Virtual private networks (VPNs) have long been a trusted tool in securing network communication transmitted across the dark void that is the public internet. Whether this network communication is point-to-point, establishing a secured connection between two corporate offices, or simply client computers remotely connecting to the corporate network, VPNs can help secure this communication through both strong authentication and encryption.
Who needs an enterprise mobile VPN?
While VPNs have been around for decades, the infosec landscape has evolved over that time, bringing with it mobile devices, public wi-fi, and a host of new attack vectors for malicious users. VPNs continue to have a place in infosec, but the waters have muddied somewhat over the years.
At their most basic, VPNs provide the ability for computing devices not physically connected to the corporate network to securely gain access to network resources as if they were physically located at a corporate location. This secure connection involves authentication, where the end user or device confirms with the VPN server that they are who they claim to be.
This authentication process could be as simple as a username and password, or there could be more advanced authentication requirements including multi-factor authentication (MFA), use of a managed device, or even system health (update status, antimalware protection, etc.). The second aspect of a VPN is an encrypted connection, which prevents a malicious user who intercepts the network traffic from reading it, or from replaying the captured session to compromise the network.
It’s important to note the difference between consumer mobile VPNs and those built for the enterprise. Consumer VPNs have become popular as the public becomes aware of the dangers involved with using public wi-fi, as well as the amount of tracking data phone manufacturers, application developers, and service providers are able to glean from mobile devices. Consumer VPNs offer an increased level of privacy, and in many cases can protect you from the dangers of rogue access points and packet sniffers. Where enterprise VPNs differ is in their ability to provide connectivity to corporate resources that would otherwise be unavailable.
In a modern infosec strategy, corporate VPNs are likely only one component of your mobile device security infrastructure, and may not even be necessary for many businesses with technologies like web application firewalls (WAFs) and the security features they bring to the table. Integrating a VPN solution with mobile device management (MDM) and identity management (IDM) is an important step in maintaining a positive security outlook.
What makes an enterprise mobile VPN?
There are only a few features you need to look for in an enterprise mobile VPN solution. Ease of deployment and integration into existing infrastructure, management tools, and support are going to be key. For example, if you use Microsoft Active Directory to maintain your users and groups, you’ll probably want your VPN to be able to authenticate against Active Directory rather than having to manage users in two places.
Licensing is another key factor, as you may have existing hardware that supports operating as a VPN appliance, but the licensing costs associated with using that option may not be cost effective compared to alternatives.
One major feature you need to consider when shopping for a mobile VPN for your enterprise is its ability to handle different configurations, which are dependent on what you’re attempting to secure. The configuration choice often goes hand-in-hand with device ownership. If mobile devices are corporate-owned, more secure and sophisticated solutions are options, while if they are employee-owned you may be more limited in the level of security you can apply. Ideally the mobile VPN you select should be able to handle each of the following configurations:
- Standard VPN – All network traffic is passed through the corporate VPN server, allowing for monitoring of device usage, but potentially causing performance degradation for the mobile user. A standard VPN often requires the mobile user to manually establish the VPN connection prior to accessing corporate resources.
- On-demand VPN – The VPN connection is established automatically when a predefined corporate resource is accessed. This reduces load on the VPN server and improves performance for mobile users.
- Per-app VPN – Similar to on-demand VPN, but the per-app VPN is focused more on mobile applications than network resources. In this configuration apps used for things like corporate email or line-of-business apps can be configured to use the VPN connection.
- Always-on VPN – Some industries requiring a high level of security may require a VPN connection for all mobile device traffic. With an always-on VPN, the VPN connection is established automatically when the device starts and routes all network traffic through the corporate VPN server.
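To make the on-demand and per-app configurations above concrete, here is an added example (written for this page, not code from any vendor listed) that builds an Apple MDM configuration profile with Python's plistlib: an IKEv2 VPN payload whose on-demand rules stay disconnected on the corporate Wi-Fi and bring the tunnel up only for corporate domains elsewhere, an app-mapping payload that binds named apps to that tunnel, and a checker for two misconfigurations that silently leave traffic outside the tunnel. The hostname, SSID, bundle IDs, payload identifiers and UUIDs are constructed, and the certificate payload UUID is a placeholder.

```python
import plistlib
import uuid

VPN_UUID = str(uuid.uuid4())  # ties the per-app mapping to the VPN payload (constructed)
MATCH_KEYS = {"SSIDMatch", "DNSDomainMatch", "InterfaceTypeMatch", "URLStringProbe"}

def payload(ptype, ident, **keys):
    """Common MDM payload header; the remaining keys are payload-specific."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1, **keys}

def vpn_payload():
    """IKEv2 VPN with on-demand rules (PayloadType com.apple.vpn.managed)."""
    return payload(
        "com.apple.vpn.managed", "com.example.vpn.corp", UserDefinedName="Corp VPN (example)",
        VPNType="IKEv2", VPNUUID=VPN_UUID, OnDemandEnabled=1,
        IKEv2={"RemoteAddress": "vpn.example.com", "RemoteIdentifier": "vpn.example.com",
               "AuthenticationMethod": "Certificate",  # device certificate, not a shared secret
               "PayloadCertificateUUID": "CERT-PAYLOAD-UUID-PLACEHOLDER"},
        OnDemandRules=[
            {"Action": "Disconnect", "SSIDMatch": ["CorpWiFi"]},  # on corporate Wi-Fi: no tunnel
            # Elsewhere, connect only for corporate domains; no match keys = catch-all default rule.
            {"Action": "EvaluateConnection",
             "ActionParameters": [{"Domains": ["corp.example.com"],
                                   "DomainAction": "ConnectIfNeeded"}]}])

def app_mapping_payload(bundle_ids):
    """Per-app VPN: only the listed apps use the tunnel (com.apple.vpn.managed.appmapping)."""
    return payload("com.apple.vpn.managed.appmapping", "com.example.vpn.appmapping",
                   AppLayerVPNMapping=[{"Identifier": b, "VPNUUID": VPN_UUID} for b in bundle_ids])

def build_profile(bundle_ids):
    """Top-level profile; plistlib.dumps(profile) gives the .mobileconfig an MDM pushes."""
    return payload("Configuration", "com.example.profile.mobilevpn",
                   PayloadContent=[vpn_payload(), app_mapping_payload(bundle_ids)])

def check_profile(profile):
    """Flag mistakes that silently leave corporate traffic outside the tunnel."""
    problems, vpn_uuids, mappings = [], set(), []
    for p in plistlib.loads(plistlib.dumps(profile))["PayloadContent"]:  # must be plist-safe
        if p["PayloadType"] == "com.apple.vpn.managed":
            vpn_uuids.add(p.get("VPNUUID"))
            if (rules := p.get("OnDemandRules")) and MATCH_KEYS & set(rules[-1]):
                problems.append("last on-demand rule is not a catch-all default")
        elif p["PayloadType"] == "com.apple.vpn.managed.appmapping":
            mappings += p["AppLayerVPNMapping"]
    problems += [f"{m['Identifier']} maps to unknown VPNUUID" for m in mappings
                 if m["VPNUUID"] not in vpn_uuids]
    return problems
```

An always-on deployment would instead drop the on-demand rules and use the supervised-only AlwaysOn keys of the same VPN payload, which this example does not cover.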
Enterprise mobile VPN market leaders
Many familiar industry names offer mobile VPN solutions, though each comes with its own use cases and features. Matching up your business requirements and existing infrastructure to the ideal VPN solution is the crux of the decision.
Cisco AnyConnect Mobile
Cisco has been a leader in the world of networking since the dawn of time. Cisco offers their AnyConnect mobile VPN client for all manner of mobile devices including Android and iOS obviously, but also BlackBerry and Windows Phone if you still have those hanging around. Both the Android and iOS clients support per-app VPN and may be managed or enforced using MDM tools such as Samsung Knox (for Android devices running on Samsung hardware) and Microsoft Intune.
Citrix SSO
Citrix is another trusted name in the networking arena, and while Citrix SSO is more than just a mobile VPN solution, it does tackle the problem of providing access to corporate resources through a secure connection.
Citrix SSO is the mobile branch of Citrix Gateway, a comprehensive solution for providing remote access to applications, virtual desktops, and other corporate resources. Available for both iOS and Android devices, Citrix SSO supports all of the VPN configurations highlighted above and incorporates support for various authentication methods (TOTP, certificate, username/password) and management methods (Citrix Endpoint Management, Microsoft Intune).
SonicWall Mobile Connect and Secure Mobile Access
SonicWall offers both a traditional mobile VPN solution in SonicWall Mobile Connect, which offers remote access to on-premises corporate resources, and SonicWall Secure Mobile Access (SMA). SMA is a unified secure access gateway that provides advanced access control policies, app-level VPN, and advanced authentication options (integration with a SAML IdP for SSO, MFA, etc.).
OpenVPN
OpenVPN is a well-respected VPN solution based on open-source software. While it doesn’t offer the sophistication of other solutions in this list, it does provide traditional VPN access for mobile devices to corporate resources located either on-premises or in the cloud. Note that open-source in this case means free (as in speech) rather than free (as in beer). You will encounter licensing costs for your VPN server.
Pulse Secure Pulse Connect Secure
Pulse Secure may not be as established a brand as some of the others on this list, but in enterprise security circles it is no less trusted than any of them. Their VPN solution, Pulse Connect Secure, provides everything from SSO to security posture verification as part of the mobile VPN experience. When leveraged as part of Pulse Access Suite mobile, users can be allowed to connect based on device health, MDM enrollment, or even anomaly detection and context-aware authentication.
VMware AirWatch Tunnel
AirWatch is much more than a VPN solution, but VMware’s MDM offering incorporates VPN capabilities into a holistic enterprise mobile device strategy. Using VMware AirWatch Tunnel for always-on or per-app VPN connectivity into your corporate datacenter, you can secure mobile access to business applications or virtual desktops. AirWatch Tunnel can even be combined with VMware NSX, a network virtualization platform, to provide next-level traffic segregation.