Tunnel your way to secure communication
If you're a network or systems administrator, you've probably implemented some form of a VPN. As its name suggests, a VPN is a virtual private network connection over a public-access network, such as the Internet. VPNs were once exotic forms of dial-up connections that laptop users employed to connect to the corporate LAN. Today, VPNs take many forms, from a Windows NT RAS server's built-in PPTP connections to a full policy-based IP Security (IPSec) and Internet Key Exchange (IKE) scenario, and are attaining a significance that has Windows 2000 and NT server administrators and network managers devoting unprecedented amounts of time and money to VPN planning, implementation, and management.
A VPN has three primary goals. First, a VPN strives for privacy. Communicating parties want to make sure that no one else can read or see their communication. VPN products typically use encryption to address privacy. Second, a VPN offers integrity: a guarantee that the data arrives exactly as the sender intended (i.e., no one tampered with the message in transit). VPN products typically use an agreed-upon public-key private-key pair to address integrity. The third VPN goal is authenticity: a confirmation that the sender and receiver are who they say they are. VPN products typically employ digital certificates to address authenticity.
Because a VPN connection occurs over an insecure network medium, you must implement security measures. A VPN connection usually takes the form of a standard TCP/IP connection with an outer IP packet wrapped around the original packet. An encrypted payload inside this encapsulated packet is difficult to tamper with undetected. This secure encapsulation is often called a tunnel. A server on the corporate LAN, called a gateway, acts as the tunnel coordinator and endpoint. Remote laptops or machines, called clients, typically run some form of VPN client software that maintains the tunnel with the gateway.
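To make the privacy and integrity goals above concrete, here is an added illustration (not code from any product in this review) of what a tunnel gateway does to each packet: it wraps the original packet in an outer header, encrypts the payload so it cannot be read in transit, and attaches an integrity tag so that any tampering with the outer header or the ciphertext is detected before decryption. The cipher is a constructed HMAC-SHA256 keystream, chosen so the example runs with the Python standard library only; real products use 3DES or AES with an HMAC or similar integrity transform, and the layout below is a simplified stand-in for ESP, not the ESP format itself. The addresses, keys and inner packet are constructed sample values.

```python
"""Toy VPN tunnel encapsulation: outer header + encrypted payload + integrity tag.

Added example, not from the reviewed products. Layout is a simplified stand-in
for an IPSec ESP packet and the stream cipher is a constructed HMAC keystream.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

TAG_LEN = 16        # truncated HMAC-SHA256 tag, as many integrity transforms do
NONCE_LEN = 8
HEADER_LEN = 4 + 4 + 4 + NONCE_LEN   # outer src, outer dst, sequence number, nonce

# Constructed sample keys and inner packet (a fake inner "IP" datagram).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
SAMPLE_INNER = b"\x45\x00\x00\x28" + b"inner-packet: hello from the remote laptop"


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">I", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encapsulate(inner: bytes, enc_key: bytes, mac_key: bytes,
                outer_src: str, outer_dst: str, seq: int) -> bytes:
    """Gateway/client side: wrap an inner packet into an outer tunnel packet."""
    nonce = os.urandom(NONCE_LEN)                 # fresh per packet, never reused
    header = (ipaddress.IPv4Address(outer_src).packed
              + ipaddress.IPv4Address(outer_dst).packed
              + struct.pack(">I", seq) + nonce)
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    # Encrypt-then-MAC: the tag covers the outer header too, so a changed
    # sequence number or address is caught, not only a changed payload.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def decapsulate(outer: bytes, enc_key: bytes, mac_key: bytes):
    """Receiving endpoint: verify integrity first, decrypt only if it holds.

    Returns the inner packet, or None when the packet is malformed or tampered.
    """
    if len(outer) < HEADER_LEN + TAG_LEN:
        return None
    header = outer[:HEADER_LEN]
    ciphertext = outer[HEADER_LEN:-TAG_LEN]
    tag = outer[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    nonce = header[12:12 + NONCE_LEN]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def tamper(outer: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating modification in transit."""
    buf = bytearray(outer)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    pkt = encapsulate(SAMPLE_INNER, ENC_KEY, MAC_KEY, "203.0.113.10", "198.51.100.1", 1)
    print("inner visible in tunnel packet:", SAMPLE_INNER in pkt)
    print("round trip ok:", decapsulate(pkt, ENC_KEY, MAC_KEY) == SAMPLE_INNER)
    print("payload tamper detected:", decapsulate(tamper(pkt, HEADER_LEN + 5), ENC_KEY, MAC_KEY) is None)
    print("header tamper detected:", decapsulate(tamper(pkt, 8), ENC_KEY, MAC_KEY) is None)
```

The order matters: the receiver checks the tag before it touches the ciphertext, so a forged or corrupted packet is dropped without ever being decrypted. Authenticity, the third goal, is not shown here; in the reviewed products it comes from the IKE exchange that agrees the keys in the first place, typically backed by digital certificates.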
For this comparative review, I examine six Win2K- and NT-based gateway-and-client products: Citrix Extranet 2.0, Computer Associates' (CA's) eTrust VPN 2.1, F-Secure VPN+ 5.0, Network Associates' Gauntlet Firewall/Gauntlet VPN 5.5, Symantec's PowerVPN 6.5, and Check Point Software's VPN-1 Gateway 4.1. You'll see that some of these products are also bundled with, or are additions to, firewall software. Apparently, security-software manufacturers understand that many companies are looking for a one-stop VPN-and-firewall solution. However, my review doesn't cover firewall functionality. With each product, I attempted simply to implement a small VPN solution. If that implementation required me to install a firewall component, then I did so.
The Test Environment
My test environment represented a corporate dial-up VPN scenario, as Figure 1, page 102, shows. I used a Compaq ProLiant 6400 rack-mount server for the test gateway. This server ran NT Server 4.0 Service Pack 6a (SP6a) and had four 550MHz Pentium III Xeon processors with 1.8GB of RAM and a 50GB RAID-array volume. Under a typical VPN load, all the products in this review could safely run on a server equipped with one Pentium III processor with at least 256MB of RAM. However, a multiprocessor server is preferable. (Encryption algorithms, for example, take CPU cycles for each connection.)
My test client was a Hewlett-Packard HP OmniBook Xe2 with a 500MHz Pentium III processor and 128MB of RAM, running Windows 98. The gateway used two NICs. To simulate a mail server or application server, I used an AMD K6-233 PC on the network behind the gateway. Although I based my testing on simple connections between a gateway and a client, most of these VPN solutions also let you use multiple gateways to securely connect multiple private networks.
Before I describe my test results, I should note that VPNs are becoming inherently complex and require significant planning and foresight to implement correctly. Long gone are the days of PPTP or simple Point-to-Point Protocol (PPP) connections to NT RAS servers. Rolling out a good corporate VPN solution requires fundamental knowledge of TCP/IP, routing, data security, and encryption. If the product you choose contains firewall functionality, you have even more to consider. I caution less experienced administrators to research these technologies, as well as these products, before installing a VPN solution on their corporate network. If your company has migrated to a Win2K Active Directory (AD) server-domain structure, you should first consider the OS's decent built-in VPN capabilities. For more information, see the sidebar "What About Win2K?"
The Final Analysis
A VPN solution for your enterprise must be secure, scalable, and easy to use. All the products in this comparative review are secure, or at least secure enough that intruders using standard tactics will experience extreme difficulty hacking them. All the products can use the latest Triple Data Encryption Standard (3DES) encryption algorithms, along with MD5 or Secure Hash Algorithm-1 (SHA-1) hashing, and all but one use IPSec and IKE for their VPN architecture.
A few of the products require a fair amount of preparation to ensure proper installation and successful rules generation. Other products are easier to install and are ready for implementation in minutes versus hours. In general, however, ease of installation and time to production isn't necessarily a fair measure of any data security product. VPN and firewall software are by nature fairly complex.
When I recommend a product, I try to keep the readers' networks in mind. Large companies that have large NT networks typically have a high level of core knowledge and a big budget to work with. Their IT talent pool is substantial, and therefore their VPN choices are broader. For large companies, I recommend F-Secure VPN+ and VPN-1 Gateway. Both are extremely complex yet competent security packages that are based on many years of data-security experience. F-Secure VPN+'s advanced client-rollout features, along with an extremely granular policy builder, are powerful tools in a large installation. VPN-1 Gateway's flexible client-security levels and its excellent policy editor make this product a good alternative for the enterprise VPN. The product's architecture also includes an impressive firewall package that has long been an industry favorite. F-Secure VPN+ isn't a VPN-and-firewall solution, so if you're running a UNIX-based or hardware-based firewall and you're shopping for an enterprise-class VPN, you should take a hard look at the F-Secure product.
In contrast, a small company might not be able to afford the IT staff or consulting necessary to roll out a VPN solution as complex as VPN-1 Gateway or F-Secure VPN+. Small companies might want to consider a one-platform VPN-firewall combination product. Some of these products, such as Gauntlet and PowerVPN, are available bundled with extremely functional firewalls. You might also find this combination of functionality appealing if you're shopping for a VPN-and-firewall solution or are considering a second firewall.
The eTrust VPN package offers the easiest setup process, making it a strong alternative for smaller or less experienced offices. Unfortunately, the product's lack of support for IPSec might preclude it from larger offices that have already standardized their network security on IPSec. Gauntlet is also easy to use; its PGPNet client is extremely functional. If your company employs mobile users or local users who need additional desktop-hardening and local-encryption capabilities, I highly recommend Gauntlet. Because it uses IPSec and IKE, the product's configuration is more involved than that of eTrust. However, Gauntlet gives you a full-fledged firewall and VPN solution.
PowerVPN is a solid pick for a small to midsized office and is a great bargain if you need firewall functionality: the firewall add-on costs only $500. PowerVPN is easy to set up, and its mobile client is impressive. The product's use of Microsoft Management Console (MMC) makes administering PowerVPN a snap.
All six of these VPN solutions are solid security products that provide high levels of VPN functionality. However, I give a slight edge to VPN-1 Gateway as a product that can fit comfortably in any environment. Check Point's solution is reasonably priced (particularly if you need a firewall on top of your VPN functionality), offers outstanding documentation and support, and is scalable to environments of just about any size. The price leader is F-Secure VPN+, which is a great standalone VPN solution, provided your IT group can handle its high complexity level.