Virtual Private Network (VPN): Features for State-of-the-art Remote Access

Everything a Remote Access VPN needs

A remote access VPN solution is only as good as the overall performance of all client and server components. However, technical aspects are not only important in measuring performance. A state-of-the-art remote access VPN must meet the requirements of all stakeholders – users, administrators, security officers, investors, and managers. Modern solutions therefore focus on the following aspects:

Technology

Mobile Broadband Support

5G currently enables the highest transmission rates in mobile data networks. The virtual COM ports used by Windows 10 become bottlenecks during 5G data transmission. Communication via the Windows Mobile Broadband Interface, on the other hand, guarantees the maximum transmission rate. Another great advantage of mobile broadband support is that the NCP VPN Client automatically supports all current (4G/5G) configurations and all future cards under Windows 10.

Wi-Fi Roaming

If a remote worker moves their laptop within the range of several access points with the same SSID, the client automatically switches to a stronger access point when it detects that the current Wi-Fi signal is weak. This happens without interrupting applications that communicate via the VPN. The NCP Secure Client can switch between different access points within company networks (e.g., when changing location with a laptop) without having to re-establish the connection and log on to the VPN gateway again. This means continuous remote access despite changing IP addresses. (NCP Secure Enterprise VPN Server is required.)

Seamless Roaming

Seamless roaming extends the concept of Wi-Fi Roaming to all connection media. Seamless roaming is the ability to automatically switch between different networks, for example between LAN, 5G Wi-Fi and mobile networks, without a connection interruption. With this technology, mobile working is much simpler and more practical, as applications on the remote workstation can stay connected no matter where the user is. The VPN client changes the connection medium in the background and redirects the VPN tunnel dynamically without interrupting the session. This feature requires a current version of the NCP Secure Enterprise VPN Server.

VPN Path Finder

This feature allows remote access even behind firewalls whose settings block IPsec-based traffic (for example, when UDP port 500 or UDP encapsulation is blocked). Using the NCP VPN Path Finder Technology, the NCP Secure Client can instead use port 443 to communicate through the firewall (fallback IPsec/HTTPS). Among the advantages of this approach is that the security policy is still enforced by IPsec. (NCP Secure Enterprise VPN Server is required.)

IKEv2 Support

The IKEv2 standard enables faster connection negotiation compared to IKEv1, as IKEv2 is more efficient than the previous version. IKEv2 also integrates functions (e.g. NAT-T, DPD) that previously required separate extensions. Authentication is based on EAP instead of XAUTH. The Mobility and Multihoming Protocol (MOBIKE) ensures that IPsec tunnels work even more reliably with mobile applications. The NCP VPN Client Suite is very easy to configure and quick to connect. Thanks to IKEv2 support, virtual private networks can be established even more easily, flexibly and reliably. With IKEv2, the NCP VPN Client Suite is compatible with almost all VPN gateways.

Home Zone

The Home Zone is a user profile specially designed for working from home, which can be easily set up on home networks. Once it is configured, the computer will automatically switch to this mode and use the special firewall rules set up by the administrator that only apply to the home office. This means that the user can conveniently access other devices such as printers or scanners on their home office network. If the user leaves the Home Zone, the previous firewall rules are reactivated. The computer remembers the environment or the network address. If the user returns to the Home Zone, it is automatically reactivated.

VPN Bypass

With the VPN Bypass feature in the NCP VPN Client, IT administrators can configure certain applications to bypass the VPN tunnel and access the Internet directly, even when split tunneling is deactivated. This has the advantage that applications such as video streaming no longer overload servers with terabytes of data.

Dynamic Personal Firewall with Friendly Net Detection

Optimized for Remote Access. The personal firewall protects the end device against attacks from the Internet, Wi-Fi and LAN. It is included in all NCP Secure Clients, which means it is independent of the operating system and can be managed centrally (via NCP Secure Enterprise Management). The firewall protects the PC during system startup and adapts dynamically to the remote access environment. The Friendly Net Detection feature ensures the automatic detection of secure and insecure networks. This means that the required firewall rule is activated or deactivated without the user having to intervene. Parameters can be locked centrally, adding an extra layer of security. The parameter lock feature prevents configurations from being manipulated or inadvertently disabled. In this way, the company network can also be securely accessed from lower-security locations such as public hotspots.

NCP Personal Firewall features:

  • IP network address translation (IP-NAT)
  • Stateful packet inspection
  • Application-dependent filter rules
  • Protocol, port and address-related filter rules
  • Friendly net detection
  • Automated hotspot detection
  • Connection-dependent filter rules
  • Extensive logging options
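The Home Zone and Friendly Net Detection sections above describe the same mechanism from two angles: the client recognises the network it is on and activates the matching firewall rule set without user intervention. The following is an added illustration of that selection logic, not NCP code; it assumes (hypothetically) that a network is fingerprinted by its subnet and default gateway, that unrecognised networks get the most restrictive rule set, and that rules are evaluated first-match-wins. All addresses and rule sets are constructed sample data.

```python
# Rule sets as ordered (direction, protocol, port, action) tuples; first match wins.
# Constructed sample data: the "untrusted" set only lets the VPN itself out
# (IKE/IPsec on UDP 500/4500 and the HTTPS fallback on TCP 443).
RULESETS = {
    "corporate": [("out", "*", "*", "allow"), ("in", "*", "*", "allow")],
    "home_zone": [("out", "*", "*", "allow"),
                  ("in", "tcp", 9100, "allow"),      # local network printer
                  ("in", "*", "*", "deny")],
    "untrusted": [("out", "udp", 500, "allow"), ("out", "udp", 4500, "allow"),
                  ("out", "tcp", 443, "allow"),
                  ("out", "*", "*", "deny"), ("in", "*", "*", "deny")],
}

# Known corporate networks, fingerprinted by (subnet, default gateway). This
# fingerprint is an assumption of the example, not how any product detects networks.
KNOWN_NETWORKS = {("10.20.0.0/16", "10.20.0.1"): "corporate"}


class FirewallState:
    def __init__(self):
        self.active = "untrusted"   # restrictive set until a network is recognised
        self.home_zones = set()     # fingerprints the user has configured as Home Zone

    def remember_home_zone(self, subnet, gateway):
        """Store the home network so it is recognised again on return."""
        self.home_zones.add((subnet, gateway))

    def network_changed(self, subnet, gateway):
        """Re-select the rule set whenever the active network changes."""
        fp = (subnet, gateway)
        if fp in self.home_zones:
            self.active = "home_zone"
        else:
            # Leaving the Home Zone falls back to the ordinary classification.
            self.active = KNOWN_NETWORKS.get(fp, "untrusted")
        return self.active

    def is_allowed(self, direction, proto, port):
        """Evaluate a packet against the active rule set; default deny."""
        for r_dir, r_proto, r_port, action in RULESETS[self.active]:
            if r_dir == direction and r_proto in ("*", proto) and r_port in ("*", port):
                return action == "allow"
        return False
```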

Encryption

NCP VPN solutions always support the latest, most powerful algorithms and key lengths available, such as elliptic curves. Updates to receive the latest algorithms are done quickly and inexpensively by downloading software updates via the Internet.

Endpoint Security (NAC)

Endpoint Security – also called Network Access Control or Network Admission Control (NAC) – means that all security-relevant parameters of the NCP Secure Enterprise Clients are checked before the client accesses the company network. This may include checking the status of virus scanners, service information, certificate contents or software versions. Compliance with the security policies is enforced and cannot be manipulated by the user. Access to the production network is only granted if all security guidelines are met. If there are any discrepancies, server access is restricted, and IT administrators can set which data can still be transmitted and which traffic should bypass the VPN tunnel.
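As an added illustration of the posture check described above (not NCP code), the following evaluates the checks the text names, virus scanner status, software version and certificate contents, against a policy and returns either full access or a restricted access level in which only administrator-listed remediation traffic is allowed. The posture fields, policy values and the "full"/"restricted" outcome are assumptions of the example; the dates and versions are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Posture:
    """What the client reports about itself (hypothetical field set)."""
    av_running: bool
    av_signature_date: date
    client_version: tuple        # e.g. (13, 0, 0), compared lexicographically
    cert_issuer: str
    cert_not_after: date

@dataclass(frozen=True)
class Policy:
    max_signature_age_days: int
    min_client_version: tuple
    trusted_issuers: frozenset
    # Traffic still permitted when the endpoint is non-compliant (remediation only).
    restricted_allow: tuple = ("update-server", "av-signature-server")

@dataclass
class Decision:
    access: str                  # "full" or "restricted"
    failures: list = field(default_factory=list)
    allowed: tuple = ()          # ("*",) means no restriction

def evaluate(p: Posture, policy: Policy, today: date) -> Decision:
    """Every check must pass; any discrepancy restricts access to remediation traffic."""
    failures = []
    if not p.av_running:
        failures.append("virus scanner not running")
    if (today - p.av_signature_date).days > policy.max_signature_age_days:
        failures.append("virus signatures outdated")
    if p.client_version < policy.min_client_version:
        failures.append("client software version too old")
    if p.cert_issuer not in policy.trusted_issuers:
        failures.append("certificate not issued by a trusted CA")
    if p.cert_not_after < today:
        failures.append("certificate expired")
    if failures:
        return Decision("restricted", failures, policy.restricted_allow)
    return Decision("full", [], ("*",))

# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
POLICY = Policy(30, (13, 0, 0), frozenset({"Corp-CA"}))
COMPLIANT = Posture(True, date(2024, 5, 30), (13, 0, 0), "Corp-CA", date(2025, 1, 1))
STALE = Posture(True, date(2024, 4, 1), (12, 4, 0), "Corp-CA", date(2025, 1, 1))
```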

High Availability

High Availability Services ensure high availability of NCP Secure Enterprise VPN Servers through load balancing and backup mechanisms. They ensure that all VPN tunnels are available for access to the company network at all times – including in the event of a fault. Please refer to the HA Services Data Sheet for more information.

FIPS Inside

The NCP Secure Clients integrate cryptographic algorithms according to the FIPS standard – an international security standard. The embedded cryptography module that contains these algorithms is certified according to FIPS 140-2 (certificate #1747).

Integrated, Unlimited RADIUS Server

In addition to extensive control and monitoring mechanisms, an unlimited RADIUS server is an integral part of NCP Secure Enterprise Management. Existing RADIUS systems can be combined and replaced economically.

Virtualization

Virtualization is currently the most important trend in IT. It holds the potential for many measurable benefits in data centers – from improving efficiency and availability to cost savings and higher productivity. The NCP VPN solution is entirely software-based and offers all the prerequisites for significant cost savings when installing and operating even larger VPN environments. 

Features

Intuitive GUI

All NCP Secure Clients display all connection and security states independently of the operating system. Cursor-sensitive tooltips provide quick information in plain language. The connection procedure can be automated, and the user has a clear visual indication of each stage. Problems are shown in red. This simplifies troubleshooting and support. International users benefit from the clear language selection options.

Client Configurations are Easy to Create and Manage

Each NCP Secure Client has its own configuration file in which all connection parameters are stored. The administrator can specify each parameter and, if necessary, block subsequent changes by the user. This creates freedom for configuring individual remote access requirements. The configuration files can optionally be created, managed and distributed automatically by NCP Secure Enterprise Management.

Single sign-on via SAML

NCP VPN technology enables Single Sign-On (SSO) via SAML using the NCP Gateway and Secure Enterprise Management. The NCP solution takes on the role of an authentication provider (AP) in this process. First, it authenticates the login request from the SSO portal. After the user is authenticated, the NCP client establishes a secure IPsec VPN tunnel. The tunnel can be used by internal services, while external cloud applications can be routed dynamically around the tunnel using the NCP VPN Bypass or Application Based Tunneling features.

APN from SIM Card

The APN (Access Point Name) defines a provider's access point for a mobile data connection. The APN data is automatically transferred from the SIM card to the client configuration when the provider changes. This makes it easier to use more cost-effective local providers abroad.

Automatic Media Recognition

The NCP VPN Client checks the available connection media before each connection and automatically selects one from a predefined sequence. Users can still select the connection media manually if they need to.

Convenient Domain Logon

When Windows Pre-Logon is enabled, a VPN connection can be established to the company network before logging on to the Windows system. The user login to the local Windows system is then done through this VPN tunnel, so that users can be authenticated via the central Windows domain / Active Directory. From the latest client version, securely logging on to a Wi-Fi HotSpot is also supported in the pre-logon phase, which means that the client is optimally protected by the integrated dynamic firewall at all times when logging on to a HotSpot.

Central Management

NCP Secure Enterprise Clients can be integrated into a company-wide and centrally managed VPN. NCP Secure Enterprise Management offers central client configurations, mass rollout, software updates, certificate management and security policy verification.

Automatic, Network-dependent Adaptation of Firewall Rules

All NCP Secure Clients have a dynamic personal firewall whose rules adapt automatically to the detected network.

Strong Authentication

In a VPN, it is no longer sufficient to allow access to the company network using just a username and password. Both are easy for attackers to intercept. This is why the NCP VPN solution only uses strong authentication methods: the integrated Advanced Authentication, OTP tokens (One-Time Password), elliptic curve cryptography (ECC) and digital certificates in a public key infrastructure (PKI), as well as biometric technologies. One-time passwords are generated dynamically; they replace static passwords and immediately lose their validity after use. Digital certificates offer an even higher degree of protection and can also be used universally. They are available as software certificates or on a smart card as X.509 v3 certificates. Multi-CA support means that IT administrators can work with several Trust Centers or Certification Authorities (CAs).

Parameter Lock

The parameter lock in the NCP Secure Clients has two essential functions. On the one hand, it reduces the complexity of the configuration options. In this case, parameters for functions that are not required are hidden and users can only see settings that are relevant to them. On the other hand, IT administrators can prevent users from changing certain configuration parameters. This eliminates the risk of incorrect configuration and undesirable changes.

Clients for all Major Operating Systems

To ensure that all users can benefit from the advantages of a remote access VPN, NCP solutions support a wide range of operating systems: it doesn’t matter whether Microsoft Windows, macOS or Linux is installed. NCP has a solution for all major operating systems.

Cost Benefits

Minimize Support Costs

Support costs account for a large part of Total Cost of Ownership (TCO). To keep support costs as low as possible, NCP Secure Clients have a user-friendly GUI and can be configured to only show options that are relevant to the user thanks to the parameter lock. Network administrators can specify client configurations for individual users. The parameter lock prevents subsequent manipulation, whether intentional or by mistake. Faults are indicated in plain language via error messages in the intuitive GUI. This helps support teams to resolve problems quickly.

Protection from Undesirable Manipulation

The NCP Secure Client is designed to be easy to use and administrators can set which features and configuration options are available to users, for example by using the parameter lock. Network administrators can specify client configurations for individual users, preventing subsequent manipulation.

Minimize Administration Costs

As a single point of administration, NCP Secure Enterprise Management has all the features required for operating a VPN cost-effectively. It reduces the time required for configuration rollout, certificate management and software distribution. All necessary changes, such as personnel changes, can be implemented in real time. This can lead to massive cost savings and relieve the burden on network administration.

Minimize Identity and Access Management Costs

The NCP VPN solution is fully compatible with all major network technologies and operating systems. It is easy to integrate into existing identity and access management (IAM) systems. Complex upgrades of existing systems and/or expensive new investments in IT infrastructure are unnecessary.

Multitenancy Support through VPN Gateway Sharing

This feature allows multiple VPNs to be operated simultaneously for different companies via a single NCP Secure Enterprise VPN Server. A closed setup is configured for each company, which only its employees can access. VPN gateway sharing eliminates the need to invest in several individual systems. Managed Security Service Providers (MSSPs) also use this advantage for the development and operation of managed VPNs.

Bring your own device

Employees work with their own devices. BYOD concepts increase user satisfaction and, consequently, productivity. To ensure that the advantages of a remote access VPN are leveraged for all users, NCP solutions support a wide range of operating systems for integrating all devices into a universal VPN.