VPN Fundamentals for the IT Department
If you're running a serious corporate VPN, you already know that neither end-user VPN services nor software-based VPN services can do the job. Sure, you could throw a few dozen OpenVPN or Windows Server 2008 R2 boxes at the problem, but besides not being fast enough, they'd be a nightmare to manage. When your company needs anything from a few hundred to 10,000-plus active VPN tunnels at once, you must turn to either top-of-the-line VPN hardware or a national-level VPN service. Traditionally that has meant Cisco, F5 Networks, Juniper Networks, and a handful of other top networking companies.
At this point, too, you might be concerned about the second kind of VPN, circumstances in which you use VPNs to connect different offices and branches securely over the Internet. Here you use technologies such as MPLS (Multi-Protocol Label Switching), VPLS (Virtual Private LAN Services), and L2VPN (Layer 2 Virtual Private Networks) to bring together data centers and central and branch offices into one virtual whole.
If you need to start thinking about that kind of VPN, you shouldn’t be listening to me. You need to find top network engineers--or better still, a qualified network architect--to set up your virtual WAN (Wide Area Network) correctly. A mistake here can cost your company hundreds of thousands of dollars, or foul up your WAN when you least want it to go down. Do you want to explain to the CEO why the companywide videocast went to the great bit-bucket in the sky? I thought not.
Corporate remote-access VPNs, even on the larger stage, use the same technologies as their smaller siblings. The difference is entirely in scale.
If you want to manage your own enterprisewide VPN, you'll need to build it around expensive (start at five figures and work your way up from there) VPN appliances and servers from Cisco or Juniper. Or do you?
Conventional wisdom says that you have to use brand-name VPN concentrators with their high price tags, but other vendors--Vyatta, in particular--argue otherwise. Vyatta, starting with the Vyatta 3500 Series Router and Firewall (introduced in late 2009), is offering 10-Gbps routing at a fraction of the price of similar Cisco offerings.
When it comes to VPNs, for example, the Vyatta 3500 can handle up to 8000 simultaneous IPSec VPN tunnels at up to 900 Mbps for approximately $6000, while a comparable Cisco ASR 1006 setup would run more than $100,000. Is the Vyatta product as good? I haven't done any testing myself, but I know of companies that are using it and are happy with it. More to the point, at that price, why not at least try it out? Though the economy may be showing signs of improving, it's still not good enough that CFOs and CIOs will cheerfully sign off on six-figure hardware purchases.
Of course, you might want to consider outsourcing to meet your VPN needs. That used to be somewhat chancy, but in recent years a few major telecoms such as AT&T and Verizon have started offering national and international VPN services. The fees for such services aren't cheap, but neither is maintaining your own enterprise-level VPNs. Penny-wise and pound-wise network designers will carefully consider VPN outsourcing options.
A Guide to VPN Protocols
VPNs create a secure "tunnel" through the Internet using a variety of protocols.
PPTP (Point-to-Point Tunneling Protocol): This protocol was first used in Windows, but it comes without any built-in security. It’s usually teamed with the MPPE (Microsoft Point-to-Point Encryption) protocol to create a secure VPN. I say "secure," but PPTP, aka PP2P, has long had a bad security reputation. Fortunately, PPTP is slowly dying away and being replaced by more secure protocols.
L2TP (Layer 2 Tunneling Protocol): Microsoft, working in concert with Cisco, did better the second time around. L2TP, combined with IPSec security, is much more secure, and it’s used in all modern versions of Windows. L2TP is also supported on Mac OS X and on Linux with programs such as Openswan.
SSL VPN (Secure Sockets Layer VPN): Over the past few years, in no small part due to the growing popularity of OpenVPN, SSL VPNs have become more common. You can find SSL VPN clients for all major operating systems.
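The protocol guide above maps directly onto what a perimeter firewall sees on the wire, which is how an IT department finds out which of these protocols are actually in use. The script below is an added example, not code from the original article or from any vendor it names: it parses a constructed firewall log format, classifies flows by the standard transport signatures of PPTP (TCP 1723 control plus GRE data), L2TP (UDP 1701), IPsec (UDP 500 for IKE, UDP 4500 for NAT-T, ESP) and OpenVPN (UDP 1194), and reports which internal sources still rely on PPTP or on L2TP with no IPsec around it. The log format, field names and sample lines are assumptions made for the example; the port and protocol numbers are the standard IANA assignments.

```python
"""Inventory VPN protocols seen in firewall logs and flag weak ones.

Added example, not from the original article. The log line format and the
sample entries below are constructed; the port/protocol signatures are the
standard IANA assignments for each VPN technology.
"""
import re
from collections import Counter

# (ip_protocol, dst_port) -> VPN technology.  GRE and ESP carry no port.
VPN_SIGNATURES = {
    ("tcp", 1723): "PPTP control",
    ("gre", None): "PPTP data (GRE)",
    ("udp", 1701): "L2TP without IPsec",   # bare L2TP visible on the wire
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("esp", None): "IPsec ESP",
    ("udp", 1194): "OpenVPN (SSL VPN)",
}

# PPTP/MPPE is the protocol the guide calls out as having a bad reputation;
# L2TP seen outside an IPsec tunnel (UDP 1701 in the clear) gets no
# encryption at all, since L2TP/IPsec wraps that traffic in ESP or NAT-T.
WEAK = {"PPTP control", "PPTP data (GRE)", "L2TP without IPsec"}

# Constructed format:
#   <timestamp> proto=<tcp|udp|gre|esp> src=<ip> dst=<ip>[:port] action=<word>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)(?::(?P<port>\d+))?\s+action=(?P<action>\w+)$"
)


def classify(line):
    """Return (technology, src_ip) for a recognised VPN flow, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not in the expected format; skip rather than guess
    proto = m.group("proto").lower()
    port = int(m.group("port")) if m.group("port") else None
    # Port-less IP protocols are keyed on the protocol name alone.
    key = (proto, None) if proto in ("gre", "esp") else (proto, port)
    tech = VPN_SIGNATURES.get(key)
    return (tech, m.group("src")) if tech else None


def inventory(lines):
    """Count VPN technologies and collect sources still using weak ones."""
    counts = Counter()
    weak_sources = set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        tech, src = hit
        counts[tech] += 1
        if tech in WEAK:
            weak_sources.add(src)
    return counts, sorted(weak_sources)


# Constructed sample log: one PPTP client, one L2TP/IPsec client (NAT-T),
# one bare-L2TP client, one OpenVPN client, plain HTTPS, and a junk line.
SAMPLE_LOG = [
    "2010-03-01T09:00:01 proto=tcp src=10.1.1.20 dst=203.0.113.5:1723 action=allow",
    "2010-03-01T09:00:02 proto=gre src=10.1.1.20 dst=203.0.113.5 action=allow",
    "2010-03-01T09:00:05 proto=udp src=10.1.2.7 dst=203.0.113.5:500 action=allow",
    "2010-03-01T09:00:05 proto=udp src=10.1.2.7 dst=203.0.113.5:4500 action=allow",
    "2010-03-01T09:00:07 proto=udp src=10.1.4.3 dst=203.0.113.5:1701 action=allow",
    "2010-03-01T09:00:09 proto=udp src=10.1.3.9 dst=203.0.113.6:1194 action=allow",
    "2010-03-01T09:00:10 proto=tcp src=10.1.3.9 dst=203.0.113.6:443 action=allow",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    counts, weak = inventory(SAMPLE_LOG)
    for tech, n in sorted(counts.items()):
        print(f"{n:4d}  {tech}")
    print("sources using weak VPN protocols:", ", ".join(weak) or "none")
```

Run against a real export, the weak-source list becomes the migration worklist for moving clients from PPTP to L2TP/IPsec or an SSL VPN; the classifier deliberately keys GRE and ESP on the IP protocol alone because those carry no port, so a log that records only TCP/UDP flows would miss the PPTP data channel and the ESP half of L2TP/IPsec.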