Quocirca's Straight Talking: Secure remote access closes in

Management headaches have finally gone…

Tags: vpn, remote access

By Fran Howarth

Published: 25 July 2008 15:30 GMT

Virtual private networks that use internet protocol security used to be seen as a nightmare. But next-generation IPsec VPNs are changing all that, says Fran Howarth.

Over the past 40 years or so, the way IT has been delivered to end users has changed dramatically. In the 1960s and 1970s, the mainframe dominated and computing resources were generally centralised.

By the 1990s, the client-server computing model came into use, providing a convenient way of interconnecting applications distributed across different locations.

Now, with the internet ubiquitous, we are all used to a highly distributed computing environment, with information obtained on demand via a wide array of computing devices, many of which are mobile.

This distributed computing paradigm allows for a highly mobile workforce, which has created demand for technologies that enable workers to remotely access their organisation's centralised network resources.

But hackers are increasingly targeting those networks, looking to steal valuable information. On top of that, with more than one billion users accessing the internet in 2007, there is a colossal amount of information being exchanged that could fall into the wrong hands.

In today's highly regulated environment, large fines are being imposed on organisations that lose personal data.

Those consequences mean technologies that provide remote access to computer networks must be highly secure. Over time, virtual private networks (VPNs) have become the de facto technologies for achieving secure remote access.

These commonly come in two flavours. On the one hand there are Secure Sockets Layer (SSL) VPNs, which are easy to deploy, but which generally provide access to a fairly limited range of applications, primarily those that are web-based.

On the other hand, internet protocol security (IPsec) VPNs provide a level of network access that is comprehensive and offers an experience similar to being physically located in an office. But these VPNs have traditionally been cumbersome to deploy and manage.

These drawbacks are something most vendors of IPsec VPNs have been working on. One of the main problems with first-generation IPsec deployments was that they traditionally required a software agent to be installed on every device under management.

Installing this agent meant IT had to visit each device not just for initial set-up but for upgrades and maintenance. These demands added greatly to the complexity of the deployment and wasted manpower.

Next-generation IPsec VPNs now on the market aim to streamline remote access deployments. A key development is the management console through which software configurations, digital certificates, policies and software updates can be created and pushed to personal firewalls for each device.

This development allows software agents to be pushed over communications lines to end users without the need for manual intervention, and it prevents any tampering with security controls. Now that devices can be centrally managed, costs can be controlled better and fewer administrative resources are needed for managing the deployment. But it doesn't end there.

Vendors have been quietly adding a host of other features. Quocirca recently produced a report outlining what it believes are the essential elements to look for in today's versions of IPsec technology. These include:

  • Centralised management capabilities, along with provision of personal firewalls.
  • Authentication and access controls, backed up by provision of strong authentication capabilities for securely authenticating all users.
  • Security controls, including network access control capabilities to ensure that devices under management conform to policies set.
  • Logging and reporting capabilities to provide evidence that controls are working as they should according to policies.
  • Support for a wide range of communication methods, including for mobile devices, as well as for all flavours of operating system in use.

With these developments, the headaches associated with managing large-scale IPsec deployments - which provide the most complete secure remote access solution available on the market - are largely a thing of the past.

Today's technologies can provide highly secure remote access in a wide range of scenarios at a much lower administrative cost than first-generation products.

Quocirca's report, "The essential elements of secure remote access", is available as a free download.

A leading user-facing analyst house known for its focus on the big picture, Quocirca is made up of a team of experts in technology and its business implications. The team includes Clive Longbottom, Bob Tarzey, Rob Bamforth, Dennis Szubert, Louella Fernandes and Fran Howarth. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking. For a full summary of the consultancy's activities, see www.quocirca.com.
