VPN usage has been critical during the coronavirus pandemic. Virtual Private Networks have allowed employees to connect safely to corporate networks regardless of location. This technology was foundational for businesses transitioning to a fully remote workforce without compromising network security or creating vulnerabilities that could lead to data breaches. Now that the dust has settled, many businesses and organizations are able to reassess their VPN solutions and adjust based on feedback or issues that came to light during this time. We thought it would be helpful to highlight three VPN solutions that are at the forefront of the industry in adoption and deployment.
WireGuard VPN – WireGuard is a modern, open source VPN solution that makes it easier than ever to connect remote employees, offices, or other devices safely to the network. WireGuard uses modern cryptography and a small code base, which gives it a smaller attack surface than other VPN options. That streamlined code base also delivers very fast connections with little overhead, making it a good choice for site-to-site as well as client-to-site connections.
On the move? WireGuard maintains its secure connection on any device even as the device changes networks, for example from WiFi to LTE, which is ideal for a workforce that travels or will remain remote for the foreseeable future. Installation of WireGuard is simple and requires an application to be installed on each client for client-to-site connections.
Pros: Easy to set up, fast client connections, broad availability on both mobile and desktop platforms, roaming capability that keeps the device protected regardless of the available connectivity.
Cons: Less widely known and trusted than other VPN options; requires a client application to be installed.
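As an added example (not from the original post), a wg-quick client configuration showing how the behaviour described above is expressed: AllowedIPs selects full-tunnel routing, the DNS entry is applied while the tunnel is up, and the server is identified purely by its static public key, which is why the session survives a move between networks. Keys, addresses and the endpoint hostname are placeholders.

```conf
# Added example: wg-quick client configuration (placeholder values, not from the post).
[Interface]
# Client's own key pair; only the private key lives here (placeholder value).
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# Tunnel address assigned to this client by the administrator.
Address = 10.7.0.2/32
# wg-quick installs this resolver while the tunnel is up, so internal
# hostnames resolve for the remote user (the "DNS configuration" question).
DNS = 10.0.0.53

[Peer]
# The server is identified by its static public key, not by the client's
# source IP, so moving from WiFi to LTE keeps the same cryptographic session.
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Optional symmetric key layered on top of the public-key handshake.
PresharedKey = <PRESHARED_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 and ::/0 send all IPv4 and IPv6 traffic through the tunnel
# (Full Tunnel Mode); list only internal prefixes here for split tunnelling.
AllowedIPs = 0.0.0.0/0, ::/0
# Periodic keepalive keeps NAT mappings open on mobile networks.
PersistentKeepalive = 25
```

Because a WireGuard peer's identity is its key rather than a username, removing a user means deleting that peer on the server; there is no directory account to disable, which is what the comparison table later reflects.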
OpenVPN – OpenVPN enables administrators to provide secure remote access to the internal network for remote users and sites. OpenVPN uses a client-server model, securely connecting VPN clients to VPN servers to ensure complete privacy. OpenVPN provides additional security with the use of 256-bit encryption keys and high-end ciphers. Installation of OpenVPN is simple and requires a VPN client application to be installed on each client for client-to-site connections.
Pros: Well known and commonly used, easy to set up, can provide connectivity between different firewall brands to create a connected network.
Cons: Requires a client application to be installed; can create slower connections.
IPsec VPN – IPsec VPN provides network administrators with two options – transport and tunnel modes. Transport mode encrypts traffic between two hosts, while tunnel mode creates tunnels between two devices. IPsec VPN operates at Layer 3, the network layer, which allows it to provide security and complete privacy to all applications that travel across the network. IPsec VPN support is built into many client-side operating systems, streamlining the installation of client-to-site connections.
Pros: Fast connections, client support is typically already built into devices, well known and the default selection for many businesses.
Cons: Traditionally more expensive, more complex to set up, and more complex to troubleshoot if issues arise.
Each of these leading VPN technologies has pros and cons, and certain points matter more to one deployment than to another, so it is also feasible to combine VPN technologies based on the use case. For example, for site-to-site connections between security gateways from different vendors, it may make sense to choose IPsec if it is the technology supported at both sites. For site-to-site tunnels between gateways from the same vendor, using the best performing VPN technology, such as WireGuard, will bring a better user experience. Furthermore, for end user devices, the VPN protocol or application that provides the best compatibility and is easiest to manage, such as OpenVPN, may be the best choice.
As businesses decide how to move forward, VPN connectivity will remain a foundational piece of any network security solution. With so many options available, and with SMBs now having the flexibility to explore the VPN options open to them, choosing a solution that meets current business needs, future business needs, and unforeseen business needs will be all-important.
Each business or organization will need its VPN solution to perform in unique ways depending on its business or deployment structure.
Firewall Compatibility – This is an important consideration in terms of end user devices and remote networks. Some business networks are independently managed, meaning that the security gateway devices may differ at each location. This presents a challenge when you need to connect the offices securely over a Wide Area Network because the gateway devices may not support the same tunneling protocols.
Capacity – As many businesses discovered in March, VPN services can have capacity limitations and become slower with increased usage. Choosing a VPN solution that can handle 10, 100, or 1,000 users without compromising speed and security is key. Businesses will continue to have employees who work remotely long after offices reopen, so ensuring that those employees can access bandwidth-intensive applications with minimal latency, regardless of how many users are connected to the VPN, is foundational for any business.
Logging and Reports – Depending on the industry, reports and logs are critical for employees and business leaders to maintain compliance and meet regulatory standards. Determine whether your business must retain reports and activity logs and, if so, choose a service that provides them.
As IT teams assess their current VPN solutions and look at alternatives to solve pain points identified during this pandemic, there are several important considerations to be made when comparing VPN solutions:
Does it support Full Tunnel Mode? Network administrators want to force all Internet traffic from remote devices through their security gateway. If a VPN solution supports Full Tunnel Mode, an administrator can enforce the same layer of security and reporting on each device, regardless of location.
Can it run as a Service? When the VPN client runs as a system service, administrators can enforce remote access and ensure that remote users cannot disable the VPN connection.
Does it Support Two-Factor Authentication? Some VPN solutions support 2FA. This additional feature is ideal for businesses or content-sensitive organizations looking for additional safeguards for employees connecting to the network.
Does it support user-based authentication with a directory service? This allows administrators to have better control over how users identify and connect remotely. For example, the administrator can disable login for a user in the directory service which in turn restricts the user’s ability to connect over VPN.
Does it support dynamic configuration? Clients such as OpenVPN are able to obtain configuration and routing information with each reconnect. This is useful for administrators because it means they can make network changes and have those changes propagate to VPN clients without manually reconfiguring each client device.
Does it support DNS configuration? Remote access usually involves connecting to internal resources by name rather than by IP address. VPN tunneling provides IP-based connectivity, but it does not itself handle name resolution. To ensure that hostnames resolve properly for remote clients, some clients can update their DNS settings when connected.
Below is a helpful chart to compare how VPN solutions address the questions listed above:
Question | WireGuard VPN | OpenVPN | IPsec VPN
---|---|---|---
Does it support Full Tunnel Mode? | Yes | Yes | Yes
Can it run as a Service? | No | Yes | No
Does it support 2FA? | No | Yes | No (it can be layered on when combined with a directory service, but the protocol does not support it natively)
Does it support user-based authentication with a directory service? | No | Yes | Yes
Does it support dynamic configuration? | No | Yes | No
Does it support DNS configuration? | Yes | Yes | No
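As an added example (not the original post's configuration), an OpenVPN server configuration showing where each OpenVPN "Yes" in the checklist and table comes from: push directives are delivered to clients on every connect, which is what provides dynamic configuration, Full Tunnel Mode and DNS settings, and the PAM plugin is the hook through which directory and second-factor authentication are layered on. File paths, addresses, and the PAM service name are assumptions.

```conf
# Added example: OpenVPN server.conf (paths, addresses and service names are assumptions).
port 1194
proto udp
dev tun
topology subnet

# Server certificate chain and DH parameters (placeholder paths).
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem
# tls-crypt authenticates and encrypts control packets, so unauthenticated
# packets are dropped before the TLS handshake even starts.
tls-crypt /etc/openvpn/server/tc.key

# Tunnel address pool handed out to clients.
server 10.8.0.0 255.255.255.0

# Every "push" line is sent on each (re)connect, so a change here reaches all
# clients without touching their local files ("dynamic configuration").
# Full Tunnel Mode: default route via the VPN while keeping the local DHCP lease.
push "redirect-gateway def1 bypass-dhcp"
# Internal resolver so hostnames resolve for remote clients ("DNS configuration").
push "dhcp-option DNS 10.0.0.53"
# Explicit internal route; a new subnet added here reaches clients on reconnect.
push "route 10.10.0.0 255.255.0.0"

# User-based authentication via PAM. The "openvpn" PAM service (assumed name)
# is where a directory backend and an OTP module would be configured, which is
# how directory authentication and 2FA are layered on top of the certificate check.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
# Still require a valid client certificate in addition to username and password.
verify-client-cert require
# Use the authenticated username, not the certificate CN, for per-user settings and logs.
username-as-common-name

# 256-bit data channel cipher and a TLS 1.2 floor for the control channel.
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2

keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status.log
verb 3
```

Disabling the account in the directory behind the PAM service rejects the next authentication attempt, which is the control described under user-based authentication above.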
As businesses discuss the future of how their employees work and connect, VPN will no doubt be an important piece of the puzzle. Many businesses are welcoming employees back into the office, creating a hybrid working structure with more flexibility around remote work, and some are permanently transitioning to a fully remote workforce. In all of these cases, adopting a VPN solution that provides reliable connectivity for one or 1,000 employees without causing bandwidth or connectivity issues will continue to go a long way toward keeping the corporate network secure. Each of these leading VPN solutions provides businesses with essential security and connectivity, making them ideal for any network.
© 2024 Arista Networks, Inc. All rights reserved.