4. Should I Use IPSec or Secure Sockets Layer (SSL) for Remote Access VPNs?
SSL VPNs offer application-layer secure access over the Internet using capabilities common to most browsers, which means not having to distribute and maintain client software on remote machines. The limitation is that browsers access only Web-based or Webbified applications.
By pushing Java or ActiveX SSL VPN plug-ins to the remote machines on the fly, SSL VPNs can create network-layer connections comparable to IPSec, without having to distribute dedicated VPN client software.
SSL can also give finer-grained control over the resources remote users may access. Whereas IPSec grants full network access, SSL can more readily restrict access per application.
If access to Web applications or Webbified applications is all users need, then the only client software required is a compatible browser. This means users can connect from home machines, borrowed machines or those found in business-center kiosks.
"SSL VPNs have superseded IPSec as the easiest choice for casual and ad hoc employee VPN access requests and for business partners, external maintenance providers and retired associates," says Gartner analyst John Girard. While the sales of SSL VPN gear grew 43% between mid-2006 and mid-2007 to hit $340 million, the annual growth rate is expected to slow down, resulting in a projected average annual growth rate of 13.8% through 2011.
A separate study by IDC finds that IPSec VPNs accounted for more than half of the $1.27 billion in VPN appliance sales in 2007, but IPSec's percentage share of that revenue fell by 9.8%. Sales of SSL VPNs rose 18.2% in the same period.
Still, customers are finding use for IPSec remote access in conjunction with SSL. Sales of hybrid SSL/IPSec gear are lower than sales of SSL or IPSec gear alone, but are growing faster, IDC says.
5. Are VPNs Good for VoIP?
MPLS VPNs can provide quality of service that guarantees delivery of VoIP packets on time for better voice quality.
MPLS also scales to accommodate very large numbers of sites in a full mesh, so phoning among corporate sites via VoIP shouldn't be a problem.
Using an SSL VPN to carry VoIP over TCP actually improves voice quality, testing by Network World has found. Because TCP retransmits lost packets and delivers them in order, it can boost the quality of the received call, provided there is enough bandwidth to carry the VoIP stream plus the retransmissions.
VPNs can also provide security for VoIP calls running over Wi-Fi networks or wired networks, blocking eavesdropping.
VPNs are also used to protect data from smartphones and other handheld devices, including iPhones, although management for that is still rudimentary.
6. Can I Use VPNs in Virtual Environments?
Yes, and doing so may enhance VPN security.
Many vendors are coming out with versions of their VPN software that run on virtual server platforms. This is desirable for businesses in the midst of virtualization of servers as a way to reduce the number of devices and the electrical power expended in data centers.
The trade-off is that this means forgoing VPN appliances, which are a popular way to deploy VPN gateways because they are separate devices, managed separately.
On the client side of the VPN, running the VPN client inside a virtual machine on the remote PC can help improve VPN security, according to VMware.
Users can configure remote virtual desktops so that they can reach corporate sites only through a VPN gateway. At the same time, the physical host that the virtual desktop runs on can be barred from the VPN.
So the virtual machine becomes the entity that joins the VPN, meaning that any compromise of the host machine itself stays isolated on the physical machine and cannot spread through the VPN into the corporate network.
Virtual machine policies can restrict virtual desktops so they can access nothing but the VPN, insulating them from attacks originating outside the VPN. "You isolate the virtual machine from everything except the corporate VPN server," VMware says.
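One way to express the "nothing but the VPN" policy inside the virtual desktop itself, as an added example that is neither the article's nor VMware's: a shell function that emits an nftables ruleset in which the guest may reach only its VPN gateway directly, everything else leaves through the tunnel interface, and all other traffic is dropped. The gateway address 203.0.113.10, port 443/udp, tunnel interface tun0 and table name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the Network World article or VMware.
# Emits an nftables ruleset for a virtual desktop that is allowed to talk
# only to its corporate VPN gateway. Values passed in are assumptions:
#   $1 gateway IPv4 address, $2 VPN port, $3 protocol (udp/tcp),
#   $4 tunnel interface created by the VPN client (e.g. tun0).
vpn_only_ruleset() {
    gw="$1"; port="$2"; proto="$3"; tun="$4"
    cat <<EOF
table inet vpn_only {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # replies that belong to a flow we already allowed (e.g. the VPN handshake)
        ct state established,related accept
        # the only destination reachable directly on the uplink is the VPN gateway
        ip daddr $gw $proto dport $port accept
        # once the tunnel is up, corporate traffic is allowed out through it
        oifname "$tun" accept
        # everything else, including IPv6 and unrelated DNS, hits policy drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # only answers to flows the guest started are let back in
        ct state established,related accept
    }
}
EOF
}

# Sanity check that the generated ruleset really contains the drop policy
# and the single permitted gateway rule; returns 0 on success, 1 otherwise.
ruleset_is_vpn_only() {
    rules="$(vpn_only_ruleset "$1" "$2" "$3" "$4")"
    printf '%s\n' "$rules" | grep -q 'policy drop;' || return 1
    printf '%s\n' "$rules" | grep -q "ip daddr $1 $3 dport $2 accept" || return 1
    printf '%s\n' "$rules" | grep -q "oifname \"$4\" accept" || return 1
    return 0
}
```

Apply it with `vpn_only_ruleset 203.0.113.10 443 udp tun0 | nft -f -` after validating the syntax with `nft -c -f -`; the guest can then reach nothing but the VPN server until the tunnel is established.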
Additional virtual machine policies can encrypt all data in the virtual machine and block the data from being transferred out of it, making it even less likely that data accessed via the VPN can be compromised.
Virtual machine expiration policies can further secure VPNs. If a contractor, for example, is granted corporate VPN access via a virtual desktop on the contractor's own machine, the virtual machine can be configured to expire at a certain time, say, the date the contract runs out, VMware says.
This story, "VPNs: Answers to Six Burning Questions" was originally published by Network World.