A VPN does not consist of a concentrator alone. The concentrator aggregates and terminates multiple VPN connections, but it is only one component of the overall system. VPN concentrators continue to improve so that they operate more efficiently and keep pace with modern network designs.
A remote-access VPN consists of a VPN concentrator, which terminates the virtual remote access connections, and software clients that are installed on the remote computers in order to establish the connections.
The clients can connect to a service provider using any transmission technology. Whether modems, ISDN, DSL, or cable modems are used depends only on the access technology offered by the local service providers in the respective regions. The customer no longer needs central equipment to terminate these access connections; the service providers do this. The customer only terminates the so-called tunnels that the provider sets up to the VPN concentrator. A growing number of users has become a challenge for ISPs, who for their part have a vital interest in keeping enough ports available: a user who cannot dial in to the service provider generates no revenue for it.
With VPN technology in which the virtual connections are initiated by the client, you are completely independent of the Internet service provider. You can switch providers at any time or use several ISPs in parallel without any problems, because the service provider is no longer involved in the functioning of the VPN: it only terminates telephone calls and fixed connections and forwards IP packets between the end devices and the VPN concentrators.
VPN and Firewall Centralized Security Management Platform
As awareness of network security has grown and security technology has developed rapidly, more and more governments and enterprises have begun to deploy a variety of security systems, such as firewalls, intrusion detection, VPNs, and vulnerability scanning systems.
These security products operate as separate product lines, and even devices from the same manufacturer often cannot be managed centrally and uniformly, which leaves many hidden security risks caused by inadequate network management. Users increasingly need a comprehensive management system that manages multiple security products as one integrated network security system, with centralized deployment and unified monitoring. This is why the security management platform came into being.
Compared with other network products, VPN products have one very significant characteristic: in practice, their deployment is necessarily cross-regional and distributed.
IPsec VPN vs. SSL VPN
In the early days, when you wanted to establish a secure channel between the company's internal network and the outside world, IPsec VPN was the only option. However, because each vendor's equipment followed its own connection specifications, the result was often a highly closed system: connecting to different devices required different client software, which was troublesome and prone to configuration problems. Although IPsec VPN provides good security, it is quite inconvenient.
As SSL VPN matured, many people began to ask whether it could completely replace IPsec VPN as the new secure connection method for enterprises. Although SSL VPN does offer better mobility and flexibility than IPsec VPN in most daily use, for overall enterprise applications IPsec VPN still has irreplaceable advantages.
As an enterprise grows, it must extend to additional sites, but if it relies only on the public Internet to transmit information, both the convenience and the security of transmission are reduced, and many internal dedicated application services cannot be used.
When there are more than two sites, a dedicated line connects the two ends at the physical circuit layer. This offers excellent security and effectively prevents external intrusions, but it cannot provide individual Internet connections to obtain better information transmission capabilities.
Although dedicated lines offer a high degree of security and speed, their construction and maintenance costs are very high. Apart from institutions that require high-security connections, such as financial institutions and military and police systems, almost no one uses them.
The service areas of SSL VPN and IPsec VPN differ. The client uses a browser to connect to the SSL VPN, and a secure channel is established between the two ends over the HTTPS protocol. The SSL VPN device must therefore act as a web server, and its relationship with the client is a server-to-client one. This effectively supports the one-to-many mode, but support for many-to-many situations is poor, so it is not suitable for a site-to-site environment.
Although some devices can build a site-to-site environment using a method similar to IPsec VPN, there are inherent limitations in their use and their transmission performance is poor.
For the client, an IPsec VPN connection requires dedicated connection software or a dial-up program. The settings are more complicated, and in different connection environments the tunnel is often unreachable or unstable, especially for mobile users on dial-up networks.
With an SSL VPN connection, the mobile client only needs a browser that supports the SSL encryption protocol to access resources and programs on the internal network. Because the traffic is ordinary HTTPS, it passes through firewalls, NAT, and even proxy caches and other network security devices without the connection restrictions those impose, and it supports many kinds of devices, such as PDAs, GPRS mobile phones, kiosks, and even public computers. It is quite flexible in use: as long as there is an Internet connection, mobile users need no dedicated software or hardware and can still connect securely back to the corporate intranet.
Free Access vs. Permission Control
Once the client is connected, IPsec VPN gives the user free access to all shared resources on the internal network. Apart from the policy controls already set on the internal network, there is no way to grant different permissions depending on whether the client computer is internal or external.
For IPsec VPN, all client networks, whether internal or external, are trusted. If a user inadvertently lets an infected computer connect to the internal network through IPsec VPN, and the internal network's own security protection is not properly established, the virus can spread into the internal network.
In contrast to IPsec VPN, the default assumption of SSL VPN is that client computers are not managed by corporate security policy and should not be trusted. The permission control of SSL VPN therefore does not simply inherit the permissions set in the corporate intranet.
Although it can support SSO (Single Sign-On), the SSL VPN must still grant specific permissions to each connection based on the user account or group, so as to control which applications and services can be used and prevent remote users from unintentionally reading resources meant only for the internal network or endangering internal network security. In short: the larger the group, the more IPsec VPN is the choice; the longer the distance, the more SSL VPN is the choice.
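To make the two access models above concrete, here is an added example (not code from the original article or from any VPN product) that evaluates the same request under an IPsec-style "trusted once connected" model and an SSL VPN-style per-group application policy. The intranet ranges, the policy table, the user directory, and the user names are constructed sample data.

```python
import ipaddress
from typing import Dict, Set, Tuple

# Constructed sample: the corporate intranet an IPsec tunnel drops the client into.
INTRANET = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample: an SSL VPN access policy keyed by user group.
# Each entry is the set of (host, port) application endpoints the group may reach.
SSL_VPN_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "finance": {("10.10.20.5", 443), ("10.10.20.9", 1433)},  # ERP web UI, finance DB
    "sales": {("10.10.30.7", 443)},                          # CRM web UI
}

# Constructed sample directory: user -> groups.
USERS: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob": {"sales"},
}


def ipsec_reachable(dst_ip: str) -> bool:
    """IPsec model from the text: once the tunnel is up the client is trusted
    and may reach any host on the internal network, whoever the user is."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INTRANET)


def ssl_vpn_allowed(user: str, dst_ip: str, dst_port: int) -> bool:
    """SSL VPN model from the text: the client is untrusted by default, and only
    the applications explicitly granted to the user's groups are reachable.
    Nothing is inherited from the intranet: an address inside INTRANET is still
    denied unless some group policy names that exact (host, port)."""
    groups = USERS.get(user, set())
    return any((dst_ip, dst_port) in SSL_VPN_POLICY.get(g, set()) for g in groups)


def compare(user: str, dst_ip: str, dst_port: int) -> Tuple[bool, bool]:
    """Return (ipsec_reachable, ssl_vpn_allowed) for one request to show the gap."""
    return ipsec_reachable(dst_ip), ssl_vpn_allowed(user, dst_ip, dst_port)


if __name__ == "__main__":
    requests = [
        ("alice", "10.10.20.9", 1433),     # finance user -> finance DB
        ("bob", "10.10.20.9", 1433),       # sales user -> same DB
        ("bob", "10.10.30.7", 443),        # sales user -> CRM
        ("guest", "192.168.50.10", 445),   # unknown user -> file share
    ]
    for user, ip, port in requests:
        print(f"{user:6} {ip}:{port} ipsec={compare(user, ip, port)[0]} sslvpn={compare(user, ip, port)[1]}")
```

The second and fourth rows are the point of the article's comparison: the IPsec model answers True for any intranet address, while the SSL VPN policy denies them because no group grants that application.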