Network World

VPN software is not created equal

Advanced features require advanced corporate network planning.
By Tim Greene, Network World, 01/13/2003

With IP Security VPNs established as a preferred method of remote access, businesses now must weigh an array of options that can make deploying and managing these VPNs less daunting.

Optional features range from automatic installation of VPN client software to policy checkers that deny VPN access if personal firewalls aren't turned on and configured properly. The features differ among VPN client software, so customers have to shop carefully.

Remote-access VPNs call for single PCs and laptops to connect to the Internet and establish a VPN tunnel with centrally located VPN concentrators, an architecture that presents two main challenges: first, how to distribute and manage software on large numbers of remote machines with minimal manpower; second, how to ensure that these machines don't threaten the security of the corporate network.

In the early days of VPNs, these clients weren't deployed in large enough numbers to make distributing and updating them a problem. But today, for large, remote-access VPN deployments, automated distribution and configuration tools are a must, says Larry Bolick, CIO of Aquent, a Boston IT consulting firm that uses Nortel Contivity VPN equipment. Otherwise, updates and policy changes would become too unwieldy to handle, he says.

Most vendors have solved the problem with downloadable software that installs itself so end users can handle it without IT assistance. "The help desk gives them the password to install, and after that, it's all silent and automated," says Gary Gatten, senior network engineer for LabOne, a medical testing firm in Lenexa, Kan., that uses Avaya VPN products.

Once remote-access VPN clients are up and running, policies control the use of their IPSec tunnels. The policies also dictate a variety of parameters such as the VPN concentrators to which they can connect and what level of encryption to use. The clients also must be informed of the removal or addition of new devices to the network.

To handle this task efficiently, Check Point, Cisco, NetScreen Technologies and others offer policy servers that update clients with new policies that have been added since the last time the client machine logged on. These servers can store multiple policies for different groups or individuals. In addition to keeping policies current, this arrangement means no policy remains on the client machine when the VPN connection is severed. This eliminates the security risk that the information would pose if the machine were stolen, Gatten says.
