Problem solve Get help with specific problems with your technologies, process and projects.

Should I use a hardware or software VPN?

I have read up on the software (Windows 2000) and also the hardware (Symantec Firewall/VPN) and I am scheduled to set one up in January. I think I am going with the hardware VPN. If you have any info, tips, suggestions they'd be welcome.

I have read up on the software (Windows 2000) and also the hardware (Symantec Firewall/VPN) and I am scheduled to set one up in January. I think I am going with the hardware VPN. If you have any info, tips, suggestions they'd be welcome.  

Using an existing Windows NT/2000/2003 box as your VPN gateway is tempting to those who already have a spare PC and Windows software and some experience in administering Windows. All of these Windows OS's support the Point to Point Tunneling Protocol (PPTP); 2000 and 2003 also support the Layer Two Tunneling Protocol (L2TP) over IP Security (IPsec).

So why do so many businesses buy a hardware firewall/VPN appliance instead of using Windows as their VPN gateway? For one thing, you'd need to harden your Windows server, shutting down all unused services, blocking non-VPN traffic, etc. Firewall/VPN appliances are already hardened right out of the box, designed to face an untrusted network like the Internet.

Next, there's the issue of performance. Although you can buy LAN cards that add IPsec acceleration to your PC, your Windows gateway will probably encrypt packets in software on a general purpose CPU. Firewall/VPN appliances often include hardware acceleration, performing crypto in silicon for higher throughput and lower latency. (Sometimes this is an option, so look closely at appliance specs.)

Then there's dedication to the task at hand. A Windows server is running plenty of software and services that have nothing to do with your VPN, and you will spend time turning these off or getting rid of them to create a dedicated VPN gateway. A firewall/VPN appliance should not carry this extra baggage. (But beware that some low-end appliances run commercial-off-the-shelf *NIX operating systems).

That brings us to CVEs and attacks against known vulnerabilities. Firewall/VPN appliances that run custom operating systems are less likely to be vulnerable to common threats that plague COTS operating systems and related services. Some argue that custom operating systems are less thoroughly tested and so may have more undiscovered vulnerabilities, but COTS operating systems are simply a bigger, juicier target for attackers. With either solution, it is essential to apply the latest security patches and stay on top of new CVEs. However, you'll probably have more patches to apply if you use Windows as your VPN gateway.

Finally, there is the question of which VPN protocol you plan to use. Some small businesses use PPTP because it is easy to configure and their risk level (and security know-how) is modest. However, most businesses should try to use IPsec instead, since this approach offers much stronger security. Unfortunately, IPsec is much harder to configure correctly, and requires that you issue every VPN client a digital certificate or a (group) preshared secret. If you use Windows as your VPN gateway, then you will need to be running Windows on every client PC, or a third-party VPN client that supports L2TP-over-IPsec.

If you use a VPN/firewall appliance, you can probably use "vanilla" IPsec instead of L2TP-over-IPsec. Many appliances are supplied with VPN client software that has been fine-tuned to work with the appliance -- for example, supporting extended authentication, dynamic IP address delivery, network address translation traversal, and automated configuration. Depending upon the appliance and its management software, you may find these VPN clients are easier to administer than the native Windows client. For example, some appliances generate an install package that contains both the VPN software and configuration.

Microsoft fans will note that using the native Windows VPN client avoids installing software, but you still need to configure that client. Either way, IPsec client administration is no fun, so a growing number of appliances now support SSL tunneling as an alternative to PPTP, L2TP, or IPsec. SSL VPN appliances vary a good bit in features and application support, but if you're just starting your VPN now, consider this option now before you invest in IPsec clients.

For more information: 

This was last published in March 2004

Dig Deeper on Wireless LAN Implementation