Various products that realize VPN


To actually build a VPN with the protocols introduced so far, you need a VPN gateway and software. Here, I would like to look at the products used to realize a VPN: routers, firewalls, UTMs, and dedicated appliances.

LAN-to-LAN VPN and remote access VPN

 Although we speak of "VPN" as one thing, there are actually two types of use: LAN-to-LAN VPN and remote access VPN.

 LAN-to-LAN VPN and remote access VPN

 A LAN-to-LAN VPN is literally a form of interconnecting LANs with a VPN, and is also called a site-to-site VPN. To achieve this, a device called a VPN gateway is required to build the VPN tunnel. That is, a packet from a client in the LAN is encapsulated and encrypted with a VPN protocol and sent to the destination VPN gateway. The VPN gateway that receives the packet at the exit of the VPN tunnel, in turn, removes the tunnel encapsulation, decrypts the encrypted packet, and sends it on to the destination client.

 A remote access VPN, on the other hand, builds a tunnel between a PC and a LAN in response to a connection request from a mobile environment or a PC on a business trip. In other words, unlike the LAN-to-LAN VPN, the communication partner of the VPN gateway is VPN client software installed on a PC.

 In this way, the product that realizes the VPN differs depending on the form of use. Below, let's look at the details of these VPN products and how to select them.

Routers and firewalls, the standard for building VPNs

 Currently, routers and firewalls are mainly used to build LAN-to-LAN VPNs. The VPN protocol used is IPsec in most cases, but there are models that support Layer 2 VPN protocols such as L2TP and Ethernet over IP.

 In the first place, it is entirely natural for a router, which itself plays the role of connecting LANs, to be equipped with a VPN function. Packets that until now were forwarded to the destination router or host via WAN or Ethernet only need to be forwarded after VPN processing such as tunneling, encryption, and tampering detection. It is equally natural for a gateway-type firewall, which is installed at the border between the Internet and the LAN, to operate as a VPN gateway.

 What changed significantly as broadband spread after 2000 was the shift from software to hardware. As mentioned in the previous part, VPN protocols such as IPsec encrypt the original packet itself, calculate hash values for tampering detection, perform authentication, and add a new header, and they do this for every packet. In particular, the cipher processing that prevents eavesdropping on and tampering with packets puts a load on the CPU. This is fine at ISDN bandwidths, but once ADSL and FTTH became the mainstream, this load became a major bottleneck.
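 The per-packet steps described above (new outer header, hash calculation for tampering detection, check and removal of the tunnel at the far gateway), as an added example that is not part of the original article. The framing, field sizes, key and gateway addresses are constructed for illustration and are not the IPsec wire format; encryption is left out because Python's standard library has no block cipher.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                    # truncated HMAC-SHA-256 tag (assumed size)
HDR = struct.Struct("!4s4sIH")  # outer src, outer dst, sequence, inner length


class TunnelError(Exception):
    """Raised when a received tunnel packet fails a check."""


def encapsulate(key, gw_src, gw_dst, seq, inner):
    """Sending gateway: add a new outer header and an integrity tag."""
    header = HDR.pack(gw_src, gw_dst, seq, len(inner))
    # The hash covers header and payload, so it is recomputed for every packet.
    tag = hmac.new(key, header + inner, hashlib.sha256).digest()[:TAG_LEN]
    return header + inner + tag


def decapsulate(key, packet):
    """Receiving gateway: verify the tag, strip the tunnel, return (seq, inner)."""
    if len(packet) < HDR.size + TAG_LEN:
        raise TunnelError("packet too short")
    header = packet[:HDR.size]
    inner, tag = packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + inner, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise TunnelError("integrity check failed")
    _src, _dst, seq, length = HDR.unpack(header)
    if length != len(inner):
        raise TunnelError("length mismatch")
    return seq, inner


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed shared key
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    inner = b"constructed inner LAN packet"     # stands in for the original packet
    pkt = encapsulate(key, gw_a, gw_b, 1, inner)
    print("per-packet overhead:", len(pkt) - len(inner), "bytes")
    print("received:", decapsulate(key, pkt))
    tampered = bytearray(pkt)
    tampered[HDR.size] ^= 0x01                  # flip one bit of the payload
    try:
        decapsulate(key, bytes(tampered))
    except TunnelError as exc:
        print("tampered packet rejected:", exc)
```
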

 As a result, software-based VPN products faded away, and for LAN-to-LAN use, appliances that use dedicated hardware such as ASICs became the mainstream. Typical products include the firewall/VPN appliance "NetScreen Series" from NetScreen (now Juniper Networks) and Yamaha's "RTX1000".

Yamaha's VPN router "RTX1000"

 Since 2005, in addition to firewall and VPN appliances, UTM (Unified Threat Management) products that combine multiple security functions such as antivirus, IDS, IPS, anti-spam, and web filtering have emerged. VPN is now completely integrated as one of the functions of security equipment. In fact, the next part will introduce an example of building an Internet VPN with a UTM.

 Nevertheless, there are cases in which a dedicated machine is still used to build the VPN that forms the basis of a corporate network, so it is not possible to say categorically which one to choose. In any case, the cost per tunnel has fallen sharply compared with five years ago, and you are unlikely to be dissatisfied with the performance.

Remote access converges to SSL-VPN

 For a remote access VPN, on the other hand, a tunnel is built from the remote PC to the VPN gateway at the entrance to the LAN. Therefore, to give the client PC its VPN function, you have to choose between using a VPN protocol supported by the client PC's OS and installing software separately. In the case of Windows, PPTP is supported as standard, but unfortunately there are few products that support PPTP on the VPN gateway side that receives the incoming connections. For this reason, in the past, the VPN gateway vendor's IPsec client software was often installed to achieve remote access.

 However, if VPN client software is installed on each PC, management becomes troublesome, and licenses are required for the number of connections. That is where SSL-VPN appeared. With SSL-VPN, remote access is possible from a web browser, so there is no need for dedicated VPN client software. An appliance called an SSL-VPN gateway is installed between the Internet and the LAN so that incoming connections from remote PCs can be accepted. The client side specifies the URL of the SSL-VPN gateway in the web browser and, after passing user authentication, accesses the servers inside the company via the SSL tunnel.

 SSL-VPN initially supported only web communication, but it has recently become able to support other application traffic through ActiveX controls. In addition, access control for each application is easier than with IPsec, and there is no need to change the firewall settings (because firewalls are usually already set up to pass SSL). As a result, it has become popular as a remote access VPN method.

 In recent years, SSL-VPN has attracted attention as a means of continuing work during a pandemic or disaster, and there are instant licenses designed with pandemic and disaster countermeasures in mind.

SonicWALL's SSL-VPN gateway "Aventail E-Class SRA EX7000"

 Products were initially expensive, but inexpensive SSL-VPN gateways have recently appeared. In addition, as with IPsec, more and more products integrate SSL-VPN as a UTM function, so it is worth adding them to your options.