Buyer's Guide: Remote Access VPN Appliances
The days when a virtual private network meant just employee access from a laptop are gone. Today's VPN appliances must juggle on- and off-site smartphones, tablets, notebooks, you name it -- giving VPN shoppers a new set of challenges.
According to Infonetics, the network security appliance market grew 11 percent last year and will reach $6.6 billion by 2015. Remote access virtual private network (VPN) appliances remain a significant part of this market, but their role is shifting. Enterprise wireless LAN expansion, combined with evaporating network perimeters, mean that VPN users may no longer be "remote." Today, VPNs deliver secure (authenticated, encrypted) access to corporate resources from any mobile device -- including smartphones that roam from office to home.
In this guide, we examine the capabilities and features offered by contemporary remote access VPN appliances. Although the specific needs of each enterprise may differ, we look at questions that every organization should ask to enable secure mobility. From off-site laptops to on-site tablets, we identify secure access needs and see how VPN appliances are stepping up their game to meet higher expectations.
Evolution of Remote Access VPNs
Twenty years ago, road warriors needing remote enterprise network access dialed into private modem pools. Over the next decade, most employers replaced dial-up with Internet-based access, using IP Security (IPsec) to tunnel between VPN gateways and clients. By 2006, the tide had shifted again, as Secure Sockets Layer (SSL) became a popular alternative for browser-based "clientless" remote access.
Today, VPNs based on SSLv3 and its successor TLSv1 (Transport Layer Security) are widely considered an enterprise security best practice. But somewhere along this road, enterprises began to favor accessibility and transparency over standards. Specifically, while TLS itself is an IETF standard, VPN products use TLS and DTLS (Datagram TLS) in diverse ways, balancing endpoint limitations and risks against the needs of each user and application.
This kind of flexibility has become essential, but it also complicates product selection and deployment. For example, contemporary SSL VPN appliances often support:
- Secure Web portal access to selected applications from limited/risky endpoints;
- Richer secure proxy access to common applications from most endpoints;
- Secure port forwarding to many applications by Java/ActiveX-capable endpoints;
- Secure network tunnels from endpoints with installed (TLS or IPsec) VPN clients.
Precisely how each of these alternatives work, which applications each can support, which endpoints can use them, and deployment implications vary widely. Considerable progress has been made over the years, such as using Layer 3 TLS or DTLS tunnels to support latency-sensitive voice and multimedia applications. However, customers still need to drill into details to determine if a given appliance can meet all workforce needs.
Consumerization of IT and BYOD
SSL VPNs emerged to reduce the cost and complexity of remote access support. By using Web browsers instead of installed clients, SSL VPNs enabled secure remote access from a wider variety of endpoints, including non-IT-managed home and public PCs. This not only facilitated expansion to larger workforces, but left VPNs well positioned to deal with the consumerization of IT and the bring-your-own-device (BYOD) trend.
Today, remote access VPNs can be accessed from any authorized PC, without software installation or IT procurement. Similarly, VPNs can be reached from many authorized smartphones or tablets, without IT ownership. But there's a big catch: many unmanaged/mobile endpoints are limited to VPN portal or proxy access.
Some access limitations are driven by policy. To manage endpoint risk, IT may want to deliver only virtual desktop to a BYO iPad, or give partners very narrow access to a small set of URLs. Contemporary remote access VPNs can deliver this granular access control.
However, many limitations result from the endpoint's OS or user's (lack of) permissions. TLS network tunnels tend to require installed VPN clients, often available for Win32/64 and Mac OS but rarely for iOS or Android. Port forwarding over TLS usually involves download-on-demand Java or ActiveX -- but ActiveX doesn't run everywhere and port forwards can require admin rights.
Furthermore, today's remote access VPN products offer an array of features to mitigate endpoint risk, ranging from pre-connect security scans to post-session cleanup. Any enterprise considering VPN for unmanaged endpoints should take a close look at these to identify business needs and evaluate support on required endpoints. In particular, watch out for policy checks or encrypted containers only available for Win32/64 endpoints.