Software vs hardware VPN (Virtual Private Network)
IT managers often have to make decisions between hardware and software to do a job. VPNs can be supported by a variety of devices. Should you consider relying on your routers or other dedicated hardware? Or, would it be cheaper or easier to configure some general-purpose file server with the correct protocols and applications? Unfortunately, there is no single golden rule that can answer these questions. Each network will present its own unique demands. However, there are some general guidelines that can be used to help in the decision.
First, you should evaluate any VPN product in relation to your entire IT infrastructure. The best predictor of IT project success is relevant experience with the technology and processes involved. For example, if you have a significant knowledge of Windows-based server networking, then a strong argument should be made for considering a software solution that shares the same platform as your network operating system (NOS). Being able to directly utilize existing user and group assignments and privileges make administration easier. You needn't worry about the problems with importing or translating access control lists to a VPN appliance. Lower cost is another plus of a software system, especially when the basic software is already included in the cost of the NOS.
In some cases, router manufacturers charge more for VPN capability in their products. Windows workstations have the necessary software to use Windows server VPNs, another factor in their favor. However, there are certainly several strong arguments against network server-based VPNs. Security is perhaps the greatest concern. Worms and countless other cyber attacks are much more common on software-based systems. Exposing a server to the public network demands great diligence to stay ahead of patches, locking of common port vulnerabilities, and guarding against myriad other points of attack. VPN authentication and encryption can also place a significant load on a general-purpose server.
Unless you support a limited number of clients, you should dedicate a single system exclusively to providing VPN services. With a sufficient number of clients, software-based VPNs can become bogged down. The maximum numbers of users that can be supported (often expressed as the simultaneous number of tunnels) are much lower than with a dedicated hardware solution. Hardware-based VPNs can vary in cost from under $100 to well over $200,000. Only the larger, more expensive, multiport routers have the custom application-specific integrated circuits (ASICs) and advanced technology to handle enterprise or service provider-level needs. High performance, massive client loads, redundancy, and load balancing are only possible when dealing with the largest dedicated hardware devices. Support for additional networking protocols or triple Data Encryption Standard and Internet Protocol Security typically require more costly equipment.
Small and branch offices can certainly rely on software VPNs, but Cisco, 3Com, Symantec, LinkSys and other vendors offer many attractive hardware devices that support VPN functionality. Usually, these appliances combine firewall, Network Address Translation and VPN capability into a single box. Administration is typically done through a web browser interface. Placing a VPN on a network potentially exposes it to unauthorized access. Make it a routine to check log files to detect who and when your systems are being accessed.
Remember that firewall devices are of paramount importance to complement your overall security plans. Another viable option to consider is the outsourcing of your VPN to your Internet service provider. Corporations have learned that offloading equipment maintenance and administration tasks to others for e-mail and application hosting may reduce costs. When going this route, consider account administration of your VPN users as a critical concern. Historically, I tend to caution against solutions that take control out of the corporate computer room. Make sure that your provider can meet your demands for security, performance and ease of use.