Columbitech Wireless VPN enables secure mobility

Product name: Columbitech Wireless VPN
Company name: Columbitech
Price: From $7500 for VPN server and 25 Clients
Server platforms: Windows NT4, 2000, or 2003
Client platforms: Windows 2000/XP and Pocket PC 2002 (EUU2)

Bottom line: Stay connected securely, even when roaming between wireless networks

In a nutshell: Uses wireless TLS (WTLS) to secure, compress, and control the flow of mobile data sent over wireless WANs and LANs, without disruption.

Pros:

  • Smooths out secure roaming "speed bumps" with minimal or no user interaction
  • Robust security options, including AES encryption and strong/token authentication
  • Automates login using Win32 GINA and access rules for logging into web portals

Cons:

  • VPN clients available for recent Windows versions, but not other mobile devices
  • VPN server platform must be sized carefully, particularly for high-speed WLAN
  • Network access rules are invaluable, but rather complex for end users to configure

Description:

    Today, many laptops and PDAs have multiple adapters, ranging from dial-up and 3G WANs to Ethernet and Wi-Fi LANs. These are often used with VPNs to protect confidential data over public networks. Unfortunately, many VPN tunnels break when a device roams from one network to another, cutting productivity and causing frustration. Products like Columbitech's Wireless VPN (WVPN) help by letting applications connect securely over the best available network and then stay connected when roaming.

    Columbitech's WVPN server software runs on a dedicated Windows server, located just inside your network's firewall. An optional Gatekeeper server can be placed in your DMZ to authenticate tunnels, balance load, and provide fail-over in larger installations with multiple servers. Together, these servers are responsible for permitting encrypted access by authorized users, authenticated by your existing CA, ACE, or RADIUS server. WVPN server configuration identifies authentication and data protection requirements (e.g., 128-bit AES encryption, 160-bit SHA integrity, 1024-bit RSA key exchange).

    Columbitech's WVPN client runs on Windows 2000/XP laptops and Pocket PCs. After installation, WVPN tries to keep a WTLS tunnel connected to your WVPN Server at all times by using available adapters, prioritized by profiles. For example, I configured WVPN to prefer Ethernet over Wi-Fi, connected via Ethernet, and launched a large file transfer. When I pulled the plug on Ethernet, WVPN kept FTP going over Wi-Fi, reverting without disruption when Ethernet was reconnected. In fact, I could remain completely disconnected for well over a minute without losing my FTP session.

    In principle, no interaction is required -- WVPN supports seamless network roaming, doing the dirty work associated with renewing addresses, managing pending data, etc. In practice, there are some caveats. There's a little roaming "pause" that's hardly noticeable during FTP but visible with an interactive application like Telnet. WVPN can be configured to automatically launch dial-up as needed, but mobile devices aren't usually tethered 24/7 to a phone line and WVPN is a bit unresponsive while retrying failed calls.

    Another caveat relates to interactive login. The Win32 (but not PPC) client can use your Windows username/password/domain to transparently log you into WVPN. However, if your server requires two-factor SecurID authentication, you can't skip logging in (at least initially). More secure, but less transparent.

    Next, when roaming onto a network that requires interactive authentication, you must get around WVPN to complete login before launching the tunnel. To facilitate this, WVPN can be configured with Network Access rules that get an HTTP login page, submit forms input, and watch for "success" before launching the tunnel. This is handy when using the same network over and over, but what about travelers who visit many hotspots and hospitality LANs? By defining rules for any destination address and/or port, you can manually interact with login portals.

    Network access rules can be mandatory (always available) or optional (available only when WVPN can't connect). Keep your network access rules as narrow as possible, because they essentially punch a small hole through the "personal firewall" that WVPN creates on your device. All other traffic goes in and out through the WVPN tunnel. This prevents eavesdropping in transit and allows your company to filter traffic once data reaches the WVPN Server.
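    The advice above to keep network access rules narrow can be checked mechanically. The following is an added example, not Columbitech code or its rule format: the `AccessRule` model, the `max_hosts` threshold, and the sample rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessRule:          # hypothetical model, not Columbitech's rule format
    name: str
    dest: str              # CIDR/host, or "any"
    port: Optional[int]    # None means any port
    mode: str              # "mandatory" (always on) or "optional" (only while the tunnel is down)

def exposed_hosts(rule):
    """Number of IPv4 addresses the rule lets traffic reach outside the tunnel."""
    if rule.dest == "any":
        return 2 ** 32
    return ipaddress.ip_network(rule.dest, strict=False).num_addresses

def audit(rules, max_hosts=256):
    """Return (rule name, severity, reason) for every rule wider than it needs to be."""
    findings = []
    for r in rules:
        reasons = []
        hosts = exposed_hosts(r)
        if hosts > max_hosts:
            reasons.append(f"destination covers {hosts} addresses")
        if r.port is None:
            reasons.append("any port")
        if not reasons:
            continue
        # A mandatory rule is a permanent hole; an optional one opens only
        # when the tunnel cannot connect.
        if len(reasons) == 2 or r.mode == "mandatory":
            severity = "high"
        else:
            severity = "medium"
        findings.append((r.name, severity, "; ".join(reasons)))
    return findings

# Constructed sample rules (addresses are from documentation ranges).
RULES = [
    AccessRule("hotel-portal", "192.0.2.10/32", 443, "optional"),
    AccessRule("any-web-login", "any", 80, "optional"),
    AccessRule("corp-hotspot", "198.51.100.0/24", None, "mandatory"),
    AccessRule("catch-all", "any", None, "optional"),
]

if __name__ == "__main__":
    for name, severity, reason in audit(RULES):
        print(f"{severity:6} {name}: {reason}")
```

    The single-host portal rule passes; the rules that match any destination or any port are reported, with mandatory rules rated higher because they stay open even while the tunnel is up.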

    Overall, WVPN worked as advertised on my WinXP laptop and Jornada PPC. I'd prefer to have central control over network access rules, but otherwise found the WVPN Client easy to use and unobtrusive. Due to infrastructure requirements, Columbitech WVPN isn't for individuals. But if you're a network admin who's grown tired of hearing mobile workers cry about VPN roaming pain, check out Columbitech WVPN.

    About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.

This was first published in December 2003
