Monday, July 6, 2009

Remote Access and Virtual Private Networks

We scratched the surface of remote access and VPNs in the Increasing Employee Productivity blog post. Here we'll go more in depth on the types of VPNs available and how to choose which one is right for you.

Types

IPSec VPN

1. Site to Site or L2L

Site-to-site VPNs are also called LAN-to-LAN (L2L) tunnels because they establish a secure tunnel between two remote local area networks via VPN devices across the Internet or another unsecured network. L2L VPNs require a hardware or software device at the edge of each unsecured network. They typically deploy IPSec as the encryption method. 3DES has been replaced by AES128/192/256 encryption.

These types of VPNs are useful when you have two or more remote sites that need to access resources on the remote LAN over an unsecured network such as the Internet.

2. Remote Access

Remote access VPNs allow client devices (e.g. a PC) to connect over an unsecured network to a central VPN device. This requires a dedicated hardware or software VPN device at only one location rather than at both the local and remote ends. They typically deploy the same IPSec encryption as site-to-site VPNs.

These types of VPNs are useful for accessing your network resources while traveling or working from a remote location.

SSL VPN

SSL VPNs meet the same remote access needs for client devices working remotely from the local network resources. The primary differences are the encryption method they use and the client software. IPSec remote access VPNs require software to be installed on the client device to establish the VPN tunnel. SSL VPNs use a standard web browser and rely on HTTPS/SSL to encrypt the traffic, similar to browsing your secured banking web site.

1. Client

Client SSL VPNs do require a client to be installed on the local device, but it is usually installed when accessing the VPN device and does not have to be preinstalled like the IPSec VPN client. This is a huge advantage if you don't have staff to preinstall software or if you have a remote workforce. Client SSL VPNs provide a full VPN tunnel to the local area network, identical to IPSec VPNs.

2. Clientless

Clientless SSL VPNs allow remote access to local network resources without allowing full access to the entire network. Clientless means no client; instead, the VPN downloads components to the accessing device to provide the necessary access. Web pages, remote desktop, telnet, ssh and application tunneling access are all functions of clientless SSL VPNs.

These types of VPNs are perfect if you need to provide access to single applications to certain people. Why give a vendor or employees full access to your network if you only need to allow them to access your intranet web site or a specific application? They require less administration because no software has to be installed on the client device.

Clientless SSL VPNs may not support tunneling all applications. If an application is not explicitly supported by the vendor, it should be tested prior to purchasing.

Summary

IPSec VPNs are the oldest and most stable method of remote access but also require the most client device administration. IPSec requires UDP 500 for IKE traffic, which is not always allowed from some networks (mostly corporate networks).

SSL VPNs are newer, run over the standard HTTPS port 443, and allow for access from most networks. The client can be preinstalled or installed after accessing the VPN, leading to less administrative overhead. They also provide a great deal of flexibility to access specific applications on your network.


Aaron Magruder
(816) 566-0017
Kansas City Cisco Select Partner
Network, Security and Unified Communications Solutions
