Differences Between Software and Hardware Solutions

A key topic in discussing VPN technologies is the differences between software and hardware solutions. The following definitions help reveal those differences:

  • Software VPN—Software-based VPNs are sold as part of a server operating system (OS), as part of an appliance operating system, or as a third-party add-on software solution.
  • Hardware VPN—A hardware VPN is a standalone device, dedicated to managing VPN functions such as authentication, encapsulation, encryption, and filtering.

The functionality of software and hardware VPN solutions is essentially the same, but the way each one provides a secure remote connection on demand reveals some important differences.

NOTE

In the early days of VPNs, VPN software commonly ran on a Windows or UNIX server. Today, server-based implementations are found mostly in small environments, because a general-purpose server OS scales and stays available less well than a dedicated platform. Most software VPNs now run as a component of a firewall or router rather than as an add-on to a server.

Software VPNs

When evaluating whether or not to deploy a software VPN, consider the two types of software VPNs:

  • Operating system–based VPN—An operating system–based VPN is an application that runs on a Microsoft Windows or UNIX OS. These are generally used in smaller companies, because this kind of solution tends to be less scalable and less stable than other VPN solutions. Operating system–based solutions are generally less expensive, especially when running on a shared server that also hosts other applications (although sharing the host also widens the attack surface of the VPN endpoint). Many of these solutions are open source, which further reduces the cost, although it can increase the complexity of the solution.
    One security issue with this solution is that the server, and the OS under it, must be reachable from the public network (generally the Internet) for connections to occur. Any time you connect a server and its OS to a public network, you increase the security risk, because you expose it to a much larger pool of attackers. You can mitigate this risk by allowing only the ports the VPN protocol needs to reach the server and, if you use only site-to-site VPN connections, by restricting those ports to the IP addresses of the remote sites. You can also run a host firewall on the VPN server itself; this adds overhead on the server, but it provides additional protection to offset the increased exposure.
  • Module-based VPN—A module-based VPN runs as a component of a larger system. Sometimes the VPN is included in the overall feature set; in other cases you must purchase additional licenses to use it. An example is the VPN capability included with many firewalls. Many routers also offer this capability, which makes it easy for security-conscious companies to encrypt wide area network (WAN) links. The benefit of this type of VPN solution is reduced complexity in the environment, since you have fewer discrete devices to manage. VPN modules are also typically less expensive than hardware VPN solutions. Some vendors also offer hardware accelerators to improve the performance of this solution.
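The mitigation described for an operating system–based VPN server (expose only the ports the VPN protocol needs, and only to the remote sites) can be expressed as a host-firewall policy. The following Python script is an added example, not code from the book: it emits an nftables ruleset for a site-to-site VPN server with a default-drop inbound chain. The peer addresses and management network (documentation ranges), the assumed rule that no single peer entry may be broader than a /24, and the port profiles (IKE on UDP 500, NAT-Traversal on UDP 4500 plus ESP for IPsec; the WireGuard default UDP port) are assumptions chosen for illustration.

```python
"""Host-firewall policy for an OS-based site-to-site VPN server.

Added example, not code from the book: it emits an nftables ruleset that
exposes only the VPN protocol's ports, and only to the known remote sites,
with everything else dropped.  The peer addresses, the management network,
the /24 "no broader than this" limit, and the port profiles are assumptions
made for illustration.
"""
import ipaddress

# Listener profile per VPN type.  IPsec needs IKE (UDP 500), NAT-Traversal
# (UDP 4500) and the ESP protocol itself; WireGuard needs one UDP port
# (the project's default port, assumed here).
VPN_PROFILES = {
    "ipsec": {"udp": [500, 4500], "ip_proto": ["esp"]},
    "wireguard": {"udp": [51820], "ip_proto": []},
}

# Assumed policy: a single peer entry may not cover more than a /24, so a
# typo such as 0.0.0.0/0 cannot silently turn the allow list into "anyone".
MAX_PEER_PREFIX_WIDTH = 24


def normalize_peers(peers):
    """Validate remote-site addresses and return them in nftables syntax.

    Accepts single IPv4 hosts or IPv4 prefixes; raises ValueError on
    malformed input, IPv6 (not handled in this example) or over-broad prefixes.
    """
    out = []
    for peer in peers:
        net = ipaddress.ip_network(peer, strict=False)  # ValueError on junk
        if net.version != 4:
            raise ValueError(f"IPv4 peers only in this example: {peer}")
        if net.prefixlen < MAX_PEER_PREFIX_WIDTH:
            raise ValueError(f"peer prefix too broad, refusing: {peer}")
        out.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return out


def build_ruleset(peers, vpn="ipsec", mgmt_net=None):
    """Return an nftables script (string) implementing default-drop inbound.

    Only the VPN listener is reachable, and only from `peers`.  If
    `mgmt_net` is given, SSH is additionally allowed from that internal
    range, so the VPN ports remain the only thing exposed to the Internet.
    """
    profile = VPN_PROFILES[vpn]
    elements = ", ".join(normalize_peers(peers))
    lines = [
        "table inet vpnhost {",
        "  set vpn_peers {",
        "    type ipv4_addr; flags interval;",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for port in profile["udp"]:
        lines.append(f"    ip saddr @vpn_peers udp dport {port} accept")
    for proto in profile["ip_proto"]:
        lines.append(f"    ip saddr @vpn_peers ip protocol {proto} accept")
    if mgmt_net:
        mgmt = ipaddress.ip_network(mgmt_net, strict=False)
        lines.append(f"    ip saddr {mgmt} tcp dport 22 accept")
    lines.append('    log prefix "vpnhost-drop: " counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: two remote sites (documentation ranges) and
    # an internal management network.
    print(build_ruleset(["203.0.113.10", "198.51.100.0/24"],
                        vpn="ipsec", mgmt_net="192.0.2.0/24"))
```

Write the output to a file and check it with `nft -c -f <file>` before loading it with `nft -f <file>`; the explicit prefix-width check in normalize_peers is what keeps a mistyped peer entry from quietly re-exposing the server to the whole Internet.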

Hardware VPNs

Hardware VPNs are dedicated appliance-based solutions, generally built on a router-type platform. Hardware VPNs are the most common type of VPN deployed in corporations today. Although hardware VPNs can be complex to deploy, they are typically more scalable than their software counterparts and can easily be deployed redundantly. Because you are adding equipment, hardware VPNs do increase the complexity of an environment, but you can usually manage the additional devices with the same network management tools you use for the routers and switches already in place.

Hardware VPNs can create security issues of their own, largely related to vulnerabilities in the VPN software code running on the appliance; an appliance is exposed to the public network in the same way an OS-based VPN server is, and a number of security alerts for such vulnerabilities have appeared in recent years. You can manage this issue fairly easily by keeping current on your vendor's security alerts and by upgrading the VPN code in a timely fashion. If your organization lacks the skills or resources to test a new release thoroughly, it might be preferable to run the N–1 version of the code, where N is the current version, unless a known issue with that previous version has been published.

Ultimately, the requirements of your business will drive your selection of a software or hardware VPN. The good news is that many options are available for every size network.

NOTE

You must make a risk-based decision on whether to accept the possibility of undiscovered bugs in a new version of the code or to live with the known bugs in the previous version. If an upgrade is issued primarily to fix security flaws, you may be better off with the new version, surprises and all.
