What to look for when buying a VPN

By David Aylesworth
JANUARY 16, 2003

Content Type: Advice
Source: Computerworld

Virtual private networking is becoming an integral part of today's data networks. Virtual private network (VPN) drivers range from securing corporate communications to reducing costs by replacing leased lines. But for those who have not yet deployed a VPN, the options can be daunting. There are several approaches and dozens of products and services from which to choose, each with its own pros and cons.

Let's take a look at the various solutions and how they apply to different environments.

There are two types of VPN technologies used on the Internet today: the trusted VPN and the secure VPN. Trusted VPNs are provisioned and managed by Internet service providers, which define paths through their networks to ensure that a customer's traffic is routed only over a trusted path. A customer might choose a trusted VPN because there is no equipment to buy, the service is completely managed by the provider and thus requires no maintenance, and such services often include service-level agreements. Typically, trusted VPNs are less expensive upfront but more expensive over time.

Secure VPNs, on the other hand, protect traffic and provide privacy, authentication and data integrity through cryptographic algorithms. Secure VPNs can be managed by the user or the service provider. Trusted and secure VPNs can also be used together in a hybrid VPN. Because trusted VPNs are always purchased from service providers and the customer has few options on the configuration and deployment of the VPN, the remainder of this article will focus on secure VPNs.

Implementing a secure VPN

There are several different ways to implement a secure VPN, and the best choice depends on the environment in which it will be deployed. The two most common environments involve connecting remote-office networks to one another (site to site) and connecting remote users to one or more office networks (remote access).

When the users and offices are all part of the same company, the VPN is called an intranet VPN. When the users and offices include nonemployees, such as customers or business partners, the VPN is called an extranet VPN. The same technologies can be used to create intranet and extranet VPNs, but the configuration is typically different because nonemployees are usually restricted to accessing only certain network services.

Before implementing a VPN, you should do an assessment of your requirements. Many products can support any combination of these environments, but some cannot. Here are some questions to raise:
  • Are you connecting multiple offices with the VPN (site to site)?
  • Are they company offices (intranet) or business partners (extranet)?
  • Are you connecting remote users to the VPN (remote access)?
  • If yes, are they company employees (intranet) or customers (extranet)?

Different VPN solutions will provide different features and functions. Having an understanding of the many options and how they apply to your requirements is important before selecting a solution. While all secure VPN products will provide encryption and authentication, there are still varying degrees of security strength available.

The industry-standard protocol for secure VPNs is known as IPsec (short for IP Security) and is supported by most vendors today. IPsec supports a variety of encryption algorithms, but triple Data Encryption Standard (3DES) is the most common. It provides 156-bit encryption, which is considered secure enough for military use. The new Advanced Encryption Standard has recently been adopted as the replacement for single DES in government use because it's as strong as 3DES but can provide better throughput performance. Also popular is Microsoft's Point-to-Point Tunneling Protocol (PPTP), which uses 64- or 128-bit RC4 encryption. Encryption at 64 bits is considered weak by today's standards, so 128-bit is preferred.

Just like with encryption, there are multiple options for authenticating VPN members. Network VPN gateways typically authenticate each other through certificates or pass phrases, while remote-access users are authenticated through user names and passwords. You should decide how you want to authenticate remote-access users and make sure the products you're considering support your environment.

For example, you may use a Windows NT domain controller, Windows 2000 Active Directory or a RADIUS server. As a fallback, most VPN products also support their own proprietary authentication database. Another option for authenticating VPN members is through digital certificates. Digital certificates can provide the strongest form of authentication, but certificate distribution and management can be another challenge. Public-key infrastructure (PKI) products provide a solution for certificate management but can also be an additional expense to a VPN deployment.
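To make concrete what "authentication through pass phrases" and "data integrity" mean in a secure VPN, here is an added example that is not part of the Computerworld article and is not any vendor's protocol. It is a deliberately simplified model, not IPsec or IKE: two gateways share a pass phrase, each proves knowledge of it with an HMAC over fresh random nonces (so the pass phrase itself never crosses the wire and a captured proof cannot be replayed), and the resulting per-session key is used to tag data packets so that any modification is detected. Encryption of the payload, which a real secure VPN also performs, is omitted to stay within the Python standard library. The gateway names, the salt, the iteration count and the nonce size are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_BYTES = 16                # size of each side's fresh random value (assumed)
KDF_ITERATIONS = 100_000        # PBKDF2 work factor applied to the pass phrase (assumed)
KDF_SALT = b"example-vpn-salt"  # constructed; both gateways must use the same salt
TAG_BYTES = 32                  # length of an HMAC-SHA256 integrity tag


def derive_key(pass_phrase: str) -> bytes:
    """Stretch the human-chosen pass phrase into a fixed-size key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), KDF_SALT, KDF_ITERATIONS)


class Gateway:
    """One VPN gateway: holds the pass-phrase-derived key and per-session state."""

    def __init__(self, name: str, pass_phrase: str) -> None:
        self.name = name.encode()
        self.key = derive_key(pass_phrase)
        self.my_nonce = secrets.token_bytes(NONCE_BYTES)
        self.peer_name: Optional[bytes] = None
        self.peer_nonce: Optional[bytes] = None
        self.session_key: Optional[bytes] = None
        self.authenticated = False

    def _proof(self, prover: bytes, first: bytes, second: bytes) -> bytes:
        # Binding the prover's name and both nonces into the HMAC means a proof
        # captured from one session cannot be replayed or reflected in another.
        return hmac.new(self.key, prover + first + second, hashlib.sha256).digest()

    def _finish(self) -> None:
        # Per-session key: identical on both sides, different for every session
        # because it depends on both fresh nonces. Sorting makes the order irrelevant.
        first, second = sorted([self.my_nonce, self.peer_nonce])
        self.session_key = hmac.new(self.key, first + second, hashlib.sha256).digest()
        self.authenticated = True

    # Message 1, initiator -> responder: name and nonce, sent in the clear.
    def hello(self) -> Tuple[bytes, bytes]:
        return self.name, self.my_nonce

    # Message 2, responder -> initiator: its own nonce plus a proof over both nonces.
    def respond(self, peer_name: bytes, peer_nonce: bytes) -> Tuple[bytes, bytes, bytes]:
        self.peer_name, self.peer_nonce = peer_name, peer_nonce
        return self.name, self.my_nonce, self._proof(self.name, peer_nonce, self.my_nonce)

    # Message 3, initiator -> responder: check message 2, then prove ourselves.
    def verify_and_confirm(self, peer_name: bytes, peer_nonce: bytes, proof: bytes) -> Optional[bytes]:
        self.peer_name, self.peer_nonce = peer_name, peer_nonce
        expected = self._proof(peer_name, self.my_nonce, peer_nonce)
        if not hmac.compare_digest(expected, proof):
            return None  # responder does not know the pass phrase; abort
        self._finish()
        return self._proof(self.name, peer_nonce, self.my_nonce)

    # Responder checks message 3 and only then considers the peer authenticated.
    def confirm(self, proof: bytes) -> bool:
        expected = self._proof(self.peer_name, self.my_nonce, self.peer_nonce)
        if hmac.compare_digest(expected, proof):
            self._finish()
        return self.authenticated

    # Data phase: append an integrity tag keyed with the session key.
    def protect(self, payload: bytes) -> bytes:
        assert self.authenticated, "data phase requires a completed handshake"
        return payload + hmac.new(self.session_key, payload, hashlib.sha256).digest()

    def unprotect(self, packet: bytes) -> Optional[bytes]:
        if not self.authenticated or len(packet) < TAG_BYTES:
            return None
        payload, tag = packet[:-TAG_BYTES], packet[-TAG_BYTES:]
        expected = hmac.new(self.session_key, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, tag) else None  # None = tampered


def run_handshake(pass_phrase_a: str, pass_phrase_b: str) -> Tuple[Gateway, Gateway]:
    """Drive the three messages between two gateways and return both ends."""
    a = Gateway("gw-london", pass_phrase_a)   # constructed gateway names
    b = Gateway("gw-newyork", pass_phrase_b)
    name_a, nonce_a = a.hello()
    name_b, nonce_b, proof_b = b.respond(name_a, nonce_a)
    proof_a = a.verify_and_confirm(name_b, nonce_b, proof_b)
    if proof_a is not None:
        b.confirm(proof_a)
    return a, b


if __name__ == "__main__":
    good_a, good_b = run_handshake("correct horse battery", "correct horse battery")
    print("matching pass phrases authenticate:", good_a.authenticated and good_b.authenticated)
    bad_a, bad_b = run_handshake("correct horse battery", "wrong phrase")
    print("mismatched pass phrases authenticate:", bad_a.authenticated or bad_b.authenticated)
    packet = good_a.protect(b"site-to-site payload")
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]
    print("intact packet accepted:", good_b.unprotect(packet) is not None)
    print("tampered packet rejected:", good_b.unprotect(tampered) is None)
```

The two things to take from the model are that the strength of pass-phrase authentication rests entirely on the pass phrase (the key-stretching step only slows guessing, it cannot rescue a short one), which is the weakness that certificate-based authentication and a PKI are meant to remove, and that an integrity tag is what lets a gateway reject a modified packet rather than silently forward it.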

How will the VPN be managed?

Another important consideration when evaluating VPN solutions is management. You should decide whether you have the resources to manage the VPN yourself or whether you need to contract with a VPN service provider.

There are VPN products designed to be easily managed by users, and many Internet service providers also offer managed VPN services. Some products provide global management tools so the entire VPN can be managed from a single console, whereas other products require each VPN member to be configured independently. Larger VPN deployments can be greatly simplified through global management tools.

Other management issues include interfacing with authentication or PKI servers, and logging and reporting. If the VPN includes remote-access users, then VPN client distribution and management must also be considered. Microsoft includes PPTP and IPsec support in its operating systems but does not provide global management tools. If global management is required, then look for products that provide easy distribution and management of their client software. Another option to consider is so-called clientless VPN products, which use a secure Web browser for access. Because Web browsers are ubiquitous, client management may not be an issue, but these products typically support a limited set of Web applications.

What to expect to pay

Pricing varies based on features and performance, but generally, small businesses (fewer than 100 employees) should expect to pay from $500 to $2,000 per VPN gateway. Midsize businesses (up to 500 users) should expect to pay $2,000 to $10,000 per gateway. Customers should also expect to pay between $50 and $100 per user for VPN client software. Managed services generally don't require equipment purchases but instead charge monthly or annually (based on the number of offices and users) for the duration of the service. Managed services also can be less expensive upfront but more expensive over time.

As you can see, there are a variety of options to consider when purchasing a VPN solution. Make sure you understand your environment and requirements before starting your search. Evaluate only the products that appear to meet your requirements and then test them to see which one is the best fit for your network and budget.