database (e.g., Active Directory). Less common features to look for include single sign-on and roaming without re-authentication.
- Encryption and integrity protection: Secure tunneling protocols like SSL, TLS, DTLS, and IPsec all use cryptography for message encryption, integrity, replay protection, and (sometimes) source authentication. The IPsec Encapsulating Security Protocol (ESP) is applied at Layer 3 to protect the entire IP packet; the others may be applied at Layer 3 or 4. Choose an appliance that satisfies your in-transit data protection policies, including cipher, certification, and interoperability requirements.
- Access controls: Early VPN appliances tunneled all traffic from user to gateway or only traffic destined for private subnets (i.e., split tunneling). With SSL VPNs came increased granularity, including access to specified applications, URLs, or even actions (e.g., file read but not write). This continues to be an area of innovation; look for new features such as policies that transparently adapt for each user, based upon endpoint risk, compliance, or location, and group/role-based access controls.
- Endpoint security controls: Varying access based on risk requires recognizing the endpoint, assessing its health, evaluating its compliance, or a combination thereof. For example, if access is attempted from a managed notebook, a "checker" may verify the endpoint has required OS patches and anti-malware. If access is attempted from a smartphone, these may not be possible -- but the VPN can still look for an IT-installed "watermark." This is another area of rapid innovation, both in OS breadth and depth of controls. For notebooks, consider advanced features such as data vaults. For mobile devices, look for server-side aids like fingerprinting.
- Intrusion prevention: Pre-connect checks are helpful, but may not be enough. To reduce risk, VPNs can grant narrow access to riskier endpoints -- or apply ongoing intrusion prevention to stop malware from riding secure tunnels. This is another area of differentiation between VPN products, as vendors scramble to integrate security offerings and drill deeper -- especially into port 80 traffic to enforce per-application policies and block malicious activity. Features here run the gamut from mobile security agents to reputation-based web defenses, but beware of a la carte feature licenses that inflate TCO.
- Manageability: This is an important characteristic for any product, but especially for remote access VPNs. Factors like purchase price, maintenance fees, installation effort, policy tuning, and routine maintenance all impact total cost of ownership (TCO), but enterprises with large workforces often cite managing users as their single-highest VPN cost.
- High availability and scalability: Enterprise-class remote access VPN products offer high-availability and scalability options, such as hot-synced active/active load balanced gateways. Look not only at scalability and survivability, but also at licensing. For example, those deploying remote access VPN for disaster planning may want "burstable" or pay-as-you-go licenses.
- Customization: Remote access VPNs often benefit from customization. This can range from organizing resource links on per-user/group portal pages to adding proxy VPN translations for proprietary applications. Especially for small mobile devices, look for aids like auto-display-adaptation and bookmarks to improve usability.
Product roll call
These are just some of the many features and capabilities found in contemporary remote access VPN appliances. Vendors in this market include Cisco Systems, Citrix Systems, Check Point, F5 Networks, Juniper Networks, and SonicWall (to name just a few).
To more fully illustrate this category, EnterpriseNetworkingPlanet will profile several remote access VPN lines, including SonicWall's Aventail E-Class SRA appliances, Cisco's ASA 5500 Series appliances, and Juniper's MAG Series JunOS Pulse Gateways. Stay tuned ...
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed and tested network security products for nearly a decade.