SSL VPN characteristics include providing a secure network infrastructure for specific users such as the organization's employees, contractors and partners, increasing productivity by extending the network beyond the organization, decreasing communication costs and increasing flexibility.
 
1-Introduction
     To secure access to the organization's internal databases at any time and from any device, an encrypted tunnel provided by a Remote Access VPN can be used. By using a VPN, the organization grants its users secure access to its resources at any time and from anywhere, supporting whatever they need.
Why use a VPN?
• Providing a secure network infrastructure for specific users such as the organization's employees, contractors and partners
• Increasing productivity by extending the network beyond the organization
• Decreasing communication costs and increasing flexibility
Implementing a VPN for employees working offsite is a fast, easy and effective security solution. They can use the email service or other applications. A VPN also allows partners, contractors or off-site users limited access to websites, files or specific servers.
In addition to the encrypted tunnel, administrators should deploy an authentication profile and a certificate profile to restrict remote access to the private network from remote locations.
2FA adds an additional level of security to remote access and restricts use by unauthorized third parties.
2FA and OTP technology support network security and ensure that only authorized users gain access.

2- Plan description
Two scenarios are considered here: Remote Access VPN, and 2FA, which is used as a secure solution for remote network access.
2-1 Remote Access VPN
There are two ways to use a VPN: SSL and IPsec.
Each has its own advantages, depending on user requirements and the organization's IT processes.
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard web browser. An SSL VPN does not require the installation of specialized client software on the end user's computer. It can be deployed from an administrator's desktop or from the computers of users, employees, contractors or partners, from anywhere. Any required software can be downloaded dynamically with little support effort.
There are two different access types: clientless access and client access.
Clientless remote access is remote network access obtained without installing software on the user's device. It provides secure and easy access to a broad range of web resources and to both web-enabled and legacy applications from almost any device that can connect to the Internet.
However, it is often the ideal solution for business partners or contractors who need access to a very limited set of resources in the organization's networks.
The client VPN service can be deployed without any additional software on users' PCs. It makes it possible to access any network resource or server. The costs of the client VPN service are reduced because little IT support is needed.
IPsec VPN is a remote access technology widely used by organizations. Establishing an IPsec VPN on the user's desktop with a VPN client, and accessing the network remotely through it, provides extra versatility. Organizations can monitor client VPN sessions in an integrated program through API connections.
Both IPsec and SSL VPN technologies make access to network resources possible. The benefits of SSL VPNs are easy desktop connection; extremely simple and effective deployment, management and administration; no need to support and maintain desktop software; and the possibility of deploying a web portal for user login.
The table below compares these technologies:

Access to resources:
SSL VPN: full access to all network resources
IPsec VPN: full access to all network resources
Mode of user access:
SSL VPN: standard web browser
IPsec VPN: VPN client
Supported endpoints:
SSL VPN: any organization device, client device, contractor or business partner computer, and any Internet-enabled location
IPsec VPN: company-administered desktops
Requirements:
SSL VPN: a web browser
IPsec VPN: a private, pre-installed client
Desktop upgrades:
SSL VPN: no special software needs upgrading; the software required for the connection is installed and upgraded automatically
IPsec VPN: requires user setup, but is upgraded automatically
Custom user access:
SSL VPN: a separate access policy that allows a user to reach restricted network resources such as a custom web portal
IPsec VPN: a separate access policy, without a web portal
Several advantages make VPN a reasonable choice for reducing the cost of remote operations and expanding network access. These advantages include:
- Being dynamic
- Desktop software with automatic upgrades
- Easy access from personal devices
- Customizable user access
2-2 Two Factor Authentication (2FA)
FAVAMOUJ, with its technical experience and network security specialists, proposes Vasco Two Factor Authentication (2FA) to prevent attacker infiltration.
According to a Gartner report, Vasco is the leader in 2FA. Its products, including its Authentication Server and tokens, are used all over the world. The company has 1000 customers in 100 countries, including 1700 financial companies with sensitive data.
2-2-1 Proposed 2FA method
FAVAMOUJ proposes a method using PIN code + OTP + certificate. This means the user must enter both a random (one-time) password and a fixed secret password. There are several methods of increasing security, listed below in three examples:
•OTP
•OTP +PIN
•OTP + PIN + Certificate
FAVAMOUJ's proposed mode is the third one, which has the highest security. The factors can also be used individually according to need, or simultaneously.
2-3 Vasco Application Authentication Server
Vasco provides the Application Authentication Server as software or hardware. The hardware type deployed in Tehran Municipality, IDENTIKEY AG 5502 (Appliance 5000 Series), supports 10000 tokens.
2-4 Vasco Virtual Authentication Server
Its virtual version can be deployed in the organization's virtual infrastructure.


3- Logical design
All users inside the buildings, and those who access the network over the Internet, use a token and enter the one-time password. They connect to the servers after authentication.

4- Physical design
Deploying firewall, anti-virus and anti-spyware functions on the Cisco VPN protects the network against viruses and infiltration through endpoint and application monitoring. They are deployed integrated on the VPN platform without any additional equipment, design, implementation or complicated application.
Characteristics of Cisco remote access include clientless web access without a pre-installed VPN client, protection against malware and attackers, low cost with no hidden feature licensing, and deployment of IPsec and SSL VPN on one device alongside site-to-site VPN access. The Cisco ASA 5500 and Cisco routers have these characteristics.
The Cisco ASA 5500 offers the most advanced SSL VPN security solution. It can manage from 10 to 10000 simultaneous user sessions, and tens of thousands of sessions per cluster with load balancing. Secure remote access to the network and its configuration is possible.
Two Factor Authentication
It is an extra layer of security, also known as "multi-factor authentication", that requires not only a username and password but also a token.
With standard security procedures (especially online) requiring only a simple username and password, it has become increasingly easy for criminals to gain access to a user's private data or to mount a replay attack.
The most secure mode is two-factor authentication.
Two-factor authentication is based on the user providing two of the following three:
• Something the user knows: the password or PIN for an account
• Something the user has: hardware, a mobile phone or a token
• Something the token produces: an OTP
In this method the user is issued a unique token and must enter username, password and the token code.
An OTP (One-Time Password) is a security code generated by specific hardware; it is valid for only one login session or transaction and is no longer valid afterwards. The user logs in with username, password and OTP code. It can be a code shown on the token or a security certificate installed on the token.
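The OTP + PIN mode proposed in section 2-2-1, and the replay protection described above, as an added example that is not FavaMouj's or Vasco's code: it assumes an event-based token following the open HOTP standard (RFC 4226) rather than Vasco's own algorithm, and the secret and PIN are constructed demo values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PinOtpVerifier:
    """Server side of OTP + PIN: both factors must match, each code is valid once."""

    def __init__(self, secret: bytes, pin: str, look_ahead: int = 5):
        self.secret = secret
        # Only a hash of the PIN is kept server-side (constructed example).
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.last_counter = -1        # highest token counter already consumed
        self.look_ahead = look_ahead  # how far the token may run ahead of us

    def verify(self, pin: str, otp: str) -> bool:
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        matched = None
        # Only counters above the last consumed one are tried, so a replayed
        # code (already-used counter) can never be accepted a second time.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                matched = c
                break
        if pin_ok and matched is not None:
            self.last_counter = matched  # consume the code
            return True
        return False  # wrong PIN, wrong or replayed OTP, or token out of sync


# Constructed demo values: the RFC 4226 test-vector secret and a sample PIN.
SECRET = b"12345678901234567890"
PIN = "4711"


def demo() -> list:
    v = PinOtpVerifier(SECRET, PIN)
    return [
        v.verify(PIN, hotp(SECRET, 0)),     # True: first use of the counter-0 code
        v.verify(PIN, hotp(SECRET, 0)),     # False: replay of the same code
        v.verify("0000", hotp(SECRET, 1)),  # False: correct OTP but wrong PIN
        v.verify(PIN, hotp(SECRET, 1)),     # True: counter 1 was not consumed above
        v.verify(PIN, hotp(SECRET, 9)),     # False: outside the look-ahead window
    ]
```

The wrong-PIN attempt deliberately does not advance the counter, so the legitimate user can still use that code once the PIN is entered correctly.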


Advantages of token 2FA:
- Includes RSA
- No licence required
- Pay only for the hardware token
- Easy replacement