What is a VPN Concentrator

Introduction to VPN Concentrators

Security is a common concern for businesses with multiple geographical locations. Working from home was already becoming more popular, and now that the modern-day environment is forcing companies to work from home to stay afloat, the issue is amplified. Whether it is medical information, financial information, or other proprietary information that needs to traverse the network highways, getting that data from point A to point B safely is the task of today’s IT groups. Virtual Private Networks (VPNs), which encrypt data for transport, have existed for almost 25 years, but with more users and more data needing that encryption, VPN Concentrators are needed to manage the flow of users and data encryption for an organization.

VPN Concentrator

A VPN Concentrator is a dedicated piece of hardware that secures the VPN by managing the flow of data from users, who may be in random locations and on random hotspots, as they access and exchange data with their organization’s systems. The following flow would be a typical VPN concentrator setup:

VPN Concentrators are sometimes referred to as advanced VPN routers. While the function of a VPN Concentrator can be handled by software, that depends on the CPU’s ability to handle the load, as it is resource intensive. The concentrator creates and manages VPN tunnels (or multiple tunnels within a network) in a centralized fashion that will hold and protect the data from the source to the destination. This tunnel essentially provides an armor plate covering the data as it moves from one destination to another. Concentrators also authenticate users, encrypt and decrypt data, and assign IP addresses. This piece of hardware is placed just outside of the organization’s system and controls both the inputs and outputs of information, assigning cryptographic keys to each user.

The VPN Concentrator will generate a secure tunnel so that the user can receive any information flowing through it. Many applications will generate this tunnel as soon as the application is opened to securely transport data. Without this security, an organization exposes itself not only to unauthorized individuals accessing the data, but also to malware being inserted into the data.

One distinct value of the VPN Concentrator is its ability to manage multiple users. Concentrators can handle 10,000 users easily regardless of where the users are located. Each user’s data is encrypted going in and out of the company database or system, allowing for total security in the transfer process. Letting this separate piece of hardware manage the process keeps the servers from getting bottlenecked trying to manage and encrypt multiple streams of data in large organizations.

Many VPN Concentrators also come with strong firewalls in addition to the encryption, the ability to create tunnels, and assign tunnels to remote users.

Big or Small Companies

Certainly, the scale of functionality of VPN Concentrators makes them a must for large organizations with remote employees. The ability to ensure the security of data easily for 10,000 users will cover many organizations. But what about smaller businesses? Smaller businesses, even if lacking the funding of a large business, can still take advantage of the benefits of VPN Concentrators by utilizing alternative methods instead of a piece of hardware, and they should. There are standard Windows Routing options, which move packets of data from the original source to the destination via the Microsoft Windows platform. There is also Remote Access functionality that a small business may use to access its organization from home. The issue with these methods is that they leave the domain controller, charged with authenticating users, open to the internet. This generates a security risk if someone comes upon the IP address and attempts to get past a password or minimal security. This could spell disaster for a small business, but thankfully, the options for VPN Concentrators are vast. VPN Concentrators are, however, more expensive than a VPN browser, so one might not be the best option for a small business, and certainly is not needed for a home network.

What are the VPN Concentrator Options?

There are multiple options available that are dependent upon the needs of the users. For example:

  • Are the users working from their homes?
  • Are the users regularly in different locations, such as a traveling salesperson?
  • Are they in a building where IPsec is blocked from passing through the firewall, as many hotspots are set up to do?
  • Is there a need for scalability?
  • Is there a need to coordinate data with a third party as well?

VPN Concentrator Alternatives

Based on your company’s needs, there are multiple ways to deploy functionality similar to that of a VPN concentrator. Let’s look at a few of these.

VPN Router

Some VPN Routers can tunnel, but it is important to consider what kinds of applications you will be using as well as what kind of access you will need. These may be less expensive, but VPN Concentrators are built to be much more flexible and robust than the routers. Routers require configuring clients’ remote devices individually. Depending on the number of employees, the cost could quickly outweigh the benefit with this alternative.

Site to Site VPN

This option is most valuable if you only need to connect two to three sites together and do not need to deal with other remote connections. However, the tunneling protocols are set up to specific databases and locations. If there is a need for remote access, then VPN Concentrators are a better option.

Remote Desktop Software

These also create a secure connection between the source and the company. These connections would be targeted either within the organizational facility or on an exceedingly small scale. This is not an option for medium to large organizations that need to handle remote access.

Types of VPN Concentrator Encryption Protocol

IPsec Encryption

Internet Protocol Security (IPsec) is commonly used. It is extremely secure and effective; however, clients need software configured on their device to connect to the VPN, though this also provides additional options. The access is comparable to being connected locally and works best when connecting to the VPN from a permanent location such as a primary office or your home. This connection is best used to connect headquarters to branch offices.

SSL Encryption

Secure Sockets Layer (SSL) is another type of encryption, one that most browsers include. It uses Transmission Control Protocol (TCP) port 443, which most browsers use. This option allows users to forgo individual software configuration. This gives users additional freedom to connect from any remote location; however, they are restricted to accessing web-based systems.

VPN Concentrator Options

When dealing with these VPN Concentrator options, there are other items to consider, such as what a Wi-Fi hotspot will allow. Some might totally block all IPsec traffic. Therefore, there are a couple of methods to transport the encrypted data.

Transport Mode: This method wraps the encrypted data in a header and trailer and allows the data to reach the remote site.

Tunnel Mode: This even more advanced method will encrypt the header and footer but adds an additional IP header to the front of the data packet. This extra feature prevents anyone intercepting the packet from knowing where it is headed.
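The difference between the two modes shows up in what an interceptor can read from a captured packet. The following added example (not from the original article) builds both ESP layouts for one constructed packet; the addresses, keys, function names and the SHA-256 keystream standing in for the negotiated cipher are all assumptions for illustration.

```python
import hashlib, hmac, socket, struct

ESP = 50  # IP protocol number for ESP (RFC 4303)

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header plus payload (checksum left at 0 to keep the sketch short)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def stand_in_cipher(key, seq, data):
    """SHA-256 keystream XOR: a placeholder for the negotiated ESP cipher, not real crypto."""
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + struct.pack("!II", seq, block)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(spi, seq, enc_key, auth_key, inner, next_header):
    """ESP layout: SPI | sequence | encrypted(inner + padding + trailer) | ICV."""
    pad = -(len(inner) + 2) % 4                      # align the trailer to 4 bytes
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_header])
    header = struct.pack("!II", spi, seq)
    body = stand_in_cipher(enc_key, seq, inner + trailer)
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:16]
    return header + body + icv

def transport_mode(pkt, sa):
    """Keep the original IP header; encrypt only what follows it."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return ipv4(src, dst, ESP, esp(*sa, pkt[20:], pkt[9]))

def tunnel_mode(pkt, sa, gw_src, gw_dst):
    """Encrypt the whole original packet and prepend a new outer IP header."""
    return ipv4(gw_src, gw_dst, ESP, esp(*sa, pkt, 4))  # 4 = IPv4-in-IPv4

def observer_view(wire):
    """Fields readable on the wire without the keys."""
    spi, seq = struct.unpack("!II", wire[20:28])
    return {"src": socket.inet_ntoa(wire[12:16]), "dst": socket.inet_ntoa(wire[16:20]),
            "proto": wire[9], "spi": spi, "seq": seq}

# Constructed sample: a remote client talking to an internal server.
SEGMENT = struct.pack("!HH", 51000, 443) + bytes(16) + b"constructed app data"
ORIGINAL = ipv4("10.8.0.5", "192.168.10.20", 6, SEGMENT)
SA = (0x1001, 1, b"E" * 32, b"A" * 32)  # SPI, sequence number, constructed keys
TRANSPORT = transport_mode(ORIGINAL, SA)
TUNNEL = tunnel_mode(ORIGINAL, SA, "203.0.113.7", "198.51.100.1")

if __name__ == "__main__":
    print("transport:", observer_view(TRANSPORT), len(TRANSPORT), "bytes")
    print("tunnel:   ", observer_view(TUNNEL), len(TUNNEL), "bytes")
```

In transport mode the capture still shows the internal server address; in tunnel mode it shows only the two gateway addresses, at the cost of 20 extra bytes for the outer header.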

Does a Concentrator Impact Performance?

VPN Concentrators are quite efficient. Their hardware components are designed to take the load off the CPU, making them extremely effective and productive. We mentioned earlier the ability to easily handle 10,000 users. They are known for their strong performance and output. They use modules called Scalable Encryption Processing (SEP) to manage the encryption process without diminishing performance. They have become essential to both small and large business operations for controlling data security. The only scenario where performance will decrease is when software or Windows-based options are used for too many users, thus overtasking the machine.

Best VPN Concentrators

There are multiple VPN Concentrator manufacturers in this space. The number of VPN tunnels and the efficiency impact the price. A couple of the top models are the Cisco Meraki and ShoreTel.

Cisco Meraki: The Cisco Meraki can be set up as a VPN Router or as a VPN Concentrator. There is built-in redundancy to protect packets in the event of failure. Price Range: $8,000-$12,000.

ShoreTel: This model will connect remote IP phones to the system. Once connected, it provides an extremely secure work environment. There is minimal configuration. The ShoreTel phone is connected to a broadband router and functions comparably to a local connection. There is a limitation on simultaneous connections, with the 4500 model supporting 10 and the 5300 model supporting 100. It also needs a DSL, cable or fiber connection. Price Range: $1,200-$3,000.

Summary

It is important to understand exactly what your needs are as an organization before determining the best VPN Concentrator functionality to employ. We have briefly covered several different options, and each of them carries pros and cons in terms of complexity, limitations, price point, and security. The time spent investigating and implementing is worth it when compared to having to explain how all your customers’ Social Security numbers ended up getting hacked. A fully implemented VPN Concentrator will give you complete security peace of mind.