Your company has grown to the point where you have employees working from home, executives and sales people who work while they're on the road, and collaborative partners who are working with you to develop or provide products and services. All of these people need a way to securely access resources on your network from off-site locations.
The old dial-in remote access server just doesn't cut it anymore; you don't want to keep adding modems to accommodate the increasing need, and long distance charges are mounting.
You know you need to implement a virtual private network (VPN) solution, but you're confused by all the options. Should you set up Windows VPN servers, buy a dedicated VPN appliance or use a firewall-integrated VPN solution? Which tunneling protocol(s) should you use? Your VPN needs are still relatively light, but the company is growing fast, and you don't want to have to "rip and re-do" in a couple of years, so scalability is an important factor.
Here's a look at how you can build a cost-effective VPN solution that has scalability built in from the beginning.
Protocol scalability considerations
A VPN is a secure tunnel through the Internet that is created through a connection between an individual user's computer (remote access VPN) or a remote site such as a branch office (site-to-site VPN) and a VPN server on the corporate network. There are several different tunneling protocols that can be used to create VPN or VPN-like connections. The most common are:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Internet Protocol Security (IPSec) tunnel mode
- Secure Sockets Layer (SSL)
Some VPN solutions support more than one of these protocols; others are more limited. Scalability needs will affect which tunneling protocols are most appropriate. Remote access users must have the proper client software to support the protocols you choose. For site-to-site VPNs, the VPN gateways at each end must support a common protocol.
PPTP was developed by Microsoft, and almost all Windows operating systems have built-in PPTP client software. There are also PPTP clients available for Linux/UNIX and Macintosh operating systems. This makes PPTP a good protocol choice for remote access VPNs in terms of scalability. However, it is not considered as secure as some of the other tunneling protocols. The PPTP encryption method, Microsoft Point-to-Point Encryption (MPPE), is not certificate-based. PPTP is supported by Microsoft's ISA Server firewall, Cisco PIX and some models of WatchGuard. However, because it is not supported by other firewall/integrated VPN products (such as Check Point and some models of WatchGuard and Netscreen appliances), it may not offer the scalability you need for site-to-site VPNs where those products are used at the remote gateway.
L2TP was developed as a joint effort between Microsoft and Cisco and combines features of PPTP and Cisco's Layer 2 Forwarding (L2F) protocol. It uses IPSec for encryption, providing strong security that, unlike PPTP, includes certificate-based authentication and data integrity as well as data confidentiality. An L2TP client is built into Microsoft's Windows 2000, XP and Server 2003 operating systems. Client software can be downloaded free and installed on Windows 98, Me and NT 4.0 computers. Software such as OpenL2TP can be used for Linux clients. Macintosh OS X 10.3 (Panther) includes an L2TP/IPSec VPN client. L2TP is also supported by Check Point, Cisco PIX and WatchGuard firewall/integrated VPN products and Microsoft's ISA Server, making it easy to create site-to-site VPNs.
In addition to doing the encryption for L2TP connections, IPSec can be used in tunnel mode to create the connection. IPSec VPNs are widely supported by firewall/integrated VPN appliances. It is the only tunneling protocol supported by all of the major firewall vendors (Microsoft's ISA Server, Check Point, Cisco PIX, Netscreen, SonicWall, WatchGuard and Symantec). This makes it very scalable for site-to-site VPNs.
The most scalable VPN protocol of all may be the one that is not, strictly speaking, a full-fledged VPN solution. That's SSL, the so-called "clientless" solution that actually uses the Web browser as the client and is an excellent solution if users need access only to Web-enabled servers. Since almost every computer has a Web browser that supports SSL, you can provide access to as many clients as you need, using any operating system, without the cost or trouble of installing client software.
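Before choosing which of these protocols to keep supporting, it helps to know which ones remote peers actually use today. The following Python inventory is an added example, not from the original article: it classifies constructed firewall flow records by the well-known IP-protocol and port signatures of PPTP, L2TP/IPSec, IPSec and SSL, and assumes the firewall logs IP protocol numbers and that SSL access is offered on a single portal address (the sample addresses and the portal address are constructed).

```python
# Constructed sample flow records: (src_ip, dst_ip, ip_proto, dst_port); ip_proto 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP.
FLOWS = [
    ("203.0.113.10", "198.51.100.1", 6, 1723),   # PPTP control channel
    ("203.0.113.10", "198.51.100.1", 47, None),  # GRE carrying the PPP frames
    ("203.0.113.20", "198.51.100.1", 17, 500),   # IKE negotiation
    ("203.0.113.20", "198.51.100.1", 17, 4500),  # ESP inside UDP (NAT traversal)
    ("203.0.113.30", "198.51.100.1", 17, 500),   # IKE negotiation
    ("203.0.113.30", "198.51.100.1", 50, None),  # native ESP, no NAT in the path
    ("203.0.113.40", "198.51.100.2", 6, 443),    # SSL to the web portal
    ("203.0.113.50", "198.51.100.1", 17, 1701),  # L2TP visible in the clear
]
SSL_PORTAL = "198.51.100.2"  # assumed address of the SSL-only portal (constructed)
# Well-known on-the-wire signatures: (ip_proto, dst_port) -> tunnel component.
SIGNATURES = {
    (6, 1723): "pptp-control",   # PPTP control channel
    (47, None): "pptp-gre",      # GRE carrying the PPP frames
    (17, 500): "ike",            # IKE negotiation for IPSec
    (17, 4500): "ipsec-nat-t",   # ESP inside UDP for NAT traversal
    (50, None): "esp",           # native ESP
    (17, 1701): "l2tp-clear",    # L2TP outside ESP: no IPSec protection at all
    (6, 443): "ssl",             # only counted toward the SSL portal address
}

def classify(dst_ip, ip_proto, dst_port):
    kind = SIGNATURES.get((ip_proto, dst_port))
    if kind == "ssl" and dst_ip != SSL_PORTAL:  # any other 443 is ordinary web traffic
        return None
    return kind

def summarize(flows):
    """Map each remote peer to the tunnel type implied by the components it sent."""
    seen = {}
    for src, dst, proto, port in flows:
        kind = classify(dst, proto, port)
        if kind:
            seen.setdefault(src, set()).add(kind)
    result = {}
    for peer, kinds in seen.items():
        if kinds & {"pptp-control", "pptp-gre"}:
            result[peer] = "PPTP"  # MPPE, no certificate-based auth: migration candidate
        elif "l2tp-clear" in kinds:
            result[peer] = "L2TP without IPSec"
        elif "ike" in kinds and kinds & {"esp", "ipsec-nat-t"}:
            # L2TP/IPSec and IPSec tunnel mode look identical here (IKE plus ESP): the L2TP header rides inside ESP.
            result[peer] = "IPSec (L2TP/IPSec or tunnel mode)"
        elif kinds == {"ssl"}:
            result[peer] = "SSL"
        else:
            result[peer] = "incomplete"  # e.g. IKE seen but no ESP ever followed
    return result
```

Peers reported as "PPTP" or "L2TP without IPSec" are the ones a migration to a certificate-based tunnel should target first; the IPSec bucket cannot tell L2TP/IPSec from tunnel mode without looking at the gateway's own logs.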
VPN Server Software vs. Appliance
Windows 2000 Server and Windows Server 2003 have built-in VPN server functionality. Software firewalls such as Microsoft ISA Server, Check Point and Symantec Enterprise Firewall also include built-in VPN gateway functionality. Alternatively, you can buy a dedicated VPN appliance or VPN concentrator such as those from Cisco, Shiva, Citrix, AEP Networks and Evidian (TrustWay). Most firewall appliances, such as those from Cisco, SonicWall, WatchGuard, Netscreen, Nokia (based on Check Point) and others, provide some kind of VPN gateway functionality.
Which is the more scalable solution? Whereas turn-key appliances may be easier to set up and deploy, they are also often more limited in the number of connections they support, and it is more difficult to upgrade the hardware to accommodate more users.
With a VPN server running on a regular network OS on a standard server box, you can easily add RAM, upgrade the processor, upgrade the network interface cards, and otherwise increase the hardware capabilities without buying a whole new box.
On the other hand, as you scale up, you may also want to consider scaling out, distributing your VPN services across multiple servers or appliances. Users can connect to specific servers based on geographic location or access needs. This provides fault tolerance and failover if one of the VPN boxes is down; the users assigned to that box can simply connect to another. In fact, you can set up the infrastructure so that this happens automatically: if the connection to the primary VPN server fails, the client automatically connects to an alternate VPN box. Third-party solutions are available that make this process completely transparent, so the user never even sees the disconnect/reconnect.
Assessing your needs
The best choice for a VPN solution will depend on your current business model and how you expect the company to evolve in the future. If you anticipate a large corporate facility located in one or a few geographic areas, you'll want to go with a high-end solution that can support fast throughput and a large number of users, and you'll want it to integrate easily with your firewalls, authentication servers, routers, and other components. If your business will follow a more distributed path, with many branch offices, you'll need multiple VPN boxes, but they'll need to be compatible with each other for site-to-site implementation, and you'll also want to maintain centralized management. If you anticipate many telecommuters and traveling users (remote access), you'll want client compatibility and expandability as the number of remote access users increases.
As always, the first step in ensuring that your VPN solution scales with your business is planning, and taking into consideration your anticipated business structure and needs as well as those you are addressing now.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.