VPN Round-Up – Pros and Cons

Author:  Alex Claro, Solutions Architect Team Lead at Purdicom (CCNP, CWNA)

Previously I have covered the different types of VPN technology and how to configure them. Today I will be weighing up the pros and cons of each providing different use cases for each one.

SSL VPN using WatchGuard Access Portal via a web browser for RDP or specific applications

Pros

• Extremely quick and easy to set up with no configuration required client-side
• For those that need access to a high compute workstation without needing to open RDP or rely on other screen sharing services this provides the most elegant solution without performance issues
• Lightweight so no performance issues and full-featured via the use of HTML 5 allowing you to publish specific applications to specific groups of users
• Can be accessed from anywhere on any device without the risk of a virus or malware infecting the remote station from the users own device
• Integrates with Active Directory, RADIUS and Firebox-DB for authentication and can be further secured with WatchGuard AuthPoint MFA service

Cons

• Does require a Terminal Server or each individual workstation to have a Static / DHCP reservation
• If you close your browser window you will be logged out of the remote session
• Not compatible with all applications

Use Case

Perfect for those who need a high compute workstation or to access a specific application on the go meaning you could perform work from a tablet without security or performance issues or without needing to install a VPN client or configure one

To see how to configure the Access Portal click here.

IKEv2 VPN Using the inbuilt Windows, MAC and IOS VPN Client

Pros

• By far the most robust VPN utilising multi-layer security with IPSec and certificates to ensure the user is whom they say they are
• Lightweight so performance is not compromised resulting in low CPU usage
• Widely supported by Windows, macOS, IOS and Windows Mobile so there is no application to install client-side
• Integrates with RADIUS and Firebox-DB for authentication and can be further secured with WatchGuard AuthPoint MFA service
• The configuration files cannot be pushed out by Group Policy yet

Cons

• Doesn’t support Active Directory authentication so requires a RADIUS server with Certificate Authority
• Requires IPSec to be allowed outbound

Use Case

Perfect for any application especially if Voice is a requirement due to the lightweight protocols in use although RADIUS can be a requirement most enterprises are starting to shift towards using RADIUS / 802.1x infrastructures.

To see how to configure IKEv2 click here.

SSL VPN Using the WatchGuard VPN Client

Pros

• Uses TLS encryption on port 443 which is typically not restricted
• The client can be pushed out via Group Policy without the end-user needing to install anything as such
• Integrates with RADIUS, Active Directory and Firebox-DB for authentication and can be further secured with WatchGuard AuthPoint MFA service

Cons

• Relies on TCP resulting in it having the most overhead impacting on performance
• It is the most CPU intensive out of all three
• Not suitable for latency-sensitive applications such as VoIP or if you need to transfer large files in a hurry

Use Case

Perfect for those who need to push out a VPN client quickly without the user needing to do anything or those that do not have a RADIUS/Certificate authority.

To see how to configure SSL-VPN click here.

If you would like to get in touch with any further questions about this article or any other technical enquiry, please contact us on +44 (0) 1488 647 647

Author: Alex Claro – Solutions Architect Team Lead at Purdicom (CCNP, CWNA). To read this article and more by Alex on LinkedIn check here:  https://www.linkedin.com/in/alex-claro/detail/recent-activity/posts/