In most IT departments, remote access to central databases and company resources is a hot topic. The market offers a huge variety of remote access solutions, with each solution reflecting the strategic orientation of its producer. Here are some of the Top 10 remote access misconceptions:
- It is impossible to manage large-scale remote access projects
To the operating system, an application-independent VPN client appears as a network card. For this reason it has to be installed with administrator rights, and every single client has to be personalized afterwards. In addition to the VPN feature, the computer has to be protected by a firewall (ideally dynamic, automatic and centrally manageable), by endpoint security checks (virus scan software, firewall, etc.) and by strong authentication. Furthermore, the communication media that the user is allowed to use to set up an internet connection in different environments (e.g. 3G, public hotspots) have to be defined.
Defining all of this frequently increases the amount of time and money that has to be spent on documentation and training. We have created a Secure Enterprise Management System to enable businesses to easily manage their remote access network. The Secure Enterprise Management System allows for comfortable and structured management of networks of all scales. A console automatically monitors compliance with security policies as well as the rollout and operation of the teleworkstations. This includes software and configuration updates, user management, licenses and certificates. These and other features help you to easily control your virtual private network. At the same time this system saves you time and money.
Remote users benefit from “One Click Client Suites”, i.e. one click is sufficient to activate all important features (internet connection setup and dynamic personal firewall). The administrator is in a position to centrally set and lock all configuration parameters. This eliminates the majority of support requests, which are caused by misconfigurations. The intuitive graphical user interface reduces time and money spent on training to a minimum.
- Remote Access is expensive
In addition to the (mostly rather low) acquisition costs for the VPN software, the following factors influence the solution’s total costs:
- Further costs for acquisition, rollout and operation of a dynamic, automatic and centrally manageable personal firewall.
- User-side: costs for documentation, training and user helpdesk are frequently hard to estimate. Documentation for internet dial-in alone frequently exceeds the capacities of the managers in charge.
- Administrator-side: training, documentation and extensive routine tasks
- Time-consuming and expensive rollout and update processes
- Costs for security issues regarding the use of public hotspots are almost impossible to estimate. As a consequence, the use of public hotspots is frequently forbidden, which, in turn, results in a loss in productivity. However, if the use of public hotspots is to be allowed, further highly expensive security measures are taken.
The statement that “remote access is so expensive” can only be verified with a detailed TCO (Total Cost of Ownership) analysis. ROI (Return on Investment), ROSI (Return on Security Investment) and NPV (Net Present Value) should also be analyzed and taken into consideration.
- Remote Access is susceptible to faults
Valuable working time is lost if the user has to manually carry out all steps for connection setup in remote access (such as logging on to the Wi-Fi network, setting up the connection, activating the personal firewall and starting the VPN client). On top of that, operating errors endanger end-to-end security. A centrally managed, automated one-click solution elegantly avoids these risks and the loss of production time. Even at the highest possible level of security, there is no loss of comfort.
- Avoid VPNs via Public Hotspots
Administrators should be able to centrally set all rules of the personal firewall, a capability that comes as standard with the NCP Secure Client. The user can neither manipulate nor deactivate these rules. Even when logging on at a public hotspot, the integrated, dynamic personal firewall perfectly protects your computer. Depending on the current remote access environment, the client automatically selects the suitable firewall rule.
- IPsec does not work in certain environments (e.g. hotels)
Internet access is limited in locations with restrictive security settings or in certain mobile communications networks. As a consequence, the company’s VPN gateway is not available via IPsec. New technology removes a major restriction on communication within IPsec VPNs, since it allows for data connections from unknown networks whose firewall settings deny IPsec communication and only allow internet access to web browsers. If this is the case, the client software automatically switches to a modified IPsec protocol mode (it “emulates” HTTPS) and sets up an end-to-end tunnel to the company network.
- Clientless SSL VPN is easy to manage
Some years ago SSL VPN was introduced into the market with the promise that it would be easy to manage because it is clientless. At the same time, it was promised that it would meet all requirements for communication. Time proved that this promise could not be kept. Various white papers compare SSL and IPsec and clearly favour the SSL solution. The striking argument is that no VPN client has to be installed on the end device. However, in practice, both tunnelling protocols have their advantages and thus their right to exist in parallel. This means that a holistic VPN solution should feature both technologies.
- Personal firewall settings may remain the same no matter the environment
Different remote access environments demand different firewall rules. This means that the firewall rules have to be set manually. From a security point of view, this poses high risks. The administrator is the person to set the rules. The user cannot bypass the company’s security policy by accidentally or deliberately changing the security settings!
- Users always know how to log on to the internet
Common VPN client software is based on the assumption that the user has already set up an internet connection. It only negotiates with the VPN gateway about the type of encryption. Mobile employees use various media (public hotspots, 3G, DSL …) in order to set up an internet connection. Experience shows that in this phase the number of errors is highest and most user helpdesk (UHD) calls are made. The higher the number of clicks, the more time and money has to be spent on documentation and training.
- Remote Access is limited to certain applications or Windows operating systems
“Clientless SSL VPN” or “SSL VPN Thin Clients” only support certain applications (browser-based or “static ports”). Common IPsec solutions frequently support only Windows XP, Vista or Windows 7, and of these, some only support the 32-bit mode. Some solutions are independent of applications and available for a variety of operating systems: Windows, Mac OS, Linux, Windows Mobile and Symbian. These solutions also support 64-bit mode.
- Global players of the hardware sector (routers, firewalls) automatically provide the best remote access solutions
Reality, however, is different. Undoubtedly, these companies offer high-class hardware for the central side. Although their products also have VPN features, they are only equipped with important basic characteristics and, on top of that, only offer a small scope of service. Remote access client software is frequently added to the package very cheaply. This is often done according to the motto “product works as designed”, or to put it in other words, “it is cheap, so please do not put high hopes in functionality or comfort”. Only a specialist’s solution, which is specifically designed as a VPN solution, is able to meet all customers’ requirements with respect to universality, usability and cost-effectiveness of remote access VPNs.