Small Business VPN Primer: Set Up Your Office Network for Telecommuting
There comes a time in most businesses when circumstances dictate that one or more users work from home either full- or part-time. In other cases, it may simply be convenient for business owners and employees to be able to use company resources from home or (unfortunately) while on vacation.
The best way to provide such remote access is with a VPN (Virtual Private Network). A VPN enables a computer that is located outside the corporate network to connect to that network as if it were inside the building, allowing access to internal resources such as file shares, applications, and printers. Some types of VPN require the outside PC to use a client to access the network, while other VPNs use SSL (Secure Sockets Layer) and can function without the need for a client to be installed. And some VPN setups can provide both of these connection methods.
In very small operations, such as an office where only a single person needs to connect to a single company computer from home, a full VPN may not be necessary. Instead, a remote desktop access app like GoToMyPC or LogMeIn can connect the off-site user to one company computer. If business needs require multiple remote connections, however, using a full VPN may be a better idea.
An IPSec VPN provides secure remote access through a client application on the remote system and a VPN terminator that resides on the company network. In many cases, the VPN termination device is also the firewall that protects the corporate network from the Internet, but it can also be a stand-alone device. This device is configured to allow VPN connections that meet certain security criteria, such as a group name and password (also known as a "Shared Secret"). If the client is not configured to exactly match the VPN device settings, it won't connect.
If a client does match the settings specified by the VPN device, then the client can successfully make the initial connection, but it still must authenticate itself to the network before it can access anything. This is generally a username and password that is configured on the VPN device itself, or on the network with Microsoft Active Directory. In either case, IPSec VPNs require two forms of authentication before a remote system is permitted to access the corporate network. And in most cases, the remote client VPN settings can be distributed through a specific file that can be imported into the client. Following that, the user can connect to the VPN and type their username and password to gain access.
Some operating systems come with IPSec VPN clients already installed. Mac OS X has the ability to connect to Cisco and other IPSec VPN devices already present, for instance. Windows systems generally rely on third-party VPN software to provide this service. Many mobile devices also have support for generic IPSec connectivity.
PPTP (Point-to-point tunneling protocol) VPNs have been around since Microsoft first implemented the protocol in Windows 95. However, it has fallen out of favor in recent times because of security issues with the protocol itself. Some VPN devices still support PPTP connections, as do all Windows versions since Windows 95. Mac OS X and some smartphones also support PPTP connectivity.
While PPTP may still be around and your VPN termination device may support the protocol, it’s better to look to either IPSec or SSL VPNs (see below), since they're more secure.
SSL (Secure Sockets Layer) VPNs came into fashion because they're generally known as "clientless" VPNs. This means that the remote computer doesn't need to have a client preinstalled to connect to the corporate network. In most cases, an SSL VPN tunnel is created when a remote user opens a Web browser and connects to a predefined URL, such as https://vpn.mycompany.com. Note that if you do not have DNS service from your provider, this URL may simply be an IP address.
The remote user is then prompted for a username and password. Once authenticated, the user may be taken to a Web page that has an icon to connect to the VPN. Clicking on the icon will download a small applet from the SSL VPN device that runs on the user's computer and acts as the VPN client. This means that users don't need to preinstall the client as they do with IPSec VPNs, and they won't need to redownload the applet when they access the SSL VPN in the future.
In some cases, this client is persistent, and can be run without connecting to the SSL VPN URL, but other implementations may require the browser to function.
This form of VPN permits full network connectivity, as IPSec does, but it may be easier to deploy to remote users since you don't need a "fat" IPSec client or IPSec connection information. On the other hand, it also lacks the secondary authentication present in IPSec, which may be a concern.
Comparing VPN Options
When shopping for a VPN, you may find that some products offer several types of VPN connectivity options in a single device. You may also find that some vendors have their own VPN type, such as QuickVPN, that is incompatible with other VPN standards. While these solutions may work, they can be difficult to maintain later on, and they're often not as compatible with as many different client devices, such as different versions of PC and mobile OSs. If you're interested in using one of these proprietary VPN solutions, make sure that it supports all the operating systems you plan on using.
Some devices offer both IPSec and SSL VPN options, while others are strictly SSL or strictly IPSec. If your business's budget permits, you're better off purchasing a device that provides both, as this will allow a larger variety of remote device types to connect to the network. If all you're worried about is PCs and Mac computers, then going with just SSL or just IPSec is fine, provided that the vendor supports all the operating system versions you run.
In some cases, this VPN device may be had for under $200, but spending a little more on a more capable solution will likely benefit you in the long run, and potentially reduce the potential for future equipment failure that can take out your network.
One of the most important details in setting up a VPN is to ensure that your Internet connection has a static IP address. Many business-class cable and DSL connections use dynamic addressing, which means that the IP address of your Internet connection changes occasionally. When that IP address changes, your remote users won’t know what the new address is, and thus won't be able to connect. Most business-class cable and DSL providers have options for a static IP address; this will ensure that your remote users will always be able to connect to your network. Be sure to request this option from your provider before you go any further with your VPN plans. At the same time, make sure that you have sufficient upstream bandwidth to support remote users. If you have a slow upload speed, it will significantly impact the network speed seen by remote users.
You may find that your chosen device also functions as a firewall. If you already have a firewall, you can still use this device, but you may have a few extra issues to deal with. For instance, if you have a single static IP address on a business-class Internet connection, the VPN device will have to be connected behind the existing firewall and the setup becomes far more complex. However, if your chosen VPN device's firewall is sufficiently capable, you may find it better to use that firewall instead--this would save you the hassle of connecting your VPN behind your existing firewall.
Setting up the VPN itself is quite vendor-specific, but most devices have a Web-based user interface that allows for setup of both the firewall and VPN functions, and may even have a wizard-type easy setup method.
Once your VPN is operational, your remote users should be able to securely connect to your internal network and use all the resources that are available as if they were sitting in your offices, even though they may be thousands of miles away.