There are approaches an SMB can take to provide VPN access to its road warriors and telecommuters that are reasonably inexpensive and easy to maintain with existing IT staff.
When looking at any VPN offering, the same three rules apply as when shopping for any other networking or access management equipment:
- Does it fit into my existing network architecture?
- Is it easy to maintain and, when necessary, upgrade?
- Is it secure?
IPSec vs. SSL
There are two basic types of VPNs: IPsec and Secure Sockets Layer (SSL). Both create a secure encrypted tunnel over the Internet, allowing for confidential communication over the Web. Unlike unencrypted communication, which is transmitted in clear text and could be read by anyone sniffing it along the wire, VPN traffic would look like gibberish.
The difference is in how they create that tunnel.
An SSL VPN is also a dedicated appliance for remote connections. However, it is more like a Web server. It operates at the application layer -- higher than the IP layer -- of the protocol stack and acts more as an application than a network device. SSL VPN users need only a Web browser to access the VPN. They go to the Web page of the company's VPN, where they sign in.
An IPsec VPN connects a client machine to the company network. An SSL VPN connects an individual user to specific applications. A desktop or laptop connected by an IPsec VPN is just another machine on the network. An SSL VPN is a Web application. Users are accessing specific applications on the network, rather than the entire network, through a Web browser.
Security soft spots
Both have security issues. Although the connection between the user and the company is secure, both still have vulnerabilities.
If the client connected to an IPsec VPN is infected with malware, it could infect the network. For example, if an employee connects from his or her desktop at home and it's not protected with antiviral software or a personal firewall, the VPN becomes a secure connection for piping in viruses, Trojans, spyware and malware from the home user's unprotected desktop.
SSL VPNs have a different set of security concerns. As a Web application, if not configured properly, an SSL VPN is vulnerable to a range of Web attacks, such as SQL injection, cross-site scripting, weak authentication and parameter manipulation.
Which one is for me?
For SMBs, the SSL route is cheaper to implement and maintain, and puts less strain on a small IT staff. IPsec requires the installation of the VPN gateway, connection software on all remote clients and considerable configuration, after that. It can also be much more costly than an SSL VPN. But the decision should also be based on your company's needs.
If full network access is required for a remote user, an IPsec can't be avoided. If a user can cherry pick applications he or she needs to access -- such as email, spreadsheets and presentations -- and doesn't need to be connected to the whole network, the SSL VPN option will work fine.
If an IPsec VPN is necessary, companies like Check Point Software Technologies Ltd., Juniper Networks Inc., SonicWall Inc. and Celestix Networks Inc. all have products in the $3,000 to $6,000 range. Check Point has the VPN-1 series and Safe@Office, both lighter VPNs geared toward SMBs. The Safe@Office product also works as a firewall, Web filter and antiviral tool.
The range of SSL VPN products for SMBs has exploded in the past few years. In addition to their IPsec products, Check Point, Juniper and Celestix also offer SSL VPNs for the SMB market. The Juniper Secure Access 700 is its base SSL VPN product. The product bills itself as easy to install -- within minutes -- and requires no client software and minimal maintenance.
The market leader in the SSL VPN market is Aventail Corp. in Seattle. Its Smart Tunneling technology is meant to offer SSL capabilities with IPsec durability. Its SSL VPN operates at the application layer but secures the connection at the IP layer -- the higher layer where IPsec initiates its connections. The products also offer centralized management, access to Citrix and Windows Terminal Services and customization for other mobile devices, like personal digital assistants. The Aventail Advanced End Point Control provides optional network access control by checking remote laptops and desktops for antiviral and personal firewall software.
Whichever VPN your company ultimately uses, both IPsec and SSL VPN tools are available to meet the needs of an SMB.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He also runs The IT Security Guy blog at www.theitsecurityguy.com.
This was first published in May 2007