November 2001
InstantVPN
Version 1.5
by Berni Dwan
FOR
You can maintain complete control of policies and network settings without installing or managing policy servers, certificates or public key infrastructure.
AGAINST
Nothing.
VERDICT
Imperito's virtual private network (VPN) solution removes complexity and reduces the time of deploying a VPN service into a corporate infrastructure.

No bulky cling-wrapped box, no fat user manual, no CDs, InstantVPN is a subscription-based managed VPN service set up entirely through the web. Utilizing InstantVPN requires no hardware, software, networking or security expertise. You simply follow the instructions on Imperito's web site to install the gateway, client and VPN. I have never come across a VPN system like this before, and I must say, having navigated the installation and set-up with an Imperito engineer over the telephone, I am very impressed.

IT administrators can set up gateways quickly, issue clients and create isolated VPNs for specific user groups, and manage their entire remote network via InstantVPN's intuitive web-based management console. If you have any special requirements or unusual set-ups, they may be accommodated online with an engineer, and the tiny user manual, which you can download, consists of a list of clear-cut instructions. If ever you were apprehensive about establishing a VPN on your network, assuming that the trouble outweighed the security benefits, then InstantVPN, and it really is instant, is a viable option for you. All required configuration and policy databases, including the public key infrastructure, are outsourced to Imperito's InstantVPN data center for faster deployment and easier administration.

The first stage consists of creating gateways and clients, and then creating VPNs and adding members to them. Remember, this is all done through the intuitive screens on the VPN web site. You simply create gateway names and enter the IP range that the gateway will issue to remote access clients. Then, follow the downloading instructions sent to the gateway device. Having created the gateway, the policy server will immediately send you an email message containing a unique, one-time link from which the gateway software may be downloaded, as well as (optionally) a password that will be needed to activate the gateway.

When the gateway is set up and the clients designated, an email is sent directly to the users. When they open it, the client software automatically downloads to the desktop along with a digital certificate for user authentication. There is no configuration required. The user only needs to reboot the computer before initiating a VPN session. Henceforth, every time users start their InstantVPN Client software, they will be presented with a list of all the gateways belonging to that VPN. Then it is merely a matter of them highlighting the gateway to be connected to, clicking connect, and the network resources protected by that gateway can be accessed securely, just as if they were on the same local network as those resources.

The second stage consists of actually installing the gateway software on your server, which must be a Windows NT or Windows 2000 server. This is a trivial affair and once the machine is rebooted, the VPN gateway runs as a service.

InstantVPN utilizes industry-standard security including IPsec, PKI, IKE and triple-DES, and the policy server enforces whatever level of IPsec security you choose. Imperito Networks recommends that you choose high security for all your VPNs. If a gateway and a client belong to two different VPNs, they will be forced to adhere to the strictest security level defined for the two VPNs. You are also given the option to restrict the times when members of a VPN can connect, according to dates, days of the week, and time of day. It is important to realize that once a user is authenticated, data does not go to the Imperito Networks data center. Encrypted data flows point-to-point over the Internet and the Imperito servers are present only for authentication and account/policy/certificate management.

Each network you have will require an InstantVPN gateway installation, and the InstantVPN gateway needs to have a static IP address from within the participating network. The gateway will enable a secure IPsec connection between the resources on that network and the remote users needing access to these resources via the use of their InstantVPN client. Each participating network must assign a free, contiguous range of addresses because when a remote InstantVPN client connects, the InstantVPN gateway securing the remote client connection dynamically assigns a unique IP address for that client session. Once the client disconnects, that address is released back to the pool. Hence, the size of the address pool has to correlate with the number of anticipated remote concurrent logins.

Regarding your particular network topology there are some considerations to be borne in mind; nothing convoluted though, just the type of things any network administrator would expect. For instance, firewalls and/or routers may need some configuration in order to allow the creation of IPsec tunnels between the InstantVPN gateway and the clients. Bearing in mind that many networks use private, local IP addresses (such as 10.x.x.x or 192.168.x.x), and have a device that performs address translation, an InstantVPN gateway installed on a private network requires a static network address translation (NAT). So a public, routable IP address needs to be set aside to be used by the device performing the NAT when translating traffic to and from the InstantVPN gateway.
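The address-pool and NAT requirements in the two paragraphs above can be checked before a gateway is created. The sketch below is an added example, not Imperito's code: `SessionPool`, `check_plan` and every address in it are hypothetical, constructed for illustration. It models the lease-per-session pool and flags an undersized pool, a pool that overlaps the gateway's static address, and a gateway on a private address that will need static NAT.

```python
import ipaddress

# Private ranges (RFC 1918), as in the article's 10.x.x.x / 192.168.x.x examples.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class SessionPool:
    """Contiguous address range; one address is leased per client session."""
    def __init__(self, first, last):
        self.first, self.last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if self.first > self.last:
            raise ValueError("pool start is after pool end")
        self.free = [ipaddress.ip_address(i) for i in range(int(self.first), int(self.last) + 1)]
        self.leased = {}  # client name -> address held for the current session

    def connect(self, client):
        if client in self.leased:
            return self.leased[client]
        if not self.free:
            return None  # pool exhausted: this concurrent login cannot be served
        self.leased[client] = self.free.pop(0)
        return self.leased[client]

    def disconnect(self, client):
        addr = self.leased.pop(client, None)
        if addr is not None:
            self.free.append(addr)  # released back to the pool

def check_plan(network, gateway_ip, pool, concurrent_logins):
    """Return findings for a gateway address plan (empty list = nothing to fix)."""
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway_ip)
    findings = []
    if gw not in net:
        findings.append("gateway address is outside the participating network")
    if pool.first not in net or pool.last not in net:
        findings.append("pool is not entirely inside the participating network")
    if pool.first <= gw <= pool.last:
        findings.append("pool overlaps the gateway's static address")
    size = int(pool.last) - int(pool.first) + 1
    if size < concurrent_logins:
        findings.append(f"pool has {size} addresses, {concurrent_logins} concurrent logins expected")
    if any(gw in n for n in RFC1918):
        findings.append("gateway is on a private address: static NAT to a public address required")
    return findings

if __name__ == "__main__":
    # Constructed sample plan: four-address pool, six anticipated concurrent logins.
    pool = SessionPool("192.168.10.200", "192.168.10.203")
    print(check_plan("192.168.10.0/24", "192.168.10.5", pool, 6))
```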

VPNs, gateways, clients, log files and account information may all be accessed via the web-based management console. Here you can add, edit or delete VPNs, gateways and clients, view traffic or alert logs and check or edit your account information. There are some excellent features incorporated into the management console that greatly simplify the administration of a VPN. These include batch import of names to enable bulk issuance of VPN clients, the ability to deploy or turn off a client instantly in real-time, control VPN access by client, time and location, and single-click suspension of VPN availability. The main thing is you can manage your VPN from anywhere, and at any time, as the management console is accessed via a web-based interface. All you need is a web browser and an Internet connection.
 

Contact Information:
  
InstantVPN
Version 1.5

North America
Supplier: Imperito Networks, Inc.
Price: from $995 (10 users/concurrent tunnels)
Contact: (408) 450-6200
info@imperito.com
www.imperito.com

UK/Europe
Supplier: Imperito Networks
Price: from £675 (10 users/concurrent tunnels)
Contact: +1 877 596 4876
info@imperito.com
www.imperito.com
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.