Balancing remote access with security is tough. You want employees to have full access to corporate e-mail and applications from anywhere they're working, but openness invites invasion. Traditional remote-access solutions are mostly secure, but long distance fees can add up, and users with cable modems and DSL connections to the Internet don't get to use their high-speed connections to get into the corporate network. A virtual private network (VPN) is the answer to providing secure and flexible access for traveling and work-at-home employees. It also works for secure office-to-office connectivity.
The phrase virtual private network seems imposing, but a VPN boils down to special software in client PCs connecting across a corporate intranet or the Internet to special software in a dedicated box or a server in your server room. Encryption at both ends keeps data safe, and you can choose from several options for user authentication. Installing a VPN often requires a substantial up-front effort for configuration and software deployment. But once everything is running, a VPN offers much lower connection costs than traditional remote-access servers, since long distance users can usually connect to a local ISP POP, and provides excellent management control and information.
You can elect to create your own VPN system or outsource it from one of many ISPs, VARs, and connectivity vendors. We looked at both options. Your choice will depend primarily on the talents and capabilities of your own IS staff.
We focused on the VPN as a way to provide remote access for employees. The alternative is a conglomeration of modems, telephone lines, and a central processor known as a remote-access server (RAS). RAS devices were the brick and mortar of the industry for a decade, but VPNs seriously challenge their importance. The downside of a RAS system is high circuit costs from long-distance calls¡ªand daily management chores. A savvy network administrator will probably keep a small RAS systems operational in case the Internet VPN has a bad day.
We investigated the latest in VPNs for small to medium-size businesses by inviting six vendors to send products to PC Magazine Labs: Altiga Networks, Check Point, Intel, Lucent Technologies, Time Step, and VPNet. Cisco, Nokia, Nortel Networks, and 3Com also play in this market, but they all either chose not to participate or didn't get products to us in time for testing.
Our products consisted of five VPN gateways (hardware and software packaged in dedicated appliances) and one software-based VPN (Check Point's VPN-1 Gateway, which came installed on a Pentium III PC server running Windows NT). Cisco and other networking vendors also offer routers that can be upgraded with VPN capabilities.
Windows NT Server 4.0 comes with some basic VPN capabilities using Microsoft's own Point-To-Point Tunneling protocol, which works fine for small RAS installations. Microsoft plans to add advanced authentication and encryption features, including IPSec, to Windows 2000. Novell offers Border Manager ($1,995 list for a server and five users), a combined firewall/VPN/caching product that integrates very nicely with Novell's NetWare Directory Services (NDS), making it an attractive alternative for NetWare-based organizations.
We delved into VPN outsourced service options by sending a one-page RFP, based on our needs at PC Magazine, to AT&T, Cable & Wireless, MCI WorldCom, and PSINet. We got good responses from a single-page RFP that could be created by most network administrators. The sidebar "When in Doubt, Outsource" tells more of the story.
How much security do you need? What's the threat? How many people need remote access? What are their computer skills? How much traffic do they generate? Are they all employees? Are they geographically dispersed? What kinds of client computers do they have? You need to answer these fundamental questions before you begin the process of buying a VPN.
We evaluated all of the products except the VPNet VPNware VSU-1010 using IPSec encryption between the clients and the host system. IPSec is an encryption and authentication architecture that provides security for IP packets and allows interoperability among different VPN products. VPNet, however, offers IPSec only on LAN-to-LAN configurations. Note that IPSec won't work if your PC gets a nonroutable IP address from a network address translator at your router or ISP.
There has been some speculation that processing strongly encrypted IPSec can potentially overload client computers, but our informal tests with P166 laptops didn't turn up any unexpected or unusual problems. When you start a 1.5-Mbps IPSec-encrypted FTP file transfer with a P166, you'll notice a difference in the performance of other applications, but they still work. At slower connection speeds and with less intensive tasks, operation is normal.
IS managers know that remote users consume more support time than local users. Deployment of VPN client software is a problem largely ignored by all of the equipment vendors. Intel provided us with a beta release of an impressive looking Client Deployment Tool, but we were unable to give it a full evaluation. VPNet has the unique ability to customize a previously installed configuration as part of the authentication process.
On the server side, most of the devices are closed cabinets that mount in a rack and don't take up much space in the server room. The TimeStep Permit/Gate 4620 is a separate box the size of a large modem, and Check Point's VPN-1 Gateway is software that can be loaded on a PC in any physical configuration.
The products differ in cost and ease of setup. The costs for the hardware systems we examined ran from $4,995 for the VPNet VPNware VSU-1010 to $9,995 for the Lucent VPN Gateway. Check Point's VPN-1 software starts at $3,495, and you might already have a PC to run it. Time Step and VPNet added a fee for client software. Windows 2000, however, includes an IPSec client.
When comparing costs, keep in mind that the products from Check Point, Intel, and Lucent combine VPN and firewall capabilities. This can eliminate the cost of a separate firewall, but it also puts all of your security eggs in one basket.
The setup process for each product ranges from the extreme ease of the Intel Shiva LanRover VPN Gateway Plus to the more complex Check Point and Lucent products. We believe that any competent network administrator could set up the LanRover, but it would be best to have some experience and training before tackling the Check Point and Lucent products.
Our performance tests focused on the VPN servers with Windows NT clients using a mix of dial -up and broadband connections. As cable modem and DSL connections proliferate, your employees will have high-speed access to the VPN, but they might find a constriction at your corporate net work connection. You'll need enough VPN server horsepower to match your corporate access speed. The LanRover and Check Point's VPN-1 Gateway topped our tests with real payload throughput in excess of 700 Kbps. The slowest device on our tests, the TimeStep Permit/Gate 4620, hit 577 Kbps. Considering the large encryption over head and the intermittent nature of the traffic, any of these products should carry the load of a T1 (1.5-Mbps) connection.
In our tests we did not establish a certificate architecture. Certificates provide a way for specific computers to trust one another and set up an ISP connection. Most companies outsource certificate authority to a service such as Verisign.
The reviews that follow provide more information on the details of product setup and management.
Our Contributors: Les Freed is a contributing editor of PC Magazine. Robert Schenk is a contributor to PC Magazine, and Andrew R. Garcia is a technical analyst. Frank J. Derfler, Jr., is a senior networking editor of PC Magazine. Executive editor Leon Erlanger and PC Magazine Labs project leader Russ Iwanchuk were in charge of this story.