This article suggests four questions that you should ask yourself or your customer when deciding what type of VPN to implement. See the article Choosing the right VPN for your customer: VPN options
for background on the types of VPNs that we discuss here.
What type of network do you want to protect?
If your customer is running an all-Microsoft network with Microsoft gateways at the edge, then your best choice is almost certainly L2TP/IPsec. This is the standard Microsoft VPN and will probably already be installed on the client and gateway machines. The major gateway vendors, such as Cisco and Juniper, as well as many open source operating systems, such as Linux and FreeBSD, also support L2TP/IPsec, so this solution is still available if your customer is using these third-party devices at the edge of their network.
In the case of a mixed network, the decision is more complicated. Because of the extensive third-party support for L2TP/IPsec, it may make sense to use (or at least support) it in mixed networks too. In most cases, road warriors will be using a version of Windows on their laptops, so supporting it on your customer's network will make configuration and support of those laptops much easier.
If you want to secure a corporate WiFi or need a few low/moderately loaded VPNs (such as those for use by road warriors), OpenVPN offers an attractive solution. This is especially true if your customer doesn't have IPsec- experienced IT staff available.
For a customer that needs a VPN with strong security that links two or more company sites, IPsec is a good choice. Properly configured, IPsec can make all the sites appear to be one large network with seamless connectivity.
If your concern is to allow secure remote access to corporate Web-based applications (and perhaps a few other specific resources), then an SSL VPN is an effective choice. These VPNs are generally easy to configure, but usually require a separate SSL VPN gateway.
What applications does your customer want to have available remotely?
More than anything else, the type of applications that remote users will access drives the choice of VPN. If these applications are all Web-based, an SSL VPN is probably the best choice. If your customer wants to secure an 802.11b WiFi, OpenVPN is a simple solution that is easier and cheaper than upgrading to WPA-enabled equipment.
If your customer's remote users need access to the entire or large portions of the corporate network, you should consider IPsec or L2TP/IPsec. Note, however, that OpenVPN can be an attractive alternative for an SMB with light or moderate traffic. In some situations, such as an engineering shop, something as simple as SSH can provide the needed connectivity with virtually no effort on the part of system administrators.
Does your customer have an experienced IT staff to provide support?
Although there is nothing intrinsically hard or deep about configuring and running an IPsec VPN, there are numerous parameters -- many mysterious -- that a system administrator must specify. The average user will have a difficult time making informed decisions about these parameters and may make choices that render the VPN less secure than it could be. For this reason, companies considering IPsec should either have an experienced IT staff or be willing to hire you to make sure the VPN is configured correctly and to help troubleshoot problems. Because OpenVPN and SSL VPNs are easier to configure and administer, they may be a better choice for an SMB without an IT staff.
How much budget is your customer willing to devote to implementing the VPN?
If your customer is a large enterprise with the need for a heavy duty VPN, you should consider dedicated hardware from one of the major vendors such as Cisco or Juniper. Smaller companies with modest IT budgets can still have access to all these VPN technologies by using commodity hardware and free or open source software. OpenVPN is available without charge as are the Linux and *BSD operating systems, which have support for IPsec and L2TP/IPsec. Although most SSL VPN implementations require special hardware and are fairly expensive, SSL-Explorer is a software only SSL VPN available under the GPL.
About the author
Jon Snader is a TCP/IP and VPN expert whose background includes work in networking, security, communications and radio network controllers. He is the author of VPNs Illustrated: Tunnels, VPNs and IPSec and Effective TCP/IP Programming: 44 Tips to Improve Your Network Programs, both published by Addison-Wesley. You can reach him via his Web site or via email. As an expert on SearchNetworkingChannel.com, he's also available to answer your VPN questions.
This was first published in November 2006