by Lisa Phifer, Core Competence
One question I see frequently goes something like this: "I'm running XYZ operating system on my desktop/laptop/PDA. Is there a free VPN client that I can use?"
Although the answer is nearly always "yes," this question does not include enough information to make a solid recommendation. Here are other relevant factors that must be considered.
Purpose of the VPN
Why are you looking for a VPN client? Are you planning to tunnel to an enterprise network? Are you hoping to provide secure remote access to your small business network? Are you trying to protect traffic on a residential wireless LAN? In each case, the "best" answer may be different.
- Users tunneling to enterprise VPNs are typically required to use the client dictated by that network's operator. In some cases, a specific client is required to support vendor extensions. The company may also supply the necessary security policy in a client-specific format.
- Users seeking secure access to a SOHO (small office/home office) LAN must weigh the value of the data and network being protected against the cost of the VPN, including hardware, software, and configuration/maintenance. Many small businesses use the Point-to-Point Tunneling Protocol (PPTP) VPN client freely available in every Windows PC to reach either a Windows NT/2000 server or a VPN/firewall appliance that supports PPTP. This is an easy solution for Windows-only shops that need lightweight protection.
- Users that want something better than Wired Equivalent Privacy (WEP) between peers on a residential wireless LAN must first find a VPN server. Can your access point or gateway act as a VPN server for your wireless LAN? If not, can you connect one PC or an inexpensive security appliance to an Ethernet port on your access point to act as a VPN server? Or can you run peer-to-peer Internet Protocol Security (IPsec) between wireless stations? (This requires security know-how, but is often possible.)
Applications being protected
What kind of traffic are you hoping to protect with a VPN client? In other words: Why use a sledgehammer when a tack hammer will do?
- To exchange secure e-mail with business partners, I often use Pretty Good Privacy (PGP) to encrypt and authenticate mail messages.
- The LAN administrator looking for a secure way to manage corporate routers and servers from home may find Secure Shell does the trick.
- The road warrior looking for roaming access to his always-on PC back at home may consider a commercial secure desktop access service like GoToMyPC.
There are many, many alternatives to protect specific applications without skimping on security; each has its own pros and cons. A VPN client is really needed when you must protect all traffic heading to an entire network or many destinations/applications in that network.
Security gateway and policy
Although it is possible to mix-and-match VPN clients and security gateways, the shortest path from A to Z is usually the VPN client recommended by your gateway vendor. For example:
- There is a free PPTP VPN client for Linux that works well with the PoPToP open source PPTP server, but reports indicate it works less smoothly when paired with gateway appliances tested only against Windows PPTP clients.
- Microsoft ships IPsec in Windows 2000 and XP operating systems, but the corresponding Microsoft VPN client can only initiate tunnels using Layer 2 Tunneling Protocol (L2TP) over IPsec. "Vanilla" IPsec tunnels can be nailed up between XP/2000 PCs acting as security gateways, but this does not provide quite the same functionality as a VPN client.
- Nortel's VPN Client requires almost no configuration when paired with Nortel Contivity VPN gateways. However, there is no direct way to use a Nortel VPN Client with another vendor's gateway -- security parameters are not configurable on the client side. On the other hand, you can pair another vendor's VPN client with a Contivity VPN gateway, if explicitly permitted by the Contivity administrator. To do so, you'll need to know the security parameters expected by the gateway and you will lose some Nortel-specific features.
In fact, it can be easier to bring up a basic site-to-site tunnel between two different VPN gateways than to mix and match vendor-specific VPN clients. There are just too many approaches out there for user authentication, dynamic IP address assignment, Network Address Translation (NAT) traversal, and in-band policy updates. SafeNet SoftRemote is a noteworthy exception. This generic VPN client is OEM'ed by many gateway vendors and is highly configurable. For example, I have used a single SoftRemote VPN client to simultaneously tunnel into NetScreen, Nortel, RapidStream, SonicWALL, and WatchGuard VPN gateways at different locations.
This brings us back to the original question. At the client, one must consider not only the operating system, but also capabilities of the device and network connection. For example:
- Teleworkers often connect to the Internet through a residential broadband gateway that performs network address and port translation (NAT/PAT). A growing number of VPN clients support emerging standards for User Datagram Protocol (UDP) encapsulation to successfully push IPsec through NAT/PAT. PPTP often passes through NAT/PAT without trouble, but L2TP over IPsec also requires encapsulation. If this is your scenario, you'll need a VPN client-gateway pair that supports compatible NAT traversal and UDP-encapsulation Internet drafts -- for example, the Microsoft L2TP/IPsec VPN client for Windows 98/ME/NT (developed for Microsoft by SafeNet, released in early July) supports draft 2.
- Wireless WAN links (for example, CDPD, GSM) and satellite links (for example, DirecPC) have lower bandwidth, longer latency, or more intermittent coverage than the typical VPN client experiences. In some cases, transport layer adjustments may be required for satisfactory VPN client operation. "Wireless VPN" products like Columbitech and NetMotion are specifically designed to adapt to these very challenging network environments.
- PDAs and other handheld devices have less horsepower to spend on encryption and public key authentication than the average desktop or laptop. To learn more about VPN client options for wireless PDAs, read my earlier series on this topic.
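The NAT/PAT problem in the first bullet above can be made concrete with a small model. This is an added example, not code from the column or from any vendor named in it; it follows the UDP-encapsulation format that was eventually standardized in RFC 3948 (UDP port 4500, a zero "non-ESP marker" in front of IKE, a one-byte keepalive), not the draft-2 format the column mentions, and all function names are my own.

```python
"""Model of IPsec NAT traversal by UDP encapsulation (RFC 3948 layout).

Plain ESP has no transport ports, so a port-translating NAT has nothing to
rewrite or track. Wrapping ESP in UDP gives the NAT a port pair to map; the
ESP header and body travel untouched inside the UDP payload.
"""
import struct

NAT_T_PORT = 4500                     # IKE and ESP share this port after NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # marks an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"               # 1-byte datagram that keeps the NAT mapping alive


def esp_packet(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the (already encrypted) body.
    SPI 0 is reserved so that ESP can never be confused with the IKE marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + body


def udp_encapsulate(esp: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """UDP header + ESP. Checksum is sent as zero, as RFC 3948 recommends."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp


def pat_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """What a port-translating NAT does on the way out: only the UDP source
    port changes; the encapsulated ESP is opaque to it and survives intact."""
    _, dst, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, 0) + datagram[8:]


def classify_nat_t_payload(udp_payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a gateway or a sensor must."""
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"                  # IKE header follows the zero marker
    if len(udp_payload) >= 8:
        return "esp"                  # first four bytes are a non-zero SPI
    return "malformed"


def decapsulate(datagram: bytes) -> tuple:
    """Strip the UDP header and return (spi, seq, body) for an ESP payload."""
    payload = datagram[8:]
    if classify_nat_t_payload(payload) != "esp":
        raise ValueError("not UDP-encapsulated ESP")
    spi, seq = struct.unpack("!II", payload[:8])
    return spi, seq, payload[8:]
```

The round trip through `pat_rewrite` is the whole point: the translated datagram still decapsulates to the same SPI, sequence number and body, which is exactly what a bare ESP packet cannot promise once a PAT device is in the path.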
Now that we have expanded upon the original question to consider other relevant factors, touching upon both commercial and open source alternatives, it is time to take a concrete look at "free" VPN client software. Unfortunately, our time is up for this month! Next month, I'll tackle the rest of this question by introducing a few "free" VPN clients in some detail.