Sunday, March 18, 2012

VPNs: IPSec vs. SSL

From , former About.com Guide

In years gone by, if a remote office needed to connect with a central computer or network at company headquarters, it meant installing dedicated leased lines between the locations. These dedicated leased lines provided relatively fast and secure communications between the sites, but they were very costly. To accommodate mobile users, companies would have to set up dedicated dial-in remote access servers (RAS). The RAS would have a modem, or many modems, and the company would have to have a phone line running to each modem. The mobile users could connect to the network this way, but the speed was painfully slow and made it difficult to do much productive work.
With the advent of the Internet, much of that has changed. If a web of servers and network connections already exists, interconnecting computers around the globe, then why should a company spend money and create administrative headaches by implementing dedicated leased lines and dial-in modem banks? Why not just use the Internet?
Well, the first challenge is that you need to be able to choose who gets to see what information. If you simply open up the whole network to the Internet, it would be virtually impossible to implement an effective means of keeping unauthorized users from gaining access to the corporate network. Companies spend tons of money to build firewalls and other network security measures aimed specifically at ensuring that nobody from the public Internet can get into the internal network.
How do you reconcile wanting to block the public Internet from accessing the internal network with wanting your remote users to use the public Internet as a means of connecting to the internal network? You implement a Virtual Private Network (VPN). A VPN creates a virtual “tunnel” connecting the two endpoints. The traffic within the VPN tunnel is encrypted so that other users of the public Internet cannot readily view intercepted communications.
By implementing a VPN, a company can provide access to the internal private network to clients around the world at any location with access to the public Internet. It erases the administrative and financial headaches associated with a traditional leased line wide-area network (WAN) and allows remote and mobile users to be more productive. Best of all, if properly implemented, it does so without impacting the security and integrity of the computer systems and data on the private company network.
Traditional VPNs rely on IPSec (Internet Protocol Security) to tunnel between the two endpoints. IPSec works on the Network Layer of the OSI model, securing all data that travels between the two endpoints without any association to a specific application. When connected on an IPSec VPN, the client computer is “virtually” a full member of the corporate network, able to see and potentially access the entire network.

The majority of IPSec VPN solutions require third-party hardware and/or software. In order to access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed. This is both a pro and a con.
The pro is that it provides an extra layer of security if the client machine is required not only to be running the right VPN client software to connect to your IPSec VPN, but also must have it properly configured. These are additional hurdles that an unauthorized user would have to get over before gaining access to your network.
The con is that it can be a financial burden to maintain the licenses for the client software and a nightmare for tech support to install and configure the client software on all remote machines, especially if they can’t be on site physically to configure the software themselves.
It is this con which is generally touted as one of the largest pros for the rival SSL (Secure Sockets Layer) VPN solutions. SSL is a common protocol, and most web browsers have SSL capabilities built in. Therefore, almost every computer in the world is already equipped with the necessary “client software” to connect to an SSL VPN.
Another pro of SSL VPNs is that they allow more precise access control. First of all, they provide tunnels to specific applications rather than to the entire corporate LAN. So, users on SSL VPN connections can only access the applications that they are configured to access rather than the whole network. Second, it is easier to provide different access rights to different users and have more granular control over user access.
A con of SSL VPNs, though, is that you are accessing the application(s) through a web browser, which means that they really only work for web-based applications. It is possible to web-enable other applications so that they can be accessed through SSL VPNs; however, doing so adds to the complexity of the solution and eliminates some of the pros.
Having direct access only to the web-enabled SSL applications also means that users don’t have access to network resources such as printers or centralized storage and are unable to use the VPN for file sharing or file backups.
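To make the difference between the two access models concrete, here is an added example (not code from the original article or from any VPN vendor) that models the contrast drawn above: an IPSec client holds a route to the corporate LAN and can reach any host and port on it, while an SSL VPN user is proxied only to the specific web applications that user is entitled to, so printers and file shares are out of reach. The subnet, application list, user entitlements and log lines are all constructed for illustration; a real deployment would take them from the VPN gateway's configuration and logs.

```python
"""
Added example: a model of network-layer (IPSec) versus application-layer
(SSL VPN) access control, evaluated over constructed connection attempts.
Nothing here is real infrastructure; every address, user and app is made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate LAN. Assumption: the IPSec gateway routes the whole
# subnet to connected clients, which is the "full member" case in the article.
CORP_LAN = ip_network("10.20.0.0/16")

# Constructed applications published through the SSL VPN (web apps only).
SSL_PUBLISHED_APPS = {
    "intranet": ("10.20.1.10", 443),
    "timesheet": ("10.20.1.20", 443),
    "mail": ("10.20.2.5", 443),
}

# Constructed per-user entitlements: the "more granular control" of an SSL VPN.
SSL_USER_APPS = {
    "alice": {"intranet", "timesheet", "mail"},
    "bob": {"intranet"},
}


@dataclass(frozen=True)
class Attempt:
    """One connection attempt by a VPN user to a destination host and port."""
    user: str
    dest_ip: str
    dest_port: int


def ipsec_allows(attempt: Attempt) -> bool:
    """Network-layer model: any host inside the routed LAN is reachable,
    regardless of which user is connected or which application is used."""
    return ip_address(attempt.dest_ip) in CORP_LAN


def ssl_vpn_allows(attempt: Attempt) -> bool:
    """Application-layer model: only a published app, and only for a user
    entitled to it. Non-web services (SMB, printing) are never published."""
    for app in SSL_USER_APPS.get(attempt.user, set()):
        host, port = SSL_PUBLISHED_APPS[app]
        if attempt.dest_ip == host and attempt.dest_port == port:
            return True
    return False


def parse_attempt(line: str) -> Attempt:
    """Parse a constructed log line of the form 'user=alice dst=10.20.1.10:443'."""
    fields = dict(token.split("=", 1) for token in line.split())
    host, port = fields["dst"].rsplit(":", 1)
    return Attempt(fields["user"], host, int(port))


def compare_exposure(log_lines):
    """For each attempt, return (attempt, allowed_by_ipsec, allowed_by_ssl_vpn)."""
    results = []
    for line in log_lines:
        attempt = parse_attempt(line)
        results.append((attempt, ipsec_allows(attempt), ssl_vpn_allows(attempt)))
    return results


# Constructed sample log: a web app, an app bob is not entitled to,
# a file server (SMB), a network printer, and an off-LAN destination.
SAMPLE_LOG = [
    "user=alice dst=10.20.1.10:443",
    "user=bob dst=10.20.2.5:443",
    "user=bob dst=10.20.3.40:445",
    "user=alice dst=10.20.3.41:9100",
    "user=alice dst=8.8.8.8:53",
]

if __name__ == "__main__":
    print(f"{'user':<6} {'destination':<18} {'IPSec':<6} {'SSL VPN'}")
    for attempt, via_ipsec, via_ssl in compare_exposure(SAMPLE_LOG):
        dest = f"{attempt.dest_ip}:{attempt.dest_port}"
        print(f"{attempt.user:<6} {dest:<18} {str(via_ipsec):<6} {via_ssl}")
```

Running it prints a table in which every LAN destination, including the SMB share and the printer, is reachable over IPSec, while only the one web application alice is entitled to is reachable over the SSL VPN. The same evaluation, fed with a gateway's real access logs, is a quick way to see how much of the network a given remote-access design actually exposes.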
SSL VPNs have been gaining in prevalence and popularity; however, they are not the right solution for every instance. Likewise, IPSec VPNs are not suited for every instance either. Vendors are continuing to develop ways to expand the functionality of the SSL VPN, and it is a technology that you should watch closely if you are in the market for a secure remote networking solution. For now, it is important to carefully consider the needs of your remote users and weigh the pros and cons of each solution to determine what works best for you.
