
VPN software is not created equal

Advanced features require advanced corporate network planning.

By , Network World
January 13, 2003 12:00 AM ET

Network World - With IP Security VPNs established as a preferred method of remote access, businesses now must weigh an array of options that can make deploying and managing these VPNs less daunting.

Optional features range from automatic installation of VPN client software to policy checkers that deny VPN access if personal firewalls aren't turned on and configured properly. The features differ among VPN client software, so customers have to shop carefully.

Remote-access VPNs call for single PCs and laptops to connect to the Internet and establish a VPN tunnel with centrally located VPN concentrators, an architecture that presents two main challenges: first, how to distribute and manage software on a large number of remote machines with minimal manpower; second, how to ensure that these machines don't threaten the security of the corporate network.

In the early days of VPNs, these clients weren't deployed in large enough numbers to make distributing and updating them a problem. But today, for large, remote-access VPN deployments, automated distribution and configuration tools are a must, says Larry Bolick, CIO of Aquent, a Boston IT consulting firm that uses Nortel Contivity VPN equipment. Otherwise, updates and policy changes would become too unwieldy to handle, he says.

Most vendors have solved the problem with downloadable software that installs itself so end users can handle it without IT assistance. "The help desk gives them the password to install, and after that, it's all silent and automated," says Gary Gatten, senior network engineer for LabOne, a medical testing firm in Lenexa, Kan., that uses Avaya VPN products.

Once remote-access VPN clients are up and running, policies control the use of their IPSec tunnels. The policies also dictate a variety of parameters, such as the VPN concentrators to which the clients can connect and what level of encryption to use. The clients also must be informed of the addition or removal of devices on the network.

To handle this task efficiently, Check Point, Cisco, NetScreen Technologies and others offer policy servers that update clients with new policies that have been added since the last time the client machine logged on. These servers can store multiple policies for different groups or individuals. In addition to keeping policies current, this arrangement means no policy remains on the client machine when the VPN connection is severed. This eliminates the security risk that the information would pose if the machine were stolen, Gatten says.

This type of auto-update feature is important because it keeps end users out of the equation when it comes to updating policies, says Zeus Kerravala, an analyst with The Yankee Group. Users might put off retrieving updates, especially if they tie into the VPN over slow connections. "No matter how simple you make a client, if it interfaces with an end user, you are going to have problems," Kerravala says.

Dents in the armor

Even with current policies in place, remote PCs can become chinks in the armor of a corporate network, so many VPN vendors are bundling personal firewalls with their client software to block hackers from using a remote machine as a backdoor to the corporate network, says Dave Kosiur, an analyst with Burton Group. But installing the firewall is no guarantee it is being used, so automatic scanning of remote machines for properly configured firewalls is also important, he says. The same is true for virus-scanning software, which is also becoming part of VPN client bundles.
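The two mechanisms described above, a policy server that hands a client only the revisions added since its last logon and a posture check that denies the tunnel when the personal firewall or virus scanner is not properly set up, sketched together as an added example. This is constructed illustration code, not any vendor's product; the group names, policy fields, posture keys and hostnames are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    version: int
    concentrators: frozenset    # VPN concentrators the client may tunnel to
    min_cipher: str             # lowest acceptable IPSec cipher (see CIPHER_RANK)
    require_firewall: bool = True
    require_antivirus: bool = True

CIPHER_RANK = {"des": 0, "3des": 1, "aes": 2}

# Constructed policy store: one ordered revision history per group (placeholder hostnames).
POLICY_HISTORY = {
    "contractors": [
        Policy(1, frozenset({"vpn1.example.test"}), "3des"),
        Policy(2, frozenset({"vpn1.example.test", "vpn2.example.test"}), "aes"),
    ],
    "staff": [
        Policy(1, frozenset({"vpn1.example.test", "vpn2.example.test"}), "aes",
               require_antivirus=False),
    ],
}

def policies_since(group, last_seen_version):
    """Revisions added after the version the client applied at its last logon."""
    return [p for p in POLICY_HISTORY[group] if p.version > last_seen_version]

def posture_violations(policy, posture):
    """Compare the state the client agent reports with the policy to enforce.
    Missing keys count as failures, so a silent agent cannot pass by omission."""
    fails = []
    if policy.require_firewall and not posture.get("firewall_enabled"):
        fails.append("personal firewall disabled")
    elif policy.require_firewall and not posture.get("firewall_blocks_inbound"):
        fails.append("firewall on but not configured to block unsolicited inbound")
    if policy.require_antivirus and not posture.get("antivirus_running"):
        fails.append("virus scanner not running")
    if CIPHER_RANK.get(posture.get("proposed_cipher"), -1) < CIPHER_RANK[policy.min_cipher]:
        fails.append("proposed cipher below policy minimum")
    if posture.get("concentrator") not in policy.concentrators:
        fails.append("concentrator not permitted for this group")
    return fails

def evaluate_logon(group, last_seen_version, posture):
    """Gate the tunnel on the newest revision and return the revisions the client is missing."""
    current = POLICY_HISTORY[group][-1]
    fails = posture_violations(current, posture)
    return ("allow" if not fails else "deny"), policies_since(group, last_seen_version), fails
```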
