ZDNet UK


More VPN choice -- why not base them on SSL?

Salvatore Salamone

Published: 27 Aug 2002 15:02 BST

A monthly series, the VPN Advisor will answer your questions about VPN issues and trends. Send in any questions for Salvatore Salamone to answer.

What's the best way to go?
Q: Which is a better VPN implementation, a VPN gateway or server with VPN software installed or a VPN appliance hardware product?

--Michael G. Barroga, network development engineer, Philippine Computer Storage Services, Inc.

Salamone: There is no one best VPN implementation for all situations. Various equipment approaches have advantages and disadvantages, depending on the networking scenario they are used to support.

For instance, using VPN software on a router, server, firewall, or gateway is usually seen as a relatively low-cost way to deploy a VPN. After all, in most cases the VPN software is added to an existing device, so the only required investment is a software upgrade from the equipment vendor.

Another advantage to the additional software approach is that your network does not change. No extra devices need to be installed, and management of the network remains the same. A further advantage is that there is often less training required, since your IT staff will already be familiar with the vendor's methods for setting up and administering the equipment. The VPN configuration and management tools will often use the same interface and nomenclature as the product you've already implemented.

However, one point to consider when adding software to existing hardware is performance. VPN tunneling and encryption tasks will be carried out in software, taking CPU cycles from other processes. This could become an issue. For example, if you buy a router specified to handle a certain packet-per-second forwarding rate and then significantly sap the router's CPU with VPN software, the router's network performance may no longer meet your performance requirements.

For that reason, many router and firewall vendors offer add-on, hardware-assist products for heavy-load VPNs. The hardware add-on product handles computationally intensive VPN tasks, offloading them from the device itself. If such a performance-enhancing hardware add-on is required, what started out as a relatively low-cost solution--adding some software to an existing device--now costs more than expected.

In contrast, a VPN appliance is built to handle all VPN tasks without putting an additional burden on any of your existing networking equipment.

But there are drawbacks to this approach, as well. For example, you'll be adding a new piece of equipment to your network, thus increasing the complexity of your networking environment. Also, the IT staff will often need more training, since the configuration and management tools will likely be different than the ones used on your corporate routers, firewalls, and switches.

And there's a performance issue to be addressed. If you start with a VPN appliance designed to support 100 simultaneous VPN sessions, and you vastly expand your VPN to more users, scaling up the VPN will require the purchase of more appliances.
