Columnist Salvatore Salamone welcomes TechRepublic members' questions and invites you to send yours in. The column will also look intermittently at VPN trends.
How can I determine interoperability?
Q: How well do VPN products interoperate? Is there a way to tell if products are interoperable before buying them?
—Member e-mail, anonymity requested
Salamone: VPN products that support a common standard such as the Point-to-Point Tunneling Protocol (PPTP) or IP Security (IPSec) typically interoperate at a basic level with other products that support the same standard. For years, some companies used the PPTP VPN client built into Microsoft Windows to connect to VPN servers from a variety of vendors.
Interoperability gets trickier when higher-level functions, such as encryption key exchange and digital certificate validation checks, are required. To get an understanding of higher-level interoperability issues, there are two very good sources of information: TruSecure Corp. and the VPN Consortium.
TruSecure, formerly the International Computer Security Association, helps enterprise clients secure information assets. For years, TruSecure’s ICSA Labs IPSec certification testing was the only game in town. In the past, some industry groups, such as the Automotive Industry Exchange Network, required all VPN products used in its network to be IPSec certified by ICSA Labs. And for years, most major vendors have felt compelled to run their products through the ICSA Labs certification process.
Currently, more than two dozen VPN products from more than 20 vendors are certified through TruSecure’s IPSec certification program. Products that go through the certification process must pass a set of requirements for the Internet Key Exchange and IPSec protocols, as well as some specific cryptographic certification criteria set down by ICSA Labs.
The second source of information on VPN product interoperability is the VPN Consortium. The consortium is an industry trade association that tackles VPN interoperability issues. Members routinely participate in interoperability "bake-offs" to see how specific features of their VPN equipment work with equipment from other vendors.
The consortium tests VPN products for interoperability and compliance; in fact, the group’s logos for both are commonly seen on VPN equipment. An interoperability logo on a piece of VPN equipment means the vendor has demonstrated that the product interoperates with other products in the group’s testing program. A compliance logo means that the product conforms to specific parts of the IPSec standard.
The VPN Consortium has an extensive list of IPSec and cryptographic features supported by each vendor member. You can view this information in a chart on the organization’s site.
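One practical way to use a feature chart like the consortium's before buying is to line up the IKE proposals one product will offer against the encryption algorithms, integrity algorithms, Diffie-Hellman groups and authentication methods the other product lists, and see whether any offered proposal is fully covered. The following Python script is an added example and is not code from the column, TruSecure or the VPN Consortium; the vendor feature sets and proposal lists in it are constructed for illustration, and the selection rule it models (the responder accepts the first offered proposal it fully supports, and the shorter of the two SA lifetimes wins) is the common behaviour, although some products reject a lifetime mismatch outright, which the script does not model.

```python
"""Check whether two IPSec gateways share a usable IKE phase 1 proposal.

Added example; vendor data below is constructed, not taken from any real
certification chart.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE phase 1 transform as an initiator would offer it."""
    encryption: str   # e.g. "3des", "aes128"
    integrity: str    # e.g. "sha1", "md5"
    dh_group: int     # IKE Diffie-Hellman group number
    auth: str         # "psk" (pre-shared key) or "rsa-sig" (certificates)
    lifetime_s: int   # SA lifetime in seconds


@dataclass
class VendorSupport:
    """Feature set as a vendor would list it on an interoperability chart."""
    name: str
    encryption: Set[str]
    integrity: Set[str]
    dh_groups: Set[int]
    auth: Set[str]
    lifetime_s: int


def negotiate(initiator: List[Proposal],
              responder: VendorSupport) -> Tuple[Optional[Proposal], List[str]]:
    """Emulate responder selection: take the first offered proposal the
    responder fully supports. Returns (chosen proposal or None, reasons why
    earlier proposals were rejected). A lifetime mismatch is not fatal here;
    the shorter lifetime is used (assumption: some products reject instead)."""
    reasons: List[str] = []
    for index, p in enumerate(initiator, start=1):
        missing = []
        if p.encryption not in responder.encryption:
            missing.append(f"encryption {p.encryption}")
        if p.integrity not in responder.integrity:
            missing.append(f"integrity {p.integrity}")
        if p.dh_group not in responder.dh_groups:
            missing.append(f"DH group {p.dh_group}")
        if p.auth not in responder.auth:
            missing.append(f"auth {p.auth}")
        if not missing:
            chosen = Proposal(p.encryption, p.integrity, p.dh_group, p.auth,
                              min(p.lifetime_s, responder.lifetime_s))
            return chosen, reasons
        reasons.append(f"proposal {index}: {responder.name} lacks "
                       + ", ".join(missing))
    return None, reasons


# Constructed data: what "Vendor A" offers, in the order it offers it.
VENDOR_A_PROPOSALS = [
    Proposal("aes128", "sha1", 5, "rsa-sig", 28800),   # certificate-based, group 5
    Proposal("3des", "sha1", 2, "psk", 28800),         # lowest common denominator
]

# Constructed data: two candidate peers as their feature charts might read.
VENDOR_B = VendorSupport("Vendor B", {"3des", "aes128"}, {"sha1", "md5"},
                         {1, 2}, {"psk"}, 3600)
VENDOR_C = VendorSupport("Vendor C", {"aes256"}, {"sha256"},
                         {14}, {"rsa-sig"}, 86400)


def report(initiator: List[Proposal], responder: VendorSupport) -> str:
    """Human-readable verdict for one initiator/responder pairing."""
    chosen, reasons = negotiate(initiator, responder)
    lines = list(reasons)
    if chosen is None:
        lines.append(f"NO common proposal with {responder.name}")
    else:
        lines.append(f"OK with {responder.name}: {chosen.encryption}/"
                     f"{chosen.integrity}/group {chosen.dh_group}/{chosen.auth}, "
                     f"lifetime {chosen.lifetime_s}s")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(VENDOR_A_PROPOSALS, VENDOR_B))
    print(report(VENDOR_A_PROPOSALS, VENDOR_C))
```

Against the constructed Vendor B chart the certificate-based proposal is rejected (no group 5, no RSA signatures) and the tunnel falls back to 3DES with a pre-shared key and a 3600-second lifetime; against Vendor C nothing matches at all. That is exactly the kind of gap a chart comparison can expose before a purchase, and it illustrates the column's point that key exchange and certificate handling, not the base protocol, are where interoperability usually breaks.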
Good news on SSL access front
Q: Can SSL-based VPNs be used to provide access to legacy applications?
—Andrew Rialdi, director of information systems at an East Coast manufacturing company
Salamone: No, not directly. SSL-based VPNs give access to Web-based applications. Traditional client-server and host-based legacy applications that typically require some type of client software or command line interface to access usually aren’t accessible using an SSL-based VPN.
However, some companies are finding a way around this limitation. Typically, these companies are pleased with the benefits an SSL-based VPN offers, like the fact that no special VPN client software is required.
Companies are turning to Web services to make their legacy applications accessible from a browser. After that, it’s a simple step to include access to such applications via an SSL-based VPN.