Buyer's Guide: Remote Access VPN Appliances
According to Infonetics, the network security appliance market grew 11 percent last year and will reach $6.6 billion by 2015. Remote access virtual private network (VPN) appliances remain a significant part of this market, but their role is shifting. Enterprise wireless LAN expansion, combined with evaporating network perimeters, mean that VPN users may no longer be "remote." Today, VPNs deliver secure (authenticated, encrypted) access to corporate resources from any mobile device -- including smartphones that roam from office to home.
In this guide, we examine the capabilities and features offered by contemporary remote access VPN appliances. Although the specific needs of each enterprise may differ, we look at questions that every organization should ask to enable secure mobility. From off-site laptops to on-site tablets, we identify secure access needs and see how VPN appliances are stepping up their game to meet higher expectations.
Evolution of Remote Access VPNs
Twenty years ago, road warriors needing remote enterprise network access dialed into private modem pools. Over the next decade, most employers replaced dial-up with Internet-based access, using IP Security (IPsec) to tunnel between VPN gateways and clients. By 2006, the tide had shifted again, as Secure Sockets Layer (SSL) became a popular alternative for browser-based "clientless" remote access.
Today, VPNs based on SSLv3 and its successor TLSv1 (Transport Layer Security) are widely considered an enterprise security best practice. But somewhere along this road, enterprises began to favor accessibility and transparency over standards. Specifically, while TLS itself is an IETF standard, VPN products use TLS and DTLS (Datagram TLS) in diverse ways, balancing endpoint limitations and risks against the needs of each user and application.
This kind of flexibility has become essential, but it also complicates product selection and deployment. For example, contemporary SSL VPN appliances often support:
- Secure Web portal access to selected applications from limited/risky endpoints;
- Richer secure proxy access to common applications from most endpoints;
- Secure port forwarding to many applications by Java/ActiveX-capable endpoints;
- Secure network tunnels from endpoints with installed (TLS or IPsec) VPN clients.
Precisely how each of these alternatives work, which applications each can support, which endpoints can use them, and deployment implications vary widely. Considerable progress has been made over the years, such as using Layer 3 TLS or DTLS tunnels to support latency-sensitive voice and multimedia applications. However, customers still need to drill into details to determine if a given appliance can meet all workforce needs.
Consumerization of IT and BYOD
SSL VPNs emerged to reduce the cost and complexity of remote access support. By using Web browsers instead of installed clients, SSL VPNs enabled secure remote access from a wider variety of endpoints, including non-IT-managed home and public PCs. This not only facilitated expansion to larger workforces, but left VPNs well positioned to deal with the consumerization of IT and the bring-your-own-device (BYOD) trend.
Today, remote access VPNs can be accessed from any authorized PC, without software installation or IT procurement. Similarly, VPNs can be reached from many authorized smartphones or tablets, without IT ownership. But there's a big catch: many unmanaged/mobile endpoints are limited to VPN portal or proxy access.
Some access limitations are driven by policy. To manage endpoint risk, IT may want to deliver only virtual desktop to a BYO iPad, or give partners very narrow access to a small set of URLs. Contemporary remote access VPNs can deliver this granular access control.
However, many limitations result from the endpoint's OS or user's (lack of) permissions. TLS network tunnels tend to require installed VPN clients, often available for Win32/64 and Mac OS but rarely for iOS or Android. Port forwarding over TLS usually involves download-on-demand Java or ActiveX -- but ActiveX doesn't run everywhere and port forwards can require admin rights.
Furthermore, today's remote access VPN products offer an array of features to mitigate endpoint risk, ranging from pre-connect security scans to post-session cleanup. Any enterprise considering VPN for unmanaged endpoints should take a close look at these to identify business needs and evaluate support on required endpoints. In particular, watch out for policy checks or encrypted containers only available for Win32/64 endpoints.
The vanishing perimeter
As mobility grew, enterprise network perimeter defenses were pushed, pulled and shredded. Back when all endpoints were remote, it made sense to deploy VPN gateways at the network edge, connecting authenticated encrypted tunnels to private subnets or resources therein. But today, endpoints may spend a good bit of their time on-premises -- from LAN-connected consultant netbooks to Wi-Fi-connected employee smartphones.
How has this impacted remote access VPN products? For starters, VPNs have been forced to grow more transparent -- from always-on VPNs that encrypt only where necessary to "mobile" VPNs that smooth over connectivity gaps to keep users logged in and applications happy. Additionally, offsite VPNs have started to converge with onsite Network Access Control (NAC), helping IT organizations deliver consistent secure access to each user/endpoint, independent of location.
