2016/09/30 15:45:23

VPN solutions for corporate networks

A Virtual Private Network (VPN) is the general name for technologies that provide one or more network connections (a logical network) on top of another network (for example, the Internet). The term became widespread with the release of the Microsoft Windows 95 operating system. The main idea was to give employees secure access to the organization's internal network without exposing that network to attackers. In this article we review the best options available today for building a corporate VPN.

2020: Seven reasons why a VPN will be useful to your company

Remote access to data

You get rid of unprotected critical points: your information is not kept in a single shared store with only one point of entry. Time is money, and this is not only about convenience but also about efficiency. You not only save time but also make your services more flexible by giving clients the ability to interact with you remotely. Your employees and clients can join your network without fear that their information will fall into the wrong hands. At the same time, employees do not have to be physically in the company's office to work productively[1].

"Bring your own device" (BYOD)

This advantage follows directly from remote access to data. Many employees prefer to use their personal gadgets for work tasks. However, outside equipment creates a risk for the security of your company's information, and you should not save on infrastructure costs at the price of something as important as the security of your network.

Censorship

The governments of some countries block access to certain websites for political and other reasons. This creates difficulties and frustration for everyone used to an unrestricted Internet. Users of an organization that has deployed a VPN can bypass such restrictions in different countries. Moreover, without a corporate VPN even popular online services such as those provided by Google may be unavailable. Your clients and employees can feel at home anywhere while remaining on a network whose servers are located in the United States. Note that the number of IP addresses a company has depends on the number of its VPN providers, and additional IP addresses increase the reliability of your protection systems and speed up Internet access by reducing the volume of traffic.

Protection against unpleasant surprises

While a website is being migrated from HTTP to HTTPS, a user can easily land on an unprotected HTTP page. Access to such pages is a potential risk factor, since passwords and other confidential data sent to the site are transmitted unprotected.

"Kill switch"

If the VPN connection drops or is compromised, the device or application that uses this connection is instantly and automatically blocked.
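The blocking described above is usually enforced by a default-drop rule in the host firewall. The following Python, added here and not part of the original article, models that decision for outgoing packets and renders the equivalent nftables ruleset; the interface names, the VPN endpoint address and port, and the LAN range are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# All values below are assumptions for the example: interface names as a
# typical Linux VPN client creates them, a TEST-NET-3 placeholder endpoint,
# and a private LAN range that should stay reachable without the tunnel.
VPN_IFACE = "tun0"
PHYS_IFACE = "eth0"
VPN_SERVER = "203.0.113.10"
VPN_PORT = 1194
LAN = ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    """One outgoing packet after routing has chosen its egress interface."""
    oif: str
    dst: str
    proto: str
    dport: Optional[int] = None


def kill_switch_verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop' for an outgoing packet.

    Only loopback, the tunnel itself, the VPN endpoint (needed to bring the
    tunnel up and keep it alive) and the local LAN are allowed.  When the
    tunnel goes down the kernel reroutes flows over the physical uplink,
    where only those two exceptions match, so everything else is dropped
    instead of leaking in the clear.
    """
    if pkt.oif in ("lo", VPN_IFACE):
        return "accept"
    if pkt.oif == PHYS_IFACE:
        if pkt.dst == VPN_SERVER and pkt.proto == "udp" and pkt.dport == VPN_PORT:
            return "accept"
        if ip_address(pkt.dst) in LAN:
            return "accept"
    return "drop"


def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset suitable for `nft -f`."""
    return "\n".join([
        "table inet killswitch {",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oif "lo" accept',
        f'        oif "{VPN_IFACE}" accept',
        f'        oif "{PHYS_IFACE}" ip daddr {VPN_SERVER} udp dport {VPN_PORT} accept',
        f'        oif "{PHYS_IFACE}" ip daddr {LAN} accept',
        "    }",
        "}",
    ])


if __name__ == "__main__":
    web = ("198.51.100.7", "tcp", 443)                 # constructed destination (TEST-NET-2)
    print(kill_switch_verdict(Packet("tun0", *web)))  # accept: tunnel is up
    print(kill_switch_verdict(Packet("eth0", *web)))  # drop: tunnel down, flow rerouted
    print(nft_ruleset())
```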

Support of peer-to-peer connections

A VPN allows connecting to p2p networks, in which each attached device can act simultaneously as both a server and a client.

Protection of mobile applications

A VPN protects the connection of mobile devices to the network; again this is about convenience and flexibility. It is easier to distribute urgent messages to users if their phones and tablets are also connected to the corporate network via the VPN server.

Will a VPN of any type suit you?

It is easy to become convinced that a VPN server is a necessity for a modern company, but choosing the VPN that suits your organization will take some effort. Start by defining which capabilities you need from a VPN server and which you do not. Your future VPN provider is like a cable TV operator: you choose the channels you want to watch and do not pay for large packages that do not interest you. So, there are three types of VPN.

  • The most popular is remote-access VPN over dial-up connections. Employees outside the office can securely access the private virtual network the company provides them. As a rule, clients hire a provider of the corresponding services to set up and support such a VPN; the provider configures the server and supplies users with the necessary software. Users then simply dial a toll-free number and connect to the virtual network using the software provided. By using toll-free numbers the company saves money and makes work convenient for mobile users.
  • The other two types of VPN are based on links between several fixed networks. Such virtual private networks are called network-to-network (site-to-site) VPNs. Building them requires equipment that encrypts the tunnels created between the networks over the public Internet. The strength of this kind of VPN is flexibility.
  • Intranet VPNs connect several remote offices into a single private network. Such VPNs provide a wide range of services, are relatively inexpensive and are well suited for connecting a company's remote branches.
  • Extranet VPNs, in turn, connect several organizations to a shared environment through inter-network connections. This type of VPN suits situations where you need to give users from other companies access to your network.


What other factors can be considered when choosing a VPN

  • Whether protection is implemented by means of cloud services.
  • Whether protection applies when working outside the office.
  • Whether there is protection against data collection by Internet service providers.
  • Whether there are account management tools, malware protection and centralized billing.
  • Does the VPN keep access logs?
  • Which VPN control functions are under the customer organization's authority and which the provider is responsible for.
  • Whether there are activity management tools that control employees' access to malicious and unrelated websites.
  • Do you need tracking capabilities in the VPN?
  • Ease of access to the provider's technical support service.
  • Stability of your prospective provider.
  • Location of the provider's servers relative to your data storage and the hosting of your main services.
  • Does the provider try to implement the newest technologies related to the services it provides?

2019: GOST encryption: who needs it and how to apply it

The information security (cybersecurity) risk situation around the world is developing in such a way that special protection of corporate communication channels is becoming an objective necessity; the only question is which cybersecurity solutions are the most convenient and economical. The "Digital Economy" program and the import substitution strategy in IT have become additional incentives in this direction. How VPN encryption is regulated in Russia, why GOST cryptography is growing in popularity and in which cases it makes sense to buy it as a service is discussed together with Alexander Veselov, head of GOST VPN at Rostelecom-Solar.

2016

In 2016 there were a number of solutions for building virtual private networks. Sometimes these solutions are part of an end-to-end system, and sometimes they are offered as standalone products.

Security Code

The Russian company Security Code offers several products for organizing remote access, including VPN networks between enterprise branches. Remote access can be implemented using two products from the Continent line: a bundle of the Continent 3.7 access server and the Continent-AP 3.7 CIPF (cryptographic information protection facility), and the Continent TLS VPN Server hardware-software CIPF for remote access to web resources with GOST encryption.

Capacity of the Continent 3.7 access server and Continent-AP 3.7 CIPF

| Model | Number of supported Continent-AP CIPFs | Performance (VPN gateway mode) |
|---|---|---|
| IPC-25 | 25 | 50 Mbps |
| IPC-100 | 500 | 300 Mbps |
| IPC-400 | 1000 | 500 Mbps |
| IPC-1000/1000F/1000F2 | 3000 | 950 Mbps |
| IPC-3000F/3034/3034F | 3000 | 2,500 Mbps |

Performance of the Continent TLS VPN Server hardware-software CIPF

| Model | Maximum number of simultaneous SSL connections | Performance in HTTPS proxy mode |
|---|---|---|
| IPC-100 | 500 | 200 Mbps |
| IPC-400 | 5,000 | 700 Mbps |
| IPC-1000/1000F/1000F2 | 10,000 | 900 Mbps |
| IPC-3000F/3034/3034F | 18,000 | 3,000 Mbps |

Cisco

The solutions of the American company Cisco are based on several products that offer more than just VPN termination. AnyConnect Secure Mobility Client is the core of the software Cisco offers for VPN solutions. It runs on all common desktop and mobile operating systems and offers not only virtual private network support but also other security features. AnyConnect supports TLS, DTLS and IPsec IKEv2. To support this solution, a model from the ASA 5500-X series or a Cisco device running IOS version 15.1(2)T or later must be used. Smaller platforms such as the Cisco 1941, 2900 and 3900 series support hardware acceleration of DES, 3DES and AES for both IPsec and SSL VPN. As for performance figures, the only thing Cisco guarantees is IPsec performance:

| Model | Number of supported tunnels | Performance |
|---|---|---|
| Cisco 1941 (with ISM-VPN module) | 500 | 550 Mbps |
| Cisco 2900 (with ISM-VPN module) | 2000 | 900 Mbps |
| Cisco 3900 (with ISM-VPN module) | 3000 | 1200 Mbps |

Further there are several other options, including many IOS-based switches up to the 6500 series that offer dedicated VPN modules with hardware acceleration. VPN termination is also available on the ASA 5500-X series next-generation firewall (NGFW):

| Model | Number of supported tunnels | Performance |
|---|---|---|
| Cisco ASA 5512-X | 3000 | 200 Mbit/s |
| Cisco ASA 5555-X | 5000 | 700 Mbit/s |
| Cisco ASA 5585-X w/SSP-60 | 10000 | 5 Gbps |

Citrix

Citrix's VPN solutions are built into the NetScaler Gateway product. The NetScaler gateway, like all Citrix equipment, is easy to configure and integrates with many of the company's product lines. NetScaler Gateway offers more than SSL VPN functionality, including secure access to Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop), XenApp and XenMobile sessions, and secure network access to any server, together with device analysis and identification. Citrix Gateway supports both TLS and DTLS sessions, depending on traffic requirements. Citrix Gateway in one form or another is included in all editions of NetScaler ADC and is fully integrated with Citrix applications.

Licensing is somewhat confusing and depends on the specific platform. Our recommendation is to discuss the available options with a Citrix representative before making the final decision on a specific product, especially if other Citrix applications are or will be used on the network. As a rule there are two license types: the Platform license and the Universal license. Most of Citrix's SSL functionality requires the Universal license.

Below are the technical characteristics of some of the available NetScaler devices that can be used to deploy a NetScaler gateway based solution (the smallest MPX platform, the 5550, and the top one, the 22120):

| Model | Maximum number of SSL transactions |
|---|---|
| Citrix NetScaler MPX 5550 | 1500 |
| Citrix NetScaler MPX 22120 | 56000 |

Dell SonicWALL

With the acquisition of SonicWALL, Dell now offers a line of appliances intended for mobile and remote access, including the SRA and E-Class SRA devices. SRA appliances target small businesses and companies with fewer than 500 employees. They are more limited in functionality than their E-Class elder brothers. E-Class SRA appliances are not just VPN concentrators: they include remote access management, malware protection and protection of access to the device, BYOD policy management and logging. SRA appliances are divided into three main groups: SRA 1600, SRA 4600 and SRA virtual appliances. Their summary specifications are given below:

| Model | Maximum number of users |
|---|---|
| Dell SonicWALL SRA 1600 | 50 |
| Dell SonicWALL SRA 4600 | 500 |
| Dell SonicWALL SRA Virtual Appliance | 500 |
| Dell SonicWALL EX6000 | 250 |
| Dell SonicWALL EX7000 | 5000 |
| Dell SonicWALL EX9000 | 20000 |
| Dell SonicWALL EX Virtual Appliance | 5000 |

Infotecs

Infotecs holds a steady leadership position in the Russian information security market and is one of the leading suppliers of software and hardware-software VPN solutions and cryptographic protection tools for workstations, servers and mobile computers. ViPNet Coordinator is the software server of the protected ViPNet network; running on top of the operating system, it performs prioritization, filtering, encryption and authentication, reliably protecting information transmitted over communication channels from unauthorized access and tampering. The most popular solutions are reviewed below:

| Model | Number of supported tunnels |
|---|---|
| ViPNet Coordinator HW 100 C | 10 |
| ViPNet Coordinator HW1000 | 500 |
| ViPNet Coordinator HW2000 | 6000 |

F5 Networks

F5 Networks offers complete solutions and standalone VPN appliances. Since 2016 the company has put the emphasis on complete solutions, and standalone VPN concentrators are gradually being discontinued.

Access Policy Manager (APM) is a dedicated software module that includes VPN functionality along with a set of other functions, including a BIG-IP full proxy between users and application servers that provides security, optimization of application traffic and load balancing. The Russian Leto Bank (now Post Bank) was mentioned earlier as a user of this solution.

The BIG-IP VPN client uses TLS (Transport Layer Security) and DTLS (Datagram TLS), which lets delay-sensitive applications work without problems. The client is available on all common desktop and mobile platforms.

As of 2016, F5's BIG-IP offerings begin with the BIG-IP 1600 and end with the BIG-IP 11050, their largest standalone VPN appliance. The largest blade-server based solution is the Viprion 4800; characteristics are given below:

| Model | Maximum number of SSL transactions |
|---|---|
| F5 BIG-IP 1600 | 1000 |
| F5 BIG-IP 11050 | 20000 |
| F5 Viprion 4800 Chassis (4340N Blade) | 30000 |

Pulse Secure (formerly Juniper)

The Pulse Secure VPN solution is a set of applications that includes the Pulse Secure MAG Gateway, Pulse Connect Secure and Pulse Policy Secure. Pulse Connect Secure gives the remote user secure connectivity over SSL VPN either through the browser or through the Pulse Secure Client. The Pulse Secure MAG gateway comes in four versions of physical appliance plus a virtual appliance; their specifications are listed in the following table:

| Model | Maximum number of SSL sessions | Maximum number of users |
|---|---|---|
| MAG 2600 | 100 | 250 |
| MAG 4610 | 1,000 | 5,000 |
| MAG 6610 | 20,000 | 30,000 |
| MAG 6611 | 40,000 | 60,000 |

S-Terra

The Russian company S-Terra CSP LLC is one of the leading domestic developers and manufacturers of network security (VPN) products. S-Terra products use the IPsec protocol suite and the Russian GOST cryptographic algorithms, are certified by the FSB of Russia and FSTEC of Russia, and are included in the Unified Register of Russian Programs for Electronic Computers and Databases (the Register of Russian Software).

S-Terra solutions protect communication channels in the corporate network, between two data centers, in virtual infrastructure, for remote access (including from mobile platforms), for access to VDI, and using trusted session technology.

The S-Terra Gateway hardware-software system provides encryption and integrity control of transmitted data, authentication and firewalling, performs traffic prioritization and marking, integrates with a RADIUS server and records events. S-Terra Gateway comes in a wide range of models of different performance, is available on hardware platforms from both Russian and foreign manufacturers, and can also run in a virtual environment.

Performance and purpose of S-Terra Gateway:

| Model | Maximum IMIX encryption throughput, Mbps | Maximum TCP encryption throughput, Mbps | Maximum number of tunnels |
|---|---|---|---|
| S-Terra Gateway 100 | 30 | 50 | 200 |
| S-Terra Gateway 1000 | 160 | 300 | 500 |
| S-Terra Gateway 3000 | 700 | 900 | 1000 |
| S-Terra Gateway 7000 | 2000 | 3200 (up to 7 Gbps with Jumbo Frames) | unlimited |

Results and the table of supported sessions

We have reviewed the most relevant solutions available today for building a corporate VPN.

"When choosing a remote access system, one should be guided first of all by compliance with regulators' requirements," says Pavel Korostelev, product marketing manager at Security Code. "If the operator of a personal data information system (ISPDn) has decided to use cryptographic information protection facilities (CIPF) to secure traffic transmitted over open communication links, then such a product must be certified by the FSB as a CIPF. The required CIPF class is chosen based on the security level of the ISPDn and the relevant threats. The correspondence between security levels, relevant threats and organizational and technical measures is set out in FSB of Russia Order No. 378.
The second important parameter is the ability to integrate the protected remote access system with the existing network infrastructure or network security infrastructure at the management or (at least) monitoring level. For a corporate remote access system, integration with Active Directory or another LDAP directory is highly desirable.
The third selection parameter is the remote access system's support for the required desktop and mobile operating systems. Given the wide spread of mobile devices among non-management employees, it is necessary to have the technical capability to organize remote access not only from desktop OS (Windows, Linux, Mac OS) but also from mobile ones: iOS, Android."

The number of supported sessions is also an important criterion (a comparison table for all reviewed vendors is given below), but other factors must be considered too, such as network architecture, support for the required authentication and encryption protocols, cost and others; therefore each case is individual and requires a specific approach.

| Model | Number of supported sessions |
|---|---|
| ViPNet Coordinator HW 100 C | 10 |
| Continent IPC-25 | 25 |
| Dell SonicWALL SRA 1600 | 50 |
| C-Terra Gateway 100 | 200 |
| Dell SonicWALL EX6000 | 250 |
| Dell SonicWALL SRA 4600 | 500 |
| Dell SonicWALL SRA Virtual Appliance | 500 |
| Cisco 1941 | 500 |
| Continent IPC-100 | 500 |
| ViPNet Coordinator HW 1000 v3 | 500 |
| C-Terra Gateway 1000 | 500 |
| C-Terra Gateway 3000 | 1000 |
| Continent IPC-400 | 1000 |
| MAG 4610 | 1000 |
| F5 BIG-IP 1600 | 1000 |
| Citrix NetScaler MPX 5550 | 1500 |
| Cisco 2900 | 2000 |
| Continent IPC-1000/1000F/1000F2/3000F/3034/3034F | 3000 |
| Cisco 3900 | 3000 |
| Cisco ASA 5512-X | 3000 |
| Cisco ASA 5555-X | 5000 |
| Dell SonicWALL EX7000 | 5000 |
| Dell SonicWALL EX Virtual Appliance | 5000 |
| ViPNet Coordinator HW 2000 v3 | 6000 |
| Cisco ASA 5585-X w/SSP-60 | 10000 |
| MAG 6610 | 20000 |
| F5 BIG-IP 11050 | 20000 |
| F5 Viprion 4800 Chassis (4340N Blade) | 30000 |
| MAG 6611 | 40000 |
| Citrix NetScaler MPX 22120 | 56000 |

As of September 2016, separate standalone concentrators are becoming a thing of the past as they are integrated into application delivery controllers (ADC), next-generation firewalls (NGFW) and security gateways (UTM). Even SonicWALL and Pulse Secure, the two fairly autonomous options discussed in this article, are packed with integrated and additional functions.

Most modern networks already have remote access solutions, but new threats arise every day, which is especially relevant given the wide spread of BYOD. The reviewed solutions offer the flexibility and additional security that modern networks require.
