Enterprise organizations solving for remote access have a very different set of requirements than a home user. They not only have to worry about the end users connecting through the VPN, they also have to manage that VPN centrally across a large user group and keep a large network protected.
As such, we will break the considerations you’ll need to work through into those two categories below.
Ease of management
Many hardware VPN server management systems are notoriously difficult to use, requiring almost complete control through a command line interface rather than a user-friendly graphical user interface (GUI).
When evaluating hardware VPNs, you should make sure to look for a simpler control interface than a complex command line control environment.
Ideally, you’ll want the ability to easily deploy and control the VPN server. The more complex the setup and management of your VPN server, the more time you’ll have to spend managing it and the higher the risk of misconfiguration or error.
Look for a solution that makes it simple.
Important management features
There are a few key features that many enterprise IT teams will need to ensure their VPN solution satisfies, including:
- Auditing: your solution will need to provide and maintain a detailed audit trail for forensic purposes.
- Log Shipping: in order to aid disaster recovery efforts, a solution which provides log shipping will be important.
- Monitoring: your solution will need to provide administrators complete visibility into all activity by all users.
Software and environmental compatibility
You’ll want to look for a solution that disrupts your current environment as little as possible. An environment-agnostic hardware VPN solution whose centralized management runs as a virtual server is a safe bet.
For instance, our GoSilent VPN server is a virtual machine appliance, meaning it is agnostic of your existing central network environment, operating systems or applications.
Initial set-up and deployment
Another commonly overlooked factor when selecting a VPN solution is the amount of effort it takes for the IT team to get it off the ground. The COVID pandemic has highlighted this problem very clearly; IT teams have had to figure out how to launch a full-scale work-from-home solution while not going into the office themselves.
In addition to the concern for compatibility above, ensuring you select a solution that runs as a virtual server will help make this simpler.
Outfitting your network and users for secure access can also be accomplished much more efficiently and easily with a hardware-based VPN compared to a software solution.
As an example, doing this with Attila’s GoSilent Cube and Virtual Server involves the following steps:
- Set up the virtual server on your enterprise network. This can be set up and completed in as little as 10 minutes.
- Provide each of your users with a GoSilent Cube that allows their corporate devices, or personal devices if BYOD (e.g., laptops, desktops, smart phones and/or tablets), to connect securely over the open internet to your internal network.
- Users connect GoSilent Cube to their devices (with no setup required for a simple, plug-and-play solution that even non-technical users can deploy in minutes), log in and go!
Third party validation
One of the best things you can do to ensure your chosen solution will meet your security needs is to look for a hardware VPN provider that has gotten third party validation of their encryption and overall security posture.
In this case, you should look for the best third party validation available. You can choose to look at solutions that are NIAP Approved, CSfC Certified, or FIPS compliant. This means that the government itself has fully reviewed the product, as well as tested and vetted the security measures of the hardware VPN and its encryption.
Solutions which have achieved those levels of certification have been approved for use on up to Top Secret level data, meaning your organization can trust their protection for whatever level of security you need.
Depending upon the type of data your organization sends, you may also need to consider if a quantum resistant VPN is something you need.
One of the biggest concerns amongst organizations like the Department of Defense, financial institutions and healthcare providers is the fact that information harvested and stored today could potentially be decrypted in the future.
If you are transmitting encrypted information today with an algorithm that could be broken by a quantum computer, it would be possible for malicious actors to intercept that information, store it in its encrypted form, and save it for a future date.
Once a quantum computer is built that has the speed and processing power capable of breaking that algorithm, it can be used to decrypt and access any information that was previously stored.
So, essentially, you should be concerned about using quantum-resistant cryptography if you have sensitive information that would still be a problem if it was discovered and released in roughly 20 to 30 years.
This is why the government, specifically the Department of Defense, is concerned about employing quantum-resistant cryptography today. Much of the classified information that needs to be protected today will still be classified in 30 years, and could potentially still do a lot of harm if released 30 years down the line.
Another prime example is related to healthcare. Intercepting encrypted medical records today could mean the wide release of personal health information protected by HIPAA in the future.
While 30 years may feel like it is far away, the release of nearly all the information you are working to protect today is a big concern, even when the threat is that far into the future.
If this is a concern for your organization, you’ll want to ensure that your chosen VPN solution uses cryptography that is quantum resistant.
End user concerns
Ease of use and training
Your goal should be to locate a solution that requires absolutely no training at all. Yes, you read that right. It is rare, but not impossible, to find a hardware VPN solution that is so simple for end users that they will require no training whatsoever.
The best place to start with this is VPN configuration requirements. Take our GoSilent Cube hardware VPN client for instance. Because there is nothing to configure on a GoSilent, there is nothing to misconfigure. It is as simple as plugging the GoSilent Cube into the end user device (or connecting the two over the GoSilent Cube's LAN). That’s it.
Take ASSETT, a client of ours, as a real-world example. They shipped GoSilent Cubes to all of their employees during the COVID-19 pandemic (so no in-person training was even possible). Their employees were able to self-provision the Cubes in minutes, on their own and without the need to install or configure any software or VPN service, in the comfort of their homes.
Size and form factor
Most enterprise hardware VPN solutions are typical rack appliances that are large and bulky.
In general, you will find that you have to sacrifice certain things when shrinking down the size of your VPN client. Typically, if a solution is smaller in form factor, you’ll find that it can protect fewer devices at one time and may have lower throughput or higher latency.
There aren’t many solutions that can provide the performance of an “enterprise grade” remote access solution that are also small enough to be portable. As far as we are aware, Attila’s GoSilent Cube is the only product on the market that offers the performance it does at a size small enough to fit in the palm of your hand.
The majority of hardware VPNs that have the same performance and throughput are at least four to six times the size, require two to three times the amount of power, and weigh two to three times as much as a GoSilent mobile VPN.
Captive portal protection
Particularly if you are using your solution to protect remote or traveling workers, you’ll want to ensure that it provides protection against captive portals.
When connecting from locations with free guest Wi-Fi access, users will often be routed through a captive portal that requires personal information and acceptance of terms and conditions before it grants network access or provides an IP address.
In practice, many users regularly choose to use unsecured public Wi-Fi (including networks with captive portals) rather than their own cellular data providers in order to save money on wireless access, making it highly likely that remote employees will at some point choose to use a captive portal to gain access to the internet.
Captive portals provide an easy point of entry for malicious actors looking to gain access to an individual user’s device and, through that, the larger corporate network.
Captive portal isolation involves the use of a combination firewall and VPN hardware with a built-in, stateless, sandboxed web browser.
You’ll want to ensure that your chosen hardware VPN solution offers this level of protection.
Typically, BYOD has been avoided by organizations that take security very seriously, ranging from large enterprises to government agencies and everything in between, because of their inability to manage and control operating systems, software patches and updates, and device usage.
Unfortunately, for most organizations, in the face of the COVID-19 pandemic, the size of the remote workforce has increased far beyond the number of employer-provided devices that are available, making it critical that organizations put in place clear Bring Your Own Device (BYOD) policies.
The COVID-19 crisis has forced many of these organizations, including government agencies, to take a fresh look at BYOD, and the options available to bolster the security of data when it is shared with employees using personal devices.
Ideally, in this environment, and looking to the future, you’ll want to select a solution that is BYOD-friendly.
The primary security concerns enterprise organizations have with BYOD and VPNs are:
- Malware on the device: Existing malware that may be present on a user's personal device may be able to jump through the VPN into the corporate network itself, which could wreak havoc. It also may be able to steal VPN keys and grant bad actors unauthorized access to your network from other locations.
- Installation, set-up and configuration: Typically there is a lot of training required to launch a VPN solution, and the centralized requirements for the IT staff are often very high.
- Split tunneling: One of the primary concerns with remote access VPN usage is the ability to enable split tunneling, which allows a remote VPN user to access the internet through a public or unsecured network at the same time that they are allowed to access the corporate network through the VPN. You don’t want to have to rely on users to know how to enable and disable this.
- Interoperability: The reality is that you, as the employer, have little to no control over what applications or devices individual employees use for BYOD. This creates all kinds of interoperability concerns where your solution must be able to work agnostic of software, OS or device.
Ultimately, you will want to look for a solution that mitigates all of these concerns, making BYOD not only possible, but easy.
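To make the split tunneling concern above concrete, the following added example (not Attila's code or part of the original article) audits a client's routing table and reports any route that lets non-local traffic leave outside the VPN. It assumes Linux `ip -4 route show` output; the interface names `tun0` and `wlan0`, the VPN server address 203.0.113.10 and the sample table are constructed for illustration.

```python
import ipaddress

# Ranges allowed to stay off the tunnel: RFC 1918 LANs, link-local, loopback.
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed sample: only 10.20.0.0/16 is sent into the tunnel (split tunnel).
SPLIT_SAMPLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Parse `ip -4 route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line or a route without an egress device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def bypass_routes(text, tunnel_dev, vpn_server):
    """Return (network, device) routes that let non-local traffic skip the tunnel."""
    routes = parse_routes(text)
    tunnel_nets = [net for net, dev in routes if dev == tunnel_dev]
    server = ipaddress.ip_network(vpn_server)  # host route carrying the tunnel itself
    leaks = []
    for net, dev in routes:
        if dev == tunnel_dev or net == server:
            continue
        if any(net.subnet_of(local) for local in LOCAL):
            continue
        # Longest-prefix match: more specific tunnel routes win. If together they
        # cover this route (e.g. 0.0.0.0/1 + 128.0.0.0/1 over the default), nothing
        # leaves through it. Metrics are ignored, so equal-prefix ties are reported.
        subs = [t for t in tunnel_nets
                if t.prefixlen > net.prefixlen and t.subnet_of(net)]
        if list(ipaddress.collapse_addresses(subs)) != [net]:
            leaks.append((str(net), dev))
    return leaks

def is_split_tunnel(text, tunnel_dev="tun0", vpn_server="203.0.113.10"):
    return bool(bypass_routes(text, tunnel_dev, vpn_server))
```

An empty result from `bypass_routes` means every non-local destination is forced through the tunnel; any entry it returns is a path the user's device can use to reach the internet directly while connected to the corporate network.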
Storage of sensitive data on end user devices
This is a concern for both BYOD and non-BYOD deployments. In the case of BYOD, it is definitely more of a problem, but in both cases the possibility of device theft or loss makes it a real concern to have any corporate information stored on that device.
You can always put in place policies that tell users they can’t do this, and work to rely more heavily on cloud-based applications which store data in the cloud. But in practice, both of those are incredibly limiting to you as an organization.
Instead, you may consider a solution that combines virtual desktop infrastructure (VDI) with a VPN to provide protection without limitations.
A VDI allows end users to work remotely through a virtualized environment that lives on your central server. End user devices connect via the VDI to virtual machines that you have set up on your server, allowing users to execute work as if they are on your internal network.
With VDI, no data is stored on the end user device. Instead, the user can simply see what is on the screen of the virtual machine and interact with it, but not store data from it. VDI supports a range of end user devices, from laptops and desktops to tablets or mobile devices.