Many years ago, the organization I worked for required a Virtual Private Network (VPN) in order to log in to the server that held extremely sensitive information. And then I discovered, once I was in that area, that I could access just about anything I wanted whether I needed to be there or not. (I hope the organization's security has improved since then!)
Today, moving to a VPN appears to be a move more companies are making as computing becomes more mobile and access to sensitive data is a growing concern. I recently interviewed Patrick Graf, director of sales and support at HOB, Inc., about VPN and security. Below is our conversation:
Poremba: Can you explain a bit what VPN is and does?
Graf: A VPN (Virtual Private Network) is a method that uses the open, distributed infrastructure of the Internet to transmit data between sites. A VPN supports at least three different modes of use: remote access client connections, controlled access within an intranet and LAN-to-LAN Internet working.
It is important to understand that there are two different VPN technologies: IPSec VPN and SSL VPN. The main differences between these two technologies are the different encryption technologies (IPSec vs. SSL) and the way of deployment. An IPSec VPN client requires at least one VPN gateway in the corporate network and an additional software installation on each single user PC, whereas an SSL VPN solution is a security gateway hosted in the corporate DMZ and doesn't require any pre-installation of a software client on each user PC. There is only a Web browser required, which comes with every computer operating system today.
Poremba: How does VPN access fit into a company's security plan?
Graf: Both IPSec VPN as well as SSL VPN are part of a company's security plan, especially when it comes down to secure remote access. The only question that needs to be answered is: What fits better into corporate's network architecture? Today, most corporations are already using IPSec VPN technology since it has been available in the market longer and the IPSec VPN clients were shipped for free with firewalls. Modern security plans, which address disaster recovery and pandemic cases, are focusing more on an SSL VPN solution since it is much easier to deploy and more flexible in how it can be used.
Poremba: What should a company think about when making the move to a VPN connection?
Graf: They should ask: How many concurrent users would this VPN connection be available to, who is the client base (road warriors with laptops, users at home offices with PCs) and which devices are being used (PCs, Macs, smartphones, etc.)? The more heterogeneous the client environment is, the more an SSL VPN solution would be the appropriate technology.