Living in your own private Idaho

Client-to-LAN VPN software allows remote users to access the company Web securely. Here's a look at how some of the leading products rate.
By Joel Snyder

Remote access via the Internet is cheap. Unfortunately, it's also insecure and unreliable. But fear not: You can solve the security problem using client-to-LAN virtual private network (VPN) technology.

We tested five VPN products: InfoExpress, Inc.'s VTCP/Secure, Axent Technologies, Inc.'s PowerVPN, Aventail Corp.'s MobileVPN, Compatible Systems Corp.'s IntraPort and VPNet Technologies, Inc.'s VSU-1010/VPNremote. Based on our testing, we prefer VTCP/Secure for the simplicity of its client and the power of its server.

Be aware, however, that the products we looked at are not your only alternatives. Network World recently reviewed several LAN-to-LAN VPN products, many of which include client-to-LAN capabilities (NW, Nov. 10, 1997, page 58). In particular, products from Digital Equipment Corp., Microsoft Corp., RedCreek Communications and TimeStep Corp. are worth evaluating for their client-to-LAN capabilities.

All client-to-LAN VPNs have two parts: software that runs on the remote client, such as a Windows PC or Macintosh, and a server at the central site. When operating correctly, the client and server form a tunnel, transmitting encrypted packets over the Internet and providing the client secure access to resources on the corporate LAN.

InfoExpress' VTCP/Secure, Axent's PowerVPN and Aventail's MobileVPN are software-based (we tested each on Windows NT Server). Compatible Systems and VPNet provide dedicated hardware VPN servers. While the client side is architecturally similar in each product, the server varies widely, from Windows NT add-ons to dedicated hardware. And, unfortunately, none of these products are compatible with one another: each vendor has taken a different approach to building VPNs.
The client has the key

Remote access is a nightmare for support desks. Staffers never know what combination of CPU, modem, operating system and software configuration they're going to have to support. Adding VPN software makes it worse. For that reason, we looked most closely at the client side of the VPN: how easy it is to install, configure and manage.

Client support varies from product to product (see Table 1, page 12). None of the products we tested support Macs or Unix, and some only work with Windows 95. We found InfoExpress' client software (also used in Axent's PowerVPN) and Compatible Systems' IntraPort the easiest to get going, thanks to well-constructed installation procedures. We were up and running without any phone calls and just a glance at the documentation, a good thing in Compatible Systems' case because the documentation is razor thin. VPNet was slightly more difficult to install, while Aventail's software, a SOCKS Version 5 client, was the most complex. Because Aventail's generic client can be used with any SOCKS Version 5 server, some of the complexity comes from not hiding features, such as multiple simultaneous VPN support, that most VPN users would not want.

But ease of installation isn't always a good thing: In many cases, the easier the client is to install, the less secure it is. This is because the client has to share some information with the server. Without shared information, the client cannot be sure that it's talking to the right server, and vice versa. A password is shared information and is easy to enter, but it is not very secure. Most of the VPNs we looked at let the client off easily with simple passwords. In an environment in which client spoofing is a real fear, passwords may not be sufficient protection. A more secure model is using public keys and certificates to positively identify both ends of the connection. Unfortunately, these are big chunks of data to type in. As such, the network manager may have to distribute a diskette to each VPN user.
Token security

Axent has taken a different tack with PowerVPN. It has combined its tried-and-true one-time challenge-response token system with the client and server offered by InfoExpress. VPNet's VPN solution also supports hardware tokens, giving the network manager the option of using SecurID hardware tokens from Security Dynamics Technology, Inc. as an authentication system. With the PowerVPN approach, the end user requires a password and a hardware token for building a tunnel. This assures the server side that it's talking to the real client. Axent also offers a software version of the token. It is less secure than the hardware approach but is easier for remote users who would otherwise have to use their hardware token every time they log on.

Our greatest surprise was how easy it was to build VPNs with these products. We ran into some problems, but they were easily fixed. We had anticipated bigger problems because the VPN digs deep into the heart of the client PC. Note, however, that we were only using standard Microsoft TCP/IP stacks. If you plan to use Windows 3.1 or Windows for Workgroups, you'll want to check compatibility with your TCP/IP stack.
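The two preceding sections argue that a shared password is easy to enter but weak, while a one-time challenge-response token assures the server it is talking to the real client. The following added example (constructed for this page, not code from any of the reviewed products and not Axent's or Security Dynamics' actual token protocol) contrasts the two verifiers: a recorded password login can simply be presented again, whereas a recorded token response is bound to a challenge the server accepts only once. The token is assumed to compute HMAC-SHA256 over a random server challenge.

```python
import hashlib
import hmac
import secrets


class StaticPasswordServer:
    """Client proves identity by sending the shared password itself."""

    def __init__(self, password: str):
        self._password = password

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(submitted, self._password)


class ChallengeResponseServer:
    """Server issues a fresh random challenge; the client's token answers with
    HMAC(token_secret, challenge). The secret never crosses the wire, and each
    challenge is honoured at most once, so a captured answer cannot be reused."""

    def __init__(self, token_secret: bytes):
        self._secret = token_secret
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown, expired or already-used challenge
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_answer(token_secret: bytes, challenge: bytes) -> bytes:
    """What the user's hardware or software token computes (assumed HMAC-SHA256)."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


def replay_demo():
    """Simulate an observer who recorded one successful login and presents it again.
    Returns (password replay accepted, first token login accepted, token replay accepted)."""
    pw = StaticPasswordServer("s3cret")
    password_replay_ok = pw.verify("s3cret")  # the recorded password still works

    secret = b"constructed-token-seed"  # constructed sample seed
    cr = ChallengeResponseServer(secret)
    c = cr.challenge()
    r = token_answer(secret, c)
    first_login_ok = cr.verify(c, r)
    token_replay_ok = cr.verify(c, r)  # same challenge and response presented again
    return password_replay_ok, first_login_ok, token_replay_ok
```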
Managing the mess

The VPNs we evaluated included graphical user interface management software for server and clients. Server management software is simple and was not a distinguishing factor among the VPN products.

One major difference among the products is the way they handle user authentication information. InfoExpress, Aventail and VPNet let the network manager use a standard remote authentication database such as Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System. Local authentication with a simple user/password file also is available in InfoExpress, Aventail, Compatible Systems and VPNet products. The Aventail product also works with the Windows NT authentication system.

Compatible Systems' VPN router had the weakest client management among the products tested. The IntraPort server maintains client information in flash memory, and it requires a server reboot to change user information. Although the hardware-based approach is inherently high-performance, it clearly is not designed for large numbers of end users. IntraPort is inappropriate for environments in which a lot of moves, adds and changes take place.

Protocols such as RADIUS appear to solve these issues, but the problem runs deeper. VPN client information also includes access controls for designating what services the client can use. All VPNs support access controls on a per-client basis, but merging and managing the controls with a third-party RADIUS server is a complex task. VPNet and Aventail have suboptimal RADIUS configurations. They require substantial coordination between the local and RADIUS databases. The InfoExpress and Axent servers have the smoothest interconnections and allow the RADIUS databases to contain all client information.

Other management features, such as logging and reporting, vary from product to product. None of the features stand out for their strengths or weaknesses. VPN servers built on an existing operating system have an inherent advantage with their built-in file systems. However, even those servers based on dedicated hardware provide a way for a management console to receive auditing and logging information.
Picking a style

Although client installation and management will be critical to a successful project, different environments require different VPN architectures. InfoExpress and Axent have a software-only solution that uses NT or Unix servers to handle the server end of the VPN. Aventail has the same strategy, but adds LAN-to-LAN VPNs to its software.

VPNet's hardware is a combination client-to-LAN and LAN-to-LAN VPN. By centralizing the touch-down point for all VPNs, other security management, such as poking the appropriate hole through the corporate firewall, can be simplified and centralized. However, VPNet also could be a performance bottleneck. This is because the product has to sit between the secured network and the rest of the world.

Compatible Systems offers a different, scaled-down approach. Its IntraPort server's low cost and relative simplicity make it particularly attractive to organizations with a small and relatively static remote access community.

Because most remote access VPNs are limited by the slow speed of their modem links, performance isn't usually a major consideration for client-to-LAN VPNs. Nevertheless, the generally speedier hardware-based VPN servers also are more reliable because there are no other applications on the same system, and they can be less expensive than software-based servers.
Putting it all together

VPN services are, at least for a time, a single-vendor purchase. Although LAN-to-LAN VPNs are firmly moving in the direction of standardized protocols for encryption and key management, client-to-LAN vendors have yet to agree on a single method (see Table 2, page 12). Part of the reason for this is the capability set. For example, while Aventail uses the relatively mature Secure Sockets Layer and SOCKS protocols, it doesn't handle User Datagram Protocol (UDP)-based applications very well or IPX applications at all. As the VPN market decides what capabilities and functions are required in client-to-LAN VPNs, products will begin to converge on a single set of interoperable protocols.

This situation complicates your buying decision. You should attempt an extended pilot rollout with your chosen vendor before making any commitment to large-scale deployment.

One particularly important issue to note when evaluating these products is addressing. Will the client have access to VPN services only on the corporate LAN? Or will the client also be allowed to communicate with the insecure network, either directly or by bouncing through the secure net? What address will the client see, and will it be compatible with all applications and protocols? You must know your application and protocol mix before selecting a product.

To pick the best remote access VPN product, you need to consider end-user installation and compatibility, management, security model and longevity, all moderated by budget.

Snyder is a senior partner at Opus One, in Tucson, Ariz. He can be reached at jms@opusl.com.