

Features of VPN

As the worldwide leader in VPN installations, Check Point is redefining what is necessary to create a VPN that goes beyond the "private" in Virtual Private Networking. A VPN is a network that utilizes a public-based infrastructure, such as the Internet, to provide secure, reliable and manageable business-to-business communications. All three of these elements are essential to make a VPN function in today's complex computing environment. This is a radical change in the generally-accepted VPN definition that consists merely of encryption and authentication. A complete VPN includes the three critical components of:

"One size fits all" does not apply for VPNs: the combination of these three components is absolutely necessary to enable practical implementation of Virtual Private Networks.

Security

While most VPN vendors provide authentication and encryption, these two technologies only provide privacy for data communications. The security component of a VPN must include all three of the following technologies in order to guarantee the security of network connections, the authenticity of VPN nodes, and the privacy and integrity of data.

Access Control

Access control dictates the amount of freedom a VPN user has, and controls the access of partners, employees and other outside users to applications and to different portions of the network. A VPN without access control only protects the security of the data in transit, not the network itself. Rigorous access control capabilities protect the corporation's entire network, including a wealth of intellectual property and information, to ensure that VPN users have full access to the applications and information they need, but nothing more. Both of these capabilities, controlling access to applications and controlling access to specific portions of the network, are virtually ignored by most VPN vendors.
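To make the distinction concrete, here is an added example (not Check Point's code and not from this page) that contrasts a gateway which only authenticates the peer with one that also enforces a per-role, default-deny access policy; the roles, subnets, ports and connection attempts are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule: a destination subnet and the ports permitted on it."""
    network: str
    ports: frozenset


# Constructed sample policy (hypothetical roles and addresses): each
# authenticated VPN role is granted only the subnets and services it needs.
POLICY = {
    "employee": (Rule("10.0.0.0/16", frozenset({80, 443, 445})),),
    "partner":  (Rule("10.0.5.0/24", frozenset({443})),),
}


def tunnel_only(role, dst_ip, dst_port):
    """Encryption + authentication without access control: once the peer
    is authenticated, every host and port behind the gateway is reachable."""
    return role in POLICY


def access_controlled(role, dst_ip, dst_port):
    """Default deny: allow only if a rule for the role covers the destination
    subnet AND the destination port. Unknown roles match no rules at all."""
    addr = ip_address(dst_ip)
    return any(
        addr in ip_network(rule.network) and dst_port in rule.ports
        for rule in POLICY.get(role, ())
    )


def evaluate(requests):
    """Return (role, ip, port, tunnel-only verdict, access-controlled verdict)."""
    return [(role, ip, port, tunnel_only(role, ip, port),
             access_controlled(role, ip, port))
            for role, ip, port in requests]


# Constructed sample connection attempts arriving through the VPN gateway.
SAMPLE_REQUESTS = [
    ("partner", "10.0.5.10", 443),     # partner portal: needed
    ("partner", "10.0.1.20", 445),     # internal file server: not needed
    ("employee", "10.0.1.20", 445),    # internal file server: needed
    ("contractor", "10.0.5.10", 443),  # no role defined for this identity
]

if __name__ == "__main__":
    for role, ip, port, plain, acl in evaluate(SAMPLE_REQUESTS):
        print(f"{role:10} -> {ip}:{port:<4} tunnel-only={plain!s:5} access-controlled={acl}")
```

The second request is the case the paragraph warns about: the tunnel alone admits the partner to the file server, while the policy refuses it.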

Authentication

Authentication is the process of verifying that the sender is actually who he says he is. Support for strong authentication schemes is particularly critical to VPN implementations to ensure the privacy of both gateway-to-gateway and client-to-gateway communications: the identities of both corporate sites and individual users must be verified. A variety of authentication methods are available to meet the needs of particular VPN deployments, including traditional username/password authentication, RADIUS or TACACS/TACACS+ servers, LDAP-compliant directory servers, X.509 digital certificates, and two-factor schemes such as those involving hardware tokens and smart cards.

In addition to the strength of the authentication scheme deployed, other critical factors to consider are broad application support and scalability. Users of any IP-based service must be able to be authenticated in order to establish a secure VPN session. Scalability is of particular concern for remote access VPNs where the number of mobile clients is expected to grow. The authentication scheme implemented for such deployments must be both manageable and easily deployed for large numbers of individual users.

Traffic Control

A natural consequence of increased Internet usage for business communications is network congestion, which can adversely affect the performance of the VPN and other mission-critical applications. As an extension of the enterprise network, a VPN naturally increases network traffic as well as the risk that network performance may be affected. VPN benefits will not be fully realized if users suffer from poor response times, gateway crashes, or other network delays or failures.

A VPN solution must guarantee reliability and Quality of Service by enabling managers to define enterprise-wide traffic management policies that actively allocate bandwidth for inbound and outbound traffic based on relative merit or importance. This ensures the performance of mission-critical and other high-priority applications without "starving out" lower priority applications. The burst and delay effects of Internet traffic are eliminated, allowing network managers to manage or tune the network traffic using weighted priorities, limits, and service guarantees. This "tuning" approach optimizes network performance and alleviates network congestion for "must see" traffic, forcing less valuable traffic to wait until the most important VPN connections are made. Intelligently managing network bandwidth is one way to ensure that VPN traffic does not slow overall network performance.

Today, organizations implementing Virtual Private Networks want a guarantee that the additional processing requirements of the mathematically-based encryption processes will not degrade network performance. The best way to achieve this guarantee is to offload all cryptographic operations to a co-processor dedicated to encrypting and decrypting messages. This not only optimizes performance, it provides an additional measure of safety in the storing of the keys used for the cryptographic functions. Combining hardware-based acceleration with a software-based VPN solution offers the highest performance, flexibility and scalability possible in today's market, allowing the VPN to scale from T1 links to Fast Ethernet speeds without draining CPU resources.
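As an added illustration (not the page's or any vendor's code) of the weighted priorities, limits and service guarantees described above: a small allocator that first honours every class's guarantee, so nothing is starved, and then shares the leftover link capacity by weight, never beyond a class's limit. The class names and kbit/s figures are constructed sample values.

```python
def allocate_bandwidth(capacity, classes):
    """Split link `capacity` among traffic classes.

    classes: {name: (guarantee, limit, weight)}, in the same unit as capacity
    (the constructed sample uses kbit/s).
      guarantee - bandwidth the class always receives (served first)
      limit     - ceiling the class may never exceed
      weight    - relative share of whatever capacity is left over
    Capacity that a capped class cannot use is redistributed, by weight,
    to the classes still below their limits.
    """
    guaranteed = sum(g for g, _, _ in classes.values())
    if guaranteed > capacity:
        raise ValueError("guarantees exceed link capacity")
    alloc = {name: float(g) for name, (g, _, _) in classes.items()}
    remaining = float(capacity - guaranteed)
    active = {n for n, (g, l, w) in classes.items() if g < l and w > 0}
    while remaining > 1e-9 and active:
        total_weight = sum(classes[n][2] for n in active)
        capped, spent = set(), 0.0
        for n in active:
            _, limit, weight = classes[n]
            share = remaining * weight / total_weight
            room = limit - alloc[n]
            give = min(share, room)
            alloc[n] += give
            spent += give
            if share >= room:          # hit its limit: drop from next round
                capped.add(n)
        remaining -= spent
        active -= capped
        if not capped:                 # everyone took its full share
            break
    return alloc


# Constructed sample: a 1000 kbit/s Internet link shared by three classes.
SAMPLE_CLASSES = {
    "vpn":   (400, 1000, 3),   # site-to-site VPN: guaranteed 400, highest weight
    "email": (100,  200, 1),   # guaranteed 100, but limited to 200 even when idle
    "web":   (  0, 1000, 1),   # best effort, yet still receives a weighted share
}

if __name__ == "__main__":
    for name, kbps in allocate_bandwidth(1000, SAMPLE_CLASSES).items():
        print(f"{name:6} {kbps:7.1f} kbit/s")
```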

Enterprise Management

As today's network infrastructure continues to grow, the ability to manage increasing complexity is a crucial differentiator for VPN solutions. A VPN is an extension of the corporation to the outside world, and is therefore also an extension of the enterprise's total security policy. It is imperative that the VPN can be managed from the same integrated console as the rest of the organization's security elements. This is a critical step in implementing a successful and secure network, regardless of the number of regional offices or nodes in the VPN. In addition to ensuring bulletproof security for the organization, centralized, policy-based management offers a number of benefits that translate to swift and easy addition of new users, new offices and new applications, offering the flexibility needed to meet an organization's changing needs.

The rapid adoption of the "extended enterprise" has caused an explosive increase in the number of applications, users, and IP addresses in use across many organizations. Managing this voluminous amount of user information poses formidable challenges for both network and security administrators. 

In addition, neither security in general nor VPNs in particular are single-platform applications. Today's networks include a conglomeration of heterogeneous platforms and operating systems. A true enterprise VPN solution must be able to work across multiple platforms in order to be effective. In addition to multi-platform support, a VPN must be able to interoperate between different vendors' solutions and applications. For example, the partners, distributors and customers connected by a VPN will likely have implemented a wide variety of security solutions. Interoperability based on industry standards ensures that the VPN will be an effective business communications tool, no matter which vendor's implementation is selected.