To map your requirements to individual product capabilities and features, a VPN features guide can help. For example, see SP 800-113 Guide to SSL VPNs, published by the National Institute of Standards and Technology (NIST). Those seeking VPN appliances that also speak IPsec should also consult the older SP 800-77 Guide to IPsec VPNs. Below is a summary of the VPN features you’ll find covered in these guides.
- Authentication: VPN security is based upon authentication — preferably mutual. SSL VPNs usually support many user authentication methods, including password, smart card, two-factor token, and certificate. Many IPsec VPNs use IKEv2 to support any method conveyed by the Extensible Authentication Protocol (EAP). Choose an appliance that supports your required authentication method(s) and integrates with your user database (e.g., Active Directory). Less common features to look for include single sign-on and roaming without re-authentication.
- Encryption and integrity protection: Secure tunneling protocols like SSL, TLS, DTLS, and IPsec all use cryptography for message encryption, integrity, replay protection, and (sometimes) source authentication. The IPsec Encapsulating Security Protocol (ESP) is applied at Layer 3 to protect the entire IP packet; the others may be applied at Layer 3 or 4. Choose an appliance that satisfies your in-transit data protection policies, including cipher, certification, and interoperability requirements.
- Access controls: Early VPN appliances tunneled all traffic from user to gateway or only traffic destined for private subnets (i.e., split tunneling). With SSL VPNs came increased granularity, including access to specified applications, URLs, or even actions (e.g., file read but not write). This continues to be an area of innovation; look for new features such as policies that transparently adapt for each user, based upon endpoint risk, compliance, or location, and group/role-based access controls.
- Endpoint security controls: Varying access based on risk requires recognizing the endpoint, assessing its health, evaluating its compliance, or a combination thereof. For example, if access is attempted from a managed notebook, a “checker” may verify the endpoint has required OS patches and anti-malware. If access is attempted from a smartphone, these may not be possible — but the VPN can still look for an IT-installed “watermark.” This is another area of rapid innovation, both in OS breadth and depth of controls. For notebooks, consider advanced features such as data vaults. For mobile devices, look for server-side aids like fingerprinting.
- Intrusion prevention: Pre-connect checks are helpful, but may not be enough. To reduce risk, VPNs can grant narrow access to riskier endpoints — or apply ongoing intrusion prevention to stop malware from riding secure tunnels. This is another area of differentiation between VPN products, as vendors scramble to integrate security offerings and drill deeper — especially into port 80 traffic to enforce per-application policies and block malicious activity. Features here run the gamut from mobile security agents to reputation-based web defenses, but beware of a la carte feature licenses that inflate TCO.
- Manageability: This is an important characteristic for any product, but especially for remote access VPNs. Factors like purchase price, maintenance fees, installation effort, policy tuning, and routine maintenance all impact total cost of ownership (TCO), but enterprises with large workforces often cite managing users as their single-highest VPN cost.
- High availability and scalability: Enterprise-class remote access VPN products offer high-availability and scalability options, such as hot-synced active/active load balanced gateways. Look not only at scalability and survivability, but also at licensing. For example, those deploying remote access VPN for disaster planning may want “burstable” or pay-as-you-go licenses.
- Customization: Remote access VPNs often benefit from customization. This can range from organizing resource links on per-user/group portal pages to adding proxy VPN translations for proprietary applications. Especially for small mobile devices, look for aids like auto-display-adaptation and bookmarks to improve usability.
Product roll call
These are just some of the many features and capabilities found in contemporary remote access VPN appliances. Vendors in this market include Cisco Systems, Citrix Systems, Check Point, F5 Networks, Juniper Networks, and SonicWall (to name just a few).
To more fully illustrate this category, EnterpriseNetworkingPlanet will profile several remote access VPN lines, including SonicWall’s Aventail E-Class SRA appliances, Cisco’s ASA 5500 Series appliances, and Juniper’s MAG Series JunOS Pulse Gateways. Stay tuned …
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed and tested network security products for nearly a decade.