VPNs Enable Desktop Virtualization

By Bernd Reder

As the workforce becomes increasingly mobile, the methods by which users access critical business tools must evolve in kind. In the past, the desktop environment and all of the resources it hosted were only accessible if an individual was sitting right in front of his or her computer. But now, with the advent of laptops, tablets and smartphones, we’re seeing a paradigm shift—one in which digital assets are no longer imprisoned by local hard drives.

Virtual desktops allow employees to remotely access their traditional systems from any location, eliminating device storage concerns as well as numerous other headaches for IT managers. For example, if the IT department had to install a suitable desktop environment on every device used by every employee throughout the company, then provide technical support and roll out regular patches for each one, the workload would likely far exceed the department’s capacity.

A Central Virtualized Desktop

With virtual desktops, individuals working off-site can still access all the tools held within their office work stations, from the operating systems to essential applications and associated data. Not only is this more convenient for them, but it is more practical and less cumbersome for IT administrators. All sensitive information and tools are housed and managed in a secure location, mitigating the risks to company data if a security breach compromises an employee’s mobile device.

All of the company resources being accessed remotely are stored in secure data centers. Rather than having to constantly update and patch the myriad of tablets and smartphones that workers use while outside the office, IT managers can focus on deploying security measures that govern remote access privileges. Though this doesn’t completely eliminate the possibility of an attack against an employee’s mobile device affecting the organization, it greatly reduces those risks—more so than any alternative—and better equips IT personnel to safeguard important information.

According to a survey from U.K.-based market research firm Visiongain, more than half of U.S. respondents are either planning to virtualize their desktops or are considering exploring this option within the next 12 months. Visiongain also states that the world market for Virtual Desktop Infrastructure (VDI) products reached $11.6 billion in 2012, and predicts annual growth of almost 15 percent through 2015.

Where VPNs Come Into Play

Paramount to any VDI is a secure link between the virtual desktop and the device being used by an off-site worker to access it. As such, VPNs are indispensable. They ensure that data is transported across a secured, encrypted connection.

However, this is far from a “one-size-fits-all” solution. On-the-go employees will often use various mediums to connect to their virtual desktops, including public Wi-Fi networks at airports and hotels or local networks at the offices of current or prospective clients. A company’s VPN system has to be configured to securely handle all of these options if users are going to be able to safely and efficiently access their virtual desktop environments. What’s more, VPNs must be able to seamlessly handle transitions from one medium to the next, such as LAN to Wi-Fi, so that the connection is not lost or processes are not interrupted at inopportune times. If access proves problematic, the benefits of VDI begin to dissipate.

In order for companies to tap into the benefits of virtualized desktops, they must invest in robust VPN solutions that account for all possibilities and automatically initiate the proper security settings based on the communication medium an employee is using. Whether in a coffee shop with public Wi-Fi or another office location within the same organization, the VPN should be able to manage them all. Such a task is perfectly fitted to a dynamic personal firewall. Where run-of-the-mill VPN systems might fail, expertly developed and well-matured solutions will not.

February Feature of the Month: Integrated Support for 3G / LTE Cards, Part Two

This is Part Two of our February Feature of the Month series. Last week, we honored the all-new Access Point Name (APN) feature in NCP’s entry and enterprise IPsec VPN clients.

Enterprises today are facing significant challenges related to remote computing due to their increasingly fragmented geographies. For instance, companies are not only contending with how to enable automated roaming between their solutions on premises and remote hotspots, but they are also responsible for making sure this seamless roaming is secure for employees working off-site.

To meet these industry needs, NCP engineering has enhanced its client suite to support integrated 3G cards, which ensure secure network connections for mobile workers when used in conjunction with the NCP Secure Enterprise VPN Server. NCP has combined 3G / 4G and VPN connection setup into a single, graphical user interface, simplifying the installation and deployment processes for both IT personnel and individual users.

Additionally, the NCP Secure Enterprise Client allows devices to automatically transition between a variety of communication mediums, including Wi-Fi, xDSL, LAN, ISDN and WWAN, making it easy for users to connect to their corporate networks from any location. Since the solution dynamically redirects the VPN tunnel without disrupting mobile computing sessions, employees are guaranteed uninterrupted connections to their networks.

