Ask The Networking Expert: Questions & Answers

Should I use a hardware or software VPN?

EXPERT RESPONSE FROM: Lisa Phifer





QUESTION POSED ON: 01 March 2004
I have read up on the software (Windows 2000) and also the hardware (Symantec Firewall/VPN) and I am scheduled to set one up in January. I think I am going with the hardware VPN. If you have any info, tips, suggestions they'd be welcome.







Using an existing Windows NT/2000/2003 box as your VPN gateway is tempting to those who already have a spare PC and Windows software and some experience in administering Windows. All of these Windows OSes support the Point-to-Point Tunneling Protocol (PPTP); 2000 and 2003 also support the Layer Two Tunneling Protocol (L2TP) over IP Security (IPsec).

So why do so many businesses buy a hardware firewall/VPN appliance instead of using Windows as their VPN gateway? For one thing, you'd need to harden your Windows server, shutting down all unused services, blocking non-VPN traffic, etc. Firewall/VPN appliances are already hardened right out of the box, designed to face an untrusted network like the Internet.

Next, there's the issue of performance. Although you can buy LAN cards that add IPsec acceleration to your PC, your Windows gateway will probably encrypt packets in software on a general purpose CPU. Firewall/VPN appliances often include hardware acceleration, performing crypto in silicon for higher throughput and lower latency. (Sometimes this is an option, so look closely at appliance specs.)

Then there's dedication to the task at hand. A Windows server is running plenty of software and services that have nothing to do with your VPN, and you will spend time turning these off or getting rid of them to create a dedicated VPN gateway. A firewall/VPN appliance should not carry this extra baggage. (But beware that some low-end appliances run commercial-off-the-shelf *NIX operating systems).

That brings us to CVEs and attacks against known vulnerabilities. Firewall/VPN appliances that run custom operating systems are less likely to be vulnerable to common threats that plague COTS operating systems and related services. Some argue that custom operating systems are less thoroughly tested and so may have more undiscovered vulnerabilities, but COTS operating systems are simply a bigger, juicier target for attackers. With either solution, it is essential to apply the latest security patches and stay on top of new CVEs. However, you'll probably have more patches to apply if you use Windows as your VPN gateway.

Finally, there is the question of which VPN protocol you plan to use. Some small businesses use PPTP because it is easy to configure and their risk level (and security know-how) is modest. However, most businesses should try to use IPsec instead, since this approach offers much stronger security. Unfortunately, IPsec is much harder to configure correctly, and requires that you issue every VPN client a digital certificate or a (group) preshared secret. If you use Windows as your VPN gateway, then you will need to be running Windows on every client PC, or a third-party VPN client that supports L2TP-over-IPsec.

If you use a firewall/VPN appliance, you can probably use "vanilla" IPsec instead of L2TP-over-IPsec. Many appliances are supplied with VPN client software that has been fine-tuned to work with the appliance -- for example, supporting extended authentication, dynamic IP address delivery, network address translation traversal, and automated configuration. Depending upon the appliance and its management software, you may find these VPN clients are easier to administer than the native Windows client. For example, some appliances generate an install package that contains both the VPN software and configuration.

Microsoft fans will note that using the native Windows VPN client avoids installing software, but you still need to configure that client. Either way, IPsec client administration is no fun, so a growing number of appliances now support SSL tunneling as an alternative to PPTP, L2TP, or IPsec. SSL VPN appliances vary a good bit in features and application support, but if you're just starting your VPN now, consider this option before you invest in IPsec clients.
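The hardening advice in the answer above (shut down unused services, block non-VPN traffic, and let the VPN protocol you chose dictate what the gateway exposes) can be turned into a repeatable check. The following is an added example and is not part of Lisa Phifer's answer: a Python audit that compares what a port scan of the gateway's Internet-facing interface shows against the services a given VPN protocol actually needs. The scan listing, the protocol-to-service profiles and the list of risky Windows services are constructed for the example; in practice you would paste in the output of a real scanner run against your own gateway.

```python
"""Audit a VPN gateway's outside interface against the services its VPN protocol needs.

Added example, not code from the original answer. SAMPLE_SCAN is a constructed,
nmap-style listing; VPN_PROFILES and KNOWN_RISKY are the example's own tables.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Service = Tuple[str, Optional[int]]  # (transport or IP protocol, port or None)

# What each VPN flavour legitimately needs reachable from the Internet.
VPN_PROFILES = {
    "pptp":       {("tcp", 1723), ("gre", None)},                 # control channel + GRE data
    "l2tp/ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},   # IKE, NAT-T, ESP
    "ipsec":      {("udp", 500), ("udp", 4500), ("esp", None)},   # "vanilla" IPsec, same ports
    "ssl":        {("tcp", 443)},                                 # SSL/TLS tunnel
}

# Windows services that have no business on a gateway's Internet-facing interface.
KNOWN_RISKY = {
    ("tcp", 135): "MSRPC endpoint mapper",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 445): "SMB",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 3389): "RDP",
}

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}

# Constructed scan of the gateway's external interface: "target state name" per line.
SAMPLE_SCAN = """
# constructed listing, not real scan output
tcp/1723 open   pptp
gre      open   gre
udp/500  open   isakmp
udp/4500 open   ipsec-nat-t
esp      open   esp
udp/1701 open   l2tp
tcp/445  open   microsoft-ds
tcp/135  open   msrpc
tcp/80   open   http
tcp/3389 closed ms-wbt-server
"""


@dataclass(frozen=True)
class Finding:
    proto: str
    port: Optional[int]
    severity: str
    reason: str


def parse_scan(text: str) -> Set[Service]:
    """Return the set of (proto, port) entries reported as open; port is None for GRE/ESP."""
    found: Set[Service] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, state, *_ = line.split()
        if state != "open":
            continue
        proto, _, port = target.partition("/")
        found.add((proto.lower(), int(port) if port else None))
    return found


def audit(open_services: Set[Service], vpn_protocol: str) -> List[Finding]:
    """Flag everything exposed that the chosen VPN protocol does not require."""
    if vpn_protocol not in VPN_PROFILES:
        raise ValueError(f"unknown VPN protocol {vpn_protocol!r}")
    expected = VPN_PROFILES[vpn_protocol]
    # Services belonging to VPN flavours you are *not* running (e.g. PPTP left on after moving to IPsec).
    leftovers = {svc for name, prof in VPN_PROFILES.items() if name != vpn_protocol for svc in prof} - expected
    findings: List[Finding] = []
    for svc in open_services:
        proto, port = svc
        if svc in expected:
            continue
        if svc == ("udp", 1701) and vpn_protocol == "l2tp/ipsec":
            # L2TP must only be reachable inside the IPsec tunnel, never in the clear.
            findings.append(Finding(proto, port, "high",
                                    "L2TP reachable outside IPsec; accept UDP/1701 only from ESP-protected traffic"))
        elif svc in KNOWN_RISKY:
            findings.append(Finding(proto, port, "high",
                                    f"{KNOWN_RISKY[svc]} exposed to the Internet; disable the service or block it"))
        elif svc in leftovers:
            findings.append(Finding(proto, port, "medium",
                                    "VPN service for a protocol you are not using; disable it"))
        else:
            findings.append(Finding(proto, port, "medium",
                                    f"not needed for a {vpn_protocol} gateway; block non-VPN traffic"))
    for proto, port in expected - open_services:
        findings.append(Finding(proto, port, "info",
                                "required VPN service not reachable; clients will fail to connect"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.proto, f.port or 0))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scan(SAMPLE_SCAN), "l2tp/ipsec"):
        target = f"{finding.proto}/{finding.port}" if finding.port else finding.proto
        print(f"[{finding.severity:6}] {target:9} {finding.reason}")
```

Running the audit against the constructed listing for an L2TP/IPsec gateway reports SMB and MSRPC as high-severity exposures, flags UDP/1701 answering outside IPsec, and lists the PPTP control port and GRE as leftovers of a protocol no longer in use; auditing the same listing as a PPTP gateway instead marks the IKE and ESP entries as the leftovers, and auditing it as an SSL gateway reports TCP/443 as missing. Because only the service tables change between protocols, the same check covers the "which VPN protocol" decision and the "block non-VPN traffic" step in one pass.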




All Rights Reserved, Copyright 2000 - 2009, TechTarget | Read our Privacy Policy