VPNs can connect offices together at a fraction of the cost of a leased line, and can allow workers to connect anywhere, any time.
A Virtual Private Network (VPN) is a private tunnel that connects two networks through a public network (usually the Internet). Using a virtual private network involves encrypting data before sending it across a public network and decrypting it at the receiving end.
Security features differ from product to product, but VPNs generally include encryption, authentication of remote users or sites, and mechanisms for disguising information about the private network from the public network. VPN functionality is often part of a firewall, so many of the appliances tested include varying amounts of firewall functionality.
A virtual private network is now often being used to replace a system of expensive owned or leased lines that a company uses. The idea of the VPN is to give the company the same capabilities at lower cost by using the shared public network (Internet) rather than a private one.
How is the data secured?
The IPSec protocol suite provides complete secure communications, with authentication, integrity and confidentiality, and makes key exchange practical even in larger networks. The end result is that with IPSec-compliant products you can build a secure VPN on any existing IP-based network.
The basic building blocks of IPSec, the encapsulating security payload (ESP) and the authentication header (AH), use cryptographic techniques for ensuring data confidentiality and digital signatures for authenticating the data's source.
The IP packet is the fundamental unit of communication in IP networks. IPSec handles encryption at the packet level, using a protocol called ESP. ESP supports virtually any kind of symmetric encryption.
The default standard built into ESP, which assures basic interoperability, is 56-bit DES. Most of the appliances tested are capable of (and were tested with) triple DES.
How do I set one up?
Setting up a VPN is not easy. Even once you have some experience, some of these units can take days to configure. A variety of experience is needed, from networking (TCP/IP) to general security, firewalls, and the VPN specifics. The best way forward is often to have your reseller configure everything for you, and teach you along the way, then get some further training.
Connecting to a VPN from a remote site is much simpler, at least. All versions of Windows since Windows 2000 have a VPN client built in and a patch is available for Windows 98.
Make sure you upgrade your encryption to 128-bit, though. Configuring and using the Windows client is no more complicated than a regular dial-up connection, and it can be handled exactly the same way by the OS. VPN clients for Linux and Mac OS are also available.
An unmonitored VPN/firewall is little better than no VPN/firewall at all. You need to be watching the logs and keep an eye on what is happening inside and outside your network.
Configuration software
All the units we reviewed, except the Watchguard, used a browser-based client to configure and monitor the appliance. The Watchguard used a proprietary Windows application.
The Nortel Contivity made heavy use of Java, which in addition to its slower Celeron processor and many layered interface, made the box rather frustrating to use. We were often forced to wait for configuration changes to happen and the next screen to appear.
Are we there yet?
Of the appliances tested, only the SonicWALL and Watchguard units gave a clear visual indication that a VPN link was up and active. The other units required you to look through what could be pages of (often undecipherable) log entries to find out if the connection was live, or to play around with ping commands that were often frustratingly filtered out by the firewalls built into the units.
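The two points above, that an unmonitored VPN is little better than none and that appliance logs are often the only way to tell whether a tunnel is live, can be turned into a small check. The following is an added example, not code from the article or from any of the appliances reviewed; the log format and the sample lines are constructed for this example, so the regular expression would have to be adapted to a real unit's log output.

```python
import re

# Constructed sample log lines in a generic IKE/IPsec style. The format is an
# assumption for this example, not the output of any appliance in the review.
SAMPLE_LOG = """\
2002-03-01 09:12:01 ike: peer 203.0.113.5 phase1 established
2002-03-01 09:12:02 ipsec: peer 203.0.113.5 SA established spi=0x1a2b3c esp-3des-sha1
2002-03-01 09:12:05 ipsec: peer 198.51.100.9 SA established spi=0x4d5e6f esp-des-md5
2002-03-01 09:40:17 ipsec: peer 198.51.100.9 SA expired spi=0x4d5e6f
2002-03-01 09:41:00 ike: peer 198.51.100.9 phase1 failed: no proposal chosen
"""

# Ciphers too weak for a production tunnel: 56-bit DES is only the
# interoperability baseline, so a tunnel negotiated with it should be flagged.
WEAK_CIPHERS = {"des"}

SA_EVENT = re.compile(
    r"^(?P<ts>\S+ \S+) ipsec: peer (?P<peer>\S+) SA (?P<event>established|expired)"
    r" spi=(?P<spi>0x[0-9a-f]+)(?: esp-(?P<cipher>[a-z0-9]+)-(?P<mac>[a-z0-9]+))?$"
)

def summarise(log_text):
    """Walk the log once; return live SAs, weak-cipher SAs and failed negotiations."""
    status = {"active": {}, "weak": [], "failures": []}
    for line in log_text.splitlines():
        if "failed" in line:                # negotiation errors are worth an alert
            status["failures"].append(line)
            continue
        m = SA_EVENT.match(line)
        if not m:                           # not an SA lifecycle event, ignore
            continue
        spi = m.group("spi")
        if m.group("event") == "established":
            cipher = m.group("cipher") or "unknown"
            status["active"][spi] = (m.group("peer"), cipher)
            if cipher in WEAK_CIPHERS:
                status["weak"].append((m.group("peer"), spi, cipher))
        else:                               # expired SA: tunnel no longer live
            status["active"].pop(spi, None)
    return status

def live_peers(status):
    """Peers that still have at least one established SA."""
    return sorted({peer for peer, _ in status["active"].values()})

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("live peers:", live_peers(s))
    print("weak ciphers seen:", s["weak"], "| failed negotiations:", len(s["failures"]))
```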