Ensuring the continuity of business processes for a geographically dispersed enterprise goes hand in hand with securing the data being transferred. Today’s most cost-efficient way of linking remote offices relies on the use of public networks, that is, the Internet. Of course, this tactic has its drawbacks, such as the likelihood of bandwidth issues and critical lags that make QoS (Quality of Service) harder to achieve.

Furthermore, whereas only the ISP’s personnel can potentially access the data in a scenario of renting a communication channel, the use of the public Internet means anyone can obtain that access. Submitting valuable information without extra protection is comparable to carrying a large amount of money in a transparent bag across a high crime neighborhood.

Obviously, using cryptography is the most convenient way of securing data transferred via a channel we cannot fully control. The first way to protect your data is to use the best file encryption software.

Protection at the application and presentation layers presupposes that the application needs to query a specific service, which means it isn’t “transparent”.

Protection at the network layer doesn’t have that shortcoming. This method is particularly handy for maintaining the security of data as it is being transferred between two networks. The information is encrypted at the perimeter of one network and decrypted at the perimeter of another. If the encapsulation mode is in place, it additionally allows for obfuscating the inner structure of the networks.

Based on the peculiarities of implementing cryptographic functions, the following types of VPN – Virtual Private Networks can be singled out:

• VPN based on operating systems
• VPN based on routers
• VPN based on firewalls
• VPN based on a specific device

It’s unreasonable to implement VPN functions for every computer on a network due to the obvious difficulties of managing such a system.

There are numerous caveats to using a router or firewall for that purpose as well – they aren’t really intended for that, after all. Besides, they may lack certified implementations of cryptographic algorithms.

Therefore, using a specialized equipment to build VPN networks makes the most sense. In case you are living in China, you migh be interested in this list of Available VPNs in China.

VPN selection criteria

Standardization

Most of the time, the optimal choice is a standardized VPN. It will address the compatibility issue to a large extent. Furthermore, standards are well-thought-out, which reduces the risk of making a mistake. In some cases, though, it’s better to use custom solutions (for instance, to minimize overhead costs of VPN implementation or connect a mobile client over NAT or proxy server).

Performance

The product’s performance is an important component of the VPN selection process. Sometimes advertisements mention the productivity delivered by the most powerful hardware configuration while indicating the price for a lower-grade platform out of the available options. It’s also a good idea to pay attention to the performance evaluation conditions. The results returned by a specially crafted utility in “lab” conditions may considerably deviate from the speed of applied protocols processing in a real-world scenario.

Socket filter

While seeking to provide certified solutions, some VPN vendors have built firewall features into their services. This functionality is redundant for many customers who use standalone firewall tools (Check Point, CyberGuard, Cisco PIX, etc.). Being unable to turn off the socket filter, which follows a number of default rules even with the “allow any to any” set-up enabled, may cause issues as well.

Diagnostic system

Any complex system is error-prone. The bugs are mostly caused by faulty configuration, whereas developer’s error may be the case, too. It takes a user-friendly diagnostic system to find and eliminate these errors. This is one of the situations, though, where we face a trade-off between convenience and security. Of course, devices made in compliance with the “black box” principle and controlled remotely via a dedicated console are more secure than the “commonplace” operating system with a crypto module built in. However, being unable to access system logs in a regular way or launch a traffic analysis tool makes diagnostics more complicated or even impossible.

Handling cryptographic keys

The convenience and security of handling cryptographic keys is another important criterion for choosing the right solution. Ideally, the system should allow you to manage the keys in a manual, automatic, or semi-automatic mode. It should also be PKI-ready, that is, be integrated in the public key infrastructure, preferably an arbitrary one. It’s great if the VPN supports different cryptographic data security solutions over standard API, such as PKCS #11, as it ensures that the keys are stored and used securely.

It’s common knowledge that the average VPN product is, essentially, a computer (in conventional of industrial form factor) running a custom version of the network operating system (NOS) and storing keys inside its file system. In the meantime, there are hardware security modules (HSMs) that perform cryptographic functions (including key generation and storage) on their own. These modules are particularly handy for banks that install terminal VPN devices in points of sale accepting credit cards because it’s not always feasible to restrict physical access of the store’s staff to the device.

Speaking of credit cards, another feature (optional one) of VPN is worth mentioning. Up to this point, we have focused on a secure interaction between networks and computers, but there is a whole range of devices that don’t have network adapters but still need communication security. These ones include compact credit card terminals, among others.

These machines usually have RS-232 interface, and they are typically connected to a computer or specially crafted converter to maintain communication with the bank’s server. The auxiliary device transports the serial port flow via IP networks to a similar converter or virtual port driver. For a bank’s client, the obvious advantage of a VPN solution over others is the availability of a compact VPN terminator among the offered devices that allows for connecting one or several terminals to it.

The use of such converters isn’t restricted to banks: they can be applied to remotely connect various telemetry sensors, controllers, consoles, etc. There are plenty of solutions like that available on the market, including ones with embedded and certified NIST implementation of the AES cryptographic algorithm.

Now let’s have a look at the economic criteria.

Total cost

When comparing the prices for VPN solutions, all kinds of additional expenditures should be taken into account to get the big picture. Besides the cost of VPN devices proper, that of the control system should be part of the equation as well. In some solutions, one of the devices takes on the role of the system coordinator, while others go with a special network control center. Some tools may use third-party products for that purpose.

Tech support and warranty service are important, too. It’s not only their cost that matters (unless it’s already included in the product cost), but the response time (24/7, 8/5, etc.) and maintainability are also significant factors, especially if custom hardware solutions are used.