VPN solutions for corporate networks
A virtual private network (VPN) is the general name for technologies that provide one or more network connections (a logical network) on top of another network, for example the Internet. The term became widespread with the release of the Microsoft Windows 95 operating system. The original idea was to give employees secure access to the organization's internal network without exposing that network to attackers. This article reviews the best options available today for building a corporate VPN.
2020: Seven reasons a VPN will be useful to your company
Remote access to data
You get rid of unprotected critical points: your information does not sit in a shared store with a single point of entry. Time is money, and this is a matter not only of convenience but also of efficiency. You not only save time but also make your services more flexible by giving clients the ability to interact with you remotely. Your employees and clients can connect to your network without fear that their information will fall into the wrong hands, and employees do not have to be physically in the office to work productively[1].
Bring your own device (BYOD)
This is another advantage directly connected with remote access to data. Many employees prefer to use their personal devices for work. External equipment, however, creates a risk to your company's information security, and it is not worth saving on infrastructure at the price of something as important as the security of your network.
Censorship
The governments of some countries block access to particular websites for political and other reasons, which creates difficulties and frustrates everyone who is used to an unrestricted Internet. Users of an organization that has deployed a VPN can bypass such restrictions in different countries. Without a corporate VPN, even popular online services such as those provided by Google may be unavailable. Your clients and employees will feel at home anywhere while remaining on a network whose servers are located in the United States. Note that the number of IP addresses available to the company depends on the number of its VPN providers; additional IP addresses increase the resilience of your protection and can speed up Internet access by reducing the volume of traffic.
Protection from unpleasant surprises
While a website is being migrated from HTTP to HTTPS, a user can easily land on an unprotected HTTP page. Access to such pages is a potential risk factor, because passwords and other confidential data sent to the site are transmitted in the clear.
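One way to catch the migration problem described above is to scan a page's HTML for forms whose submission would still travel over plain HTTP. The following is an added example written for this article, not code from the original page or from any vendor it describes; it uses only the Python standard library, and the sample HTML and URLs are constructed for illustration.

```python
"""Finds forms that would send credentials over plain HTTP.

During an HTTP-to-HTTPS migration a page may still carry forms that post to
http:// URLs, so anything typed into them travels in the clear. This scans
HTML for <form> actions and password fields and resolves every action against
the page URL to see which scheme the submission actually uses.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects the action and a password-field flag for each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means "submit to the current page URL".
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_submissions(page_url: str, html: str) -> list:
    """Return the forms whose submission would travel over plain HTTP.

    Each finding has the resolved submit URL and whether a password is sent.
    Relative actions inherit the page's own scheme, so a plain-HTTP page is
    flagged even when its form action is relative.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "http":
            findings.append({"submit_url": target, "password": form["password"]})
    return findings


if __name__ == "__main__":
    # Constructed sample: an HTTPS page whose login form still points at http://.
    sample_html = """
    <html><body>
      <form action="http://www.example.com/login" method="post">
        <input name="user"><input type="password" name="pw">
      </form>
      <form action="/search"><input name="q"></form>
      <form action="https://www.example.com/feedback"><input name="msg"></form>
    </body></html>
    """
    for finding in cleartext_submissions("https://www.example.com/account", sample_html):
        print("cleartext submission:", finding)
```

Run against a crawl of the site during the migration, the findings with `"password": True` are the ones to fix first; a form with a relative action on a page that is itself still served over HTTP is reported too, since the browser resolves it to an http:// URL.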
"Kill switch"
If the VPN connection drops or is compromised, the device or application that uses that connection is immediately and automatically blocked from the network.
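The kill switch described above is usually implemented as a host firewall policy rather than as something that has to "notice" the tunnel dropping: when the tunnel interface disappears, the default route falls back to the physical interface, and there only the VPN transport itself is permitted, so everything else is dropped. The block below is an added example for this article, not code from the original page or from any vendor it describes; the interface names, the server address and the port are assumptions chosen for illustration, and the rendered nftables ruleset is one possible realization of the same policy.

```python
"""VPN kill switch modelled as a host firewall policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address

TUNNEL_IF = "tun0"                        # assumed tunnel interface name
PHYSICAL_IF = "eth0"                      # assumed uplink interface name
VPN_SERVER = ip_address("203.0.113.10")   # constructed (documentation range)
VPN_PORT = 443                            # assumed VPN transport port
VPN_PROTO = "udp"                         # assumed transport (e.g. DTLS)


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int
    proto: str = "tcp"


def egress_interface(flow: Flow, tunnel_up: bool) -> str:
    """Simplified routing: the default route goes via the tunnel while it
    exists; the VPN transport itself always leaves through the uplink."""
    dst = ip_address(flow.dst)
    if dst.is_loopback:
        return "lo"
    if dst == VPN_SERVER:
        return PHYSICAL_IF
    return TUNNEL_IF if tunnel_up else PHYSICAL_IF


def policy_accepts(out_if: str, flow: Flow) -> bool:
    """The filter rules in evaluation order; the chain policy is drop."""
    if out_if == "lo":
        return True
    if out_if == TUNNEL_IF:
        return True
    if (out_if == PHYSICAL_IF and ip_address(flow.dst) == VPN_SERVER
            and flow.dport == VPN_PORT and flow.proto == VPN_PROTO):
        return True
    return False


def allowed(flow: Flow, tunnel_up: bool) -> bool:
    """Would this flow leave the host? Routing first, then the filter.
    When the tunnel is down, ordinary traffic is re-routed to the uplink
    and hits the drop policy instead of leaking."""
    return policy_accepts(egress_interface(flow, tunnel_up), flow)


def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset on the output hook.
    Inbound and LAN exceptions are deliberately left out to keep it tight."""
    return "\n".join([
        "table inet killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f'    oifname "{TUNNEL_IF}" accept',
        f'    oifname "{PHYSICAL_IF}" ip daddr {VPN_SERVER} {VPN_PROTO} dport {VPN_PORT} accept',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    web = Flow("198.51.100.7", 443)   # constructed destination
    print("tunnel up, web flow allowed:", allowed(web, True))
    print("tunnel down, web flow allowed:", allowed(web, False))
    print(nft_ruleset())
```

Note the consequence for DNS: with this policy a query to the ISP's resolver over the uplink is dropped as well, which is the intended behaviour, so the resolver the client uses must be reachable through the tunnel. The simulation function exists so the policy can be checked against a list of flows before the ruleset is loaded on a real host.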
Support for peer-to-peer connections
A VPN lets you connect to p2p networks in which each attached device can act as both a server and a client at the same time.
Protection of mobile applications
A VPN protects the connection between mobile devices and the network; again, this is about convenience and flexibility. It is easier to distribute urgent messages to users if their phones and tablets are also connected to the corporate network through the VPN server.
Will any type of VPN suit you?
It is easy to argue that a VPN server is a necessity for a modern company, but choosing the VPN that suits your organization takes some effort. Start by determining which capabilities you need from the VPN server and which you do not. Your future VPN provider is like a cable television operator: you choose the channels you want to watch and do not pay for large packages that do not interest you. There are three types of VPN.
- The most popular is remote-access VPN over a dial-up connection. Employees outside the office can securely reach the private virtual network the company provides for them. As a rule, clients hire a service provider to set up and support such a VPN; the provider configures the server and gives users the necessary software. Users then simply dial a toll-free number and connect to the virtual network with the software they were given. By using toll-free numbers the company saves money and makes life convenient for mobile users.
- The other two types of VPN are based on connections between several fixed networks. Such virtual private networks are called site-to-site VPNs. Building them requires equipment that encrypts the tunnels created between the networks over the public Internet. The strength of this kind of VPN is flexibility.
- Intranet VPNs connect several remote offices into a single private network. Such VPNs provide a wide set of services, are relatively inexpensive, and are well suited to connecting a company's remote branches.
- Extranet VPNs, in turn, use inter-network connections to join several organizations into a shared environment. This type is suitable when you need to give users from other companies access to your network.
What other factors should be considered when choosing a VPN
- Availability of protection implemented through cloud services.
- Availability of protection when working outside the office.
- Availability of protection against data collection by Internet service providers.
- Availability of account management tools, anti-malware protection and centralized billing.
- Does the VPN keep access logs?
- Which VPN control functions are under the customer organization's authority and which the provider is responsible for.
- Availability of activity-management tools that control employee access to malicious and third-party websites.
- Do you need tracking capabilities in the VPN?
- Ease of reaching the provider's technical support service.
- Stability of your prospective provider's operation.
- Location of the provider's servers relative to your data storage and the hosting location of your main services.
- Does the provider try to adopt the newest technologies related to the services it offers?
2019: GOST encryption: who needs it and how to apply it
The information security risk landscape worldwide is developing in such a way that dedicated protection of corporate communication channels is becoming an objective necessity; the only question is which security solution is the most convenient and economical. The "Digital Economy" program and the import-substitution strategy in IT provide additional incentives in this direction. How VPN encryption is regulated in Russia, why GOST cryptography is growing in popularity, and when it makes sense to buy it as a service: we look into these questions together with Alexander Veselov, head of GOST VPN at Rostelecom-Solar. Read more here.
2016
In 2016 there are a number of solutions for building virtual private networks. Sometimes they are part of an end-to-end system and sometimes they are offered as stand-alone products.
Security Code
The Russian company Security Code offers a range of products for remote access, including the building of VPN networks between enterprise branches. Remote access can be implemented with two products from the Continent line: the Continent 3.7 access server together with the Continent-AP 3.7 CIPF (cryptographic information protection facility), and the Continent TLS VPN Server hardware-software CIPF for remote access to web resources with GOST encryption.
Capacity of the Continent 3.7 access server and Continent-AP 3.7 CIPF
Model | Number of supported Continent-AP CIPF clients | Performance (VPN gateway mode) |
---|---|---|
IPC-25 | 25 | 50 Mbps |
IPC-100 | 500 | 300 Mbps |
IPC-400 | 1000 | 500 Mbps |
IPC-1000/1000F/1000F2 | 3000 | 950 Mbps |
IPC-3000F/3034/3034F | 3000 | 2,500 Mbps |
Continent IPC-25
Continent IPC-3034
Performance of the Continent TLS VPN Server CIPF
Model | Maximum number of simultaneous SSL connections | Performance in HTTPS proxy mode |
---|---|---|
IPC-100 | 500 | 200 Mbps |
IPC-400 | 5,000 | 700 Mbps |
IPC-1000/1000F/1000F2 | 10,000 | 900 Mbps |
IPC-3000F/3034/3034F | 18,000 | 3,000 Mbps |
Cisco
The solutions of the American company Cisco are built on a number of products that offer more than just VPN termination. AnyConnect Secure Mobility Client is the main part of the software Cisco offers for VPN. It runs on all widespread desktop and mobile operating systems and provides not only VPN support but other security features as well. AnyConnect supports TLS, DTLS and IPsec IKEv2. On the headend side, a model from the ASA 5500-X series or a Cisco device running IOS version 15.1(2)T or later should be used. Smaller platforms such as the Cisco 1941, 2900 and 3900 series support hardware acceleration of DES, 3DES and AES for both IPsec and SSL VPN. As for performance figures, the only thing Cisco guarantees is IPsec performance:
Model | Number of supported tunnels | Performance |
---|---|---|
Cisco 1941 (with ISM-VPN module) | 500 | 550 Mbps |
Cisco 2900 (with ISM-VPN module) | 2000 | 900 Mbps |
Cisco 3900 (with ISM-VPN module) | 3000 | 1200 Mbps |
Cisco 1941
Cisco 2900
Cisco 3900
Beyond these there are many other options, including many IOS-based switches up to the 6500 series, which offer dedicated VPN modules with hardware acceleration. VPN termination is also available on the ASA 5500-X series next-generation firewalls (NGFW):
Model | Number of supported tunnels | Performance |
---|---|---|
Cisco ASA 5512-X | 3000 | 200 Mbps |
Cisco ASA 5555-X | 5000 | 700 Mbps |
Cisco ASA 5585-X w/SSP-60 | 10000 | 5 Gbps |
Cisco ASA 5512-X
Cisco ASA 5555-X
Cisco ASA 5585-X w/SSP-60
Citrix
Citrix's VPN capabilities are built into the NetScaler Gateway product. Like all Citrix equipment, the NetScaler gateway is easy to configure and integrates with many of the company's product lines. NetScaler Gateway offers more than SSL VPN functionality, including secure access to Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop) and XenMobile sessions, as well as secure network access to any server, together with device analysis and identification. Citrix Gateway supports both TLS and DTLS sessions, depending on the traffic requirements. Citrix Gateway is included in some form in all editions of NetScaler ADC and is fully integrated with the Citrix applications.
Licensing is somewhat tangled and depends on the specific platform. Our recommendation is to discuss the available options with a Citrix representative before making a final decision on a product, especially if other Citrix applications are or will be used on the network. As a rule there are two license types: the Platform license and the Universal license. Most of Citrix's SSL functionality requires the Universal license.
Below are the technical characteristics of some of the available NetScaler devices that can be used to deploy a NetScaler Gateway-based solution (the entry-level MPX platform, the 5550, and the top-end one, the 22120):
Model | Maximum number of SSL transactions |
---|---|
Citrix NetScaler MPX 5550 | 1500 |
Citrix NetScaler MPX 22120 | 56000 |
Citrix NetScaler MPX-8005
Citrix NetScaler MPX-22120
Dell SonicWALL
With the acquisition of SonicWALL, Dell now offers a line of devices for mobile and remote access, including the SRA and E-Class SRA devices. SRA devices target small businesses and companies with fewer than 500 employees; they are more limited in functionality than their E-Class elder siblings. E-Class SRA devices are not only VPN concentrators but also include remote-access management, anti-malware protection, device access protection, BYOD policy management and logging. SRA devices fall into three main groups: SRA 1600, SRA 4600 and SRA virtual appliances. Their summary specifications follow:
Model | Maximum number of users |
---|---|
Dell SonicWALL SRA 1600 | 50 |
Dell SonicWALL SRA 4600 | 500 |
Dell SonicWALL SRA Virtual Appliance | 500 |
Dell SonicWALL EX6000 | 250 |
Dell SonicWALL EX7000 | 5000 |
Dell SonicWALL EX9000 | 20000 |
Dell SonicWALL EX Virtual Appliance | 5000 |
SRA 1600
SRA 4600
SRA-e9000
SRA-ex6000
SRA-ex7000
Infotecs
Infotecs holds a steady leading position in the Russian information security market and is one of the main suppliers of software and hardware-software VPN solutions and of cryptographic information protection facilities for workstations, servers and mobile computers. ViPNet Coordinator is a software server of the protected ViPNet network that runs on top of the operating system and performs prioritization, filtering, encryption and authentication, reliably protecting information transmitted over communication channels from unauthorized access and substitution. The most popular solutions are listed below:
Model | Number of supported tunnels |
---|---|
ViPNet Coordinator HW 100 C | 10 |
ViPNet Coordinator HW1000 | 500 |
ViPNet Coordinator HW2000 | 6000 |
ViPNet Coordinator HW1000
ViPNet Coordinator HW2000 v2
F5 Networks
F5 Networks offers both complete solutions and stand-alone VPN devices. Since 2016 the company has emphasized complete solutions, and stand-alone VPN concentrators are gradually being discontinued.
Access Policy Manager (APM) is a dedicated software module that includes VPN functionality together with a range of other functions, including BIG-IP as a full proxy between users and application servers, providing security, application traffic optimization and load balancing. The Russian Leto Bank (now Post Bank) was mentioned earlier as a user of this solution.
The BIG-IP VPN client uses TLS (Transport Layer Security) and DTLS (Datagram TLS), which lets latency-sensitive applications work without problems. The client is available on all widespread desktop and mobile platforms.
As of 2016, F5's BIG-IP offerings start with the BIG-IP 1600 and end with the BIG-IP 11050, their largest stand-alone VPN device. The largest blade-server-based solution is the Viprion 4800; characteristics are given below:
Model | Maximum number of SSL transactions |
---|---|
F5 BIG-IP 1600 | 1000 |
F5 BIG-IP 11050 | 20000 |
F5 Viprion 4800 Chassis (4340N Blade) | 30000 |
F5 BIG-IP 1600
F5 BIG-IP 11050
F5 Viprion 4800
Pulse Secure (formerly Juniper)
The Pulse Secure VPN solution is a set of applications that includes the Pulse Secure MAG Gateway, Pulse Connect Secure and Pulse Policy Secure. Pulse Connect Secure gives remote users secure SSL VPN connectivity either through the browser or through the Pulse Secure Client. The Pulse Secure MAG gateway comes in four physical device versions and a virtual appliance; their specifications are listed in the following table:
Model | Maximum number of SSL sessions | Maximum number of users |
---|---|---|
MAG 2600 | 100 | 250 |
MAG 4610 | 1 | 5 |
MAG 6610 | 20 | 30 |
MAG 6611 | 40 | 60 |
Mag-600
Mag4610
Mag6610
Mag6611
S-Terra
The Russian company S-Terra CSP LLC is one of the leading domestic developers and manufacturers of network security products (VPN products). S-Terra products use the IPsec protocol suite and the Russian GOST cryptographic algorithms, are certified by the FSB of Russia and FSTEC of Russia, and are included in the Unified Register of Russian Software for Computers and Databases (the register of Russian software).
S-Terra solutions protect communication channels within the corporate network, between two data centers, in virtual infrastructure, for remote access (including from mobile platforms), for VDI access, and using trusted-session technology.
The S-Terra Gateway hardware-software system provides encryption and integrity control of transmitted data, authentication, firewalling, traffic prioritization and marking, integration with a RADIUS server, and event logging. S-Terra Gateway is offered in a wide range of models of different performance, is available on hardware platforms from both Russian and foreign manufacturers, and can also run in a virtual environment.
Performance and purpose of S-Terra Gateway:
Model | Maximum IMIX encryption throughput, Mbps | Maximum TCP encryption throughput, Mbps | Maximum number of tunnels |
---|---|---|---|
S-Terra Gateway 100 | | | |
S-Terra Gateway 1000 | | | |
S-Terra Gateway 3000 | | | |
S-Terra Gateway 7000 | | | |
S-Terra Gateway 100
S-Terra Gateway 1000
S-Terra Gateway 7000
Results and the table of supported sessions
We have reviewed the corporate VPN solutions most relevant at the moment.
"When choosing a remote-access system, first of all one should be guided by compliance with regulators' requirements," says Pavel Korostelev, product marketing manager at Security Code. "If the operator of a personal data information system (ISPDn) has decided to use cryptographic information protection facilities (CIPF) to secure traffic transmitted over open communication links, then such a product must be certified by the FSB as a CIPF. The required CIPF class is chosen based on the ISPDn security level and the relevant threats. The correspondence between security levels, relevant threats, and organizational and technical measures is set out in FSB of Russia Order No. 378.
The second important parameter is the ability to integrate the secure remote-access system with the existing network infrastructure or network security infrastructure at the level of management or, at least, monitoring. For a corporate remote-access system, integration with Active Directory or another LDAP directory is highly desirable.
The third selection parameter is the remote-access system's support for the required desktop and mobile operating systems. Given the wide spread of mobile devices among non-management employees, it is necessary to have the technical capability to organize remote access not only from desktop OSes (Windows, Linux, Mac OS) but also from mobile ones: iOS and Android."
The number of supported sessions is also an important criterion (a comparison table for all the vendors reviewed is given below), but other factors must be considered as well, such as the network architecture, support for the required authentication and encryption protocols, cost and others; each case is therefore individual and requires its own approach.
Model | Number of supported sessions |
---|---|
ViPNet Coordinator HW 100 C | 10 |
Continent IPC-25 | 25 |
S-Terra Gateway 100 | 200 |
Dell SonicWALL EX6000 | 250 |
Dell SonicWALL SRA 4600 | 500 |
Dell SonicWALL SRA Virtual Appliance | 500 |
Cisco 1941 | 500 |
Continent IPC-100 | 500 |
ViPNet Coordinator HW 1000 v3 | 500 |
S-Terra Gateway 1000 | 500 |
S-Terra Gateway 3000 | 1000 |
Continent IPC-400 | 1000 |
MAG 4610 | 1000 |
F5 BIG-IP 1600 | 1000 |
Citrix NetScaler MPX 5550 | 1500 |
Cisco 2900 | 2000 |
Continent IPC-1000/1000F/1000F2/3000F/3034/3034F | 3000 |
Cisco 3900 | 3000 |
Cisco ASA 5512-X | 3000 |
Cisco ASA 5555-X | 5000 |
Dell SonicWALL EX7000 | 5000 |
Dell SonicWALL EX Virtual Appliance | 5000 |
ViPNet Coordinator HW 2000 v3 | 6000 |
Cisco ASA 5585-X w/SSP-60 | 10000 |
MAG 6610 | 20000 |
F5 BIG-IP 11050 | 20000 |
F5 Viprion 4800 Chassis (4340N Blade) | 30000 |
MAG 6611 | 40000 |
Citrix NetScaler MPX 22120 | 560000 |
As of September 2016, stand-alone concentrators are becoming a thing of the past as they are integrated into application delivery controllers (ADC), next-generation firewalls (NGFW) and security gateways (UTM). Even SonicWALL and Pulse Secure, the two relatively autonomous options discussed in this article, come packed with integrated and additional functions.
Most modern networks already have remote-access solutions, but new threats arise every day, which is especially relevant with the wide spread of BYOD. The solutions reviewed offer the flexibility and additional security that modern networks require.
VPN articles
- VPN (world market)
- VPN solutions for corporate networks
- VPN routers for small and medium business (SMB)
- VPN and privacy (anonymity)
- Censorship (control) on the Internet. Experience of Russia
- Censorship (control and anonymity) on the Internet. World experience
- Censorship (control) on the Internet. Experience of China
VPN protocols developed over the last decades:
- Point-to-Point Tunneling Protocol (PPTP)
- Internet Protocol Security (IPsec)
- Layer 2 Tunneling Protocol (L2TP)
- Secure Socket Tunneling Protocol (SSTP)