What is a VPN Headend?

Quick Definition: A VPN headend is a dedicated device used to manage multiple concurrent VPN connections between end users and the enterprise network. VPN headends provide functionalities such as encryption for secure communication, security posture checking to evaluate the safety of devices accessing the network, and network segmentation. VPN headends differ from VPN gateways in that headends are designed to handle a higher volume of connections.
If you’ve ever worked from home or you work for a company that allows users to access corporate assets from external networks remotely, you’ve probably encountered a VPN (virtual private network) headend, also known as a VPN concentrator. From your point of view, you log in to your device, open an application, sign in, and suddenly, your device appears as though it’s sitting at a desk in your corporate office.
In reality, somewhere in your corporate office is a device establishing and terminating secure connections between your device and devices on the corporate network, regardless of your physical location.
This secure connection is important because, without it, two things are likely to occur: you most likely won’t be able to access corporate resources since many organizations have security policies preventing public access to their assets (and without a VPN, your device would be considered a public device), or your device would be able to access corporate resources at the risk of your traffic being intercepted.
Neither of these VPN-less options is conducive to a productive work day since you either wouldn’t be able to work at all, or hackers may be able to view all the same corporate data you interact with throughout the day.
What are VPN Headends?
So, what is a VPN headend or VPN concentrator, and what does it do? Establishing, managing, and terminating encrypted connections is a rather intensive process and not something just any device is capable of handling.
A VPN headend is a dedicated device that establishes and provides multiple simultaneous secure connections between an organization’s users and enterprise devices. While some VPN headends are enterprise-grade appliances, many virtual appliances are also available.
VPN Headend vs VPN Gateways and Firewalls
So, what are the differences between a VPN headend, a VPN gateway, and a standard firewall? The key difference is that a VPN headend is a specialized device designed specifically to provide end-to-end encryption for multiple devices simultaneously.
VPN gateways can also provide end-to-end encryption for devices, but they’re not designed to process as many connections as dedicated VPN headends. VPN headends differ from firewalls in that they serve almost entirely different functions.
While both work to protect the network, VPN headends protect the network by establishing secure communication between approved external devices and enterprise assets, whereas a firewall protects the network by inspecting traffic as it attempts to enter the enterprise. VPN headends don’t offer traffic inspection, but they do offer traffic encryption.
What are the Key Components and Features of VPN Headends?
Now that we've covered what VPN headends do in a general sense, let's dig into the details. While the specific features can vary a bit by device, the core features include encryption, segmentation, and posture checking.
Encryption
The most important function, and the one we most associate with VPNs, is encryption. First, the VPN headend authenticates users however it has been configured to do so, whether by username and password, Active Directory, or some other form of authentication. Only then will the VPN headend establish a secure connection and encrypt all traffic between the end device and the enterprise network it serves.
Network Segmentation
Some, if not most, modern VPN headends are capable of segmenting traffic in ways that dictate not only what IP addresses are available to VPN users, but also what resources VPN users can access while using that VPN.
Posture checking
Many VPN headends are capable of checking an end device’s security posture for specific configurations and comparing those results with policies prior to allowing the device onto the enterprise network.
Some of the more common configuration checks include the end device’s password policy and whether some form of antivirus is running on the device. If a VPN headend is configured to do so, it may deny access to the enterprise network and tell the user why access was denied.
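The two checks described above, segmentation (what addresses and resources a VPN user gets) and posture checking (is the device compliant before it is let on), can be illustrated with a small policy engine. This is an added example, not code from the article or from any vendor's headend: the posture report fields, the policy thresholds, the directory group names and the address ranges are all constructed for illustration. A real headend gets these from the VPN client and its admin configuration.

```python
"""Added example (not from the article): a simplified admission and
segmentation policy of the kind a VPN headend applies after a user has
authenticated. Posture report, policy thresholds and segment table are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass


# Hypothetical posture report sent by the VPN client after authentication.
@dataclass
class PostureReport:
    user: str
    group: str                 # directory group used to pick the segment
    min_password_length: int   # password policy the device enforces locally
    antivirus_running: bool
    disk_encrypted: bool


# Constructed policy: what the headend requires before admitting a device.
POLICY = {
    "min_password_length": 12,
    "require_antivirus": True,
    "require_disk_encryption": True,
}

# Constructed segment table: the address pool handed to the client and the
# destinations that pool is permitted to reach, keyed by directory group.
SEGMENTS = {
    "engineering": {
        "pool": ipaddress.ip_network("10.20.0.0/24"),
        "allowed": [ipaddress.ip_network("10.1.0.0/16"),    # dev subnets
                    ipaddress.ip_network("10.2.10.0/24")],  # git/CI hosts
    },
    "finance": {
        "pool": ipaddress.ip_network("10.30.0.0/24"),
        "allowed": [ipaddress.ip_network("10.5.0.0/24")],   # ERP servers
    },
}


def check_posture(report: PostureReport, policy=POLICY) -> list:
    """Return the list of policy failures; an empty list means compliant.
    Every failure is collected so the client can show all reasons at once."""
    failures = []
    if report.min_password_length < policy["min_password_length"]:
        failures.append(
            f"password policy requires {policy['min_password_length']} "
            f"characters, device enforces {report.min_password_length}")
    if policy["require_antivirus"] and not report.antivirus_running:
        failures.append("antivirus is not running")
    if policy["require_disk_encryption"] and not report.disk_encrypted:
        failures.append("disk encryption is disabled")
    return failures


def admit(report: PostureReport) -> dict:
    """Admission decision: deny with reasons, or allow with the assigned segment."""
    failures = check_posture(report)
    if failures:
        return {"allowed": False, "reasons": failures}
    segment = SEGMENTS.get(report.group)
    if segment is None:
        # Unknown group: fail closed rather than hand out a default pool.
        return {"allowed": False,
                "reasons": [f"no segment defined for group {report.group!r}"]}
    return {"allowed": True, "pool": str(segment["pool"]),
            "allowed_networks": [str(n) for n in segment["allowed"]]}


def may_reach(group: str, destination: str) -> bool:
    """Segmentation check applied per flow: is the destination inside one of
    the networks permitted for this group? Unknown groups reach nothing."""
    segment = SEGMENTS.get(group)
    if segment is None:
        return False
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in segment["allowed"])


if __name__ == "__main__":
    compliant = PostureReport("alice", "engineering", 14, True, True)
    noncompliant = PostureReport("bob", "finance", 8, False, True)
    print(admit(compliant))
    print(admit(noncompliant))
    print(may_reach("engineering", "10.2.10.7"), may_reach("engineering", "10.5.0.3"))
```

Two design points carry over to real deployments: collect every posture failure rather than stopping at the first, so the user sees the full reason for denial in one message, and fail closed when a user's group has no segment defined instead of falling back to a broad default pool.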
VPN Protocols
There are a few different protocols available to select from when thinking about your VPN headend. Depending on the vendor and appliance you choose, you’ll likely have a choice between IPSec, TLS/SSL, and L2TP/IPSec.
IPSec, or Internet Protocol Security, is a network security protocol that encrypts packets between two devices on a network. IPSec also authenticates the devices at both ends to verify the source of the traffic.
SSL/TLS, or Secure Sockets Layer/Transport Layer Security, is similar to IPSec in that it provides secure packet transfer and authentication. While the term SSL/TLS is commonly used, SSL refers to an older, deprecated technology that has been replaced by TLS.
TLS is a more secure option and is an industry standard. You’ve most likely heard of SSL/TLS when browsing the web, either by using the “HTTPS” version of a site instead of “HTTP” or by viewing the little lock icon next to the URL in your browser.
Finally, L2TP stands for Layer 2 Tunneling Protocol. It is derived from Layer 2 Forwarding and the older Point-to-Point Tunneling Protocol and does not encrypt traffic on its own, so it is almost always paired with IPSec, hence L2TP/IPSec.
What are the Functions of VPN Headends?
As briefly mentioned earlier, VPN headends are specialized devices that provide a handful of important features. For one, they handle multiple concurrent VPN connections between devices in different geographic regions. This allows remote users to securely access the enterprise network and its resources from anywhere in the world, so long as it’s allowed within the VPN settings. This brings us to our next point.
VPN headends also provide posture checking and policy enforcement, which helps enforce enterprise network configuration and security policies. By enforcing enterprise policies, VPN headends help mitigate the risks associated with letting potentially non-enterprise devices onto the network, as well as ensuring enterprise devices are meeting corporate standards while away from the physical office.
VPN headends are crucial to enabling seamless remote connectivity to enterprises and their users. These dedicated devices are more robust and capable than some alternatives, such as VPN gateways, which simply don’t have the same processing power to enable connectivity at the same volume.
What are Some Deployment Considerations for VPN Headends?
When configuring a VPN headend for your enterprise network, it should be either parallel to or just behind your firewall for security. It should also be installed near the same location as the rest of your main network to reduce latency as users attempt to access enterprise assets from the VPN headend.
Before acquiring a VPN headend solution, be sure to research which available options are most compatible with your existing infrastructure. In addition to vendor compatibility, make sure you’re either meeting legal compliance with any applicable laws in potential locations your users may be working from, or exclude specific locations from your VPN policy so as not to risk non-compliance.
Enterprises can have a secondary VPN headend; however, it is important to note that the secondary VPN headend will only be used if the primary VPN headend is unavailable. Both will not run concurrently, as you might expect a load balancer to.
Troubleshooting and Maintenance of VPN Headends
Maintaining your VPN headends is crucial to continuing the security and accessibility those VPN connections provide. Your VPN headend or your users may sometimes run into issues, so we’ll look at some common issues and how to overcome them.
Denied Access: If one or just a few users are having difficulty connecting to the VPN, it could be that the VPN is blocking their device for non-compliance with policy. Users should be sure to check for any messages provided by the VPN client to help determine the cause and remedy for denial.
VPN Headend Issues: If several users are having issues connecting, or the VPN is unavailable altogether, you may need to troubleshoot the appliance directly. To do so, consult the documentation relevant to your exact device make and model for a step-by-step troubleshooting guide, or contact the vendor.
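The distinction the two troubleshooting items above draw, a few users denied for policy reasons versus a headend-wide problem, is exactly what an operator wants a quick look at the headend's session log to tell them. The following is an added example, not code from the article: it parses a constructed key=value style session log (real headend log formats vary by vendor, so the parser and the field names are assumptions) and classifies the situation as per-user denials, a suspected headend-side issue, or healthy.

```python
"""Added example (not from the article): triage of VPN headend session logs.
The log format, field names and sample lines are constructed for
illustration; adapt the parser to your vendor's actual log format."""
import re
from collections import Counter

# Constructed sample: normal operation with two posture denials.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z headend session user=alice src=203.0.113.5 result=ALLOW
2024-05-01T08:02:40Z headend session user=bob src=198.51.100.9 result=DENY reason="posture: antivirus not running"
2024-05-01T08:03:02Z headend session user=carol src=203.0.113.77 result=ALLOW
2024-05-01T08:03:15Z headend session user=dave src=192.0.2.14 result=DENY reason="posture: password policy below minimum"
2024-05-01T08:03:30Z headend session user=erin src=203.0.113.90 result=ALLOW
"""

# Constructed sample: most sessions fail before policy is even evaluated.
OUTAGE_LOG = """\
2024-05-01T09:10:01Z headend session user=alice src=203.0.113.5 result=FAIL reason="tls handshake timeout"
2024-05-01T09:10:05Z headend session user=carol src=203.0.113.77 result=FAIL reason="tls handshake timeout"
2024-05-01T09:10:09Z headend session user=erin src=203.0.113.90 result=FAIL reason="tls handshake timeout"
2024-05-01T09:10:20Z headend session user=frank src=198.51.100.3 result=ALLOW
"""

# key=value pairs; the value is either a double-quoted string or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one log line into a dict of its key=value fields plus timestamp."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def triage(log_text: str, outage_ratio: float = 0.5) -> dict:
    """Summarise session outcomes and decide where to look first.

    verdict "per-user": only policy denials; users should read the client
    message (the reasons are collected here per user).
    verdict "headend": at least outage_ratio of attempts failed outright;
    troubleshoot the appliance itself.
    verdict "healthy": nothing to act on.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    results = Counter(e.get("result") for e in events)
    denied = {e["user"]: e.get("reason", "no reason given")
              for e in events if e.get("result") == "DENY"}
    total = len(events)
    fail_share = results["FAIL"] / total if total else 0.0
    if fail_share >= outage_ratio:
        verdict = "headend"
    elif denied:
        verdict = "per-user"
    else:
        verdict = "healthy"
    return {"counts": dict(results), "denied": denied,
            "fail_share": round(fail_share, 2), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(triage(OUTAGE_LOG))
```

The threshold and the three verdicts are deliberately coarse; the point is to separate "the policy is doing its job" (denials with a reason the user can act on) from "sessions are not being established at all", which is the case where the appliance itself, or its documentation and vendor, is the next stop.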
Conclusion
VPN headends, also referred to as VPN concentrators, enable enterprise networks to host and manage a high volume of VPN connections. They differ from other VPN devices in that they are specifically designed to handle VPN connectivity, which is a resource-intensive process that other devices with VPN capabilities likely won’t be able to handle.
VPN headends provide a number of different secure communication functionalities, such as encryption using various industry-standard protocols, network segmentation, and security posture evaluation.
To learn more about enterprise network solutions, check out some of our training at the CBT Nuggets website.