In short, anyone shopping for a remote access VPN appliance today should be thinking "big picture." Even if on-site endpoints will not be the first to connect, design your VPN architecture with mobility in mind and assess roaming impact on policy and user transparency. Finally, consider regulatory needs; VPN appliances control access by authenticated users and can thus enforce segmentation rules and report on compliance.
Using this foundation, identify your own requirements for remote access VPN appliances. To get a handle on workforce mobility needs, try breaking your workforce into groups based on role. For each group, enumerate the kinds of endpoint devices they use, the kinds of applications they must reach, the specific resources they should be allowed to access, and under what conditions.
To map your requirements to individual product capabilities and features, a VPN features guide can help. For example, see SP 800-113 Guide to SSL VPNs, published by the National Institute of Standards and Technology (NIST). Those seeking VPN appliances that also speak IPsec should also consult the older SP 800-77 Guide to IPsec VPNs. Below is a summary of the VPN features you'll find covered in these guides.
- Authentication: VPN security is based upon authentication -- preferably mutual. SSL VPNs usually support many user authentication methods, including password, smart card, two-factor token, and certificate. Many IPsec VPNs use IKEv2 to support any method conveyed by the Extensible Authentication Protocol (EAP). Choose an appliance that supports your required authentication method(s) and integrates with your user database (e.g., Active Directory). Less common features to look for include single sign-on and roaming without re-authentication.
- Encryption and integrity protection: Secure tunneling protocols like SSL, TLS, DTLS, and IPsec all use cryptography for message encryption, integrity, replay protection, and (sometimes) source authentication. The IPsec Encapsulating Security Protocol (ESP) is applied at Layer 3 to protect the entire IP packet; the others may be applied at Layer 3 or 4. Choose an appliance that satisfies your in-transit data protection policies, including cipher, certification, and interoperability requirements.
- Access controls: Early VPN appliances tunneled all traffic from user to gateway or only traffic destined for private subnets (i.e., split tunneling). With SSL VPNs came increased granularity, including access to specified applications, URLs, or even actions (e.g., file read but not write). This continues to be an area of innovation; look for new features such as policies that transparently adapt for each user, based upon endpoint risk, compliance, or location, and group/role-based access controls.
- Endpoint security controls: Varying access based on risk requires recognizing the endpoint, assessing its health, evaluating its compliance, or a combination thereof. For example, if access is attempted from a managed notebook, a "checker" may verify the endpoint has required OS patches and anti-malware. If access is attempted from a smartphone, these may not be possible -- but the VPN can still look for an IT-installed "watermark." This is another area of rapid innovation, both in OS breadth and depth of controls. For notebooks, consider advanced features such as data vaults. For mobile devices, look for server-side aids like fingerprinting.
- Intrusion prevention: Pre-connect checks are helpful, but may not be enough. To reduce risk, VPNs can grant narrow access to riskier endpoints -- or apply ongoing intrusion prevention to stop malware from riding secure tunnels. This is another area of differentiation between VPN products, as vendors scramble to integrate security offerings and drill deeper -- especially into port 80 traffic to enforce per-application policies and block malicious activity. Features here run the gamut from mobile security agents to reputation-based web defenses, but beware of a la carte feature licenses that inflate TCO.
- Manageability: This is an important characteristic for any product, but especially for remote access VPNs. Factors like purchase price, maintenance fees, installation effort, policy tuning, and routine maintenance all impact total cost of ownership (TCO), but enterprises with large workforces often cite managing users as their single-highest VPN cost.
- High availability and scalability: Enterprise-class remote access VPN products offer high-availability and scalability options, such as hot-synced active/active load balanced gateways. Look not only at scalability and survivability, but also at licensing. For example, those deploying remote access VPN for disaster planning may want "burstable" or pay-as-you-go licenses.
- Customization: Remote access VPNs often benefit from customization. This can range from organizing resource links on per-user/group portal pages to adding proxy VPN translations for proprietary applications. Especially for small mobile devices, look for aids like auto-display-adaptation and bookmarks to improve usability.
Product roll call
These are just some of the many features and capabilities found in contemporary remote access VPN appliances. Vendors in this market include Cisco Systems, Citrix Systems, Check Point, F5 Networks, Juniper Networks, and SonicWall (to name just a few).
To more fully illustrate this category, EnterpriseNetworkingPlanet will profile several remote access VPN lines, including SonicWall's Aventail E-Class SRA appliances, Cisco's ASA 5500 Series appliances, and Juniper's MAG Series JunOS Pulse Gateways. Stay tuned ...
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed and tested network security products for nearly a decade.