2 VPN Limits: In Detail

2.1 Client Software: Managing Clients

Most VPN systems require software to be installed on client devices to support strong encryption and VPN protocols. Even when some form of VPN software is included in an operating system, such as Microsoft's PPTP, it must be correctly configured with address information, encryption keys and other critical settings.

The dependence on extra installed VPN software leads to a number of issues:

Is the VPN software compatible with the version of the operating system being used?
Is the software compatible with the existing network configuration?
How often must the software be updated with new configuration information?
How is software or configuration to be updated?
Is the operating system supported? (Maybe your partners use Macintosh or Unix?)
Is the VPN compatible with other VPN software which may be already installed?
Is the configuration compatible with the partner network?
Who is responsible for maintaining and supporting the system where the software is installed?

These issues can be addressed (with some effort) for a single organisation which has control of all the infrastructure involved. Unfortunately most remote access systems also cover business partners, suppliers, vendor support and often customers. In these scenario the same issues can be much more difficult to address.

Availability of VPN client software also faces additional demands arising constantly from new network capable devices:

PDA's and Pocket PC's
WAP enabled cellular phones
Internet enabled appliances, such as Web-TV and 'Smart Phones'.

Even when standard PC/Windows systems are available, it may be impossible to install or properly configure VPN software in other environments such as:

Internet Cafés
Airport Lounges
Hotel Business Lounges and In-Room PC's

2.2 Firewalls: VPN Configuration and Control Issues

**Figure 2:** VPN's suffer restricted deployment
$\resizebox*{0.9\textwidth}{!}{\includegraphics{fig/aw-vpn-trouble.eps}}$

When VPN software is properly installed and configured, its use from an unrestricted Internet access point, such as a dialup ISP account, is normally efficient and straightforward. In this situation VPN software should function 'as advertised' and offer the user private and secure remote network access.

However, the real world experience may be different. Users are often subject to Internet access control and filtering arrangements. A remote user who is connected to a partner or suppliers company network, or even one who is using a hotel LAN or some cable access services, must access the Internet through a third party firewall security system. Most third party firewall systems will reject any traffic they do not recognise. VPN traffic appears to firewalls as a special class of network traffic. The firewalls cannot see 'inside' the connection due to the encryption component of the VPN. The inability of the firewalls to inspect the encrypted connection means that it is against the security policy of the organisation to 'allow' this traffic to pass. This would be equivalent to opening an un-inspected route into the network which would allow data to go in or out without being checked against the security policy. As a result most firewalls will normally not allow the connections to proceed. (Figure 2)