Do you want to be secure--I mean really secure--when you're on the Internet? If so, then you want a virtual private network.
A VPN creates an encrypted "tunnel" across the Internet between you and your office, a VPN provider, or your home. Why would you want that? On an open or shared Wi-Fi network, easy-to-use tools such as Firesheep let snoops read your unencrypted traffic and hijack the session cookies that keep you logged in, so they can see what you're writing in your e-mail messages, posting to your Facebook page, or buying online. With a VPN, everything between your machine and the far end of the tunnel is encrypted, so the people sharing the hotspot with you see only scrambled traffic. Keep in mind where the protection stops: from the VPN server onward, your traffic travels across the Internet exactly as it would without a VPN, so a VPN is no substitute for HTTPS on the sites you use.
Whether you just want to access Wi-Fi networks on the road without potentially exposing your activities to nosy strangers, or whether you need to enable a team of remote employees to handle business securely on the Internet, you can find a VPN to fit your needs. This guide will walk you through VPN essentials for beginners, power users, and IT departments.
VPN for Beginners
The easiest and least costly way to get a VPN service is to obtain one from your company, school, or organization. On the road often? Check with your IT department to see if they offer a VPN to all users. If they do, life is good: Just install the corporate VPN software, set it up, and you're ready to go. The next time you turn on your PC, fire up the VPN application before you start surfing the Web.
What if your IT department doesn't have a VPN--or what if you don't have an IT department? You're not out of luck. Lately, numerous VPN providers, including Banana VPN, Black Logic, LogMeIn Hamachi, and StrongVPN, have started offering their services for a fee, generally from $15 to $20 a month. To learn more, take a look at a comparison of three personal VPN services.
How do you go about picking one? If a service has an online forum, check what its customers have posted. Call or e-mail to see if real people answer. Generally speaking, bigger is better. If the provider is a tiny company, that may be fine for you as an individual, but it probably can't give a small business the support it needs.
Is the privacy factor alone worth the effort? Yes, but VPNs offer other advantages as well. For example, if you're in Canada, ordinarily you can't watch a U.S. TV show on Hulu. But you can access the show if you use a VPN to obtain a U.S. IP (Internet Protocol) address.
Some VPN providers promote another benefit: "anonymous" Web browsing. In practice, a VPN hides your real IP address from the sites you visit and hides your destinations from your ISP, but the VPN provider itself can see, and may log, everything you do through the tunnel; you are trusting the provider instead of your ISP, so read its logging policy before you rely on it. If your ISP blocks some applications, such as Skype or other VoIP (Voice over Internet Protocol) applications, you can use a VPN to get around the restrictions.
These VPN services may sound exactly like what you need. Beware, however: Not all services are created equal. If a service doesn't have enough VPN servers--technically, VPN concentrators--to support the number of customers, you may experience poor Internet speeds or be unable to make a connection at all.
So, before subscribing to a VPN service, look into what its customers say about it. Better still, if the company offers a free test period, take advantage of it before paying money for a service that may not meet your needs.
VPN Fundamentals for the Power User
Do you want to lock down your Internet connection when you’re on the road? If so, the best approach is, of course, to use a VPN. You’re set if you work for a company that can provide you with a VPN. But if you run your own small business or home office, you also have options.
You can find several inexpensive ways to get a VPN of your own. Besides paying $15 to $20 a month to a VPN subscription service, you might be able to install a VPN server on your router using open-source alternative router firmware such as DD-WRT and OpenWRT. This firmware lets you use many, but not all, Wi-Fi routers and access points as VPN endpoints.
VPN on Your Router
Before flashing your Wi-Fi hardware with any alternative firmware, make sure that it's supported. The last thing you want to do is to "brick" your wireless device--rendering it useless--just to set up a small VPN. Be sure to consult the DD-WRT supported-device list or the OpenWRT supported-device list. As these lists are all works in progress, check back often if you buy a brand-new router or access point.
If you'd rather not take your hardware's life into your own hands, some routers, such as Buffalo Technology's WZR-HP-G300NH AirStation Nfiniti Wireless-N High Power Router, come with DD-WRT already installed.
VPN Server Software
Some desktop operating systems, including Windows (from XP to Windows 7) and Mac OS X, include simple VPN server software; Windows's built-in incoming-connection feature, for instance, accepts PPTP, a protocol with a poor security record (see the protocol guide at the end of this article). These may be all you need for a user or two, but the Windows Server family comes with more-sophisticated VPN setups. If you're running all Windows 7 clients and Windows Server 2008 R2, you may also want to consider DirectAccess, an always-on IPsec VPN that carries IPv6 traffic across ordinary IPv4-based LANs and the Internet by means of IPv6 transition technologies such as 6to4, Teredo, and IP-HTTPS.
If you don't choose DirectAccess but opt for Microsoft's conventional remote-access VPN, Windows Server 2008 R2 has a helpful new feature: VPN Reconnect. Just as the name suggests, it re-establishes VPN sessions automatically if they're interrupted by a break in Internet connectivity or if the client's address changes as it moves between networks. It works only with IKEv2 connections (it relies on IKEv2's MOBIKE extension), not with PPTP or L2TP/IPsec. This function can be handy for users with spotty Wi-Fi connectivity, since they won't need to manually reconnect with the VPN after they reestablish a network connection.
Another way to add a VPN to your small network is to install VPN server software yourself. The best known of these is OpenVPN, which is open-source. It's available in versions for almost all popular desktop operating systems, including Linux, Mac OS X, and Windows.
If setting up native OpenVPN sounds a little too technical for you or your staff, you can run it as a prebuilt virtual appliance in VMware or Windows Virtual Hard Disk (VHD) format. With this arrangement, you'll have a basic VPN up and running in minutes.
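As an added example that is not part of the original article, the following script prints a hardened OpenVPN server and client configuration pair, and audits any OpenVPN config piped into it for the weak settings that old how-tos still hand out. OpenVPN 2.4 or later, the host name vpn.example.com, the file names, and the 10.8.0.0/24 tunnel subnet are assumptions; the weak client config embedded in it is constructed for the demonstration, not taken from any real deployment.

```shell
#!/bin/sh
# Added example (not from the article): print a hardened OpenVPN 2.4+ server
# and client config, and audit any config piped in for common weak settings.
# The host name, file names and the 10.8.0.0/24 tunnel subnet are assumptions.

# Server side. ca.crt/server.crt/server.key/dh2048.pem come from the CA you run
# with easy-rsa (bundled with OpenVPN); ta.key from "openvpn --genkey --secret ta.key".
server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# Client side; $1 is the server's public name. "remote-cert-tls server" is what
# stops another holder of a client cert from the same CA from posing as the server.
client_conf() {
    host=$1
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
EOF
}

# Constructed "works but weak" client config of the kind found in old how-tos.
weak_client_conf() {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
comp-lzo
EOF
}

conf_has() { printf '%s\n' "$CONF" | grep -Eq "$1"; }

# Read a config on stdin, print one WEAK line per finding, succeed only if clean.
audit_conf() {
    CONF=$(cat)
    n=0
    if ! conf_has '^tls-(auth|crypt) '; then
        echo "WEAK: no tls-auth/tls-crypt; the control channel answers anyone who reaches the port"; n=$((n+1)); fi
    if conf_has '^cipher (none|BF-CBC|DES)'; then
        echo "WEAK: cipher is none or a 64-bit-block legacy cipher (SWEET32)"; n=$((n+1)); fi
    if conf_has '^auth none'; then
        echo "WEAK: auth none disables packet authentication"; n=$((n+1)); fi
    if conf_has '^(comp-lzo|compress)'; then
        echo "WEAK: compression enabled (VORACLE-style attacks on tunnelled TLS)"; n=$((n+1)); fi
    if conf_has '^client$' && ! conf_has '^remote-cert-tls server'; then
        echo "WEAK: client does not require a server-role certificate (any cert from the CA can be the server)"; n=$((n+1)); fi
    if ! conf_has '^tls-version-min '; then
        echo "WEAK: no tls-version-min; old TLS versions are accepted"; n=$((n+1)); fi
    [ "$n" -eq 0 ]
}

# Usage: sh openvpn-conf.sh write OUTDIR SERVER_HOST
case "${1:-}" in
    write) mkdir -p "$2"; server_conf >"$2/server.conf"; client_conf "$3" >"$2/client.ovpn" ;;
esac
```

Run it with write OUTDIR HOST to drop server.conf and client.ovpn into a directory, then generate the CA, certificates, and ta.key with the easy-rsa scripts that ship with OpenVPN. The remote-cert-tls server line on the client is the one most often left out: without it, any certificate the CA has ever issued, including another user's client certificate, is accepted as the server's.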
But OpenVPN is far from the only VPN software out there. Other programs worth considering are NeoRouter and Tinc. If you want more than just VPN services, a do-it-all network-services package is the way to go, and I highly recommend the open-source Vyatta Core 6.1, which includes OpenVPN.
If you plan on having more than a dozen or so users on the VPN at one time, though, you'll want to use an inexpensive VPN hardware appliance such as the Juniper Networks SA700 SSL VPN Appliance, the SonicWall Secure Remote Access Series, or the Vyatta 514.
No matter which VPN you use, you'll need to set your firewall to allow VPN traffic. On many routers and firewalls, this task can be as simple as setting VPN passthrough to allow VPN traffic. Typically, the passthrough choices on a consumer router are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol), and IPsec; OpenVPN and other SSL (Secure Sockets Layer) VPNs look like ordinary TLS traffic and need no passthrough setting. Allow only those VPN protocols that you'll be using--after all, when in doubt with firewalls, it's safer to forbid than to permit.
Check your VPN's documentation to see which ports you'll need to open. Passthrough covers clients on your LAN connecting out; if you're hosting the VPN server yourself, you must also forward the inbound traffic to it: TCP port 1723 plus the GRE protocol for PPTP, UDP ports 500 and 4500 plus the ESP protocol for L2TP/IPsec, and UDP port 1194 by default for OpenVPN. SSL VPNs typically use port 443, the usual port for SSL-protected Web servers, so outbound access from almost any network is already open; inbound, the port must still be forwarded to the VPN server, and if the same address already hosts a Web site, the VPN will need a different port or address.
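The following script is an added example, not from the article, showing what "allow only the VPN protocols you use" looks like as Linux iptables rules on a self-hosted VPN server; it prints the rules rather than applying them, so they can be reviewed first, and it covers the ports behind each entry in the protocol guide at the end of this article. The WAN interface name eth0, SSH on port 22 as the management port, and the default OpenVPN port 1194 are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): print iptables INPUT rules for a
# Linux VPN server, admitting only the VPN protocol(s) you actually run.
# Interface name, SSH as the management port and the OpenVPN port are assumptions.
WAN_IF=${WAN_IF:-eth0}
OVPN_PORT=${OVPN_PORT:-1194}

# Rules for one VPN type. Printed, not executed, so you can review them first.
vpn_fw_rules() {
    case $1 in
    pptp)
        # Control connection on TCP 1723 plus GRE (IP protocol 47) for the
        # tunnel itself; forwarding only 1723 is the classic broken setup.
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p gre -j ACCEPT"
        ;;
    l2tp|ipsec|ikev2)
        # IKE on UDP 500, NAT-T on UDP 4500, ESP (IP protocol 50) for the
        # encrypted payload. For L2TP, UDP 1701 is accepted only when the
        # packet arrived inside IPsec, so bare unencrypted L2TP is still refused.
        echo "iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
        if [ "$1" = l2tp ]; then
            echo "iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
        fi
        ;;
    openvpn)
        echo "iptables -A INPUT -i $WAN_IF -p udp --dport $OVPN_PORT -j ACCEPT"
        ;;
    sslvpn)
        # Browser-style SSL VPN appliances listen on 443, like any HTTPS server.
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT"
        ;;
    *)
        echo "unknown VPN type: $1 (use pptp, l2tp, ipsec, ikev2, openvpn or sslvpn)" >&2
        return 1
        ;;
    esac
}

# Whole INPUT policy: default drop, loopback, replies to our own traffic,
# a management port, then only the requested VPN rules.
fw_script() {
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT"   # keep your way in
    for vpn in "$@"; do vpn_fw_rules "$vpn" || return 1; done
}

# Usage: sh vpn-fw.sh openvpn > rules.sh; review rules.sh; then run it as root.
if [ $# -gt 0 ]; then fw_script "$@"; fi
```

The PPTP and L2TP/IPsec cases show why "open the port" is not enough: PPTP needs the GRE protocol admitted alongside TCP 1723, and IPsec needs ESP plus UDP 500 and 4500, with L2TP's own UDP 1701 accepted only for packets that arrived inside an IPsec security association.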
Naturally, no matter what VPN you're running and regardless of your network setup, a VPN in a small business is likely to limit its users’ speeds. For example, in my own home office, my Charter cable Internet connection gives me a 25-megabits-per-second downlink and a 3-mbps uplink. This means that no matter how fast my remote network connection is when I connect to my OpenVPN server, my maximum throughput will be limited to 3 mbps.
I've often seen small businesses flummoxed by slow VPN connections. That usually happens because neither the users nor the in-house IT staffers (often one and the same) realize that the math of Internet connections means that the slowest link along the VPN route will determine the VPN's top speed. If you want a really fast VPN, you'll need to bite the bullet and get a high-end Internet connection from your ISP.
VPN Fundamentals for the IT Department
If you're running a serious corporate VPN, you already know that neither end-user VPN services nor software-based VPN services can do the job. Sure, you could throw a few dozen OpenVPN or Windows Server 2008 R2 boxes at the problem, but besides not being fast enough, they'd be a nightmare to manage. When your company needs anything from a few hundred to 10,000-plus active VPN tunnels at once, you must turn to either top-of-the-line VPN hardware or a national-level VPN service. Traditionally that has meant Cisco, F5 Networks, Juniper Networks, and a handful of other top networking companies.
At this point, too, you might be concerned about the second kind of VPN: site-to-site VPNs, which connect different offices and branches securely over the Internet. Here you use technologies such as MPLS (Multiprotocol Label Switching), VPLS (Virtual Private LAN Service), and L2VPN (Layer 2 Virtual Private Network) to bring together data centers and central and branch offices into one virtual whole. Note that a carrier's MPLS VPN keeps your traffic separate from other customers' but does not encrypt it; if the data is sensitive, run IPsec over the top.
If you need to start thinking about that kind of VPN, you shouldn’t be listening to me. You need to find top network engineers--or better still, a qualified network architect--to set up your virtual WAN (Wide Area Network) correctly. A mistake here can cost your company hundreds of thousands of dollars, or foul up your WAN when you least want it to go down. Do you want to explain to the CEO why the companywide videocast went to the great bit-bucket in the sky? I thought not.
Corporate remote-access VPNs, even on the larger stage, use the same technologies as their smaller siblings. The difference is entirely in scale.
If you want to manage your own enterprisewide VPN, you'll need to build it around expensive (start at five figures and work your way up from there) VPN appliances and servers from Cisco or Juniper. Or do you?
Conventional wisdom says that you have to use brand-name VPN concentrators with their high price tags, but other vendors--Vyatta, in particular--argue otherwise. Vyatta, starting with the Vyatta 3500 Series Router and Firewall (introduced in late 2009), is offering 10-gbps routing at a fraction of the price of similar Cisco offerings.
When it comes to VPNs, for example, the Vyatta 3500 can handle up to 8000 simultaneous IPSec VPN tunnels at up to 900 mbps for approximately $6000, while a comparable Cisco ASR 1006 setup would run more than $100,000. Is the Vyatta product as good? I haven't done any testing myself, but I know of companies that are using it and are happy with it. More to the point, at that price, why not at least try it out? Though the economy may be showing signs of improving, it's still not good enough that CFOs and CIOs will cheerfully sign off on six-figure hardware purchases.
Of course, you might want to consider outsourcing to meet your VPN needs. That used to be somewhat chancy, but in recent years a few major telecoms such as AT&T and Verizon have started offering national and international VPN services. The fees for such services aren't cheap, but neither is maintaining your own enterprise-level VPNs. Penny-wise and pound-wise network designers will carefully consider VPN outsourcing options.
A Guide to VPN Protocols
VPNs create a secure "tunnel" through the Internet using a variety of protocols.
PPTP (Point-to-Point Tunneling Protocol): This protocol was first used in Windows, and the tunnel itself (PPP carried over GRE) provides no protection at all. It's usually teamed with MS-CHAPv2 authentication and the MPPE (Microsoft Point-to-Point Encryption) protocol to create a "secure" VPN, but MPPE's keys are derived from the user's password, and the weaknesses of MS-CHAP have been public since Bruce Schneier and Mudge analyzed it in the late 1990s, so PPTP has long had a bad security reputation; treat a PPTP tunnel as little better than no encryption. Fortunately, PPTP is slowly dying away and being replaced by more secure protocols.
L2TP (Layer 2 Tunneling Protocol): Microsoft, working in concert with Cisco (L2TP merges Cisco's L2F with PPTP), did better the second time around. L2TP by itself still carries traffic in the clear; it's the IPsec layer in L2TP/IPsec that supplies authentication and encryption, and that combination is much more secure. L2TP/IPsec is built into all modern versions of Windows (from Windows 2000 on), Mac OS X, and Linux with an IPsec implementation such as Openswan or strongSwan paired with an L2TP daemon such as xl2tpd. Because IPsec's ESP packets don't pass cleanly through NAT, clients behind home routers depend on NAT traversal (NAT-T), which wraps ESP in UDP on port 4500.
SSL VPN (Secure Sockets Layer VPN): Over the past few years, in no small part due to the growing popularity of OpenVPN, SSL VPNs have become more common. These tunnel over TLS, the successor to SSL, so their traffic looks much like ordinary HTTPS to firewalls and NAT devices. OpenVPN uses TLS for its key exchange and runs over UDP port 1194 by default (it can be switched to TCP 443 to get through restrictive networks); commercial SSL VPN appliances are usually reached through the browser on TCP 443. You can find SSL VPN clients for all major operating systems.
Copyright 2009 IDG Magazines Norge AS. All rights reserved
P.O. Box 9090 Grønland - 0133 OSLO / Telephone 22053000
Editor-in-chief Henning Meese / Head of Development Ulf Helland / Sales Director Tore Harald Pettersen