Enterprise VPNs are critical for connecting remote workers to company resources via reliable and secure links to foster communication and productivity. Read about six viable choices for businesses.
We are almost a year into the coronavirus pandemic and the value of VPN solutions to help employees conduct business operations from remote locations continues to be proven on a daily basis. Thousands of businesses have stayed afloat, and hundreds of thousands of jobs have been preserved thanks to VPN options, which are available for mobile devices and computers.
The significance of secure connectivity cannot be emphasized enough. A VPN offers access to company resources that were, in many cases, once limited to on-premises systems. The physical security benefits of using company-owned workstations that use restricted in-house networks to access in-house systems and data are now being traded for the flexibility and convenience of having a remote workforce that can connect to systems from all around the globe. Those connections must be safeguarded, especially when originating from employee-owned devices (a practice I do not encourage).
Multi-factor authentication, disabling split tunneling, implementing a maximum connection-time window after which employees must re-authenticate and mandating complex, rotating passwords are several examples of how to bolster enterprise VPN security.
In addition, I recommend setting up a dedicated subnet for VPN users exclusively and then implementing role-based rules to determine which systems and networks they can access. For instance, system administrators would likely have a broader level of access than end users, who can be segregated into groups based on department and only provided the ability to get to the bare minimum of systems or services needed to perform their jobs.
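The dedicated-subnet and role-based rules described above can be expressed as a default-deny policy and audited for rules that are broader than a role needs. The following is an added example, not code from any vendor product; the subnet, role names, destination networks and ports are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the article or any product).
VPN_SUBNET = ipaddress.ip_network("10.99.0.0/24")  # dedicated subnet for VPN users

# role -> list of (destination network, allowed TCP ports)
ROLE_RULES = {
    "sysadmin":    [("10.0.0.0/8", {22, 443, 3389})],   # broad access by design
    "finance":     [("10.20.5.0/28", {443})],           # finance application servers only
    "engineering": [("10.30.0.0/24", {22, 443})],       # build and source hosts only
}


def is_allowed(role, src, dst, port, rules=ROLE_RULES):
    """Default-deny decision for one flow originating from a VPN client."""
    if ipaddress.ip_address(src) not in VPN_SUBNET:
        return False  # these rules only ever apply to the dedicated VPN subnet
    dst_ip = ipaddress.ip_address(dst)
    for net, ports in rules.get(role, []):  # unknown role -> no rules -> deny
        if dst_ip in ipaddress.ip_network(net) and port in ports:
            return True
    return False


def overly_broad(rules=ROLE_RULES, max_hosts=256, admin_roles=("sysadmin",)):
    """Return (role, network) pairs where a non-admin role reaches more
    addresses than max_hosts, a sign the rule exceeds the bare minimum."""
    findings = []
    for role, entries in rules.items():
        if role in admin_roles:
            continue
        for net, _ports in entries:
            if ipaddress.ip_network(net).num_addresses > max_hosts:
                findings.append((role, net))
    return findings


if __name__ == "__main__":
    print(is_allowed("finance", "10.99.0.15", "10.20.5.3", 443))    # in-scope flow
    print(is_allowed("finance", "10.99.0.15", "10.30.0.4", 22))     # other department
    print(overly_broad(max_hosts=16))                               # tighter audit
```
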
The concept of "top VPNs" might be subjective, but here is a roundup of six of the highest-reviewed VPN solutions as recommended to Gartner. I have personally used some and had good experiences with them.
Cisco AnyConnect
Cisco AnyConnect is my current VPN client for my job. It uses multi-factor authentication and establishes a 24-hour usage window after which my connection drops and I am required to log in again. Fortunately, the client notifies me when the time window is nearly up as well as when it has expired so I'm not confused, wondering why I suddenly can't access company systems.
AnyConnect has many security options. It performs a system check on authentication to determine whether the workstation meets certain requirements like anti-malware software or corporate domain membership before it permits access to the company network. This ensures only company-managed systems are allowed on the VPN. AnyConnect can block access to untrusted servers, display security products installed, and run diagnostics to gather information for analysis and troubleshooting. It disables split tunneling, meaning when you're connected to the VPN you can only access corporate resources and nothing on your local home network or the internet.
Pricing: Per CDW, there is an array of options such as a base-user license cost from 72 cents to $3.99 per user for one year, $2.99 per user for three years, and many bulk-volume license cost options, depending on user count and need. Check the vendor directly for the latest details.
Checkpoint Secure Remote Access
The Checkpoint Secure Remote Access VPN was my previous VPN option (utilizing IPsec) and we did not terminate usage of it due to any dissatisfaction or problems with it; a merger required shifting to a whole new set of software.
Checkpoint was for several years a reliable and robust solution that was easy to install and maintain. We could create custom install packages pre-configured with the target IP address(es) for clients to authenticate to. Like AnyConnect, it was secured by multi-factor authentication (in this case either hard tokens or soft tokens, which operated as an app on mobile devices).
Like AnyConnect, split tunneling was disabled, and for clients to get to the internet they would have to configure the company proxy server settings, which only permitted access to public-facing internet sites for business usage (social media sites were blocked, for instance). Group memberships determined who could connect where, and as we also used Checkpoint firewalls, the management interface for both the VPN and the firewall settings was a "single pane of glass" offering.
We also used Checkpoint Site-to-Site VPNs to link two remote areas together so traffic could reach networks on either side.
SonicWall Global VPN Client
I have fond memories of the SonicWall Global VPN Client from back in the mid-2000s. It was the first "real" VPN solution that enabled me to access my office from my home, a 40-minute drive away. I had previously used a different product, better left undiscussed.
SonicWall offers a fast and efficient product that provides RADIUS/certificate/Smart Card/USB authentication, VPN session reliability to redirect clients to other VPN gateways if problems occur, 168-bit key 3DES (Data Encryption Standard) and AES (Advanced Encryption Standard) security, specific subnet access and command-line options for installation, making it easy to deploy through automated software mechanisms.
Pricing: Per CDW, base individual user license costs are about $215 before appliance costs and bulk-volume licenses are also involved. Check the vendor directly for the latest details.
Fortinet FortiClient
Fortinet FortiClient relies on certificates for integration and deployment and offers web filtering and firewall rule access. Endpoint protection security, which uses automated behavior analysis, is included, a solution so sophisticated it was found to have blocked 100% of malware in a 2019 report while also yielding zero false positives.
A "single pane of glass" approach similar to Checkpoint provides one-stop-shopping to manage configuration, deployment and management as well as check client status and engage in vulnerability scanning and patching.
Pricing: Per CDW the lowest available single-user license for one year is $163.99, and costs and options get more complex. Check the vendor directly for the latest details.
Palo Alto GlobalProtect
Palo Alto GlobalProtect offers similar features to prior products listed, such as multi-factor authentication, high security (cookie or certificate-based authentication are two strong features), web filtering and threat protection. It relies on Zero Trust principles.
GlobalProtect displays significant capability in identifying what devices are connecting to the VPN and whether they are managed (company-owned or operated) or unmanaged (employee-owned), and providing access accordingly (devices deemed suspicious or unauthorized can be blocked entirely). It can determine certificates present on devices, operating system and patch levels, anti-malware versions and status, running software and whether disks are encrypted and data is being backed up by a product.
Pricing: Palo Alto was the most coy vendor listed here in terms of pricing (CDW does not display the figures). Check the vendor directly for the latest details.
ZScaler Private Access
ZScaler Private Access is a different product from the previous offerings in this article. Rather than being a traditional end-user VPN client, it's a cloud service that provides access to applications in cloud environments or on-premises systems via a distributed architecture. The twist here is that the applications connect to authorized users via secure encryption rather than vice versa, so users never actually access the remote networks involved.
It uses standard policy-based access depending on users and applications. ZScaler touts the ease with which mergers and acquisitions can be facilitated due to the reduced infrastructure setup times and lack of need for additional networking equipment.
As with Palo Alto, ZScaler doesn't provide a whole lot of pricing information without being contacted directly, but a pricing spreadsheet of its products lists a 50-user professional suite license for $79.17 per user ($3,958.50 total), a 50-user business suite license for $162.50 per user ($8,125.00 total) and a 50-user enterprise suite license for $329.17 per user ($16,458.50 total).