Questions from the security zone: Are all VPNs created equal?

Given today's ever tighter IT budgets and emphasis on cost savings, many organizations are planning to replace their wide area network (WAN) connections, looking for a reliable and more cost-effective alternative that doesn't compromise security.

The most common and logical means to do this is to leverage the ubiquitous public Internet by using virtual private network (VPN) solutions, which can securely facilitate vital and sensitive business communications between employees, customers, and enterprise partners across widely dispersed geographic areas.

However, all users of these private networks, no matter how remote, expect to be able to access data and resources as if they were located at the same physical site in the enterprise, typically an organization's headquarters. Thus VPNs, while protecting private data and resources from unauthorized access, must be able to provide reliable, "always on" connectivity for all users.

There are many different approaches - including rule-based, route-based and dynamic route-based - to setting up a site-to-site VPN. In evaluating each approach to find the right one for their needs, an organization must consider the manageability, scalability and overall cost (not just the capital costs, but the amount of time needed to administer and maintain the solution) of each VPN approach. The returns diminish with a solution that requires a lot of manual intervention to keep the private network running, so it is important that the chosen VPN:

  • Is easy to manage for all types of network configurations and can scale within the prevailing administration environment;
  • Automatically learns and incorporates network topology changes;
  • Minimizes the need for human resources; and
  • Leverages the dynamic nature of the network to increase connectivity between various sites.

Rule-based VPN - Not Ideal For Large Scale Networks

The rule-based (policy-based) approach has its limitations when applied to large-scale networks, generating a lot of work for organizations during the deployment and ongoing management of the network. Rule-based VPNs work by defining the network topology (IP addresses) and then dictating, based on that topology, who can talk to whom in a secure format. This ties specific traffic and services, or source and destination groups, to one particular IPsec tunnel, essentially binding the VPN connection to a static route.

While this approach can simplify some VPN deployments, it has serious resiliency and scalability consequences because the network topology is defined within the policy, tying the VPN connection to a static route. If something happens to that particular route connection, the entire VPN goes down and the enterprise suffers lost connectivity and productivity.

For example, in a global network topology employing a rule-based VPN with sites in Tokyo, London and New York, traffic from a Tokyo network to a London network gets "routed" to the London VPN, as dictated in a rule. If something happens and that route is not available, the VPN goes down. Even if other routes are available, the VPN cannot automatically use those alternatives. For instance, if Tokyo could potentially reach London by going through a New York VPN, it will not be able to do so until the administrator redefines the VPN peer (static route) in the rule-base to reroute the traffic through New York.

As a result, site-to-site connectivity is lost until either the problem fixes itself and/or an administrator figures out what is wrong and makes a change to the rule-base. This approach might be adequate for small deployments, but for large, distributed or mission-critical organizations where VPN availability is of the essence, this cannot deliver the "always on" connectivity required, cannot easily accommodate changes or the complex needs of a widely distributed network structure and can result in unnecessary administration and management, increasing total cost of ownership.

Static route-based VPNs - Some Flexibility but Tedious Administration Adds Up

With static route-based VPNs, organizations define the VPN overlay links and then define the static routes that will be used for transport, allowing the route, rather than a policy, to determine which traffic goes through the VPN.

Static route-based VPNs separate the physical network from an "abstract" VPN network, which can provide some flexibility over a rule-based approach, but still require resources to make changes to the route tables any time networks are added, deleted or changed. They require manual route statements to be entered into a route table for each gateway, which can be time-consuming and tedious for an administrator to create and maintain, as well as subject to human error. Plus, if a route fails and no alternative route is defined, VPN connectivity goes down. Therefore, an administrator needs to manually ensure that there is always an available route defined in the route table to maintain the connectivity of the VPN. This allows the solution to scale, but can be tedious and increase overhead and administrative costs.

Dynamic VPNs - Free Up Valuable IT Resources and Ease Management Process

The concept of dynamic route-based VPNs is relatively new to the market and was introduced to meet the widespread requirement for a truly scalable solution. Dynamic route-based VPNs separate the physical network from the logical VPN network and allow dynamic routing, versus a policy or static route table, to automate the transport decisions. As a result, dynamic route-based VPNs are able to automatically "learn" network topology and available routes, saving organizations the time and resources required to define each and every network and iterating through the policy every time something is added or changed, minimizing the need for human intervention.

More importantly, dynamic VPNs are able to automatically survive failures within the network to keep the connection available. If a tunnel or a route goes down, dynamic routing will identify that failure automatically and look for an alternate path, and a new route will be learned. As long as there is a way to get from point A to point B, dynamic VPNs will find it to ensure the secure communication persists.
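The failure scenario described for the rule-based approach (Tokyo cannot reach London through New York once the direct tunnel is gone) and the "learn an alternate path" behaviour described here can be illustrated with a small model. The following is an added example, not code from the article or from NetScreen; the site names come from the article, but the full mesh of tunnels, the policy table, the static route tables and the function names are constructed for illustration. The model assumes each gateway can detect that a tunnel is down (tunnel monitoring), which is what lets a static backup route or a routing protocol react at all.

```python
"""Added example: how a rule-based, a static route-based and a dynamic
route-based VPN pick a path for site-to-site traffic, and what each does
when the direct Tokyo-London tunnel fails. All tables are constructed."""
from collections import deque

# Constructed topology: a full mesh of IPsec tunnels between three sites.
ALL_TUNNELS = frozenset({
    frozenset({"Tokyo", "London"}),
    frozenset({"Tokyo", "NewYork"}),
    frozenset({"London", "NewYork"}),
})

# Rule-based VPN: the policy binds a (source, destination) pair to exactly one
# peer gateway. The policy carries no notion of an alternative peer.
RULES = {
    ("Tokyo", "London"): "London",
    ("Tokyo", "NewYork"): "NewYork",
    ("London", "NewYork"): "NewYork",
}

# Static route-based VPN: a hand-written route table per gateway, mapping a
# destination site to next-hop peers in priority order. A backup exists only
# where an administrator typed one in (London has one for Tokyo; Tokyo has
# none for London).
STATIC_ROUTES = {
    "Tokyo":   {"London": ["London"], "NewYork": ["NewYork"]},
    "London":  {"Tokyo": ["Tokyo", "NewYork"], "NewYork": ["NewYork"]},
    "NewYork": {"Tokyo": ["Tokyo"], "London": ["London"]},
}


def fail_tunnel(tunnels, site_a, site_b):
    """Return the set of tunnels still up after the a<->b tunnel fails."""
    return frozenset(t for t in tunnels if t != frozenset({site_a, site_b}))


def rule_based_path(rules, live_tunnels, src, dst):
    """The rule names one peer; if that tunnel is down there is no path,
    however many other tunnels are up."""
    peer = rules.get((src, dst)) or rules.get((dst, src))
    if peer is None or frozenset({src, peer}) not in live_tunnels:
        return None
    return [src, peer]


def static_route_path(route_tables, live_tunnels, src, dst):
    """Follow each gateway's static route table hop by hop, taking the first
    next hop whose tunnel is up. Only administrator-defined backups help."""
    path, current = [src], src
    while current != dst:
        candidates = route_tables.get(current, {}).get(dst, [])
        next_hop = next((c for c in candidates
                         if frozenset({current, c}) in live_tunnels), None)
        if next_hop is None or next_hop in path:   # dead end or routing loop
            return None
        path.append(next_hop)
        current = next_hop
    return path


def dynamic_route_path(live_tunnels, src, dst):
    """Breadth-first search over the tunnels currently up: the shortest path a
    routing protocol converges to after the failed link is withdrawn."""
    previous = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        neighbours = sorted(next(iter(t - {node})) for t in live_tunnels if node in t)
        for n in neighbours:
            if n not in previous:
                previous[n] = node
                queue.append(n)
    if dst not in previous:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = previous[dst]
    return path[::-1]


def compare(live_tunnels, src, dst):
    """Path chosen by each approach for the same traffic and the same outage."""
    return {
        "rule_based": rule_based_path(RULES, live_tunnels, src, dst),
        "static_route": static_route_path(STATIC_ROUTES, live_tunnels, src, dst),
        "dynamic_route": dynamic_route_path(live_tunnels, src, dst),
    }


if __name__ == "__main__":
    print("all tunnels up:      ", compare(ALL_TUNNELS, "Tokyo", "London"))
    outage = fail_tunnel(ALL_TUNNELS, "Tokyo", "London")
    print("Tokyo-London down:   ", compare(outage, "Tokyo", "London"))
    print("London->Tokyo, down: ", compare(outage, "London", "Tokyo"))
```

With the direct tunnel down, the rule-based model returns no path, the static model finds London to Tokyo via New York only because a backup route was typed into London's table (and nothing for the reverse direction), and the dynamic model finds Tokyo, New York, London from the live tunnels alone. The extra administrator effort in the static case is exactly the backup entries in `STATIC_ROUTES`, one per gateway and destination, which is the overhead the article says adds up.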

Dynamic VPNs ease the ongoing management and maintenance of a VPN, saving time and resources. Additionally, dynamic VPNs are scalable solutions that achieve the connectivity requirements of most large and distributed organizations.

Each organization will have its own specific VPN requirements, but most agree that providing that "always on" connectivity while minimizing management overhead is essential to any communications infrastructure solution. Without a dynamic VPN approach, such as that provided by NetScreen Technologies' solutions, a large, widely distributed complex enterprise network simply can't achieve the ideal cost and connectivity objectives within a reliably secure data transport environment. Be sure to consider this when selecting a VPN solution that will truly be an effective connectivity mechanism without adding unnecessary burden to your IT department.

Robert Ma, Senior Director of Product Management and Marketing, NetScreen Technologies, Inc.
