A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. Because a VPN can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks.

An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. This type of VPN may be referred to as either an SSL VPN or a TLS VPN.  SSL VPNs provide remote users with access to Web applications and client/server applications, and connectivity to internal networks. Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security (IPsec) VPNs.

The two VPN technologies are complementary and address separate network architectures and business needs. SSL VPNs offer versatility and ease of use because they use the SSL protocol, which is included with all standard Web browsers, so the client usually does not require configuration by the user. SSL VPNs offer granular control for a range of users on a variety of computers, accessing resources from many locations. There are two primary types of SSL VPNs: SSL Portal VPN’s and SSL Tunnel VPN’s. See previous posts.

1. Identify Requirements. Identify the requirements for remote access and determine how they can best be met.

2. Design the Solution. Make design decisions in five areas: access control, endpoint security, authentication methods, architecture, and cryptography policy.

3. Implement and Test a Prototype. Test a prototype of the designed solution in a laboratory, test, or production environment to identify any potential issues.

4. Deploy the Solution. Gradually deploy the SSL VPN solution throughout the enterprise, beginning with a pilot program.

5. Manage the Solution. Maintain the SSL VPN components and resolve operational issues. Repeat the planning and implementation process when significant changes need to be incorporated into the solution

Application layer, which sends and receives data for particular applications. Separate controls must be established for each application; this provides a very high degree of control and flexibility over each application’s security, but it may be very resource-intensive. However, inventing new application layer security controls can create vulnerabilities. Another potential issue is that some applications may not be capable of providing such protection or of being modified to do so.

Transport layer, which provides connection-oriented or connectionless services for transporting application layer services across networks. Controls at this layer can protect the data in a single communications session between two hosts. The most frequently used transport layer control is SSL, which most often secures HTTP traffic but is also used to implement VPNs. To be used, transport layer controls must be supported by both the clients and servers. SSL portal VPNs operate at the transport layer.

Network layer, which routes packets across networks. Controls at this layer apply to all applications and are not application-specific, so applications do not have to be modified to use the controls. However, network layer controls provide less control and flexibility for protecting specific applications than transport and application layer controls. Network layer controls can protect both the data within packets and the IP information for each packet. IPsec VPNs operate at the network layer; since they can secure both TCP and UDP traffic, SSL tunnel VPNs operate as network layer VPNs.

Data link layer, which handles communications on the physical network components. Data link layer controls are suitable for protecting a specific physical link, such as a dedicated circuit between two buildings or a dial-up modem connection to an ISP. Because each physical link must be secured separately, data link layer controls generally are not feasible for protecting connections that involve several links, such as connections across the Internet.

Another issue is encryption key disclosure; an attacker who discovers a key could not only decrypt traffic but potentially also pose as a legitimate user. Another area of risk involves availability. A common model for information assurance is based on the concepts of confidentiality, integrity, and availability. Although VPNs are designed to support confidentiality and integrity, they generally do not improve availability, the ability for authorized users to access systems as needed. In fact, many VPN implementations actually tend to decrease availability somewhat, because they add more components and services to the existing network infrastructure. This is highly dependent upon the chosen VPN architecture model and the details of the implementation.

VPNs can also provide flexible solutions, such as securing communications between remote telecommuters and the organization’s servers, regardless of where the telecommuters are located. A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network

Graphics is the single biggest issue affecting network bandwidth in a virtual desktop environment. If a smooth desktop emulation requires a display refresh rate of 30 frames per second (fps), and a typical desktop may run at 1280 x 1024 x 32 bits per pixel (bpp). The calculation works out to 1.26 Gbps of uncompressed video data per desktop. Heavy high-end graphics intensive environments should plan to implement multiple technologies to address this potential problem.

Enterprises should also consider the server resources available to support virtual desktops. Servers handle all the processing and visual rendering for the virtual desktops, so the servers need significant processing and memory resources. In most cases, multiple servers (or even a blade server) will be appropriate to handle desktop virtualization.

But it’s important to note that the total processing requirement is not the simple sum of all desktops. Rather it’s a statistical mean based on the number of processing loads. For example, if you’re replacing 100 desktop PCs with 2GHz processors, you don’t need a server with 100 2GHz processors. In reality, PCs are idle much of the time, and it takes far less processing power to handle most basic operations. Virtual desktop software vendors can typically help solutions providers determine an adequate level of server processing and memory, based on the number of endpoints.

Enterprises should never attempt desktop virtualization projects without considering server redundancy. If you host all your PC’s on one server, you’re entire user base is at risk if you have server outage. Server clustering, redundant connectivity are essential for any type of virtualization.

Storage management and planning is next. All storage processing is handled centrally in a VDI environment with all of the application data stored centrally. Each virtual desktop needs the same amount of storage that would otherwise be on a traditional desktop. If the average PC stores 100GB, including the OS, applications and data — there should be about that much storage available for each virtual desktop. If your plan is to virtualize 100 desktops, you’ll need another 10,000 GB (10 TB) in the data center.

Demand for network system enhancements for current projects is on the rise due to the collapse of the economy. Despite the recession, demand for additional equipment into 2009 will continue. The market for used network products is a growing segment of the larger IT industry. New equipment purchases in this economy require large investment upfront—both the cost and risk are significantly less for used IT products.

Companies urgently seeking to better coordinate increasingly scarce resources across projects, used network equipment implementation can get the functionality benefits very quickly. Many organizations are experiencing a tightening of large system purchases, used equipment as a viable option to take over maintenance and help deploy a new system. Many needed achieve products at a lower cost, critical to fulfilling that financial goal.

Customers are looking for a different type of solution that’s more affordable, which has low risk and doesn’t require a big investment to maintain networks in house. The economic crisis is an accelerator for the used equipment market. Businesses need low cost equipment to get more productivity out of existing resources and to better validate all IT projects.  Pre-owned network equipment is compelling to companies because IT budgets are tight.

Meanwhile, enhanced functionality designed to address IT finanical leaders’ needs during a recession for more financial leveraging and the ability to allocate pre-owned equipment across projects. The recession has so many companies wary of making major investments in new equipment that some are turning to used networking products for flexibility and allows them to only pay for the incremental products as they need it, and that could be just for the duration of a given project.

Desktop virtualization, a.k.a. virtual desktop infrastructure (VDI), is based on thin-client computing. The virtual desktop machine on the server side handles all tasks related to the OS, application processing and storage. Thin-client endpoints typically use some local software (basic OS to boot the endpoint and connect it to the desktop server). But some endpoints use a zero-client approach, which requires no software. These client endpoints normally boot in firmware with no local storage and connect directly to the desktop server.

Virtual desktop management operates entirely at the server level, which simplifies administration. When a conventional PC fails, repairs take time and expertise. Replacing the PC requires work to reinstall applications, reset preferences and recover data (if possible). In a VDI environment, administrators can swap out the faulty thin-client PC, and the user can continue working immediately, which reduces the time and expense associated with desktop support. An administrator can provision a pre-established virtual image and deploy a thin-client PC with a minimum of time and effort. Additional server resources can be applied easily to virtual desktops that require more processing power or scaled back for non-essential users. Deployment of new software patches and upgrades for all virtual desktops can happen at the server level, rather than on each individual PC.

Enterprise security is also centralized at the sever level. Conventional PC’s store applications and data locally, exposing the computers to viruses and spyware and risking data loss. Virtual desktop machines use storage in the data center, so there is no data to corrupt at the endpoint device.

Disaster recovery planning is simplified with virtual desktop software. Servers are backed up routinely and consistently, which allows recovery and restore to servers in a secondary data center without disruption.