
Decision Support: Cost benefit of VPN appliances vs. VPN servers

Decide which is better for your network: VPN appliances or VPN servers


An increasing number of organizations are using VPNs to connect branch offices, telecommuting workers, business partners, and other users to the corporate network. A superior alternative to long-distance dial-in, leased-line, or Frame Relay connections, VPNs can be used to securely carry information at a fraction of the cost.

These cost savings are the catalyst driving IT managers and administrators to develop end-to-end secure VPN solutions for their organizations. Specifically, these professionals are asking the question, “VPN appliance or VPN server, which solution provides the greatest cost benefit?” Here is a look at those options and a third: managed service providers.

Integrated appliance
When we take a look at the VPN appliances offered today, we notice two different flavors: stand-alone VPN appliances and integrated VPN appliances such as VPN-enabled firewalls and routers. With the integrated VPN appliance, we find our first and possibly most important cost benefit. Currently deployed hardware firewalls such as the Cisco PIX, Nokia Check Point Firewall, and WatchGuard Firebox include optional VPN capabilities out of the box.

Virtually all routers, including Cisco’s access and modular routers, also include VPN support. The cost associated with this solution is often included in the firewall or router. Getting VPN services going in this scenario often means making just a few configuration changes in the firewall or router itself. Because VPNs fall within a comprehensive network security policy, an integrated VPN appliance can save thousands through simplified security policy administration, particularly in environments where multiple firewalls, routers, and VPN gateways are required.

Stand-alone VPN appliances, some referred to as VPN concentrators, primarily find a place in organizations where simultaneous VPN connections need to number in the thousands. They provide high availability, high performance, and scalability that is unmatched by any integrated appliance or VPN server. The increase in reliability, capacity, and throughput is not without its costs, however. Expect to pay several times more for an enterprise-level VPN concentrator with these capabilities.

VPN servers
So far, we have heard how integrated VPN appliances offer impressive cost benefits. From this, it would seem the question of whether to choose a VPN appliance or build a VPN server would be a rather simple one to answer. To determine if this scenario is true, let’s take a closer look at the option of building and using a VPN server(s) for secure Internet communications.

Microsoft, Novell, UNIX, AS400, and Linux are all capable of providing VPN services (granted, some better than others). Chances are you run one of these common operating systems in your organization today and are very familiar with them. This can be a tremendous cost benefit to organizations that do not have an existing firewall or router with VPN capabilities.

The integration of VPN services into the operating system means that IT professionals who work with these operating systems are already familiar with how to navigate these systems and do not have to worry about learning a new product. Since most VPN appliances do not integrate well with existing networks, using servers for VPN services often means greater integration with the network, particularly in the area of authentication. Microsoft-centric organizations can take advantage of the seamless integration Windows 2000 and possibly ISA Server has to offer when creating VPNs in conjunction with Active Directory, certificates, and smart cards. Client computers or sites that run current Microsoft operating systems will not encounter proprietary VPN issues or require an install of separate VPN client software.

Here’s where the cost benefits of using a VPN server stop. The issues of security, reliability, and cost stand out when evaluating a server-based VPN solution. It should be no surprise that a hardware-based VPN solution brings a greater degree of reliability and security than one built around a server operating system such as Microsoft's. The same is true in the case of firewalls and routers. The costs associated with maintaining security patches and basic server administration add up on a monthly basis. Additionally, the cost of building a VPN server solution can run in excess of $2,500 once the costs of hardware and software are added (although Linux does offer some exceptions).

The managed option
Traditionally, VPN solutions could be categorized in one of only two areas: VPN appliances or VPN servers. Today, the introduction of managed service providers has created a third possible solution. Well-known vendors such as WorldCom, Qwest, and AT&T are now offering regional, nationwide, and even international managed VPN services. This service allows companies to have an enterprise-wide VPN solution without a heavy investment in infrastructure or personnel. Most managed VPN providers will monitor your organization's VPN connections 24/7 to ensure they are available at the times when your remote users may need them most. Pricing varies but generally starts around $200 per month, per location, and often includes managed firewall services and service level agreements as well.

VPNs are permitting organizations to establish secure, end-to-end, private network connections over the Internet while reducing communication costs. Implementing and maintaining VPNs requires choosing the right solution and an in-depth understanding of public network security issues. Whether you are looking at a VPN appliance, server, or managed service provider, performing proper cost/benefit analyses can be the most important step in a successful VPN solution.

Which VPN solution have you chosen?
Are you going with VPN appliances or servers? Or maybe you’ve chosen a managed service provider. Drop us a line or post a comment to this article.

 
