Which VPN should your business network implement?

Discover which VPN would be the best to implement into your enterprise wide area network (WAN). See examples of different VPN scenarios.

Businesses can reap the benefits of an SSL VPN as well as an IPsec VPN with a well-thought-out VPN strategy. In this section of the VPN guide, many questions about business VPNs are answered. Is a Web-based SSL VPN a good fit for your organization, or should you go with the more traditional IPsec VPN? Should you consider alternatives to SSL and IPsec VPNs? Find out which VPN you should choose for your organization and how to implement the right security strategy or skip to other sections in the VPN tutorial using the table of contents below.

Table of contents

Introduction: Use both IPsec and SSL

The "Which virtual private network (VPN) do I choose?" question doesn’t have to be an either/or proposition. Both Web-based SSL and IPsec VPNs have their advantages and drawbacks. Businesses can reap the benefits of both with a well-thought-out VPN strategy.

"These two technologies are complementary rather than exclusive: Both protocols provide a valid solution for securing remote access users, and each has its own merits," said Itay Yanovski, Zim Shipping's information security officer. "At our organization we use both IPsec and SSL VPNs, and as the company's security officer I wouldn't give up either."

Vivian Ganitsky, management director of Juniper Networks’ SSL VPN product line, said plenty of Juniper's customers feel the same way. As a result, she said the company's latest product overhaul is designed to make it easier for companies to use both IPsec and SSL.

"The great benefit with IPsec is that it's a fast mode of transport," she said. "It is optimized for quick access to VoIP and streaming media, and fast access to items at the network layer."

But while many companies still use IPsec and SSL, Forrester Research analyst Rob Whiteley believes most will eventually push IPsec to the sidelines and go full-on with SSL.

"We are in a transition phase," he said in an interview with Information Security magazine, a sister publication to SearchSecurity.com. "We are going to see more SSL deployments until IPsec becomes the niche technology, which is the reverse of today."

He recommended enterprises assess their applications and ensure internal compatibility with their VPN plans. Exhaustive SSL VPN evaluations should be conducted and IPsec should be maintained for specialized applications that are not Web enabled, he said.

This information was excerpted from Is IPsec on borrowed time? by Bill Brenner.

Questions to ask when deciding which VPN to use

Is a Web-based SSL VPN a good fit for your organization, or should you go with the more traditional IPsec VPN? Here are some questions you should ask when determining which VPN to deploy:

  • Are your company's applications all browser-based?
  • Do browser-based applications already use SSL? (If so, then there’s no need for additional VPN functionality to be added.)
  • Do you want to avoid installing IPsec software on all user client computers or mobile devices?
  • Are residential broadband providers blocking and/or charging more for IPsec traffic?
  • Are remote users coming in through NAT routers?

If you’ve decided that an IPsec VPN better meets your needs, but don’t have the budget for one, a free VPN client or even an alternative to a VPN might be in order. In that case, ask yourself:

  • Why are you looking for a VPN client?
  • Are you planning to tunnel to an enterprise network?
  • Are you hoping to provide secure remote access to your small business network?
  • Are you trying to protect traffic on a residential wireless LAN?

In each case, the best answer may be different.

  • Users tunneling to enterprise VPNs are typically required to use the client dictated by that network's operator. In some cases, a specific client is required to support vendor extensions. The company may also supply the necessary security policy in a client-specific format.
  • Users seeking secure access to a SOHO (small office/home office) LAN must weigh the value of the data and network being protected against the cost of the VPN, including hardware, software, and configuration/maintenance. Many small businesses use the Point-to-Point Tunneling Protocol (PPTP) VPN client freely available in every Windows PC to reach either a Windows NT/2000 server or a VPN/firewall appliance that supports PPTP. This is an easy solution for Windows-only shops that need lightweight protection.
  • Users that want something better than Wired Equivalent Privacy (WEP) between peers on a residential wireless LAN must first find a VPN server. Can your access point or gateway act as a VPN server for your wireless LAN? If not, can you connect one PC or an inexpensive security appliance to an Ethernet port on your access point to act as a VPN server? Or can you run peer-to-peer IPsec between wireless stations? (This requires security know-how, but is often possible.)

You should also consider the traffic you are hoping to protect with a VPN client. After all, why use a sledgehammer if a tack hammer will do?

  • If you’re looking to exchange secure email with business partners, consider an email encryption program like Pretty Good Privacy.
  • The wide area network (WAN) administrator looking for a secure way to manage corporate routers and servers from home may find secure shell does the trick.
  • The road warrior looking for roaming access to his always-on PC back at home may consider a commercial secure desktop access service like GoToMyPC.

These excerpts were adapted from Choosing between IPsec and SSL VPNs, by Crystal Ferraro and VPN client alternatives by Lisa Phifer.

Where mobile VPNs are useful

Mobile VPN products operate over many kinds of networks, from satellite links and GSM to Wi-Fi and 3G. Some mobile VPNs are network-agnostic, sending exactly the same messages over any data link. Others are network-aware, adjusting messages to optimize performance over high-latency or low-bandwidth links. Some mobile VPNs simply use the connection with the highest data rate. Others let you control link selection and/or automate network authentication with configurable policies.

Mobile VPN clients have been developed for many devices and operating systems -- from Windows XP/2000 laptops and tablets to smartphones and wireless point-of-sale terminals. Because of this, platform support varies widely and often depends on nitty-gritty details such as OS version, hardware model, and wireless adapter. Some mobile VPN clients can even be purchased with an SDK for porting to additional platforms.

For more information about mobile VPNs, see the Mobile VPN solutions and benefits section of our VPN tutorial.

Look before you decide which VPN to implement

Deciding which mobile VPN meets your network and device requirements is just the first step. Selecting the right mobile VPN for your workforce will involve evaluating many requirements -- including the VPN's ability to implement and enforce your company's security policy.

What often matters the most is usability and reliability. Will adopting a mobile VPN really make your workforce more productive? More competitive? More responsive? To answer those questions, read this article on test-driving mobile VPNs.

This information was excerpted from Mobile VPN: Closing the gap, by Lisa Phifer.

Alternatives to SSL and IPsec VPNs

A VPN, by definition, provides privacy by employing tunneling protocols that encrypt data at the sending end of the tunnel and decrypt it at the receiving end. This is not to be confused with protocols that provide tunneling but do not provide privacy -- but might still be referred to as a VPN!

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

The IPsec Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.
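The difference between the two encapsulations, shown as an added example that is not part of the original article: the Python below parses one constructed GRE packet and one constructed ESP packet the way an on-path observer without keys would. The addresses, SPI, payload and the random bytes standing in for ESP ciphertext are constructed sample values, and only the base RFC 2784 GRE header is handled.

```python
import os, socket, struct

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[9], socket.inet_ntoa(pkt[12:16]),
            socket.inet_ntoa(pkt[16:20]), pkt[ihl:])

def observer_view(pkt):
    """What an on-path observer without keys can read from one tunnel packet."""
    proto, src, dst, body = parse_ipv4(pkt)
    view = {"outer": (src, dst)}
    if proto == 47:                       # GRE (RFC 2784)
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x0007:
            raise ValueError("unsupported GRE version")
        offset = 8 if flags & 0x8000 else 4   # C bit adds checksum + reserved1
        view["tunnel"] = "GRE"
        if ptype == 0x0800:               # inner packet is IPv4, in cleartext
            _, isrc, idst, data = parse_ipv4(body[offset:])
            view.update(inner=(isrc, idst), data=data)
    elif proto == 50:                     # ESP: SPI, sequence number, ciphertext
        spi, seq = struct.unpack("!II", body[:8])
        view.update(tunnel="ESP", spi=spi, seq=seq, opaque_bytes=len(body) - 8)
    return view

# Constructed sample traffic: documentation addresses outside, private inside.
INNER = ipv4("10.1.1.5", "10.2.2.9", 253, b"user=alice")   # 253 = experimental
GRE_PKT = ipv4("198.51.100.1", "203.0.113.1", 47,
               struct.pack("!HH", 0, 0x0800) + INNER)
# Random bytes stand in for ESP ciphertext; no real encryption is performed.
ESP_PKT = ipv4("198.51.100.1", "203.0.113.1", 50,
               struct.pack("!II", 0x1001, 1) + os.urandom(48))

if __name__ == "__main__":
    for name, pkt in (("GRE", GRE_PKT), ("ESP", ESP_PKT)):
        print(name, observer_view(pkt))
```

For the GRE packet the observer recovers the inner addresses and payload; for the ESP packet only the outer addresses, the SPI and the sequence number are readable.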

You might also come across L2TP and MPLS VPNs. Multi-Protocol Label Switching (MPLS) is a routing protocol: Packets are tagged with labels that allow routers to decide how to handle them. Different labels allow for different routing paths between endpoints, which can be used to implement different classes of service in the network. Layer 2 Tunneling Protocol (L2TP) is an encapsulation technique that allows packets to be transported between a pair of endpoints inside IP packets. Both MPLS and L2TP may be used to transport IP and non-IP protocols. MPLS may be used to implement a VPN, with network privacy ensured by controlling the routing of the packets, rather than by encryption. Because L2TP is intended for use in the public Internet, it is normally used with encryption (for example IPsec) to ensure privacy and authenticity.

This information was excerpted from L2TPv3 tunneling compared to MPLS by Jack Keane, and GRE tunnel vs. IPsec tunnel: What’s the difference? by Lisa Phifer.

→ To learn more about virtual private networks, view SearchEnterpriseWAN.com's VPN and WAN security landing page.

This was last published in December 2010
