VPNs: Choosing a Solution

As you saw in the section "VPN Implementations," there are actually quite a few VPN solutions to choose from. You should use several criteria in selecting the correct VPN solution for your company's network, and the result might involve more than one solution, such as IPsec and SSL, or IPsec and L2TP/IPsec. To simplify this process, I evaluate the following criteria when choosing a VPN solution:
The following sections will cover these criteria in more depth.

Security

One of the first things I consider with a VPN solution is security. Toward that end, I ask the following questions:
As shown in the preceding list, I first need to determine what is to be protected. Do I need to protect traffic for specific applications, such as e-mail, database access, file transfers, and others? Do I need to protect traffic for specific hosts? Do I need to protect traffic for specific network segments? If I only need to protect traffic for specific applications, I would probably first examine SSL VPNs to see if there is a solution available for the particular application or applications that need to be protected. Otherwise, I would look at other VPN solutions.

Second, what kind of protection is necessary? Does the traffic need to be encrypted? Do I need to perform packet integrity checking? How important is it to verify a device's identity? Once I've answered these questions, I can narrow down to a more specific VPN solution. For instance, if I need encryption, I can immediately rule out GRE.

And third, how much protection is needed? For example, if I require encryption to provide data confidentiality, how strong does the encryption process need to be? Can I use DES, or must I use a much stronger encryption algorithm, like 3DES? For device authentication, can I use pre-shared keys, or should I use digital certificates? Again, I use these questions to narrow my pick to the most appropriate VPN solution.

Implementation, Management, and Support

Network administrators most often forget to factor in implementation, management, and support when choosing a VPN solution. For example, if I compared SSL VPNs to IPsec, I would find that setting up, managing, and troubleshooting SSL VPNs is much easier than doing so for IPsec. As an example, you might only need to protect HTTP traffic. Both SSL and IPsec VPNs can do this; however, you'll have to perform a lot more work to implement, manage, and support an IPsec solution than you would an SSL solution, making SSL the lower-cost, more scalable solution.
This difference will become more apparent as you go through the IPsec and SSL components of this book on concentrators, routers, and PIX and ASA security appliances.

High Availability

As I mentioned earlier in the "Redundancy" section of this chapter, redundancy might be a component you desire or need in a VPN implementation. Some VPN implementations support redundancy well and some don't. When evaluating a redundancy solution, you need to determine the type of redundancy you need (chassis redundancy and/or connection redundancy) and how well your VPN implementation can deal with that type of redundancy. On top of this, a networking vendor might have a special proprietary redundancy feature, like the Cisco Virtual Cluster Agent (VCA), that is not tied to a particular VPN implementation, so you might want to examine the redundancy advantages that network vendors offer with their VPN solutions. Overall, you'll need to be familiar with the advantages and limitations of redundancy solutions. For example, the Cisco VCA feature, discussed in Chapter 10, "Concentrator Management," and Chapter 22, "PIX and ASA Remote Access Connections," is supported only on Cisco 3000 concentrators and ASA security appliances. VCA can be used to load-balance remote access VPN connections; it can't load-balance site-to-site connections.

Scalability and Flexibility

When choosing a VPN implementation, you also need to ensure that the solution you choose is scalable and flexible. The solution needs to be scalable to accommodate the future growth of your network, and flexible to deal with changes that occur within your network. In other words, if you need to add three more sites to your VPN design, how much work will you have to perform to accommodate this change? How many devices will you have to configure or reconfigure? How much configuration must you perform on these devices? What additional overhead will this place on existing devices?
A well-designed solution should answer these questions. I discuss one Cisco solution for site-to-site connections, called dynamic multipoint VPN (DMVPN), in Chapter 17, "Router Site-to-Site Connections."

Cost

And of course, you can't forget about what a VPN solution will cost your company. Some costs you'll need to evaluate are:
In many situations, you'll be using a VPN to replace an existing private WAN, such as Frame Relay, ATM, or dedicated leased circuits. So compare the overall cost of ownership of the private WAN solution to that of each VPN implementation you might be considering.