A Virtual Private Network (VPN) concentrator is a combination of hardware and software that helps facilitate many VPN tunnels at the same time. A concentrator is like a normal VPN router in that it creates encrypted connections between two peers. However, it’s capable of servicing hundreds or thousands of users simultaneously and in a dynamic fashion.
VPN concentrators typically sit behind a firewall on dedicated hardware with proprietary software installed that can support a specific number of simultaneous connections. Most Next Generation Firewalls (NGFWs) provide this capability built-in, alongside other features such as web-filtering, IDS/IPS, and site-to-site VPN configurations.
VPN concentrators are VPN gateways that manage encrypted tunnels in a hub and spoke design. Traditional VPN concentrators are dedicated devices that handle the function of encrypting and decrypting data dynamically as users connect to it using a variety of VPN types. There are also software versions of this, and most modern firewalls include a VPN concentrator built in as a feature.
Who Needs a VPN Concentrator
Any organization in which users connect to an internal network remotely needs a VPN solution of some kind. Deciding what type of VPN solution is needed depends on the size of the organization and how heavily the organization will be relying on remote connections.
Organization size
Here size does matter. If a large organization has many users who need the ability to access the organization’s internal network remotely, say 500+ remote users, then it may be best to go with a dedicated VPN solution such as a VPN concentrator. For small to medium organizations, the need can usually be met by a VPN solution built into a product that performs multiple functions, such as an NGFW.
Reliance on remote connections
Reliance on remote connections is a strong determining factor when choosing a VPN solution. If your organization needs users to perform critical work functions remotely on a regular basis, then you would likely benefit from a dedicated VPN solution such as a VPN concentrator. On the other hand, if your users only need to be remote on occasion (sick children, house repairs, etc.), then a VPN solution built into another appliance would be fine.
What to Consider When Looking For a VPN Concentrator
VPN concentrators primarily allow remote connections in two ways: SSL VPN (browser-based) or IPsec (VPN software-based). The right choice will depend on the needs of the organization and how the VPN will be used. Many solutions, including Pulse Connect Secure and Fortinet, offer both methods as options. Do your research to determine what kinds of options will be available.
SSL VPN connections
With SSL VPN connections, remote users connect via a web browser to specific applications inside an organization’s internal network. SSL VPN does not require the installation of additional software on the user’s computer. This method always uses port 443 and provides very limited use of the tunnel: only the internally hosted resource or application is accessed, rather than the entire network.
Conceptualizing SSL tunnels
An SSL VPN setup would be like watching TV through a window while you stand outside of the house. The house is the internal network of the organization you are connecting to and the TV is the application you are accessing. All that is needed on the client side of this configuration is a web browser.
IPsec connections
Many concentrators will have a small software client installed on the user’s machine that establishes an ad-hoc IPsec tunnel with the corporate network. Typically, the VPN concentrator is at the edge of the corporate network. The device is connected to the internet either directly as a part of an NGFW or right inside the network behind the firewall. The VPN concentrator manages all the tunnels after a user has been authenticated with appropriate credentials.
Conceptualizing IPsec tunnels
Using the same analogy as before, an IPsec tunnel setup would be like standing inside the house watching TV. This type of connection could be established either with a software client provided by a VPN concentrator or VPN software built into the user’s computer’s operating system. IPsec is often the preferred choice for site-to-site VPN configurations as well, which is best when both nodes will remain static.
Decide How You Want Users to Connect
Depending on how you intend your users to connect via the VPN concentrator there are a few different options you can configure on most of the offerings available. By choosing a VPN solution that has both SSL and IPsec VPN capabilities, you can use a mix of options to determine how best to provide access for users based on their scenario.
Scenario 1
Remote users that only need access to an internally hosted application or terminal service such as Windows Remote Desktop Services (RDS). This scenario can be accomplished with SSL VPN access only. The design approach should be to minimize the network traffic footprint as much as possible while still providing access. As a security principle, it is best to provide tailored access to resources based on need.
Scenario 2
Remote users that need access to more comprehensive internal resources beyond a single application. This scenario would require an IPsec tunnel to accomplish the access needs. In this scenario, as with the first one, security should be considered when designing. If full tunnels to the internal network will be established, then permissions should be in place to ensure that the remote user only has access to what they need.
How IPsec Interacts with VPN Concentrators
When using any kind of IPsec platform, Internet Key Exchange (IKE) is used to negotiate between the VPN peers either using UDP port 500 or UDP port 4500. Which port is used for IKE negotiations depends on the situation. UDP port 500 is used for IKE all the way through in two cases. First, when there is no Network Address Translation (NAT) between two VPN peers (think site-to-site). Second, when there is a NAT between the peers but one or both sides do not support the official NAT Traversal (NAT-T) standard.
UDP port 4500 is used for IKE negotiations and for encapsulating ESP IPsec traffic when there is a NAT between the VPN peers (common) and NAT-T is supported by both sides. The initial IKE negotiations use port 500 until both peers agree to use NAT-T, then switch to port 4500.
Configuration for IPsec-based connections
When considering how to set up your VPN concentrator’s IPsec features, there are two areas of the configuration worth considering. First, traffic encapsulation with NAT devices on the client side. Second, whether to use a full-tunnel or split-tunnel configuration.
In most networks today user-side devices sit behind a NAT device. This type of setup provides translation between private IP addresses assigned to devices internally and the public IP address provided by their Internet Service Provider (ISP). That is, most user-side devices do not have a public IP address assigned to them directly.
Usually there is a NAT device between the two points of the VPN tunnel – the VPN concentrator and the user-side device. Many NAT devices do not allow the passage of true IPsec traffic, such as Encapsulating Security Payload (ESP). NAT-T encapsulates the VPN traffic within UDP traffic to overcome this issue. As a result, NAT-T is found in most VPN solutions that use IPsec tunnels.
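The port behaviour described under “How IPsec Interacts with VPN Concentrators” and the UDP encapsulation described here can be checked on the wire. The following is an added example (not from the original article or any vendor’s product) that classifies UDP datagrams seen on ports 500 and 4500 as plain IKE, IKE behind the NAT-T non-ESP marker, UDP-encapsulated ESP, or a NAT-T keepalive, using the IKE header layout from RFC 7296 and the UDP encapsulation format from RFC 3948; the sample datagrams are constructed header-only messages.

```python
import struct

# IKE/ISAKMP header: SPIi(8) SPIr(8) next payload(1) version(1) exchange(1) flags(1) msg id(4) length(4)
IKE_HDR = struct.Struct("!QQBBBBII")
EXCHANGES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
             32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
             36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}


def parse_ike(data):
    """Return the header fields of a single IKE message, or None if it does not look like IKE."""
    if len(data) < IKE_HDR.size:
        return None
    spi_i, spi_r, _next, ver, xchg, flags, msg_id, length = IKE_HDR.unpack_from(data)
    major = ver >> 4  # high nibble of the version byte: 1 for IKEv1, 2 for IKEv2
    if major not in (1, 2) or length != len(data):
        return None  # bad version or the length field disagrees with the datagram
    # IKEv2 marks responses with flag bit 0x20; IKEv1 has no such flag.
    response = bool(flags & 0x20) if major == 2 else None
    return {"kind": "IKE", "version": major, "exchange": EXCHANGES.get(xchg, f"type {xchg}"),
            "response": response, "spi_i": spi_i, "spi_r": spi_r, "msg_id": msg_id}


def classify_datagram(dst_port, payload):
    """Classify a UDP payload seen on the IKE port (500) or the NAT-T port (4500)."""
    if dst_port == 500:
        return parse_ike(payload) or {"kind": "unknown"}
    if dst_port == 4500:
        if payload == b"\xff":
            return {"kind": "NAT-T keepalive"}  # single 0xFF byte keeps the NAT mapping open
        if payload[:4] == b"\x00\x00\x00\x00":
            # Four zero bytes (the non-ESP marker) mean IKE follows; an ESP SPI is never zero.
            return parse_ike(payload[4:]) or {"kind": "unknown"}
        if len(payload) >= 8:
            spi, seq = struct.unpack_from("!II", payload)  # ESP header rides directly after UDP
            return {"kind": "ESP-in-UDP", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


# Constructed samples: header-only messages, so the IKE length field equals the datagram size.
SAMPLE_IKE_INIT = IKE_HDR.pack(0x0123456789ABCDEF, 0, 33, 0x20, 34, 0x08, 0, IKE_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)  # SPI, sequence 7, dummy ciphertext

if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_IKE_INIT), (4500, b"\x00\x00\x00\x00" + SAMPLE_IKE_INIT),
                      (4500, SAMPLE_ESP), (4500, b"\xff")]:
        print(port, classify_datagram(port, pkt))
```

Seeing IKE_SA_INIT on 500 followed by IKE_AUTH and ESP-in-UDP on 4500 for the same peer pair is the NAT-T switch the text describes; a peer that stays on 500 for ESP indicates no NAT or no NAT-T support.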
Full-Tunnel vs Split-Tunnel VPN
When configuring the types of VPN connections with a VPN concentrator, you can configure the dynamic tunnels to be full-tunnel or split-tunnel. With any IPsec VPN connection, there is the option to route all traffic across the tunnel (full tunnel) or only a portion of it (split tunnel).
Split tunneling is when you section off the traffic on the client-side VPN peer so that corporate traffic (destined for the organization’s internal network) goes through the established VPN tunnel, while normal web-browsing traffic goes straight out to the internet. Split-tunnel configuration is very common and usually provides a better experience for the remote user.
Full-tunnel VPN is when all the traffic on the client-side VPN peer is routed through the VPN tunnel and back to the organization’s internal network. This means that regardless of what the user is accessing the traffic is routed through the organization’s internal network. Using a full-tunnel is one way to run web filtering and other corporate policies on remote machines. This setup is less common than you might think because of the large amount of traffic that needs to be processed.
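To make the routing difference between the two modes concrete, here is an added example (not from the original article or any vendor’s configuration) that models the routes a concentrator pushes to a client in split-tunnel and full-tunnel mode and resolves sample destinations against them with longest-prefix match. The corporate prefixes, the concentrator address and the destinations are constructed values.

```python
import ipaddress

# Constructed policy: what the concentrator pushes to a connecting client.
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]
CONCENTRATOR_IP = "203.0.113.10"


def build_routes(mode, corp_prefixes=CORP_PREFIXES, concentrator_ip=CONCENTRATOR_IP):
    """Routes a client installs: split = corporate prefixes only, full = everything via the tunnel."""
    if mode == "full":
        routes = [(ipaddress.ip_network("0.0.0.0/0"), "tunnel")]
    elif mode == "split":
        routes = [(ipaddress.ip_network(p), "tunnel") for p in corp_prefixes]
    else:
        raise ValueError(f"unknown tunnel mode: {mode}")
    # The tunnel's own encrypted outer packets must reach the concentrator over the physical
    # interface; without this host route a full-tunnel client would route them into the tunnel.
    routes.append((ipaddress.ip_network(f"{concentrator_ip}/32"), "direct"))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match; anything unmatched leaves via the client's normal default route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, via) for net, via in routes if addr in net]
    return max(matches)[1] if matches else "direct"


def resolve_flows(mode, destinations):
    """Map each destination to 'tunnel' or 'direct' under the given mode."""
    routes = build_routes(mode)
    return {dst: next_hop(routes, dst) for dst in destinations}


if __name__ == "__main__":
    sample = ["10.20.1.5", "172.31.4.9", "198.51.100.7", CONCENTRATOR_IP]  # constructed destinations
    for mode in ("split", "full"):
        print(mode, resolve_flows(mode, sample))
```

In full-tunnel mode every destination except the concentrator itself goes through the tunnel, which is what lets corporate web filtering apply to the remote machine; in split-tunnel mode only the pushed corporate prefixes do.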