What UTM appliances need today: VPNs for remote access
Today, an increasingly mobile and diverse workforce is straining at network boundaries inside organizations of all scales. In particular, telecommuting and remote access away from home and office -- be it on the road, in the air, at a customer's or client's site, or all points in-between -- are forcing organizations to take special care in vetting and protecting remote access. IT must check and manage clients before users are allowed inside network boundaries. In addition, enterprises must deal with bring your own device (BYOD) where employees want to use their mobile handsets, tablets and PCs in the workplace, even if it's just to gain access to an Internet connection.
For the best protection in such situations, many organizations of all scales -- from small businesses to the largest of enterprises -- are deploying unified threat management, or UTM, solutions on their network boundaries, and in their branch and satellite offices. UTM not only provides powerful, centrally managed security coverage, but upgradable firmware and software that permits these devices to keep up with an ever-changing threat landscape, without requiring wholesale hardware upgrades or replacements.
In particular, UTM devices must support the following VPN technologies and features to offer the most comprehensive forms of network security coverage and protection:
- VPN support for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is increasingly essential, not just because it provides strong encryption for all kinds of networked applications but because it also provides integrated security for Web browsers -- especially for mobile devices such as smartphones and tablets. In short, any device with a modern Web browser can support a reasonably-secure VPN link. As of mid-2012, all current browsers support SSL and the majority also support TLS up to 1.1, with some spotty 1.2 support.
- A VPN-capable UTM device must have the ability to inspect real-time HTTP and HTTPS traffic, so as to be able to distinguish among Web-based applications all sharing Port 80 (HTTP) and 443 (HTTPS) to filter usage and access on an application basis, as well as on a content basis.
- VPN UTMs must have the ability to inspect encrypted data streams using SSL, TLS, Secure Shell (SSH), and so forth. This also lets UTM devices find and block threats inside opaque data streams that might otherwise go through the firewall unhindered and unheeded. This kind of technology also provides important support for data leakage prevention, and lets organization block or allow file transfers on the basis of policy or content, irrespective of encryption. For regulatory compliance, protection of information assets and intellectual property, and protection of confidentiality, such functionality is absolutely essential in our ever-more-mobile networking world.
- In addition to supporting remote access via a VPN (through SSL-TLS, IPsec, and in some cases, PPTP, L2TP, and L2TP over IPsec), UTM devices must also establish tunnels for site-to-site access. Nearly all VPN UTM vendors support simple point-to-point (P2P) tunnels, but many also support hub-and-spoke (H&S) tunneling, and some even support partial-mesh (PM) or full-mesh (FM) tunneling topologies. Hub-and-spoke is important, for example, for organizations with numerous branch or satellite offices, all of which require access to a hub at headquarters or some central location. Mobile VPNs include remote access capabilities, along with SSL or TLS Web-based VPN support, while UTM products listing "remote access features" indicate no mobile VPN support is available.
A VPN UTM feature vendor comparison
In looking at leading UTM vendors, I observed an interesting product matrix for these and related features in various VPN UTM devices, as Table 1 shows.
Table 1: VPN UTM vendor offerings by protocols, gateways, and inspection
|Vendor||Supported VPN Protocols||Gateway Types||Inspection Capabilities|
|Astaro (Sophos)||SSL-TLS, IPsec, L2TP…||Mobile VPN, P2P, H&S||Application & file filtering|
|Check Point||SSL-TLS, IPsec, L2TP…||Mobile VPN, P2P, H&S, F/PM||Application & file filtering|
|Cisco ASA||SSL-TLS, IPsec||Mobile VPN, P2P, H&S, F/PM||Application & file filtering|
|Fortinet FortiGate||SSL-TLS, IPsec, L2TP||Mobile VPN, P2P, H&S, F/PM||Application & file filtering|
|Juniper SSG||SSL-TLS, IPsec, L2TP||Mobile VPN, P2P, H&S, F/PM||Application & file filtering|
|McAfee Sidewinder||SSL-TLS, IPsec||Mobile VPN, P2P, H&S, F/PM||Application & file filtering|
|Network Box||SSL-TLS, IPsec||Mobile VPN, P2P, H&S, F/PM||Application & file filtering|
|SecPoint||IPsec, PPTP||P2P, remote access||Application & file filtering|
|SonicWALL (Dell)||SSL-TLS, IPsec||P2P, H&S, mobile VPN||Application & file filtering|
|Watchguard||SSL, IPsec, PPTP||P2P, H&S, mobile VPN||Application & file filtering|
Table key: SSL-TLS: Secure Sockets Layer-Transport Layer Security; IPsec: IP Security; L2TP: Layer 2 Tunneling Protocol; P2P: Site-to-site tunneling support; H&S: Hub and spoke tunneling support; F/PM: full mesh and partial mesh support; … (Ellipsis): additional options also available
Selecting a VPN UTM vendor
Most of the UTM vendors are on par with one another, though there are a large number of options available for UTM devices that scale from 10 users and VPN connections per device at the low end (aimed primarily at small businesses) to 2,000 to 6,000 VPN connections per device (aimed primarily at data centers or at corporate hub/HQ operations). Consequently, pricing ranges from under $1,000 for low-end devices to over $100,000 for high-speed, high-capacity devices.
Most organizations will find that their existing platform and vendor allegiances will guide their choices for VPN UTM technology. But where vendor loyalty doesn't make choices obvious, interoperability with other infrastructure and security elements will be of paramount concern. I've had very good luck with the Fortinet, Astaro and SonicWALL deployments I've been involved in, but all the other vendors in Table 1 have excellent products and reputations to match.
As your organization prepares to deliver nonstop remote access to its users and gets ready to add mobile devices to the mix, don't forget the importance of SSL-TLS VPN support. Even vendors in Table 1 that don't support such capability at the moment will likely add it sometime in the near future. It's an important key to simple, straightforward VPN access for all users, no matter what kind of UTM appliance device they wish to use.
Ed Tittel is a regular blogger for and contributor to numerous TechTarget websites. His latest e-book in this area is called Unified Threat Management (UTM) For Dummies. He has also written numerous other security titles on malware and information security certifications. Visit his webpage at http://www.edtittel.com/.
Dig deeper on Remote access