Remote Access Apps for All
The traditional remote-access marketplace has evolved into four different solutions that can provide secure connectivity. The four solutions include two different types of virtual private networks (VPNs) and two different types of shared computing (terminal services and what we'll call "Web-based remote access").
|More Tech Trends on CIO Update|
Three Steps to Greater Value
Misconception No. 2: Believing the Hype of Technology and Tools
Is Vista The Last of Windows?
To Build or Buy? That is No Longer The Question - Part I
The first and most prevalent type of VPN made use of secure Internet protocol (IPSec) connections between remote users and their corporate headquarters. Leading vendors in this area include Cisco, Juniper, and Checkpoint Software.
They allow remote users, once properly authenticated, to appear to be on their local headquarters networks and have the same types of access that they would have if they were plugged into the local Ethernet in the office wall, albeit at a much slower connection.
IPSec networks are cumbersome to configure and require an expensive VPN gateway to handle inbound calls. They require the IT staff to touch each remote user's PC and configure the special client software used for the connection.
The most secure VPNs are often only the result of a great amount of work, routine maintenance, and vigilance on the part of IT administrators that need to balance the configurations of the VPN with corporate firewalls and placement of secured servers on appropriate network segments.
In addition, all enterprise applications must be installed on the remote PC too. This means that IPSec connections aren't possible from PCs that aren't managed by the IT department, such as those used at Internet cafes.
Because every application is running over the remote link, applications can perform poorly and in some cases have problems dealing with the longer network latencies of the VPN connection. The VPN by itself can't deal well with poorly maintained remote PCs that could infect a corporate network with spyware or viruses, since the remote PC is connected as a full-fledged local entity.
Many IPSec VPNs are used for office-to-office connections, rather than single user access, and these are somewhat easier to configure (since the two or more VPN gateways are configured for network-to-network connections).
A newer and more flexible type of VPN is one based on secure sockets layer (SSL) connections. Leading vendors in this area include Juniper, F5 Networks and Aventail.
SSLs don't require any client software outside of a Web browser, so they are useful for times when users find themselves at Internet cafes or on other public computers that are out of the reach of the IT department.
However, the SSLs suffer from disadvantages. They can be difficult to configure for particular Web-based applications such as Outlook Web Access, and are designed to work with Windows and Internet Explorer and not many other combinations of operating system and browsers.
They also suffer from an insecure endpoint like their IPSec cousins, although many SSL VPN vendors are adding endpoint security routines to help tighten things down. Every SSL VPN comes with special "network extension" client software that is typically downloaded on the fly when a user first connects to a VPN gateway.
This software must be used when a remote PC wants to become a full participant on an enterprise network and will require some additional configuration.Terminal Servers
A different twist on remote computing is found with terminal server products, which can sometimes be used in conjunction with one of the VPN solutions. Leading vendors in this area include Microsoft, SSH Communications (limited to text-only applications), and Citrix.
Here a computer runs a special operating system that turns a Windows PC into a multi-user environment. Remote users are just sent screen images and keyboard commands, cutting down on the amount of data that needs to be transmitted across a slower-speed link.
The terminal server solution makes for a more secure endpoint, since an infected remote PC also doesn't appear on the enterprise network and no actual data files are moved over the link. And enterprise applications do not need to be installed on the remote PC. However, these solutions can be expensive to deploy and maintain.
"Web-based Remote Access"
The last solution we'll call "Web-based remote access," (WBRA) and this involves using a remote-control application from leading vendors such as LogMeIn and Citirx/GoToMyPC to send screen images and keyboard commands across the link, just like terminal servers.
The difference is that instead of connecting into a central server, the remote access users are doing one-to-one connections to a specific desktop computer that is running the host version. All that is needed on the remote end is a browser, just like the SSL VPNs.
Unlike the other three solutions, Web-based remote access is fairly easy to setup and doesn't require much if any IT support. They maintain end-point security just like the terminal servers, because no data files (or viruses or other infections) are moved across the remote link.
Finally, Web-based remote access products can cost significantly less than the other three solutions because there is no dedicated concentrator or gateway hardware involved.
The downside to the Web-based remote access is they are one-to-one solutions, so each remote user must be connecting to a target host PC on the enterprise network, and this host PC must not be turned off when the user is away from their desk.
Some corporate IT policies prohibit desktops from always being powered on. However, having a "second" PC back in the office could be more cost effective than buying a VPN concentrator and related software, especially when the support costs of having a VPN are included.
Which remote access solution you ultimately choose will depend on a lot of factorscost, convenience, and support levels required. For some companies, a mixture of approaches might be best.