If you are connecting to your small or medium-sized business's internal network from a remote location, you should be using a virtual private network (VPN) -- period.
During the past few years there has been a migration from IPsec (IP Security) VPNs to Secure Sockets Layer (SSL) VPNs, because an SSL VPN can be reached from an ordinary browser and does not require a dedicated client on the end device. That makes deployment a bit easier, but the user experience (once configured) is roughly the same. More organizations are also using VPN technology to link their remote sites over inexpensive Internet bandwidth, which lets small and medium-sized businesses (SMBs) adopt the technology more readily.
But remote access and site-to-site connections are not all that VPN technology has to offer. VPNs can be used for other reasons in an organization:
- Visitor and/or guest access
When consultants, auditors and other outsiders show up and want to connect to your network, all of the network jacks in conference rooms should sit on a closed network whose only path inward is a VPN concentrator. This lets you require strong authentication before anyone gets onto the network, ensuring that only authorized users can reach internal resources.
Encrypting the guest connection has a second benefit: if the physical network is compromised, an attacker sniffing that segment cannot capture credentials or session data in the clear.
- Wireless networks within your building
I've seen a trend toward turning off the wired ports in most conference rooms and requiring the wireless network instead. This ensures that a misconfigured network port does not give a visitor a free pass onto the internal network.
The deployment model is the same as for guest access: all traffic on the wireless network is run through the VPN concentrator. Many unified threat management (UTM) vendors are starting to provide integrated Wi-Fi access points in their platforms. This makes a lot of sense, because every wireless session then terminates on the VPN and gets encryption and authentication as a matter of course.
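The closed-segment model described for both the conference-room jacks and the building wireless comes down to one firewall policy: hosts on the guest segment may talk to the VPN concentrator and to nothing else inside. The nftables ruleset below is an added illustration written for this article, not configuration from the author or from any vendor's product. The interface name vlan100, the concentrator address 10.200.0.2 on a separate VPN segment, and the choice of IPsec (IKE, NAT-T, ESP) plus TCP 443 for an SSL VPN portal are all assumptions; substitute the values of your own deployment.

```nft
# Added example: enforce that a closed guest segment can reach only the
# VPN concentrator. Assumed values (not from the article):
#   guest segment arrives on interface vlan100
#   VPN concentrator lives on another segment at 10.200.0.2
define GUEST_IF     = "vlan100"
define CONCENTRATOR = 10.200.0.2

table inet guest_closed {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only traffic entering from the guest segment is constrained here;
        # the rest of the firewall's forwarding policy is left untouched.
        iifname $GUEST_IF jump from_guest
    }

    chain from_guest {
        # Replies to sessions the concentrator already accepted.
        ct state established,related accept
        ct state invalid drop

        # IPsec remote-access clients: IKE and NAT-T over UDP, then ESP.
        ip daddr $CONCENTRATOR udp dport { 500, 4500 } accept
        ip daddr $CONCENTRATOR meta l4proto esp accept

        # SSL VPN portal (TLS) on the same concentrator.
        ip daddr $CONCENTRATOR tcp dport 443 accept

        # Anything else leaving the guest segment, including attempts to
        # reach internal subnets directly, is logged and dropped.
        log prefix "guest-drop " counter drop
    }
}
```

Load it with `nft -f` and then verify from a guest port that a direct connection to an internal host times out while the VPN client still negotiates; the counter on the final rule shows how often visitors (or their malware) tried to bypass the concentrator. Guests still need an address and, if the concentrator is reached by name, DNS: serve DHCP on the segment itself and add one explicit allow to a named resolver rather than opening UDP 53 to the world.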
Points of caution
So what's the catch? Aside from the cost of a few more boxes, sized to your traffic volumes, there isn't one. And with the price of access points and VPN concentrators continuing to come down, even that is becoming less of an issue.
There is one area of caution that bears mention. I don't recommend that organizations encrypt traffic on their internal networks, not even between sensitive applications. Why? Encrypted data cannot be scanned and monitored for leakage of private data or for virus and worm proliferation.
Given the increasing regulatory scrutiny, even of SMBs, an organization must be able to inspect data as it travels through the network, before it is ultimately sent out into the harsh world, to demonstrate compliance.
But for providing access to your internal network from outside your facility, from conference rooms or over public wireless networks, you can't beat the security and convenience of VPN technology.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.
This was first published in April 2007