Benefits and security risks of VPNs

A VPN can erase geographical barriers for a company, enable employees to work efficiently from home and allow a business to connect securely with its vendors and partners. A VPN is usually much cheaper to own and operate than private lines.

On the other hand, the use of a VPN can expose a company to potential security risks. While most VPNs in use are now fairly secure in and of themselves, a VPN can make it more difficult to secure the perimeter of a network properly. It is incumbent upon network administrators to apply the same security standards to computers connecting to the network via VPN as computers directly connected to the LAN.

Combining the use of two VPNs simultaneously can potentially expose one company's network to another's. In addition, using remote control software such as PC Anywhere, GoToMyPC or VNC in combination with a VPN can expose the company's network to the malware present on a remote computer that is not itself connection to the VPN.

Reliability, scalability and performance of VPNs

Because secure VPNs rely on encryption and some of the cryptographic functions used are computationally expensive, a heavily used VPN can load down its server. Administrators typically manage the server load by limiting the number of simultaneous connections to what the server can handle.

When the number of people attempting to connect to the VPN suddenly peaks, for example, during a storm that disrupts transportation, employees may find themselves unable to connect because all VPN ports are busy. That gives administrators motivation to make key applications work without requiring the VPN, for instance, by setting up proxy servers or Internet Message Access Protocol servers to enable employees to access e-mail from home or from the road.

Deciding between IPsec and SSL/TLS for a given scenario can be complicated. One consideration is that SSL/TLS can work through a NAT-based firewall; IPsec cannot, but both protocols work through firewalls that do not translate addresses.

IPsec encrypts all IP traffic that flows between two computers. SSL/TLS is specific to an application. SSL/TLS uses expensive asymmetric encryption functions to establish a connection, and more efficient symmetric encryption functions to secure a running session.

In a real-world remote application, administrators may decide to mix and match protocols for the optimum balance of performance and security. For example, clients might connect to a Web-based front end through a firewall using a browser secured by SSL/TLS; the Web server might connect to an application server using IPsec; and the application server might connect to a database server across another firewall using SSL.

The scalability of VPNs can sometimes be improved by the use of dedicated server hardware. To cover that, however, we'd have to wade through the competing claims of VPN vendors: perhaps a subject for another day.

VPN resources

The Virtual Private Network Consortium maintains a list of its members, a table of IPsec VPN features supported by each vendor, and a table of SSL VPN features supported by each vendor. VPNC also supplies SimpleCA, a free, open-source certificate authority package for VPN administrators.

The Interop show runs in Las Vegas in the spring and New York in the fall, and usually attracts a wide range of VPN vendors and experts.

Martin Heller is a Web and Windows software development consultant. Contact Martin at cw@mheller.com.