Editor's note: Many enterprise-grade VPN products contain firewall capabilities to protect network data from attacks. Through much of this article, we refer to these appliances as "VPN firewalls." Learn in this article how to find a VPN firewall that's right for your enterprise.
With all the products available in the market, many IT managers and engineers are wondering which VPN is best. I'll be honest -- it's tough to choose, but there's a way to seriously narrow down your options and choose from a handful of VPN firewalls that live up to your expectations and do what they say they will.
Avoid mixing and matching VPN firewall solutions
Most, if not all, VPN firewall products make use of VPN protocols (usually IPsec) that are defined by a large number of standards outlined by the Internet Engineering Task Force (IETF). Because of this, a lot of products are compatible with each other, which means that you can purchase two products from two different vendors and configure them to work with each other to create a site-to-site VPN.
Along with the VPN protocols most products support, vendors tend to introduce new features that enhance existing VPN protocols. Such enhancements include automatic VPN or firewall load balancing and dynamic VPN tunnels. Although these enhancements are useful, they usually require you to use the same VPN firewall vendor throughout your enterprise WAN in order to take advantage of them. In some cases, these features are permanently enabled and can cause periodic failures if the other side of the VPN tunnel doesn't support them.
Mixing and matching VPN products and VPN/firewall technologies is generally not a good idea. If you don't test differing products together, there is no way to know if your VPNs will be as stable as they should be or how simple changes will affect your network.
Single VPN firewall vendor = Fewer problems
The above rule has one condition: It requires that you've selected the right VPN firewall vendor for your company.
Usually when you work with a single vendor, you'll have fewer problems to deal with -- especially if your underlying VPN design is complex. When dealing with a single vendor, you tend to understand the strong and weak points of your systems and learn to adapt to them much faster, which allows you to find solutions to your VPN problems.
Managing a complex VPN architecture across a multi-vendor platform is every IT engineer's nightmare. It almost guarantees problems will take longer to resolve as engineers must debug them and gain enough information to come to the correct conclusions. Each vendor has its own troubleshooting logic, and it's hard enough understanding one vendor's logic -- let alone two or more!
Avoid cheap VPN products
Cheap VPN firewall products are always popular, but popular is not always best. You can purchase a VPN firewall router for less than $200 and it will promise to perform functions found in large vendor VPN firewall devices that cost ten times as much. So, what's the catch?
Most cheaper products originate from some original equipment manufacturer (OEM) factory (usually in mainland China or Taiwan) that mass-produces products and essentially rebrands them under different names. I can easily recall at least three different -- even popular -- routers with firewall and extensive VPN support that were exactly the same device, just rebranded. You'd be amazed by the number of security bugs found in these cheap products and how easy they are to hack. When it comes to enterprise security, this is not acceptable, nor should it be tolerated.
Incumbent vendors -- Cisco Systems, Check Point Technologies, IBM, Symantec and others -- do not participate in the cheap VPN/firewall market and with good reason. These companies spend millions of dollars each year in research, development and support to produce fine products that are able to withstand the harsh environment and reality of the Internet.
Consider how much your company's security is worth to you. If it's worth your job, then don't take the risk. You can surely find the ideal security appliance within your budget from one of these vendors.
Is your VPN firewall certified?
All serious players in the VPN/firewall arena ensure their products are fully certified, and this should probably be the starting point when researching the market.
VPN firewall products are certified to ensure they meet various validations, such as the popular Federal Information Processing Standard (FIPS) 140-2 cryptographic module validation program. The vendor determines which security level its cryptographic module achieves through testing at independent labs, such as ICSA Labs. The FIPS program is a real eye-opener and will help you confirm how important it is to purchase a certified VPN product.
How to ultimately find a VPN firewall
Thousands of articles explain how important network security is, but you'll only truly understand it when your organization is hit by a hacker. Prevention is your best friend in the fight to keep hackers away from your data. This involves understanding market trends and the available products, and then making a careful selection of the right VPN product or trusted vendor. Ask any vendor about their VPN firewall products and they'll persuade you theirs are the best. If you do your research, you'll quickly conclude which product really is the best for your enterprise.
This was first published in January 2012