How to stay in front of VPN management
As companies build larger and larger VPNs, they are faced with a chore that grows with the networks: effective management. It's an important issue to pay attention to because a good VPN management platform is not just a matter of convenience; it can also save companies money.

"Management is the key financial feature in deciding what VPN equipment to buy. It really comes down to which one is easier to manage, because that is where your costs are going to go," says John Lawler, an analyst with Infonetics. The simpler it is to provision VPN devices, add more devices to the network or make changes to their security policies, the less time IT staff spends making these changes and the less training they require, he says.

With all networks, the complexity of management and its costs increase with the number of devices, and this is also true with VPNs, perhaps even more so. Each site connected to a VPN must have gear that secures traffic before it crosses the Internet or some other public IP network that is being used as the VPN backbone. Because VPNs are so often used for remote access, the number of VPN devices that need to be managed can range up into the tens of thousands.

Managing large corporate VPNs requires adding multiple shifts of highly trained staff that would be difficult to retain given the high demand for these skilled workers, says a report from market research firm IDC, and that could translate into a breakdown of VPN protection. "Companies would have to deal with the rapid turnover of technology staff, creating possibly unacceptable risks to reliability and security," IDC states.

Platforms differ in the features they offer, but experts say there are some key elements to look for. Policy-based management tops the list.

"You want the ability to manage large numbers of systems site-to-site without having to do element management," that is, device-by-device configuration, says Joel Snyder, a senior partner at Opus One and Network World columnist.

While each element must be configured and reconfigured as a VPN grows and changes, a good management platform will mask that level of detail from the user. "I want to manage features, not devices. I should be able to mix and match features without having to worry about the grubby details behind it," Lawler says.

Element management is not only time-consuming, but it also invites misconfigurations. The more individual commands administrators have to enter, the more likely they are to make mistakes. As you add more sites to a network, the number of relationships that need to be established among them blossoms. If all you wanted to do was let each site talk to each other, you would need to authorize six VPN tunnels for a four-site VPN. If you have 10 sites, the number jumps to 45 and if you have 500, the number of tunnels jumps to 124,750.

Now complicate that configuration. For example, let the engineering department at each site connect only to the engineering department at all of the other sites. At the same time, let the marketing department at each site connect to the marketing, finance and accounting departments at other sites, and let the accounting department connect to the accounting and finance departments at other sites but not to marketing. As such associations grow, the number of policies for a VPN can spiral out of control.

A central policy management server can enable VPN policies to be set once and distributed to VPN servers at all of the other sites connected to the VPN. Servers can also be configured by groups and subgroups. When a new site is added, the configuration of its server and the configuration adjustments the other servers require can be generated by the platform.
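To make the growth described above concrete, here is an added example (not code from the article or from any vendor it names). It computes the full-mesh tunnel count, compiles a department-level policy of the kind just described into the individual permits each gateway would have to carry, and shows what adding one site costs every existing gateway. The site names, department names and the rule record format are assumptions.

```python
"""Policy-based VPN management: count full-mesh tunnels and compile one
central policy into the per-gateway rules each site would otherwise need.

Added example; it is not code from the article or from any vendor it names.
Site names, department names and the (local_dept, remote_site, remote_dept)
rule record are hypothetical, chosen to mirror the scenario in the text.
"""

def mesh_tunnel_count(n_sites):
    """Tunnels needed so every site can reach every other: n(n-1)/2."""
    return n_sites * (n_sites - 1) // 2

# Central policy, written once: which department may initiate to which
# department at other sites (directional, src -> {dst, ...}).
DEPT_POLICY = {
    "engineering": {"engineering"},
    "marketing":   {"marketing", "finance", "accounting"},
    "accounting":  {"accounting", "finance"},
    "finance":     set(),   # finance initiates nothing in this toy policy
}

def compile_policy(sites, dept_policy):
    """Expand the central policy into element-level rules: for each site, the
    set of (local_dept, remote_site, remote_dept) permits its gateway carries.
    This is the detail a policy-management platform generates for you."""
    config = {site: set() for site in sites}
    for local in sites:
        for remote in sites:
            if local == remote:
                continue
            for src_dept, allowed in dept_policy.items():
                for dst_dept in allowed:
                    config[local].add((src_dept, remote, dst_dept))
    return config

def total_rules(config):
    """How many individual permits exist across all gateways."""
    return sum(len(rules) for rules in config.values())

def add_site(sites, dept_policy, new_site):
    """Adding a site: return the new gateway's full config and the delta that
    every existing gateway must receive. Under element management each delta
    is a hand-typed change on a separate device; under policy management the
    platform derives all of them from the one unchanged policy."""
    before = compile_policy(sites, dept_policy)
    after = compile_policy(list(sites) + [new_site], dept_policy)
    deltas = {site: after[site] - before[site] for site in sites}
    return after[new_site], deltas

if __name__ == "__main__":
    for n in (4, 10, 500):
        print(f"{n} sites -> {mesh_tunnel_count(n)} tunnels")
    sites = ["boston", "dallas", "london", "tokyo"]
    cfg = compile_policy(sites, DEPT_POLICY)
    print(f"{len(sites)} sites, {total_rules(cfg)} per-gateway permits")
    new_cfg, deltas = add_site(sites, DEPT_POLICY, "sydney")
    print(f"adding sydney: {len(new_cfg)} permits on the new gateway, "
          f"{sum(len(d) for d in deltas.values())} changes on existing ones")
```

With four sites and the six department pairings above, every gateway carries 18 permits (72 in total); a fifth site needs 24 of its own and forces six changes on each of the other four. The policy itself never changed, which is the point of managing features rather than devices.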

"With policy management it takes far fewer man-hours to deliver policy and enforce it," says Martin Breslin, network specialist for United Messaging in Malvern, Pa., which builds VPNs for some of its customers. "I can take someone with decent network skills and teach them to manage VPN equipment without them needing to know the command set for the devices. It lowers the skill set you need to manage a VPN."

Graphical user interfaces (GUI) are common enough in management platforms, but they vary. Experts say to shoot for one that actually maps out your VPN and depicts the level of security on each virtual link. Such diagrams help reduce configuration errors and conflicts between security rules, says Nir Zuk, CTO for OneSecure, a service provider that manages VPNs for companies. He was also director of software at Check Point Software when it wrote its VPN-1 software.

Without GUI tools, users have to decide on policies, then distribute them to devices and hope that the policy they designed is what gets enforced. With a GUI, users can see a representation of their network and the types of links that are authorized and required between sites, he says. The idea is to confirm that new policies are enforced and don't conflict with existing ones.
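The confirmation step above can also be done mechanically. The following is an added example (not code from the article or from OneSecure, Check Point or any other product it names) of the two checks a management platform should make before a rule set goes live: flagging a rule that an earlier rule shadows or contradicts, and comparing what a gateway actually permits against the intended policy. The rule format (source department, destination department, action; first match wins; default deny) and the sample rule set are assumptions constructed for the example.

```python
"""Verify that what the gateways enforce matches the policy that was designed.

Added example, not code from the article or from any product it names. The
rule format (src_dept, dst_dept, action; first match wins; default deny) and
the sample rule set are assumptions chosen to show two failure modes: a rule
shadowed and contradicted by an earlier one, and an enforced rule set that
has drifted from the intended policy.
"""

DEPTS = ["engineering", "marketing", "finance", "accounting"]

# What the design says: which department may initiate to which.
INTENDED = {
    ("engineering", "engineering"),
    ("marketing", "marketing"), ("marketing", "finance"), ("marketing", "accounting"),
    ("accounting", "accounting"), ("accounting", "finance"),
}

# Constructed rule set as pushed to one gateway, in order; "*" is a wildcard.
ENFORCED = [
    ("marketing", "*", "deny"),          # broad deny added in a hurry
    ("marketing", "finance", "permit"),  # never reached: shadowed by rule 0
    ("engineering", "engineering", "permit"),
    ("accounting", "*", "permit"),       # over-broad: also reaches marketing
]

def _covers(field, value):
    """A rule field matches a concrete value (or a narrower field) if it is
    the wildcard or exactly that value."""
    return field == "*" or field == value

def evaluate(rules, src, dst):
    """First matching rule wins; anything unmatched is denied."""
    for rule_src, rule_dst, action in rules:
        if _covers(rule_src, src) and _covers(rule_dst, dst):
            return action
    return "deny"

def find_shadowed(rules):
    """Return (later, earlier, conflicting) for each rule that an earlier rule
    fully covers, so the later rule can never fire. 'conflicting' is True when
    the two rules disagree on action, i.e. a genuine policy conflict."""
    found = []
    for j, (sj, dj, aj) in enumerate(rules):
        for i, (si, di, ai) in enumerate(rules[:j]):
            if _covers(si, sj) and _covers(di, dj):
                found.append((j, i, ai != aj))
                break
    return found

def verify(rules, intended, depts):
    """Compare enforcement with design over every department pair.
    Returns (missing, extra): pairs the design permits but the gateway denies,
    and pairs the gateway permits that the design never authorised."""
    permitted = {(s, d) for s in depts for d in depts
                 if evaluate(rules, s, d) == "permit"}
    return sorted(intended - permitted), sorted(permitted - intended)

if __name__ == "__main__":
    for later, earlier, conflict in find_shadowed(ENFORCED):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"rule {later} is shadowed by rule {earlier} ({kind})")
    missing, extra = verify(ENFORCED, INTENDED, DEPTS)
    print("designed but not enforced:", missing)
    print("enforced but not designed:", extra)
```

Run against the constructed rule set, the check reports rule 1 as shadowed and contradicted by rule 0, three marketing pairs that the design permits but the gateway denies, and two accounting pairs the gateway permits without authorisation. A map that draws only the authorised links would make the same discrepancies visible; this is the same comparison done in code.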

What to look for in a VPN management package

When evaluating management platforms that come with VPNs, look for the following:

Policy

Does the software automatically convert policy changes into configuration changes that must be made to the servers at each node of the VPN?

Configuration

Does the platform automatically send configuration changes to VPN servers after these changes have been made on a central management station?

Clients

Is there a mechanism to distribute, configure and update software on remote PCs without someone manually setting up each machine? Are software updates and policy changes pushed automatically when remote machines log on?

Graphics

Does the software create a VPN map that depicts the types of connections that have been authorized by policy settings? Can the platform pull data from existing databases to reduce the amount of time it takes to define user groups and authorizations?

Some service providers, OneSecure among them, have taken these GUIs one step further. The company's platform not only sets policies but also translates them into commands that reconfigure the VPN gateways involved, and executes those configuration changes. The key difference between these service-provider-written platforms and those written by vendors is that they can configure multivendor VPNs.

These platforms must be built with specific vendors' gear in mind to generate the commands to reconfigure the gateways. So Zuk's OneSecure, for example, has management software that supports Cisco, NetScreen and Check Point gear. Competing provider SmartPipes has software that supports Cisco- and Microsoft-based VPNs.

So far, such software is custom-made by service providers for their own use and is not for sale, but that could change if demand were high, Zuk says.

Most VPN management platforms support SNMP, but they have no special provision for integrating their own features with umbrella management frameworks such as those from Hewlett-Packard and Tivoli Systems.

Users should look for a tool that lets end users download the VPN client software, with an installation wizard that makes it possible for nontechnical users to install it themselves. They should also look for a mechanism for making policy changes on a server that then pushes the changes to the appropriate client groups as they log on.

"The key is, you don't want to have to touch every PC, laptop, whatever," says Chris Christiansen, an analyst with IDC.

Copyright, 1994-2006 Network World, Inc. All rights reserved.