As remote access to business networks increases and as threats against these networks grow, IT executives need to support technology that is flexible and that can effectively combat ever-evolving attacks.
That means surrounding their remote access VPNs with support technology that reduces the likelihood that unauthorized users will be able to use the VPN as an entry to the company net to damage network performance or steal valuable data, experts say.
To ensure this security, businesses should look for features such as strong authentication and strict policy enforcement tools to prevent VPNs from becoming vulnerabilities, experts say.
While older remote access methods such as dialup are still in use, the vast majority of businesses have embraced IP and are now either building their own VPNs or buying managed VPN services, says Lisa Pierce, a vice president with Forrester Research.
"The most common form of VPN right now is IPSec," says Pierce, "but we believe SSL is catching on because it is lighter weight and more flexible." SSL is based on browser technology and finds support from customers looking to deploy remote access without having to deploy dedicated VPN clients such as those required in IPSec.
According to Forrester numbers, 62 percent of businesses in North America use IPSec for remote access and another 20 percent say they are evaluating or deploying it. SSL, on the other hand, is deployed by 28 percent of businesses, with another 23 percent evaluating or deploying it, she says. Some are using both technologies. In a separate study, Infonetics ranks use of SSL higher, at 39 percent among small to midsize businesses.
While the attraction of simplified administration initially draws many customers to SSL, other features convince them to expand its use. For example, Loews, a conglomerate in New York, started using SSL remote access VPN gear from Whale Communications more than three years ago to supplement Cisco IPSec VPNs, says Al Alexander, manager of Loews' information technology center. "We still use both, but we do more with SSL than before because it requires less administration," Alexander says.
Key to the SSL implementation is the use of endpoint-checking software that makes sure the remote machine complies with corporate security policies, he says. "It inventories the computer when it connects to the SSL VPN," he says, rejecting it if it doesn't comply. This is important as use of the VPN expands to more and more users whose computers cannot be monitored all the time. The IPSec VPN will stay in use for the IT staff that is capable of maintaining its own VPN client and needs actual network connections to the Loews network, Alexander says.
A significant trend among remote access VPN vendors is adding security functions to their existing gear - particularly firewall/VPN appliances - or producing new hardware to support these expanded functions, according to a recent study by Current Analysis. "There is an overwhelming trend toward unified threat management (UTM) and multi-layer inspection," the study says. These devices inspect packets and can perform, for instance, virus, spyware and spam filtering at the same time they admit remote traffic to the VPN. This backs up software that checks whether remote machines also have software to protect against these types of attacks.
IDC projects these devices will become more popular. It compared sales of UTM devices to sales of firewall/VPN boxes and projects that this year the combined sales of SSL and IPSec firewall/VPN gear will peak and start a slow decline. Sales of UTMs, on the other hand, will increase steadily through 2008. That year, sales of UTMs will reach US$1.98 billion worldwide, which is $180 million more than the study projects for peak sales of firewall/VPN appliances.
Vendors with offerings in this area include ServGate, Fortinet, SonicWall and Crossbeam, as well as network equipment makers Cisco, Juniper and 3Com. Their attraction is that they reduce the number of devices needed to perform a battery of security screening, uncluttering equipment closets and streamlining device management.
The expected jump in popularity can be credited to better performance as these products mature, says Zeus Kerravala, an analyst with the Yankee Group. Initially the hardware slowed down under the burden of additional security applications, but that problem is being solved. "Now they have a lot of processing power to handle all functions," he says.
While the devices that stand between the Internet and corporate VPNs enhance security features, the types of machines trying to access VPNs are also expanding. According to a recent IDC study, most businesses surveyed allow remote access from laptops and desktops. But nearly half allow wireless e-mail devices to connect and more than one in five allow PDAs and even cell phones to access internal network resources, the study says.
To support such access securely, IPSec VPN software can be installed on handheld devices and connect to standard VPN gateways. For instance, Certicom sells tool kits for embedding VPN clients in cell phones and other handheld devices. Motorola, Sierra Wireless and other phone vendors use the technology. Wireless phones with Web browsers can gain access to SSL VPNs without additional software.
While not as popular as remote access VPNs that customers build themselves, managed remote access VPN services offer an alternative that can keep costs predictable, says Pierce. According to an Infonetics study, only 14 percent of those polled said they use managed VPN services, and there is no clear leader among the service providers. Large local carriers and long-distance carriers tend to be preferred, though, over competitive local exchange carriers (CLEC).
Businesses may be drawn to VPN services because they can be less expensive than the alternative of setting up a privately run VPN and then managing, maintaining and updating it.
They will also gain in popularity because of the proliferation of multiple mobile technologies such as EV-DO, EDGE and WiMAX, says Pierce. Because of the convenience of wireless access and the broadband capacity of these technologies, businesses will adopt them more and more, she says.
To push this along, laptop vendors are embedding support for these wireless transport services in their gear. For instance, HP says it is developing a laptop with pre-installed chips for EV-DO, the cellular CDMA technology used by Verizon and Sprint Nextel to support data rates up to 700Kbps. HP says it also has plans in the works to support high-speed downlink packet access (HSDPA) services.
This will be an increasingly popular option, according to Infonetics, which projects that in 2009, businesses worldwide will spend $29.8 billion on VPN services, which is about 10 times what they will spend on buying their own VPN gear.
The next major new remote access service to look for is SSL access to the entire corporate VPN, Pierce says. So if all the sites of a business are linked by an MPLS VPN service, a remote user could access the entire VPN via SSL. "You want SSL access to the MPLS cloud," Pierce says. "It's not happening yet, but it's the next big wave."