White Paper
Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations
Choosing Remote-Access VPN Technologies, Securing the VPN Deployment
DEFINING REMOTE-ACCESS VPNs
Remote-access VPNs allow secure access to corporate resources by establishing an encrypted tunnel across the Internet. The ubiquity of the Internet, combined with today's VPN technologies, allows organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime.
VPNs have become the logical solution for remote-access connectivity for the following reasons:
Provides secure communications with access rights tailored to individual users, such as employees, contractors, or partners
Enhances productivity by extending the corporate network and its applications to remote users
Reduces communications costs and increases flexibility
USING REMOTE-ACCESS VPNs TO IMPROVE BUSINESS PRODUCTIVITY
Anytime, anyplace network access gives employees great flexibility regarding when and where they perform their job functions. VPNs accommodate "day extenders", employees who want network access from home after hours and on weekends to perform business functions such as answering e-mail or using networked applications. Using VPN technology, employees can essentially take their office wherever they go, improving response times and enabling work without the interruptions present in an office environment.
VPNs also provide a secure way to grant limited network access to non-employees, such as contractors or business partners. With VPNs, contractor and partner access can be restricted to the specific servers, Web pages, or files they are authorized to use, giving them the access they need to contribute to business productivity without compromising network security. That restriction only holds if the VPN gateway enforces it per user or group; a tunnel that lands a partner on the flat internal network grants far more than the paragraph above promises.
TECHNOLOGY OPTIONS: IPSEC AND SSL VPNs
There are two primary methods for deploying remote-access VPNs: IP Security (IPsec) and Secure Sockets Layer (SSL). Each has advantages depending on the access requirements of your users and your organization's IT processes. While many solutions offer only IPsec or only SSL, Cisco® remote-access VPN solutions offer both technologies integrated on a single platform with unified management. Offering both IPsec and SSL enables organizations to tailor their remote-access VPN without additional hardware or management complexity.
SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. They do not require special-purpose client software to be pre-installed on the system; this makes SSL VPNs capable of "anywhere" connectivity from company-managed and non-company-managed desktops, such as employee-owned PCs, contractor or business partner desktops, and Internet kiosks. Any software required for application access across the SSL VPN connection is downloaded dynamically on an as-needed basis, thereby minimizing desktop software maintenance. Because the gateway cannot vouch for the state of an unmanaged endpoint, the security considerations later in this paper apply with particular force to this access mode.
SSL VPNs provide two types of access: clientless and full network access. Clientless access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted and delivered through a standard Web browser; no other software is required or downloaded. Because all applications and network resources are accessed through the browser, only Web-enabled and some client-server applications, such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers, can be reached over a clientless connection. This limited access is often a perfect fit for business partners or contractors who should only have access to a very limited set of resources on the organization's network. Furthermore, delivering all connectivity through a Web browser eliminates provisioning and support issues, since no special-purpose VPN software has to be delivered to the user desktop.
SSL VPN full network access enables access to virtually any application, server, or resource available on the network. Full network access is delivered through a lightweight VPN client that is dynamically downloaded to the user desktop (through a Web browser connection) upon connection to the SSL VPN gateway. Because this VPN client is downloaded and updated dynamically, without manual software distribution or interaction from the end user, it requires little or no desktop support from IT organizations, minimizing deployment and operations costs. Like clientless access, full network access offers full access-control customization based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources they use in the office, or for any client-server application that cannot be delivered across a Web-based clientless connection.
IPsec-based VPNs are the deployment-proven remote-access technology used by most organizations today. IPsec VPN connections are established using VPN client software pre-installed on the user desktop, which focuses the technology primarily on company-managed desktops. IPsec-based remote access also offers considerable versatility and customizability through modification of the VPN client software. Using the APIs in IPsec client software, organizations can control the appearance and function of the VPN client for uses such as unattended kiosks, integration with other desktop applications, and other special cases.
Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from non-company-managed desktops, little or no desktop software maintenance, and user-customized Web portals upon login. Table 1 compares the two technologies.
Table 1. Comparing IPsec and SSL VPN Technologies

Characteristic: Application and network resource access
  SSL VPN (using full network access) and IPsec VPN: both offer broad access to virtually any application or network resource

Characteristic: End-user access method
  SSL VPN: initiated using a Web browser
  IPsec VPN: initiated using pre-installed VPN client software

Characteristic: End-user access device options
  SSL VPN: access from company-managed, employee-owned, contractor and business partner desktops, as well as Internet kiosks
  IPsec VPN: access primarily from company-managed desktops

Characteristic: Desktop software requirements
  SSL VPN: only a Web browser is required
  IPsec VPN: proprietary pre-installed client software is required

Characteristic: Desktop software updates
  SSL VPN: basic (clientless) access operates without any special-purpose desktop software, so no updates are required; full network access uses software that installs and updates automatically without user knowledge or intervention
  IPsec VPN: the client can update automatically, but the update is more intrusive and requires user input

Characteristic: Customized user access
  SSL VPN: granular access policies define which network resources a user may reach, plus user-customized Web portals
  IPsec VPN: granular access policies, but no Web portals
WHICH TO DEPLOY: CHOOSING BETWEEN IPSEC AND SSL VPNs
IPsec is a widely deployed technology that is well understood by end users and has established IT deployment and support processes. Many organizations find that IPsec meets the requirements of users already on the technology. But the advantages of dynamic, self-updating desktop software, ease of access from non-company-managed desktops, and highly customizable user access make SSL VPNs a compelling choice for reducing remote-access VPN operations costs and extending network access to hard-to-serve users such as contractors and business partners. As a result, organizations often deploy a combination of SSL and IPsec. IPsec is commonly left in place for the existing installed base, and SSL is deployed for new users, users with "anywhere" access requirements, contractors, and extranet business partners. By offering both technologies on a single platform, Cisco remote-access VPN solutions make the choice simple: deploy the technology that is optimized for your deployment and operating environment. Table 2 summarizes the issues to consider when evaluating which VPN technology best fits your operating environment.
Table 2. Choosing a Remote-Access VPN Technology

Consideration: best served by
  "Anywhere" access from non-company-managed devices, such as employee-owned desktops and Internet kiosks: SSL VPN
  Business partner access: SSL VPN
  User-customized access portals: SSL VPN
  Minimized desktop support and software distribution: SSL VPN
  Greatest flexibility for end users: SSL VPN and IPsec VPN
  Greatest VPN client customizability: IPsec VPN
  Ability to maintain existing IT deployment and support processes: IPsec VPN
REMOTE-ACCESS VPN SECURITY CONSIDERATIONS
Worms, viruses, spyware, hacking, data theft, and application abuse are among the greatest security challenges in today's networks. Remote-access and remote-office VPN connectivity are common points of entry for such threats, because of how VPNs are designed and deployed: the tunnel carries whatever the endpoint sends, encrypted past any inspection device that sits in front of the gateway. For both new and existing IPsec and SSL VPN installations, VPNs are often deployed without proper endpoint and network security. Unprotected or incomplete VPN security can lead to the following network threats:
Remote-user VPN sessions bring malware into the main office network, causing outbreaks that infect other users and network servers
Users generate unwanted application traffic, such as peer-to-peer file sharing, into the main office network, slowing the network and consuming expensive WAN bandwidth
Sensitive information, such as downloaded customer data, is stolen from a VPN user's desktop
Attackers hijack remote-access VPN sessions, gaining access to the network as if they were a legitimate user
To counter these threats, both the user desktop and the VPN gateway it connects to must be secured as part of the VPN deployment. User desktops should have endpoint security measures such as protection for data and files generated or downloaded during the VPN session, anti-spyware, antivirus, and a personal firewall. The VPN gateway should offer integrated firewall, antivirus, anti-spyware, and intrusion prevention. Alternatively, if the VPN gateway does not provide these functions, separate security equipment can be deployed adjacent to the gateway, on the decrypted side of the tunnel, to provide appropriate protection.
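The endpoint posture requirements and per-group access restrictions described in this section (and the earlier points that contractors and partners should reach only specific servers, and that clientless sessions reach only Web-enabled resources) can be expressed as a single gateway-side policy check. The following Python is an added illustration written for this page, not Cisco's code or a description of any product's policy engine; the group names, posture attributes, address ranges, port sets and sample requests are all hypothetical.

```python
"""Gateway-side access policy evaluation for a remote-access VPN.

Added illustration for this page; not vendor code. Groups, posture flags,
address ranges and ports are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass
class Posture:
    managed: bool      # company-managed desktop (VPN client preinstalled)
    antivirus: bool    # antivirus present and current
    firewall: bool     # personal firewall enabled


@dataclass
class Request:
    user: str
    group: str         # "employee", "contractor" or "partner" (hypothetical groups)
    access: str        # "ipsec", "ssl-full" or "ssl-clientless"
    posture: Posture
    dest: str          # destination IP address
    port: int


# Access methods each group may use. Contractors and partners are kept off the
# preinstalled IPsec client; partners get the clientless portal only.
ALLOWED_METHODS = {
    "employee":   {"ipsec", "ssl-full", "ssl-clientless"},
    "contractor": {"ssl-full", "ssl-clientless"},
    "partner":    {"ssl-clientless"},
}

# Resources each group may reach: (network, allowed ports or None for any).
# Hypothetical RFC 1918 ranges.
RESOURCES = {
    "employee":   [("10.0.0.0/8", None)],
    "contractor": [("10.20.0.0/16", {22, 443, 3389})],
    "partner":    [("10.30.5.0/24", {443})],
}

# Clientless sessions are proxied by the gateway and reach only services the
# portal can render: HTTP(S) and, as an assumption here, CIFS file shares.
CLIENTLESS_PORTS = {80, 443, 445}


def posture_ok(p: Posture, access: str) -> bool:
    """Endpoint requirements scale with how much of the network the session can touch."""
    if access == "ssl-clientless":
        return True                   # nothing is installed; the gateway's own controls apply
    if not (p.antivirus and p.firewall):
        return False                  # any tunnel requires AV plus a personal firewall
    if access == "ipsec" and not p.managed:
        return False                  # IPsec client is assumed only on managed desktops
    return True


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (permitted, reason) for one proposed connection through the gateway."""
    if req.group not in RESOURCES:
        return False, "unknown group"
    if req.access not in ALLOWED_METHODS[req.group]:
        return False, f"{req.access} not permitted for group {req.group}"
    if not posture_ok(req.posture, req.access):
        return False, "endpoint posture check failed"
    if req.access == "ssl-clientless" and req.port not in CLIENTLESS_PORTS:
        return False, "clientless access is limited to portal-proxied services"
    try:
        dst = ipaddress.ip_address(req.dest)
    except ValueError:
        return False, "invalid destination address"
    for net, ports in RESOURCES[req.group]:
        if dst in ipaddress.ip_network(net) and (ports is None or req.port in ports):
            return True, "permit"
    return False, "destination outside the group's permitted resources"


# Constructed sample requests (not captured from any real deployment).
SAMPLES = [
    Request("alice", "employee", "ipsec", Posture(True, True, True), "10.1.2.3", 445),
    Request("bob", "contractor", "ssl-full", Posture(False, False, True), "10.20.7.7", 443),
    Request("carol", "partner", "ssl-full", Posture(False, True, True), "10.30.5.10", 443),
    Request("carol", "partner", "ssl-clientless", Posture(False, False, False), "10.30.5.10", 443),
    Request("carol", "partner", "ssl-clientless", Posture(False, False, False), "10.30.5.10", 22),
    Request("bob", "contractor", "ssl-full", Posture(False, True, True), "10.99.1.1", 443),
    Request("alice", "employee", "ipsec", Posture(True, True, True), "not-an-ip", 443),
]

if __name__ == "__main__":
    for r in SAMPLES:
        ok, why = evaluate(r)
        verdict = "PERMIT" if ok else "DENY"
        print(f"{r.user:6} {r.group:10} {r.access:15} {r.dest}:{r.port:<5} -> {verdict} ({why})")
```

The order of checks matters: the cheapest and most decisive denials (wrong access method for the group, failed posture) come before any resource lookup, and the destination is validated as an address before it is compared against any network, so a malformed value can never match by accident. Ports are tied to destinations per group rather than globally, which is what keeps a partner on one extranet Web segment instead of the whole internal range.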
Cisco remote-access VPN solutions offer threat-protected VPN services with full firewall, antivirus, anti-spyware, intrusion prevention, application control, and full endpoint security capabilities. These security services are integrated into the VPN platform, delivering a threat-protected VPN solution without additional equipment, design, deployment, or operational complexity.
STEPS TO SECURING THE REMOTE-ACCESS VPN
Technologies for mitigating malware such as worms, viruses, and spyware, and for preventing application abuse, data theft, and hacking, already exist in the security infrastructure of many organizations' networks. In most cases, however, they are not deployed where they can protect the remote-access VPN: VPN traffic is encrypted between the client and the gateway, so an inspection device placed upstream of the gateway sees only ciphertext. Inspection must occur at, or immediately behind, the point where the tunnel is terminated. While additional security equipment may be purchased and installed behind the VPN gateway to do this, the most cost-effective and operationally efficient method of securing remote-access VPN traffic is to choose VPN gateways that offer native malware mitigation and application firewall services as an integrated part of the product (Figure 1).
Figure 1. Securing the Remote-Access VPN—External Security Equipment or Security Services Integrated on the VPN Gateway
CISCO REMOTE-ACCESS VPN SOLUTIONS
Cisco Systems® offers a variety of remote-access VPN solutions tailored to small, medium-sized, and large organizations. Available on the Cisco ASA 5500 Series VPN Edition and Cisco integrated services routers, Cisco remote-access solution features include Web-based clientless access and full network access without pre-installed desktop VPN software, threat-protected VPN to guard against malware and attackers, cost-effective pricing with no hidden "per-feature" licenses, and single-device solutions for both SSL and IPsec-based VPNs that deliver remote-access and site-to-site VPN services from a single platform.
The Cisco ASA 5500 Series Security Appliance is Cisco's most advanced SSL VPN solution, delivering concurrent user scalability from 10 to 5000 sessions per device and tens of thousands of sessions per cluster through integrated load balancing. Converging VPN services with comprehensive threat defense technologies, the ASA 5500 Series delivers highly customizable remote network access while providing fully secured connectivity.
Cisco integrated services routers enable organizations to use their existing router deployment to provide core SSL VPN capabilities to as many as 100 concurrent users. Integrating security, industry-leading routing, and converged data, voice, and wireless with Cisco IOS® WebVPN provides a highly manageable and cost-effective network solution for small and medium-sized businesses and organizations.
NEXT STEPS
To learn more about remote-access VPNs or to find the solution that best fits your organizational processes and access requirements, please visit /go/sslvpn, contact Cisco at 800 553-NETS or 408 526-4000, or locate a Cisco VPN/Security Specialized Partner at /wwchannels/locatr/jsp/partner_locator.jsp?page=partner_withincountry_content.
Printed in USA C11-360982-00 08/06