VPN Concentrators: What are they?
Not many people know what a VPN Concentrator is, including most of the small business owners I have been contracted to help set up or secure networks for. This is often a problem, as too many business owners are leaving their networks open even though they may contain sensitive information.
What is a VPN Concentrator?
A “VPN Concentrator” is essentially an advanced router that is set up to handle multiple secure connections into a given network. In other words, a VPN Concentrator is a device that handles multiple remote VPN tunnels.
Rewinding a bit more than a dozen years, Windows NT 4.0 was the OS of choice for many server administrators, and dial-up was the only internet available. NT had a connection protocol we used through our dial-up modems called Remote Access Service (RAS), which allowed multiple users to securely access the network remotely from anywhere in the world. For these servers to operate, multiple dial-up modems would be bonded, or joined, to increase ingress and egress bandwidth.
Fast forward to today’s business networking needs: we now use VPN Concentrators to handle anywhere from hundreds to thousands of remote clients through encrypted VPN tunnels. A VPN Concentrator is not to be confused with Site-to-Site VPN, which is typically used to securely tunnel two or more office networks to, for example, a mainframe database. The figure to the side displays a simplified path for VPN Concentrator setups, showing users from anywhere logging in securely, with authentication, to the business server.
Small Businesses Often Lack Security
Too many small & medium business operators end up leaving their networks prone to attacks by using other methods of remotely accessing their networks. I often come across clients using remote desktop access software, and this is where a security weak point is created.
Unbeknown to the business owners, when apps like remote desktop are in use, attackers who happen to sniff out the network’s static IP and find that it has a remote desktop VPN login will immediately start attempting to crack the password, quite possibly succeeding and breaching the network without detection.
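The "without detection" part is the piece a small business can address cheaply. The sketch below is an added example, not part of the original article: it flags a burst of failed logons from one source and, more importantly, a successful logon that follows such a burst. The event IDs are the Windows Security log's 4625 (failed logon) and 4624 (successful logon); the comma-separated layout, addresses, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, Windows Security event ID,
# source IP, account. 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2024-03-01T02:10:01,4625,203.0.113.7,administrator
2024-03-01T02:10:03,4625,203.0.113.7,administrator
2024-03-01T02:10:05,4625,203.0.113.7,admin
2024-03-01T02:10:08,4625,203.0.113.7,administrator
2024-03-01T02:10:11,4625,203.0.113.7,administrator
2024-03-01T02:10:15,4624,203.0.113.7,administrator
2024-03-01T08:59:40,4625,198.51.100.20,jsmith
2024-03-01T09:00:02,4624,198.51.100.20,jsmith
"""

FAILED, SUCCESS = "4625", "4624"


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for sources with >= threshold failures inside the window,
    and for any successful logon from a source while it is in that state."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.strip().splitlines():
        ts_raw, event_id, src, user = line.split(",")
        ts = datetime.fromisoformat(ts_raw)
        fails = recent[src]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if event_id == FAILED:
            fails.append(ts)
            if len(fails) == threshold:  # alert once, when the threshold is crossed
                alerts.append(("password-guessing", src, user, ts_raw))
        elif event_id == SUCCESS:
            if len(fails) >= threshold:
                # A success right after a burst is the likely-breach case.
                alerts.append(("success-after-guessing", src, user, ts_raw))
            fails.clear()  # a legitimate typo followed by a success resets the count
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

On the sample data the single mistyped password from 198.51.100.20 raises nothing, while the burst from 203.0.113.7 raises both alert types.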
VPN concentrators are not always the answer, and it remains perfectly fine for home users to utilize remote desktop apps, especially if they operate on a dynamic IP and always close the server client when it is not in use, as a best practice to avoid intrusion.
A business server, on the other hand, should always opt for a minimum of a VPN router, which is pretty much the same thing. The term ‘VPN Concentrator’ is actually not used that often anymore, as manufacturers no longer produce standalone concentrators and now include a combined firewall, whereas in the past the two were separate.
If we rewind once more, the most popular models were made by Cisco and Netgear: the Cisco 3000 series VPN Concentrator and Netgear’s ProSafe SSL VPN Concentrator, respectively. All of these models are now ‘EOL’ (End of Life) for support. You can probably find some used ones for cheap, but new models are less prone to security flaws and operate better with higher processing power. The new standard is arguably the Cisco ASA line, offering nothing but the best in terms of firewall protection and VPN Concentrator capabilities. End-users may also opt to use Cisco ASA routers strictly for the firewall or strictly for the VPN Concentrator, disabling the other.
VPN Concentrators or VPN Routers
Picking a VPN Concentrator or VPN tunneling capable router requires a little bit of assessment in order to make the right choice. VPN routers range in capabilities and a few perks need to be considered depending on the kind of remote access needs and applications that you’re going to have.
High-end VPN concentrators may not necessarily be what you need, or may be too costly for small companies. In these cases, a more affordable, VPN-capable router used as a gateway checkpoint for your server can also be an adequate setup, but it generally requires more IT network administrator man-hours to manually configure VPN clients on all remote desktops and devices. Higher-end concentrators provide a complete, all-in-one solution with client software and even web portals to match the platform, making it easier to set up and easier for employees to use through the web.
Other important factors to consider:
VPN Concentrator vs. Site-to-Site VPN
As I mentioned earlier, site-to-site VPN connections are not the same thing as a concentrator. If you only need to connect 2 to 3 sites or so together, Site-to-Site VPN would be the right solution. Instead of having a router managing and authenticating multiple remote users for access from anywhere, site-to-site setups are designed to tunnel fixed locations, such as your home office to your main office, or branches located in other cities, in order to gain access to the same database and systems.
But, if you need to grant remote access from random locations, mobile devices, or simply to multiple users, a VPN router or concentrator is the ideal solution.
VPN Concentrator SSL vs. IPSec Encryption
Concentrators usually utilize VPN encryption using either IPSec or SSL for web based applications. This becomes an important factor to consider, as it can affect how and where a user can connect from, as well as the amount of client-side software configuration required.
IPSec requires client software in order to connect to the VPN tunnel, and provides more configurable options in terms of local access and security levels. It presents a very high level of security and encryption, but requires more IT man-hours to set up a whole team.
IPSec is better applied to fixed remote locations, and less to travelling laptop or mobile users, as some connection points may be set to block IPSec traffic. Meaning that if you’re a salesperson attempting to VPN into the network from a Wi-Fi hotspot, there is a chance that the connection will be blocked due to IPSec.
SSL becomes a popular choice for these scenarios, where many remote users will be connecting from various international connection points. Additionally, using SSL VPN provides the possibility of eliminating some of the end-user configuration and client software required.
SSL is now a standard for web encryption, meaning that every computer already has the capability of utilizing the protocol without having to configure anything. It is also much more preferable to use SSL for access to web application software for employees, as it grants less local access, but a way better platform for online web apps. Unfortunately, some other applications or software can have an opposite limitation, only allowing for IPSec VPN connections to be able to access the OS remotely.
It’s always a matter of properly assessing your business needs in order to better select the right solution to secure your server, provide reliable remote access, and protect against outside attacks attempting to gain access.
That is a really well explained article – great job :)