There is widespread agreement that access to corporate networks should be secured with a virtual private network
(VPN), and chances are, your customers know they need one. But which VPN do they need? That's where you come in. This article looks at three popular types of VPNs (IPsec, OpenVPN, and SSL VPNs), and when each is appropriate, to help you recommend the right VPN to your customers. We don't consider PPTP, a popular but deprecated Microsoft solution, because PPTP has severe security problems that render it unsuitable for anything but the most casual security (see these two papers by Schneier, Mudge and Wagner for details).
IPsec VPNsIPsec is the IETF standard VPN. IPsec is an industrial strength VPN that is very flexible and configurable. It comprises three protocols: Authentication Header (AH), which provides message authentication; Encapsulating Security Payload (ESP), which provides message encryption and authentication; and Internet Key Exchange (IKE), which provides key management and protocol negotiation. Because almost all of the AH functionality is duplicated in ESP, AH is usually used only for special purposes, and we won't consider it further.
The most useful way to configure ESP is tunnel mode, in which the VPN connects two networks or a single computer and a network. This covers the familiar cases of connecting two corporate sites and of connecting a road warrior to the corporate network. Traffic carried through such a VPN is encrypted, making it safe from snooping, and authenticated, making it safe from undetected alteration.
Because IPsec operates at the network (IP) layer, it works with any protocol carried by IP. This makes it an ideal general purpose VPN for customers that require strong security and flexibility. IPsec implementations are available from all the major vendors, including Cisco, Juniper and Microsoft. On the other hand, IPsec can be difficult to configure and requires an experienced technician to keep it running. Although it is standardized, the specifications contain enough ambiguity that different implementations sometimes have difficulty interoperating. IPsec is the VPN of choice for your customers with serious security requirements and that are large enough to have an IT staff to support it -- or are willing to pay you to do so.
OpenVPNAnother general purpose network-to-network or computer-to- network VPN is OpenVPN. Although similar in functionality to tunnel mode ESP, OpenVPN is more lightweight and easier to configure than IPsec.
OpenVPN is a user mode program that runs on Unix/Linux, Windows and Mac systems. It uses TLS (SSL) for key and configuration negotiation and an ESP-like protocol to transport the IP datagrams. It can be configured to use shared keys -- simple but less secure -- or certificates for key management. When used with certificates, OpenVPN provides a very robust VPN solution.
OpenVPN is simple enough for use by your SMB customers that don't have a dedicated IT staff. Although this VPN is robust enough for most security requirements, the fact that it is a user mode program means that it may experience some performance problems under very heavy load and thus may not be appropriate for large businesses with heavy traffic. However, it is an ideal solution for securing enterprise WiFi systems.
SSL VPNsFinally, there are SSL VPNs, which link a single computer to an application gateway on the corporate network. Because SSL VPNs leverage the client's Web browser as an interface, additional software is often not needed on the client machine. This means that installation and support of client computers are simplified tremendously and that the client machines can run any operating system that supports a browser and SSL.
The disadvantage of this type of VPN is that to avoid extra software on the client machine and to realize OS independence, they are restricted to proxying Web pages and therefore are restricted to HTML/HTTP-aware applications. By adding a small amount of software on the client, SSL VPNs can perform application translation. This allows the VPN to handle specific non-Web applications for which the vendor has built support into the SSL VPN gateway -- mail, telnet and file services are examples. By adding more client software and further limiting platform independence, the range of supported applications can be increased, but it may make more sense to use a traditional VPN to meet these types of requirements.
If your customer requires secure remote access to Web-based applications such as online catalogues, price lists, directories or manuals; order entry; customer contact reporting; or similar applications, SSL VPNs are an ideal solution, regardless of the size of the business.
About the author
Jon Snader is a TCP/IP and VPN expert whose background includes work in networking, security, communications and radio network controllers. He is the author of VPNs Illustrated: Tunnels, VPNs and IPSec and Effective TCP/IP Programming: 44 Tips to Improve Your Network Programs, both published by Addison-Wesley. You can reach him via his Web site or via email. As an expert on SearchNetworkingChannel.com, he's also available to answer your VPN questions.