As an IT professional, even if you work at the corporate office every day, you may sometimes have to address an after-hours emergency or work remotely during a travel-prohibiting event like a snowstorm. Being able to connect securely to your corporate network from a remote location using a Virtual Private Network (VPN) is important, and it may be required by your job if you are a telecommuter. Some remote access technologies are already widely used, but new methods have recently emerged that could change how we work. Let’s look at a few of the common options for secure remote access:
A common remote access technology in use today is the IPsec VPN. A piece of software called a VPN client is installed on the end user’s computer and is configured with details about the target network, such as the gateway IP address and a pre-shared security key. Each time the user wants to connect to the corporate network, they start the VPN client, which creates a secure connection to the corporate firewall.
Pros:
- When a firewall is purchased, it typically includes plenty of licenses for IPsec VPN connections.
- There is low processing overhead for the firewall, and many IPsec VPN connections can be active at the same time.
- It is an established technology that many people are familiar with.
Cons:
- A software client needs to be installed and configured on a user’s computer before the connection can be established. This can create difficulties for the user and IT personnel if a worker needs the client installed and configured when they are not in the office.
My outlook for the future:
- While the installation and configuration process can be clunky, I don’t see this technology going anywhere anytime soon. It is an established and cost-effective technology.
A newer technology that is making inroads in the remote access market is the SSL VPN. SSL, which stands for Secure Sockets Layer, is a common encryption technology that is widely used to provide secure communication on the Internet. When setting up an SSL VPN, the network administrator publishes the VPN client to the firewall, providing it for download via the firewall's public connection. To access the corporate network, end users visit a public web page, from which they can install the SSL VPN client and download the configuration details.
Pros:
- End users can install the VPN client from a public portal.
- The IT department does not need to touch each machine that needs remote access.
- Network administrators can set up granular security policies for specific resources on the corporate network, even down to a single web-based application.
- Software clients are available for mobile devices such as iPhones and iPads. This allows workers to view items like a corporate intranet without powering up their laptop.
Cons:
- There is more configuration required on the firewall when setting up the client to be published.
- SSL VPN requires more processing overhead for the firewall compared to IPsec VPN. Some firewalls may not be able to handle as many SSL VPN client connections as IPsec VPN connections.
- Licensing is more expensive. While firewall manufacturers typically include many IPsec VPN licenses, SSL VPN licenses are usually sold as an add-on to the hardware.
My outlook for the future:
- Many organizations will find that SSL VPN provides advantages over IPsec VPN. Firewall manufacturers could speed up the adoption of SSL VPN by bundling more licenses with the firewall instead of selling them as add-ons.
A relatively new player to the remote access arena was not developed by a firewall manufacturer, but rather by Microsoft. DirectAccess creates an “always on” secure connection at the Operating System level. Users do not need to install any software or launch any programs. Whenever the user’s computer is connected to the Internet, the Windows OS connects in the background to the corporate network. The impact of DirectAccess could be game changing for both IT and end users. Microsoft, however, has taken this potentially amazing product and hamstrung it with arbitrary licensing rules and unnecessary networking requirements.
Pros:
- It is a seamless technology that could change the way users work remotely.
Cons:
- Clients are required to use either the Ultimate or Enterprise versions of Microsoft’s Operating Systems.
- Elaborate changes are required on the corporate network. DirectAccess was designed with IPv6 as the primary addressing scheme and IPv4 secondarily. Additional pieces of software are required on the LAN so that remote users can access IPv4 addresses.
My outlook for the future:
- DirectAccess is not going to gain widespread adoption until the OS licensing requirements are revised and the networking is reworked to be more straightforward. While IPv6 is the future of networking, we currently live and work in an IPv4 world, especially on the LAN (as of May 2014, IPv4 still carried more than 96% of Internet traffic worldwide, according to Google). Setting up a new remote access technology should not require one or more potentially expensive projects before it can be deployed.
Client remote access technologies have changed the way we work in today’s society. Telecommuters would not be able to work for their current employers, and I know that I wouldn’t be able to do my job as effectively. It’s exciting to see new technologies develop that allow us to increase our productivity, but making sure these methods are set up and configured correctly can be tricky.