Beyond that, for enhanced protection, the solution automatically recognizes secure and insecure networks to connect to while users are roaming. With its Friendly Net Detection feature, the IPsec VPN client then activates the appropriate firewall and security policies without the end user needing to lift a finger.

Want to learn more about the NCP Secure Enterprise Client’s integrated support of 3G / LTE cards? Additional information can be found here. 

Q&A On SSL VPNs, Part Two: Joerg Hirschmann

This is part two in our Q&A series on SSL VPNs. Earlier this week, we shared insight from Rainer Enders, CTO, Americas at NCP engineering, on the inception of SSL VPN and its key differentiators.

Q: What are the core strengths of SSL VPN, and when might enterprises choose to go with this protocol over IPsec VPN?

Joerg Hirschmann: The pre-installed, SSL approach is ideal for situations in which one doesn’t require transparent connections for secure remote access. For instance, SSL VPN is an optimal solution when enterprises must grant limited access to external associates or partners needing connections only to specific applications (e.g. web-based) or administrative access to specific machines through RDP or SSH sessions. However, the ideal secure remote access solution takes a hybrid approach combining the strengths of both SSL and IPsec.

Q: What about choosing to go with software solutions versus hardware appliances?

Joerg Hirschmann: A software solution is the ideal fit for a virtualized central environment, whereas appliances are usually a better fit in branch offices or a smaller environment without virtualization in place.

If you have any questions on VPNs, the IPsec and SSL protocols or anything else related to secure remote access, send them to editor@vpnhaus.com. 

 Joerg Hirschmann is CTO at NCP engineering GmbH. 

Q&A on Employee Provisioning with Joerg Hirschmann: Part 3

This is the third and final entry in our Q&A series on questions related to employee provisioning and VPNs. Last week, we addressed how provisioning can benefit an organizations’ overall security postures as well as the de-provisioning tactics necessary to mitigate security risks during employee transitions. 

Question: Certain scenarios, such as short-term business partnerships, will require adaptable provisioning. How can VPN technology enable temporary and secure remote access? What are other solutions companies can use to incorporate flexibility into their workforce?

Joerg Hirschmann: VPN solutions offer different access points for various types of remote access users. In general, employees will require deeper access to corporate network resources than external partners will need. For that reason, companies should deploy VPN clients to their entire workforce, depending on the necessary access requirements, whereas external partners should access the relevant applications through client-less SSL VPNs, if possible. This will allow external partners to avoid the process of deploying software and licenses.

Organizations can also achieve temporary access, whether it be on-demand or limited hourly access,  by implementing a Remote Authentication Dial-In User Service (RADIUS) server. With this approach, general access limitations can be set automatically, whereas on-demand access will have to be enabled–as well as disabled–manually by an administrator. Again, process quality is important.

If you have any questions that you would like answered on VPNs, remote access, network security and the like, send them to editor@vpnhaus.com. 

Joerg Hirschmann is CTO at NCP Engineering GmbH. 

Secure Communications in Harsh Environments, Part 3

Editor’s Note: This is part three in a three-part series on remote access in harsh environments. Part one of series details the emergence of harsh environment threats, while part two covers the risks of outdoor access points. 

By Patrick Oliver Graf, General Manager NCP engineering

VPN: The Indispensable Barrier

So then, how do you secure SCADA systems against such attacks? The answer is simple, with the same measures as a regular corporate network.  This means, providing a protective mechanism, like firewalls, between regulation and control units and external Internet traffic. Firewalls analyze each access to the system, and block suspicious traffic or access to certain ports.

Furthermore, IPsec VPNs, with DES or AES encryption, are essential. When using protected tunnels to send data traffic, it’s impossible for hackers to listen in to data packets of PLCs, Local Control Units or RTUs, analyze them and draw conclusions to the technologies and systems employed in the SCADA network at hand. If the SCADA infrastructure is decentralized and has endpoints in various locations, it is sensible to implement an additional VPN server and a gateway. In this, the gateway acts as firewall and guardian by deciding which data of which systems receive network access.

Today, controls, data capturing systems and automation systems are similarly prone to hacker attacks as PCs, server and notebooks in a LAN. Therefore, those systems need the same amount of protection. This is especially true for systems with remote access connections. And remote access requires the use of VPNs and the corresponding server, clients and gateways. With that, a VPN is indispensable – even in harsh environments.