Posted in General by david7eagle on August 22nd, 2011. Tags: VPN
Small businesses are an essential part of the network market. They provide economic growth and are a crucial target for any networking company’s market share. Though small businesses do not generate as much revenue for networking companies as enterprise customers do, getting a business to adopt your products early on is sound marketing. As a business grows, the need for more flexible communication will prompt a small business owner to ditch their AT&T 2Wire and move up to a better device.
The small business environment differs significantly from the enterprise. There is generally little or no existing infrastructure, a limited budget, and a particular need for user friendliness and simplicity for the end user. In this blog post, we will briefly review the basics of VPN protocols, how they apply to the small business environment, and then pay special attention to several specific solutions that are less known, particularly in the Mac world.
Brief Points on VPN Protocols
PPTP: Included in both Windows and Mac operating systems, the Point-to-Point Tunneling Protocol operates at Layer 2 and extends PPP onto the WAN. Connection initiation is handled on TCP port 1723; the TCP connection is then used to create and manage a GRE tunnel to the destination. PAP, CHAP and, for Microsoft clients, EAP-TLS are used for authentication. PPTP’s reliance on CHAP’s insecure design makes it a poor choice for security-minded applications.
L2TP: L2TP has no native security and is most often used to initiate connections for IPSec tunnels (IPSec over L2TP).
IPSec: The Internet Protocol Security suite has extensive applications in creating VPNs. Authentication Header (AH) and Encapsulating Security Payload (ESP) are used to encrypt both IP packet headers and payloads. HMAC-SHA1 is used for integrity validation. In a VPN environment, the Diffie-Hellman algorithm is used for the initial key exchange during tunnel setup. Once relegated to the enterprise because of the complexity of its implementation, IPSec has now been brought to the small business world through Cisco’s RV line of routers and the Quick VPN client.
SSL/SSH: Accessible from a web browser and secured by the popular certificate-based SSL/TLS suite, SSL VPNs are gaining popularity as a light but efficient method of providing remote services.
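A small network usually ends up running whichever of these protocols its router happened to support, so it is useful to be able to tell from flow records which VPN family is actually in use and whether it is one of the weak ones. The Python script below is an added example, not code from the original post. It classifies flows by the transport and IP protocol numbers discussed above: TCP 1723 plus GRE for PPTP are taken from the post; UDP 1701 for L2TP, UDP 500/4500 for IKE, and IP protocols 50 and 51 for ESP and AH are the standard assignments. TCP 443 is only marked as a possible SSL VPN, since by port alone it cannot be told apart from ordinary HTTPS. The flow records are constructed sample data.

```python
"""Classify flow records by VPN protocol family and flag weak tunnels.

Added example. Port and protocol numbers: TCP 1723 + GRE (PPTP) are from
the post; UDP 1701 (L2TP), UDP 500/4500 (IKE, NAT-T) and IP protocols
50/51 (ESP/AH) are the standard IANA assignments. SAMPLE_FLOWS is
constructed data, not captured traffic.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# IP protocol numbers (IANA assigned)
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int             # IP protocol number
    dport: Optional[int]   # destination port; None for GRE/ESP/AH
    nbytes: int


def classify(flow: Flow) -> Optional[str]:
    """Return the VPN family a flow most likely belongs to, or None."""
    if flow.proto == PROTO_TCP and flow.dport == 1723:
        return "PPTP"          # PPTP control channel
    if flow.proto == PROTO_GRE:
        return "PPTP"          # PPTP data channel carried in GRE
    if flow.proto == PROTO_UDP and flow.dport == 1701:
        return "L2TP"          # L2TP itself, which has no native security
    if flow.proto == PROTO_UDP and flow.dport in (500, 4500):
        return "IPSec"         # IKE key exchange, plain or NAT-traversed
    if flow.proto in (PROTO_ESP, PROTO_AH):
        return "IPSec"         # ESP / AH protected traffic
    if flow.proto == PROTO_TCP and flow.dport == 443:
        return "SSL-VPN?"      # could equally be ordinary HTTPS
    return None


def summarize(flows: Iterable[Flow]) -> Tuple[dict, List[Tuple[str, str]]]:
    """Return (bytes per VPN family, sorted (gateway, finding) pairs)."""
    by_family: Counter = Counter()
    l2tp_hosts, ipsec_hosts, findings = set(), set(), set()
    for f in flows:
        fam = classify(f)
        if fam is None:
            continue
        by_family[fam] += f.nbytes
        if fam == "PPTP":
            findings.add((f.dst, "PPTP: CHAP-based authentication is weak"))
        elif fam == "L2TP":
            l2tp_hosts.add(f.dst)
        elif fam == "IPSec":
            ipsec_hosts.add(f.dst)
    # L2TP is only acceptable when paired with IPSec to the same gateway;
    # flag gateways that see L2TP but no IKE/ESP/AH at all.
    for host in l2tp_hosts - ipsec_hosts:
        findings.add((host, "L2TP without IPSec: tunnel is unencrypted"))
    return dict(by_family), sorted(findings)


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", PROTO_TCP, 1723, 1200),   # PPTP control
    Flow("192.0.2.10", "203.0.113.5", PROTO_GRE, None, 48000),  # PPTP data
    Flow("192.0.2.11", "203.0.113.6", PROTO_UDP, 500, 2400),    # IKE
    Flow("192.0.2.11", "203.0.113.6", PROTO_ESP, None, 96000),  # ESP
    Flow("192.0.2.12", "203.0.113.7", PROTO_UDP, 1701, 900),    # bare L2TP
    Flow("192.0.2.13", "203.0.113.8", PROTO_TCP, 443, 7000),    # HTTPS or SSL VPN
    Flow("192.0.2.14", "198.51.100.9", PROTO_TCP, 80, 3000),    # plain web, ignored
]

if __name__ == "__main__":
    families, issues = summarize(SAMPLE_FLOWS)
    for fam, total in sorted(families.items()):
        print(f"{fam:9s} {total:>8d} bytes")
    for host, finding in issues:
        print(f"{host}: {finding}")
```

Run against real flow exports (NetFlow, firewall logs) the same logic shows whether a gateway still accepts PPTP, the one protocol the post singles out as unsuitable for security-minded use.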
Creating VPNs for Windows Clients
Unless a small business client has specifically decided otherwise, the Cisco Quick VPN Client is a good reason to choose the bridge logo. Quick VPN allows easy implementation of IPSec on Windows clients and is supported on all of the Cisco RV Small Business series routers. Its ease of setup and use makes it a very attractive option. The rest of this post will focus on bringing VPN support to Mac clients.
Creating VPNs for Macintosh Small Business Users
Yes, the cult of Apple. They claim to be smarter than Windows users… and more sophisticated. Despite the fact that my image of the typical Mac user is heavily influenced by the granola-eating, Apple-loving, iPad-toting hippies you meet in Asheville, NC (the closest really lefty city to where I live in upstate SC), I realize that Macs have a significant market share among small business users. Indeed, an increasing number of small businesses have added Macs to their networks, and you will find Macs outside of the traditional confines of creative professionals and their shops. Small business government contractors will almost always choose all Macs over UNIX when avoiding Windows due to security compliance requirements.
Because Macs have traditionally been shunned in the enterprise environment, the small business contractor will need to work a little harder to put together a manageable and reliable VPN solution. Major manufacturers have taken different approaches to providing services for Macs. Cisco discontinued its Mac Quick VPN client, with support ending at Mac OS X 10.5. This left Snow Leopard users in the lurch, though an enterprise client is available through a Small Business Pro contract. Recently, however, Cisco added PPTP tunnel support to its new entry-level RV110W. Given PPTP’s less than stellar security, many small business users will probably look elsewhere.
Mac users have a list of diverse choices:
- Apple Server: If your client already has one, that’s great. If not, they might balk at the $1000 price tag. Apple’s native VPN solution, Mac Server allows the creation of PPTP and IPSec over L2TP tunnels. Implementation is somewhat complex, as with all UNIX servers. Thankfully, the Apple GUI makes some things easier.
- IPSecuritas: This free program from Lobotomo Software is an IPSec client that can connect to a host of different gateways, including the Cisco RV Series routers. In my experience, the program is somewhat buggy and generally hard to implement. Some small shop users will be restricted by the fact that especially high upload speeds are required on the gateway end.
- Equinux VPN Tracker: This professional VPN client uses IPSec and provides advanced authentication and certificate integration suitable for the enterprise.
- Flying Mac Presence: This VPN client allows mobile devices such as iPhones and iPads to create HTTPS connections to a gateway. If you have home users looking for convenience on the go, this is a good option.
- Yazsoft ShareTool 2: My favorite one in this list. ShareTool runs Apple’s Bonjour network initiation protocol over SSH. I just recently implemented it and can attest to the fact that it really just works. Users’ passwords and the gateway WAN IP are hashed on Yazsoft’s website. After logging in, users can access a host of Bonjour services, including file sharing with AFP, screen sharing, iTunes streaming from other computers or to their speakers, and even wireless printing to home printers on the go. Given its ease of use, you have a good shot at impressing your clients.
What solutions do you use for your small business customers and friends? Comments and questions are welcome.
A thread has been created on the site forum specifically for commenting on this blog post.