Virtual private networks (VPNs) are a critical part of most companies' everyday network security, and business continuity highly depends on VPN availability and stability. When researching different VPN/firewall solutions
Two main VPN product categories to choose between are dedicated VPN hardware appliances and server-based VPNs -- otherwise referred to as hardware and software VPNs. Despite the information, product comparisons, reviews and benchmarks available, it is still difficult to directly compare these two categories and make a clear decision on which VPN is the best solution for your needs.
When comparing hardware and software VPNs be aware that each deployment model has its merits. Depending on what you're looking for, some features are more important than others. However, these five key points should not be overlooked when making your selection:
Compare hardware vs. software VPN costs
Dedicated hardware VPN appliances are generally more expensive to start off with, but don't take this as a rule of thumb. Software VPNs can prove to be equally expensive in the long run!
Carefully examine the current and future demands of your VPN to compare the long-term cost for each category. This method will help make it clear which category best suits your budget. Software VPN solutions are usually cheaper, especially if you're looking at an open source solution, which is something that is not available in the dedicated VPN appliance arena.
Compare the security of hardware vs. software VPNs
This is a key point, since VPNs are designed to secure your network. Hardware VPNs are considered more secure because the hardware device's sole function is to manage VPN connections.
Software-based VPNs are often forced to share a server with other applications and operating systems, which makes them more prone to attacks and less secure. For example, a server running other applications can become vulnerable due to bugs or exploits, especially if these applications listen on various TCP/UDP ports and accept connections from the Internet. In such cases, a hacker can use the application's weak points as an entry point and obtain direct access to the operating system, exposing the whole VPN infrastructure.
Securing software VPNs can be a daunting task if you happen to be dealing with operating systems that have a bad history in the security world. Popular operating systems such as Microsoft Windows Server or Linux-based distributions have both had their fair share of exploits and bugs. Most IT pros, however, would know that Microsoft usually ranks No.1 in the exploit/bug arena.
It is extremely important to ensure that Federal Information Processing Standard (FIPS)-approved algorithms are supported on the platform of your choice. These will help you select a VPN solution with acceptable encryption and cryptography. Unfortunately, not many vendors obtain these certifications, so it would be wise to look for them when shopping.
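The shared-server risk described above is easy to turn into a routine check: a software VPN host should expose nothing but the VPN service (and whatever management access you deliberately allow). The following script is an added example, not code from the original article. It parses the output of a socket listing such as `ss -tulpn` and reports every non-loopback listener that is not on an allowlist. The allowlist itself (OpenVPN on UDP/1194, SSH on TCP/22) and the embedded sample output are constructed for the demo and are assumptions, not anything the article specifies.

```python
"""Listening-socket audit for a software VPN host (added example).

Reads `ss -tulpn`-style output and flags every socket that is reachable from
other hosts and is not an expected service. A constructed sample is embedded
so the script runs offline; in practice feed it `ss -tulpn` run as root.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: an OpenVPN server that has also grown a web server and
# a database listener, which is exactly the situation the article warns about.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*         users:(("openvpn",pid=812,fd=6))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=402,fd=12))
tcp   LISTEN 0      128    10.0.5.10:22       0.0.0.0:*         users:(("sshd",pid=650,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1377,fd=20))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=650,fd=4))
"""

# Assumed allowlist for this host: (protocol, port) -> process expected to own it.
# 1194/udp is OpenVPN's default port; 22/tcp is SSH for administration.
VPN_HOST_ALLOWLIST = {
    ("udp", 1194): "openvpn",
    ("tcp", 22): "sshd",
}

# Extracts the first process name from ss's users:(("name",pid=...,fd=...)) column.
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # bind address; "0.0.0.0" or "::" means every interface
    port: int
    process: str    # owning process name, "" if ss could not show it


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tulpn` output (header plus one line per socket) into records."""
    listeners: list[Listener] = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue                            # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)       # split on the last ':' (IPv6 safe)
        addr = addr.split("%", 1)[0].strip("[]")  # drop scope id and IPv6 brackets
        match = PROCESS_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), match.group(1) if match else ""))
    return listeners


def audit(text: str, allowlist: dict[tuple[str, int], str]) -> list[Listener]:
    """Return listeners that other hosts can reach and that are not allowlisted.

    A socket is flagged when it is bound to a non-loopback address and either
    its (proto, port) is not in the allowlist or a different process owns it
    (a port-squatting process on an expected port is also a finding).
    """
    unexpected = []
    for lsn in parse_ss(text):
        if ipaddress.ip_address(lsn.addr).is_loopback:
            continue                            # only reachable from the host itself
        if allowlist.get((lsn.proto, lsn.port)) != lsn.process:
            unexpected.append(lsn)
    return unexpected


if __name__ == "__main__":
    for lsn in audit(SAMPLE_SS_OUTPUT, VPN_HOST_ALLOWLIST):
        print(f"UNEXPECTED {lsn.proto}/{lsn.port} on {lsn.addr} owned by {lsn.process or '?'}")
```

Run against the sample, the script reports nginx on 80/tcp and mysqld on 3306/tcp while accepting the OpenVPN and SSH listeners and ignoring the loopback-only resolver. Scheduling this against the real host (and on a dedicated appliance, the equivalent vendor command) gives you an early warning when an unrelated service starts listening beside the VPN.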
How does each VPN solution scale?
Being able to expand your VPN to support more sites or users is important. Selecting a VPN solution that doesn't scale can easily double your costs if or when you outgrow your VPN capacity.
Software VPN solutions have the advantage when it comes to scalability simply because upgrading usually translates to replacing an onboard processor or adding memory to the system.
Hardware VPNs are limited depending on the selected model. You would need to spend more money and upgrade to a larger model from the beginning if there are concerns about exceeding VPN capacity. Sometimes hardware VPN scalability is only limited by its software license, but this is rarely the case.
Hardware vs. software VPN performance
Machines, much like humans, work faster when focusing on one task rather than fifty. Similarly, dedicated VPN appliances truly stand apart from software VPNs when it comes to performance. Server-based VPN solutions are often restricted because they co-exist with other applications, thus restricting their performance (and the performance of all other applications) to the server's available resources.
Furthermore, dedicated VPN appliances also offer load balancing features not easily found on software VPN solutions. Load balancing helps distribute the load between two or more devices, improving the performance and making the solution more robust. Load balancing can also help tackle the VPN scalability issues previously outlined.
Hardware vs. software VPN operation and maintenance
Managing day-to-day operations doesn't differ much in either category. Most vendors and VPN products offer an administrative interface allowing the staff to manage VPN services in a fairly easy manner.
Hardware VPNs sometimes offer more options when configuring the VPN service, but they require more advanced skills, such as knowing how to use the command-line interface (CLI).
Some open source software VPNs, like OpenVPN, are freely available and do not carry hefty maintenance fees; however, these products are not usually approved under federal security standards such as FIPS 140-2.
Most vendors of either VPN type have maintenance support contracts entitling you to software updates and support. Generally, try to include support and maintenance contracts in your VPN purchase, no matter what vendor is selected. It's important to be up to date with bug fixes, deal quickly with support issues and obtain professional services when they are required.
Choosing your VPN
Choosing the right VPN solution is not an easy task. The five key points analyzed above are designed to help you make the right choice. Remember, there is no one single solution that fits everyone. Every company has its own needs and budget. Lay down the facts, place your budget on the table and start researching based on what is most important to you. One thing is certain: The right solution is out there; you just need to find it.
This was first published in February 2012