Choosing the Right Remote Access VPN: 9 Important Questions

Last time I looked at some important questions to ask when selecting a site-to-site VPN protocol or technology. This time I will discuss some of the important questions to ask when choosing a remote access VPN.

A remote access VPN allows you to provide connectivity to a central site for remote users such as telecommuters or “road-warriors”. But if you want to deploy a remote access VPN, which protocol or technology should you choose? Should it be IPsec? Should it be L2TP/IPsec? Or should it be SSL/TLS? And how about PPTP, or even L2F? 

Here are some questions that you can ask yourself in order to help you choose a remote access VPN protocol or technology:

1. Is it secure?

2. Do remote users want to access the central site from airport kiosks, Internet cafés, and other similar types of location or (untrusted) devices?

3. Is the use of zero-administration remote access client software (web browser) desirable?

4. Do remote users require only limited file/application access?

5. Do remote users require full access comparable to that experienced by people on the central site LAN?

6. Do remote users require access to non-IP applications?

7. Is compliance with industry (IETF) standards important?

8. Is richer functionality including control of split-tunneling, client software auto-update, enforcement of client firewall policies, and so on most important?

9. Are you a service provider that wishes to backhaul PPP connections across a network?

1. Is it secure? 

The first question to ask is whether the remote access VPN protocol or technology in question is secure, or can be made secure. 

Security is a prime concern in remote access VPNs because the traffic will be transiting the Internet between the remote users’ software or hardware VPN clients and the central site remote access VPN gateway. 

So which of the remote access VPNs is secure? Well, IPsec, correctly designed and configured, can be very secure (have I mentioned that already?!); SSL/TLS can be secure assuming the proper version and cipher suites (cryptographic algorithms) are chosen; plain L2TP (without IPsec protection) lacks any meaningful security; and PPTP just can’t be considered secure. 

Because of the insecurity of PPTP, and the fact that it was superseded by L2TP/IPsec, that’s all I am going to say about it, except this: don’t deploy it; deploy something else instead.

If you want a secure remote access VPN, therefore, it’s going to have to be IPsec, SSL/TLS, or L2TP over IPsec (L2TP/IPsec).

2. Do remote users want to access the central site from airport kiosks, Internet cafés, and other similar types of location or (untrusted) devices? 

This one is pretty simple. If your remote access VPN users need to connect from untrusted devices such as those at Internet cafés or airport kiosks, then a good option is SSL.

But, because of the insecure nature of the machines from which users will connect, you’ll also need to deploy a solution such as Cisco’s Secure Desktop to help address security concerns. 

If you do allow connectivity from untrusted devices, however, also be aware of potential limitations and vulnerabilities of solutions such as Secure Desktop. 

3. Is the use of zero-administration remote access client software (web browser) desirable? 

If zero administration is important (i.e. no installation and maintenance of VPN client software), then clientless SSL remote access VPNs are a good choice.

In this case, no client software needs to be installed on remote access VPN users’ laptops and other machines because the necessary SSL functionality is already included in web browsers.  

But it’s important to remember that you won’t get the same richness of functionality with clientless SSL remote access VPNs as you would get, for example, with IPsec, SSL with specific client software, or L2TP/IPsec.  

4. Do remote users require only limited file/application access? 

If users only need limited file and/or application access then clientless SSL remote access VPNs are again a good option. 

File and/or application access could also be provided by more functional/feature-rich remote access VPN types such as IPsec, but, as previously mentioned, the advantage of clientless SSL VPNs is the fact that no specific client software needs to be installed on users’ machines.  

5. Do remote users require full access comparable to that experienced by people on the local central site LAN? 

If remote users need full access then clientless SSL remote access VPNs are not going to do the job. In this case, you’re going to need IPsec, L2TP/IPsec, or SSL (with full client software).  

6. Do remote users require access to non-IP applications? 

IPsec and SSL remote access VPNs are IP-based, while L2TPv2/IPsec is designed to tunnel PPP. PPP, in turn, can be used to transport pretty much any layer-3 protocol.

So, while it is technically possible to tunnel pretty much anything over IPsec or SSL, L2TP/IPsec is the (most straightforward) way to go if you need to tunnel non-IP applications in a remote access VPN.  

7. Is compliance with industry (IETF) standards important? 

This question is typically important if you have a multi-vendor solution. In that case, you are almost certainly going to have to go with a standards-based solution. 

While both IPsec and SSL are standards-based protocols, they have been stretched or extended by specific vendors using particular client software or non-standards based ‘add-ons’ in order to allow ‘fully functional’ remote access VPNs. 

In a multi-vendor environment, therefore, you’re probably going to have to go with a fully standards-based remote access VPN solution based on L2TP/IPsec.  

8. Is richer functionality including control of split-tunneling, client software auto-update, enforcement of client firewall policies, and so on most important? 

If you need a feature-rich remote access VPN, including functionality such as client software auto-updates, enforcement of firewall policies, and so on, then you are almost certainly going to have to deploy a single-vendor solution based on IPsec or possibly SSL. Which you choose depends on which features you want and which features particular vendors support with each protocol.

While L2TP/IPsec is a very good solution in a multi-vendor environment, vendors typically offer more functionality with their own proprietary end-to-end solutions (VPN gateway and client software/hardware) using IPsec and SSL.  

9. Are you a service provider that wishes to backhaul PPP connections across a network? 

Finally, if you are a service provider looking to backhaul PPP (or other layer-2) connections across your network, then L2TP is the way to go.

L2F and even PPTP can also backhaul PPP, but they are both now considered legacy protocols, and have been superseded by L2TP.  
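To show how the nine questions combine, here is a small Python decision helper, added as an illustration and not part of the original article. It encodes each question as an elimination rule over the technologies the article names and reports the caveats the article attaches to each answer; the candidate set, the field names, and the split of SSL into clientless and full-client forms are my own assumptions. An empty result means the answers conflict (for example, browser-only clients together with full LAN access), which the questions alone do not make obvious.

```python
from dataclasses import dataclass

# Candidate technologies named in the article (assumed set). "SSL" is split into
# clientless (browser only) and full-client forms because several questions
# distinguish between them.
CANDIDATES = frozenset({
    "IPsec", "L2TP/IPsec", "SSL clientless", "SSL full client",
    "L2TP (plain)", "PPTP",
})


@dataclass
class Requirements:
    """One boolean per question; the field names are my own shorthand (assumption)."""
    secure: bool = True                # Q1
    untrusted_devices: bool = False    # Q2
    zero_admin: bool = False           # Q3
    limited_access_only: bool = False  # Q4
    full_lan_access: bool = False      # Q5
    non_ip_apps: bool = False          # Q6
    multi_vendor: bool = False         # Q7
    rich_features: bool = False        # Q8
    provider_backhaul: bool = False    # Q9


def recommend(req: Requirements):
    """Apply the nine questions as elimination rules.

    Returns (options, notes): the technologies still viable after every rule,
    and the caveats attached to the answers given. An empty set means the
    answers conflict and one requirement has to be relaxed.
    """
    options = set(CANDIDATES)
    notes = []

    if req.secure:
        # Q1: plain L2TP has no meaningful security; PPTP cannot be considered secure.
        options -= {"L2TP (plain)", "PPTP"}
    if req.untrusted_devices:
        # Q2: kiosks and cafes -> SSL, plus an endpoint-integrity product.
        options &= {"SSL clientless", "SSL full client"}
        notes.append("Q2: add an endpoint-integrity solution such as Cisco Secure Desktop "
                     "and review its limitations")
    if req.zero_admin:
        # Q3: no client install -> browser-based (clientless) SSL only.
        options &= {"SSL clientless"}
        notes.append("Q3: clientless SSL offers less functionality than IPsec, "
                     "SSL with a client, or L2TP/IPsec")
    if req.limited_access_only:
        # Q4: limited file/application access eliminates nothing; clientless SSL is preferred.
        notes.append("Q4: limited access favours clientless SSL (no client software to install)")
    if req.full_lan_access:
        # Q5: LAN-equivalent access rules out clientless SSL.
        options -= {"SSL clientless"}
    if req.non_ip_apps:
        # Q6: non-IP applications -> tunnel PPP, i.e. an L2TP-based solution.
        options &= {"L2TP/IPsec", "L2TP (plain)"}
        notes.append("Q6: IPsec/SSL can tunnel non-IP traffic with extra work, "
                     "but L2TP/IPsec is the straightforward route")
    if req.multi_vendor:
        # Q7: fully standards-based across vendors -> L2TP/IPsec.
        options &= {"L2TP/IPsec"}
    if req.rich_features:
        # Q8: split-tunnel control, auto-update, firewall enforcement -> single-vendor IPsec or SSL client.
        options &= {"IPsec", "SSL full client"}
        notes.append("Q8: expect a single-vendor gateway plus client solution")
    if req.provider_backhaul:
        # Q9: backhauling PPP across a provider network -> L2TP (L2F and PPTP are legacy).
        options &= {"L2TP/IPsec", "L2TP (plain)"}

    if not options:
        notes.append("Conflict: no technology satisfies every answer; relax one requirement")
    return options, notes


if __name__ == "__main__":
    # Constructed sample answer sets, including one deliberately conflicting one.
    for req in (Requirements(),
                Requirements(untrusted_devices=True, zero_admin=True),
                Requirements(zero_admin=True, full_lan_access=True),
                Requirements(multi_vendor=True, non_ip_apps=True)):
        options, notes = recommend(req)
        print(sorted(options), notes)
```

The rules intersect rather than score, so the helper never ranks surviving options; it only tells you which technologies the answers have not excluded and which caveats apply, and it flags a conflicting set of answers explicitly.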

Next time, in a complete change from talking about VPNs, I’ll be taking a look at what you need do in order to get yourself ready for the CCIE Voice written exam. 

Mark 


Copyright © 2007 IDG Communications, Inc.
