Most UTM (unified threat management) Firewall devices worth their price tag include a VPN server as part of the mix. In my experience, a UTM is an excellent choice for a small office and/or most smaller enterprises as several of the higher-end devices scale quite far. For a larger, corporate network though, while a UTM (or two or three) might be part of the security mix, larger dedicated components often make more sense.
That being said, if you have a UTM and it includes a VPN solution, you may be considering taking advantage of it for remote network access. While I wouldn’t necessarily advise against doing this, before going too far down that road I would tell you to look into deploying OpenVPN Access Server with Google Authenticator instead. Here is why…
Considering Open-Source… this is a rabbit trail.
OpenVPN Access Server is a paid solution, built on open-source software, and it runs on Linux. I could write an entire article’s worth of reasons why open-source solutions and Linux often make a lot of sense versus many comparable “closed-source” (and often extremely expensive) options. I am not going to bother to make such an argument here. If you never think outside of the monolithic “corporate software” box, I suggest you hire someone who does, as it could potentially save your enterprise thousands (and in the case of very large enterprise networks, potentially millions…) of dollars and even provide you with more secure and more stable software. Open source isn’t the answer for everything, as there are some areas where it is extremely lacking. But when it comes to security, networking, server software, web development, and a plethora of other areas, you would be hard pressed to make a strong argument against open source. Just to be clear, I am a huge fan of Microsoft and generally love a lot of what they do. I admin and work on all kinds of products, both open and closed. I feel that my opinion is pretty widely informed and decently balanced in this area. I am sure everyone else feels the same though 🙂
Anyhow… sorry for that rabbit trail. The primary problem, in 95% of cases, with using your firewall/UTM device as a VPN is that it usually only provides “single-factor” authentication. Furthermore, many UTM VPNs will not integrate with Active Directory for authentication. This means you are using accounts that are not centrally managed, don’t have regularly expiring/rotating passwords, often don’t have enforced password complexity/length, and ultimately won’t stand up to a security audit if you are dealing with any kind of regulated data (HIPAA, PCI, PII, etc.).
Now, there are a number of UTM VPN solutions that will plug back into and use an Active Directory backbone. Even with that, though, you are still missing a second factor for authentication. If you don’t know what I am talking about when I say “two-factor”, please go read here. For the rest of you, especially those of you who deal with security at your organization, you know a single-factor authenticated VPN solution is somewhat of a no-no and, once again, will fail a security audit if you are dealing with sensitive data.
Why be so anal-retentive about VPN security? Simply put, a VPN allows someone, anywhere, to jack directly into your corporate network as if they were sitting at a local workstation or server. Any IT person who has been working a job for more than a week should quickly realize what a huge security risk that is. Therefore, if you are going to offer VPN, you had better secure it, and you definitely had better know who is on the other end. Hence, two-factor authentication is an absolute must, not just an intelligent suggestion.
So you have decided to stick with using your UTM. Why not, it’s there? You are also now convinced you need a two-factor solution. Okay, assuming your UTM VPN setup can work with two-factor at all, most likely the option it supports is RSA (SecurID). And this is where you are going to stop pursuing this option unless you just like to spend money unnecessarily…
RSA is going to run your organization anywhere from $1000+ per year, in addition to the up-front costs for hardware tokens or the licensing cost for soft tokens and the RSA appliance itself. Also, if you don’t have the expertise on hand to deploy and manage such a device, you are going to have to contract that out, and you can add that to your up-front and ongoing costs as well. It isn’t unheard of in a small-to-medium-sized business (say 30 to 50 users) for a two-factor system to run $10k to $20k in up-front costs and $5k annually. Those are very wide ballpark figures and could go up or down considerably depending on your particular situation.
One thing that everyone who has deployed RSA two-factor can agree on is that it is an expensive solution.
Hopefully I have at least convinced you that it is worth exploring other options.
Enter OpenVPN Access Server… Depending on your current network environment, the complexity of setting up this service can vary from quite simple (for anyone who has some experience with Linux, networking, and Active Directory) to somewhat complex, particularly if your network has a lot of existing infrastructure components (physical and logical) such as firewalls, VLANs, and the like. I will note that regardless of the VPN solution you choose, network complexity is going to increase its deployment complexity across the board. If you have in-house Linux talent and network administration talent you are pretty much set. If you need to outsource the work to a contractor, it could vary a lot.
Personally, if I were contracting myself out for the work, I would charge a starting rate of around $1500 on up to around $5000 if the network were significantly complex. Particularly if it is complex and undocumented (a common scenario).
Furthermore, there are per-concurrent-connection annual licensing costs for OpenVPN Access Server. This, however, is extremely economical. Access Server is licensed per concurrent user connection, NOT per user. This means you can buy 20 licenses and have as many users as you like as long as only 20 are connected at a time. The licensing is also flexible, so you can purchase and add additional licenses at any time. Finally, you get two free concurrent connections to start and test with, so you can make sure you have a working solution before paying for any licensing. You can view the full cost spread by clicking here.
Additional costs for an OpenVPN deployment are going to vary based on what infrastructure you already have in place. You aren’t relying on a UTM device to handle the connection, but rather on a piece of software, and that software needs somewhere to run. Luckily it runs on Linux, so no other licensing costs need come into play. However, you do need a server. Once again, though, because Linux is versatile and very lightweight, this can be just about anything with a processor and a couple gigs of RAM. The actual Linux install really should never take up more than 20 GB of disk space (extremely minimal). In many cases one of the best options is to deploy it on a VM (virtual machine). If you have an underutilized server on hand that could double as a virtualization host, your hardware costs could easily be zero. Otherwise, any older workstation or server will do. The only recommendation I would make is that it have a gigabit Ethernet connection, if possible, if you are running gigabit switches. If VPN is going to be a “mission-critical” system, then I would recommend you put a little more thought into hardware and consider setting up a multi-server cluster using two or more physical machines. This does increase your cost, but the dollar figure is still infinitesimal compared with RSA, especially if you don’t already have a UTM (or two, in the case of HA (high availability/cluster)) lying around. Clustering is supported out of the box, and it makes OpenVPN Access Server a viable solution for an enterprise of any size.
Two-factor authentication is handled by Google Authenticator, and the capability is built into OpenVPN Access Server, making deployment a snap. This is the one other “catch” when using this solution: the employees at your company will need either a smartphone or tablet running Android or iOS. Android hardware can be extremely cheap though (especially if buying in bulk, i.e. 10+ pieces), and you could easily get Android phones or tablets for under $35 a piece for your employees who don’t have smart devices. They only need Wi-Fi and don’t need data connectivity, so there are no ongoing hardware costs.
Google Authenticator is 100% free. It requires a free app from your mobile device’s respective app market. Once their phone is tied to your OpenVPN Access Server (something that happens during registration), the app becomes their token, a software token on a device they physically possess. This is their second factor of authentication. Google Authenticator implements the open TOTP standard (RFC 6238): it generates a time-synced rotating 6-digit PIN by computing an HMAC over the current 30-second time step, keyed with a unique shared secret that the server and the phone both hold. It is vital, therefore, that your server regularly syncs its clock to an NTP (network time protocol) server and that your employees’ mobile devices do the same. The server will normally tolerate a step or so of drift, but if there is too much variance between the clocks, the PIN will not work.
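To make the time-sync point concrete, here is an added example (not code from the original post or from OpenVPN) of what the server and the phone are each computing: RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, plus a verifier that accepts one 30-second step of clock drift on either side. The secret is the ASCII test secret from RFC 6238 Appendix B, so the codes can be checked against the published vectors; the account and issuer names in the provisioning URI are made-up placeholders.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds (Google Authenticator default)
DIGITS = 6         # code length (Google Authenticator default)
DRIFT_STEPS = 1    # accept codes from one step before/after to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Both sides compute this."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, drift_steps: int = DRIFT_STEPS) -> bool:
    """Server-side check: accept the code if it matches the current step or any step
    within +/- drift_steps. Uses a constant-time compare so the verifier does not leak
    how many digits matched. A real server must also reject reuse of an accepted code."""
    base_counter = at // STEP
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, base_counter + delta), code):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind an enrollment QR code encodes (base32 secret, padding stripped).
    Scanning this is what 'ties the phone to the server' during registration."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP}")


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real server generates
# a random secret per user and never reuses this one.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                          # 287082 (RFC vector 94287082, 6 digits)
    print(verify_totp(RFC_SECRET, "287082", 75))         # phone 16 s behind the server: accepted
    print(verify_totp(RFC_SECRET, "287082", 95))         # two steps of drift: rejected
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleVPN"))
```

The code generated at second 59 sits in step 1 (seconds 30 to 59); the verifier still accepts it anywhere in step 2 because of the one-step drift window, but not in step 3. That window is exactly why NTP matters on both ends: a phone or server that is more than about a minute off will produce PINs the other side never considers valid.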
Once you are all set up, the end-user experience is pretty slick. Self-registration is simple enough for most users to learn, and the web GUI that comes with Access Server makes administration pretty painless, even if your admins have never touched Linux.
OpenVPN Access Server is therefore extremely secure, extremely easy to manage, low-cost, and totally “auditable” as far as VPN solutions go, as long as you use multi-factor via Google Authenticator. I have found performance to be quite good as well. I am not sure about the compression algorithms they use for traffic, but the connections actually seem several ticks faster than some of the other enterprise VPN solutions I have used.
If you are wondering… no, I am in no way affiliated with OpenVPN, and this article isn’t supported/endorsed by them at all. I am just an adopter of the Access Server enterprise product and was blown away by the value if you put a little work into it.
Hopefully you have found this write-up useful if you are trying to make a decision on VPN!