Microsoft Windows Server 2003 Insider Solutions - page 210


Summary

Integrating and migrating Novell networks and Windows networks might seem a challenging task; however, Services for NetWare is a great resource for Windows to NetWare interconnectivity. An organization can choose anything from simply migrating files, including their permissions, from a Novell server to a Windows server, all the way through completely replacing the Novell server with a Windows server system.

For an organization that wants to create a single sign-on type environment, the Microsoft Directory Synchronization Service (MSDSS) handles the synchronization of accounts between Novell and Windows networks. MSDSS also includes the File Migration Wizard, which migrates files, file properties, and file permissions from a Novell server to a Windows server.

Taken together, the tools included in Services for NetWare simplify the process of migrating or integrating Novell and Windows networks.


Part V: Remote and Mobile User Solutions

18 VPN and Dial-up Solutions

19 Web Access to Windows Server 2003 Resources

20 Leveraging Thin Client Terminal Services


Chapter 18. VPN and Dial-up Solutions

In this Chapter

Choosing the Right VPN Solution

Best Practices for Securing L2TP

Best Practices for Securing PPTP

Taking Advantage of Internet Authentication Service

Using VPN for Wireless

Deploying VPN and Dial-up Services

Using Site-to-Site VPNs

Using Load Balancing to Add Scalability and Resiliency

BEST PRACTICE

Installing and Using IAS

As companies become ever more dependent on computers for their business processes, users increasingly need to reach corporate resources from locations other than the office. Traveling users, telecommuters, and business partners all benefit from being able to access corporate resources remotely.

This remote access traditionally takes one of two forms: Virtual Private Networks (VPNs) or direct dial-up access. VPNs usually use the Internet for connectivity and encrypt the traffic so that data crossing it cannot be read or modified by anyone who intercepts it. Dial-up access refers to classic modem access over the telephone network to corporate-owned modem pools.

Both methods are commonly used in the industry. Both also have inherent security weaknesses and performance issues that must be addressed to get the most out of them. This chapter gives you the information you need to build secure and scalable remote access solutions based on your specific needs.


Choosing the Right VPN Solution

You have several choices when it comes to implementing VPNs. There are software-based VPNs such as the one offered by Windows Server 2003, where Point to Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) are both integrated into Routing and Remote Access Services. There are VPN products built into firewalls such as Checkpoint or Sonicwall. There are dedicated hardware VPNs that run a specialized operating system, such as those from Ravlin. Each of these choices is viable, but each has pros and cons that must be considered.

Windows 2003 Routing and Remote Access Services

Windows Server 2003 offers VPN support through its Routing and Remote Access Services in the form of Point to Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) over IPSec. (RRAS also supports Point to Point Protocol over Ethernet, PPPoE, but that is a link protocol for the Internet connection itself rather than a VPN.) Like most Microsoft offerings, these VPN options are tightly integrated with other Microsoft products, and support for both PPTP and L2TP/IPSec is built into the Windows client operating systems. This makes it very easy and economical to use Windows Server 2003 RRAS for VPN.

One drawback to using Windows Server 2003 RRAS for VPN is that, although the Choose Your Role Wizard lets Windows Server 2003 tailor itself for VPN use, it is still a general-purpose operating system built to fit many needs. Its exposure to security vulnerabilities will be higher than that of a device designed to do nothing but VPN, so administrators must make sure an RRAS system has been hardened as far as possible. This chapter covers such settings and recommendations.
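The hardening settings themselves come later in the chapter; as an added example that is not from the book, the following batch script shows what tightening one of them looks like: restricting the set of PPP authentication methods the RRAS server will negotiate, using the netsh ras commands that ship with Windows Server 2003. It assumes RRAS is already enabled and that the script is run on the RRAS server from an administrative command prompt. The method names are the ones netsh accepts; which methods to keep is the example's own choice, not a setting the page prescribes.

```batch
@echo off
REM Added example (not from the book): restrict the authentication methods a
REM Windows Server 2003 RRAS VPN server will negotiate with PPTP and
REM L2TP/IPSec clients. Assumes RRAS is enabled and this runs locally on the
REM RRAS server from an administrative command prompt.

REM Record the starting state so the change can be reviewed or reverted.
echo Authentication methods before:
netsh ras show authtype

REM Remove the weak methods. PAP sends the password in the clear, SPAP uses
REM reversible encryption, MD5-CHAP requires passwords stored with reversible
REM encryption in the directory, and MS-CHAP v1 has known weaknesses. None of
REM them belong on an Internet-facing server.
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP

REM Keep MS-CHAP v2 (mutual authentication; one of the methods that can derive
REM MPPE keys for PPTP) and EAP (needed for certificate or smart-card logons).
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP

REM Require every connection to be authenticated and checked for dial-in
REM permission rather than bypassed.
netsh ras set authmode mode=STANDARD

REM Verify the result.
echo Authentication methods after:
netsh ras show authtype
netsh ras show authmode
```

The remote access policy (or IAS, covered later in the chapter) constrains authentication independently, so a method has to be permitted both here and in the policy before a client can use it. Removing MS-CHAP v1 also cuts off older clients that cannot negotiate MS-CHAP v2, which is why the script records the starting state first.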

Something of a hybrid solution is offered by companies such as Celestix: dedicated VPN appliances built on a subset of Windows Server 2003. These keep the tight integration with Microsoft products while presenting a smaller attack surface than a full installation of the operating system. Such devices use Active Directory for security account information and thus integrate well into Microsoft-oriented networks.

Examining Firewall-based VPNs

Most of the major firewalls on the market today offer VPN functionality. Many firewall manufacturers have gone out of their way to create proprietary VPN systems to differentiate themselves from Microsoft's offerings. Although some of the smaller firewall manufacturers offer PPTP and L2TP/IPSec, most of the larger companies such as Checkpoint or Cisco have created their own implementations.

These proprietary VPN systems often tout improved authentication and data encryption. They also often offer higher bandwidth and larger numbers of concurrent connections. Improved performance and security usually come at a price: firewall-based VPNs typically require an additional VPN client to be purchased and installed on every system that will access the network through the VPN, which adds the cost of the licenses and the management overhead of deploying the client to workstations. For companies with high security requirements this is usually not a big issue. As the philosophy goes, three components are in tension in any security design: the overall security of the system, the convenience of using it, and its cost. Increasing security raises cost or reduces convenience; reducing cost costs security or usability; making an environment easier to use costs money or security. There is no perfect balance of these components; it is up to you to determine the requirements and design accordingly.

Pay careful attention to performance numbers, and don't be swayed by large figures taken out of context. If VPN box #1 can saturate 10Mbps and VPN box #2 can saturate 100Mbps, box #2 seems far more impressive. If the company only has a T-1 (1.544Mbps) to the Internet, both boxes are more than sufficient, and there is no reason to pay extra for the added capacity of box #2.

Examining Hardware-based VPNs

The last class of VPN device is the dedicated hardware VPN. Manufacturers like Cisco or Ravlin offer devices designed to do nothing other than act as a consolidation point for VPNs. As the saying goes, let routers route, let firewalls firewall, and let the VPN system handle the VPN. Although it is often advantageous to consolidate multiple functions into a single device, security usually takes the opposite approach. By separating tasks, not only do devices focus on what they do best but the network gains multiple layers of security. Layered security is harder and, more importantly, more time-consuming to defeat. Time is the bane of the attacker: the longer an attack takes, the more likely you are to notice it and take appropriate measures. Never forget that computers don't know whether an access is legitimate. A VPN is a doorway into your network, and your job is to ensure that only appropriate users pass through it.

In the past, most dedicated VPN devices ran proprietary VPN protocols. Today most of them have moved toward standards-based VPNs using protocols like PPTP, IPSec, and IKE. This gives you greater flexibility in integrating multiple VPN devices, which is especially helpful when companies merge, acquire, or partner with one another.

Deciding When to Make the Move from Software to Hardware

Small networks that don't have specific security requirements and that want to take advantage of VPN technology are prime candidates for software-based VPNs. Windows Server 2003, with PPTP or L2TP/IPSec on the back end and clients running the native VPN stack of a Windows operating system, allows easy access to corporate resources.

Eventually companies outgrow this simple architecture. Because other operating systems need access to the same resources, it is often helpful to abstract the VPN away from the individual client. Site-to-site VPN technologies allow operating systems that are not otherwise supported to use a VPN as long as they speak TCP/IP: an Apple or Linux system can ride the tunnel into the network regardless of whether it supports PPTP itself, because the PPTP-capable site-to-site gateway it routes through handles the tunnel.

Site-to-site VPN devices are generally robust, easy to install, and flexible in their protocol support. Rather than installing client VPN software on every machine in a remote location and configuring each to connect to a single VPN device, you can install local VPN gateways that route traffic from site to site across the VPN. This lets a user travel to any location with one of these gateways and reach the corporate network. In many companies, VPNs of this type have replaced traditional WAN connections. Because they use the Internet as their backbone, they are only as reliable as the Internet. The primary benefit of a site-to-site VPN over a traditional WAN connection is cost: local Internet connectivity is relatively inexpensive, and the saving over a long-distance Frame Relay or ATM circuit lets a site buy more bandwidth than it could otherwise afford. The savings are often large enough to pay for a redundant Internet connection as well, which further improves the stability of the VPN and makes a compelling argument for replacing traditional WAN connections with site-to-site VPN connections.