Enterprise-class Virtual Private Networks (VPNs) can be delivered in the cloud or on premises. Their purpose is to make it easy for employees operating remotely from a variety of devices and Wi-Fi connections to securely access databases, sales systems, applications, and company files. By logging into the enterprise VPN from the web, a desktop, a laptop, or a mobile device, they gain access to an encrypted tunnel to the corporate network. The tunnel is typically established with Internet Protocol security (IPsec), the same protocol suite used for site-to-site links. In addition, IT managers can set rules and policies on who can access what from where.
Table of Contents
- VPN Use Cases
- VPN Vendor Selection
- Top VPN Vendors
There are a variety of use cases for VPNs. These include:
- Secure remote network access to cloud-based and on-premises resources
- Policy-based and segmented access to the network
- Shielding sensitive resources from the public Internet and offering a more seamless employee onboarding experience
- Access/authentication support for remote workers
- Secure site-to-site links, perhaps between HQ and branch offices or from branch to branch and partner to partner.
- Managing a network of distributed endpoints.
There are many features that should be reviewed in any VPN product or service candidate. Some of the key ones to look for during product selection include:
- Overall Security
IPsec tunneling protocols should be used to establish a secure connection between user devices and network resources, as soon as they log into the VPN client. This ensures that only authorized users and devices are approved to connect.
- Endpoint Encryption
Strong encryption support such as AES-256, 3DES-168, or next-gen encryption should always be included in any offering.
- Low-Latency Remote Work
Full access for remote workers includes the ability to connect rapidly from anywhere and at any time and share data securely. Latency must be kept to a minimum.
- Easy OS and Cloud Integration
Any enterprise VPN should be cloud-friendly and cloud-agnostic, meaning it can seamlessly integrate with the most popular products such as Salesforce, Amazon Web Services, Microsoft Azure, and Google applications, as well as having broad operating system support (Windows, Mac, Linux).
The best enterprise-class VPNs should be able to accommodate growing organizations at scale with a simple way to build a low-latency experience for remote workers. But not everyone needs support for thousands of users. The solution should be able to easily support the required number of users. Some VPNs are better for small groups, but costs spiral or performance drops when they are scaled upwards. Others are better for large numbers.
Support varies heavily from enterprise VPN to enterprise VPN and can add to the overall bill. Choose the amount of support you need at a price you can afford. For some, it is well worth it to pay for dedicated, 24/7 global customer support.
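The "who can access what from where" rules and the device-posture checks described above can be made concrete with a small default-deny policy evaluator. This is an added example, not code from the page or from any vendor listed here; the `Session`, `Rule` and `POLICY` names, the posture attributes and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Session:
    """Attributes a VPN/ZTNA broker knows about a connecting user (constructed)."""
    user: str
    groups: frozenset        # directory groups from SSO (Okta, Azure AD, LDAP ...)
    mfa_verified: bool       # second factor completed at login
    device_managed: bool     # enrolled device with the client agent present
    disk_encrypted: bool     # posture attribute reported by the client
    os_patched: bool         # posture attribute reported by the client
    source_country: str      # derived from the connecting IP address

@dataclass(frozen=True)
class Rule:
    """One access rule: which groups may reach a resource, under what conditions."""
    resource: str
    allowed_groups: frozenset
    require_managed: bool = True
    allowed_countries: frozenset = frozenset()   # empty means any location

# Constructed policy for this example (not any vendor's default).
POLICY = [
    Rule("sales-db", frozenset({"sales"}), allowed_countries=frozenset({"US", "CA"})),
    Rule("hr-files", frozenset({"hr"})),
    Rule("wiki", frozenset({"staff"}), require_managed=False),
]

def posture_ok(s: Session) -> bool:
    """Device compliance: managed, encrypted and patched."""
    return s.device_managed and s.disk_encrypted and s.os_patched

def evaluate(s: Session, resource: str) -> tuple:
    """Return (decision, reason). Deny by default; a matching rule must pass every check."""
    if not s.mfa_verified:
        return ("deny", "mfa required")
    for rule in POLICY:
        if rule.resource != resource:
            continue
        if not (s.groups & rule.allowed_groups):
            return ("deny", "user not in an allowed group")
        if rule.allowed_countries and s.source_country not in rule.allowed_countries:
            return ("deny", "source location not permitted")
        if rule.require_managed and not posture_ok(s):
            return ("deny", "device posture non-compliant")
        return ("allow", "matched rule for " + resource)
    return ("deny", "no rule for resource")

def reevaluate(s: Session, resource: str, changed: dict) -> tuple:
    """Re-run the policy when the client reports a posture change mid-session,
    so a violation (e.g. disk encryption switched off) revokes access at once."""
    return evaluate(replace(s, **changed), resource)
```

The `reevaluate` path is what "stateful posture validation" amounts to: the same policy is applied again on every posture update rather than only at login.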
Perimeter 81 Enterprise VPN
Perimeter 81 provides several VPN packages. The Enterprise package is customizable and equipped with enterprise-ready security features to manage the network. It is available on-site and in the cloud. It offers zero-trust, agentless access, as well as activity audits and reports to monitor logins, gateway deployments, and app connections. Unlike traditional VPN service providers, which only offer secure remote access through an agent, Perimeter 81 also offers agentless Zero Trust Application Access. This enables granular, secure and policy-based access. All corporate users are provided with 24/7 customer support via in-app chat, email, or phone, while a dedicated solution architect assists with all your account’s needs.
- Apps exist for all the major platforms (Mac, Windows, Android, and iOS)
- Automatic Wi-Fi security to protect employees' devices when connecting to unsecured public Wi-Fi
- Multi-factor authentication ensures their identity
- Single sign-on capabilities are provided via Okta, GSuite, Azure AD, and Active Directory LDAP
- Zero-trust, agentless access
- Activity audits and reports to monitor logins, gateway deployments, and app connections
- DNS filtering blocks users from accessing specific websites, site categories, and IP addresses with a web browser
- Security information and event management (SIEM) integration enables capturing, retaining, and delivering security information and events in real time
- Policy-based access to RDP, HTTPS/HTTP, SSH and VNC applications.
Fortinet FortiClient contains a VPN agent, as well as other security features, including soon-to-be-released Zero Trust Network Access (ZTNA) for even stronger security in VPN deployments. All levels of FortiClient provide the elements necessary for Fortinet's Zero Trust Access solution, such as secure remote access (through either VPN or ZTNA), telemetry, URL control, and device risk assessment.
- The SASE edition of FortiClient (premier edition) enables endpoints to connect into Fortinet's SASE service for remote users, FortiSASE SIA
- Integrates into an ecosystem of security with Fortinet’s Security Fabric, with integrations to share information and security responses with products such as firewalls, sandbox, NAC, EDR, SASE, and SIEM to enable a higher level of protection and security
- By using certificates instead of additional token generators or code calculators, FortiClient can be integrated and deployed quickly.
Cisco AnyConnect Secure Mobility Client provides remote workers with secure access to the enterprise network from any device while protecting the organization. It connects more than 180 million endpoints and serves 60,000 organizations. It offers simplified deployment, configuration, updates, and management with one agent for VPN, device compliance, web content inspection, threat detection and remediation, and contextual behavior data. Cisco AnyConnect can enable the distribution of Cisco Secure Endpoint to remote users to detect and stop threats.
- As users access the web, their connection is directed through a filter for web threats
- End-to-end encryption including data-in-motion
- Client authentication credentials apply specific web usage policies and security that can vary based on the location the user is connecting from
- Integration with Cisco Identity Services Engine and HostScan technologies
- Insight into user behavior and network and application access (e.g., non-approved app access, app use, and granular access control)
- AnyConnect is a VPN agent with a range of access features, from very basic VPN access to Cisco IOS-based head-ends to more sophisticated policy-driven access to Cisco Secure Firewall ASAs
- AnyConnect provides endpoint posture checks across wired, wireless, and VPN networks when combined with Cisco Identity Services Engine
- AnyConnect has a range of access control capabilities, such as validating users and devices in a single transaction when used in conjunction with Cisco wired and wireless infrastructure and Cisco Identity Services Engine
- AnyConnect integrates with the Umbrella cloud for DNS security and Secure Web Gateway (SWG) content.
Pulse Connect Secure (acquired by Ivanti) protects remote and mobile enterprise access, enabling zero trust secure access from any device to applications and services in the cloud and data center. It delivers fast, secure access to applications and services with client and clientless support for desktop, laptops, tablets, and smartphones. Features include certificate-based authentication with an embedded certificate authority and integrated endpoint container. Support for SAML authentication allows enterprises to blend data center and cloud resources. It has a centralized web-based console, provides end-user self-provisioning, and integrates with policy management platforms.
- Not running the VPN and firewall in the same appliance has scalability benefits and avoids a single point of failure in the network
- Unlike mobile gateway solutions, Pulse Connect Secure provides an access solution spanning across desktops, laptops, and mobile devices that consolidates compliance enforcement
- Stateful posture validation continuously monitors the endpoint throughout the session lifetime and any compliance violations are addressed by immediately restricting access
- Pulse Connect Secure can be deployed as a hardware or virtual appliance
- Intelligent, dynamic, multi-factor authentication based on numerous user attributes
- Clientless Access – Access web applications and virtual desktops with nothing to install
- Integrates with directory services like Active Directory and LDAP, and supports MFA, SAML 2.0, PKI, IAM, and digital certificates.
NordVPN Teams is the enterprise version of a well-known consumer and individual VPN product. It is easy to use and fits organizations of all sizes. Each organization using this service gets dedicated VPN servers on premises and a dedicated IP address for every VPN account. Third-party authentication is available via Okta, GSuite, SAML, Azure AD, and OneLogin. It supports Windows, Android, Mac, Linux, and iOS clients.
- A network spanning thousands of servers in dozens of countries
- Simple and centralized billing
- AES 256-bit encryption
- If a connection drops for even a second, the kill switch cuts off all internet traffic on the device, ensuring no information gets exposed online
- Third-party logins from Azure AD, Google, and Okta can be used to log into NordVPN Teams.
AccessAnywhere focuses on the corporate-office VPN connectivity needs of small and mid-sized enterprises. It gives mobile employees access to the information they need no matter where they are by connecting a cloud server to the corporate network, as well as hooking up remote VoIP phones to the head office PBX, syncing domain controllers across distant offices, and providing remote access to partner resources.
- Directly access shared folders and files on office computers or NAS storage servers
- Allows employees to work directly on Microsoft Office and other file types as well as databases as if they were on a local network
- Network drive mappings created in the office work without change when connected to the VPN
- Share files, such as ACT! or QuickBooks files, simultaneously with other remote users without locking up an office desktop
- Encrypts all traffic through the VPN tunnel
- No need to purchase equipment, hire staff, or manage software.
Twingate positions itself as an easy way for IT departments to get rid of aging, internally managed VPN equipment and hand it over to an external provider that can rapidly implement a modern zero trust network in the cloud. IT teams can use it to configure a software-defined perimeter without changing infrastructure, and centrally manage user access to internal apps, whether they are on-premises or in the cloud.
- Zero trust architecture
- Delivered as a cloud-based service
- Can scale from 10 to 10,000 users
- Deploys in minutes
- Split tunneling reduces the network burden
- Intelligent routing eliminates backhauling
- ViPR technology in smart clients handles authorization and routing decisions on devices
- Load balancing, redundancy, and scaling managed by the provider.
ExpressVPN is a virtual private network service that encrypts users’ web traffic and masks IP addresses. It is best for organizations that need to support a relatively small or changing group of users with fast service and a good VPN. It lacks the bells and whistles of other VPNs but is very fast to set up and easy to manage.
- Specific VPN apps available for Windows, Linux, Mac, iOS, Android, and other endpoints
- VPN extensions for leading browsers
- IT can have individual users set up the connection rapidly in emergencies
- 256-bit encryption.