Do You Need an SSL VPN?
Microsoft's recent acquisition of SSL VPN provider Whale could be a good catch for remote access.
The first time I heard about SSL VPN technology, I imagined full access to
all my network's resources, unimpeded by the inconvenience of protocols like
PPTP or IPsec. Hotel firewalls usually block these anyway. The term SSL VPN
(Secure Sockets Layer Virtual Private Network) conjures up images of remote
network access that's as easy as secure Web browsing. In reality, SSL VPNs offer
much less -- but that's the best part.
Most SSL VPN products deliberately expose only selected applications rather than the whole corporate network. That narrower exposure is what makes them a more secure option for remote access. Microsoft is obviously excited about the potential, having recently purchased Whale Communications, a leading SSL VPN provider.
When a VPN Is Not a VPN
Traditional VPNs simply extend the corporate network out to a remote computer. Once you've established a VPN connection, you can access files and other network resources as if you were connected to your local network. VPNs do this by encapsulating standard network protocols, such as IP, and sending the packets across an encrypted connection. From your computer's perspective, this connection functions like a regular network cable (see Figure 1).
Figure 1. A traditional VPN is really just a straight pipe from the home network out to remote systems.
An SSL VPN is more of an application gateway. It handles the specific protocols required for your applications, such as HTTP for Outlook Web Access or Remote Desktop Protocol for a Terminal Services connection, and encrypts them using SSL. While SSL is best known for protecting HTTP traffic and authenticating Web servers, it can carry any application protocol. SSL VPNs take full advantage of
The gateway performs the authentication, enforces protocol rules and determines which applications you can access. To support non-Web protocols, most SSL VPN solutions need to have a local component installed, like an ActiveX application that runs in your browser.
What Can SSL Do for You?
Using an old-fashioned PPTP or IPsec VPN, you'd connect to your corporate network
with your laptop. You would use applications on your computer and access back-end
data on the corporate servers. You could run Outlook or use Internet Explorer
to connect to a SharePoint server. This is comparable to local access, but such
broad remote access is rarely necessary.
This approach also creates a multitude of security concerns. Corporate data is copied to your laptop, which you could possibly leave behind in a taxi. And because the laptop becomes a full node on the corporate network for the duration of the session, anything running on it, including malware picked up on the road, can reach internal hosts just as you can.
An SSL VPN connection, on the other hand, typically starts with a logon Web
page (see Figure 2). After you authenticate with a user name and password --
or some form of two-factor authentication -- you'll be directed to the application
you need or presented with a list of applications for which you have permission.
Because the gateway knows who you are, it can make per-user decisions at the application level: it might, for example, let an Exchange administrator, and nobody else, establish a remote desktop connection to an Exchange cluster.
Figure 2. An SSL VPN, like Whale Communications' appliance, provides selective application access after
If you're only using Web applications, an SSL VPN doesn't appear all that different
from an HTTP gateway like Internet Security and Acceleration (ISA) Server or
a direct Web connection. However, you can also use it to run non-Web applications
with a plug-in that runs inside a browser. Besides controlling the application's
behavior, this lets you get at application data without having to install the
actual application. If you need to run the application locally, the vendor can
probably provide a client component to intercept network requests from the application
and forward them across the authenticated SSL connection you established with
Worth the Price?
A good SSL VPN provides seamless remote access to selected applications. Log
on, choose from a list of authorized applications and you're ready to start
working. If your needs are fairly simple, you can find affordable entry-level
solutions or even an SSL VPN add-on for your existing server. At the higher
end of the market, the leading SSL VPN vendors package their solutions as appliances
that can start at tens of thousands of dollars.
While most vendors insist their appliance supports almost any application ever developed, the reality is often quite different. Some applications can be tricky to support, and the extent to which a user is shielded from application quirkiness can make all the difference. After all, you don't want to face the wrath of users who have to re-authenticate every time they switch between their Inbox and Calendar in Lotus Notes.
Application support also means restricting access to specific application features at the gateway, for example by passing only certain URLs or commands through to the back end. SSL VPNs are all about allowing only the required level of remote access. You don't want to grant access to the entire customer database when traveling salespeople only need to look up customer addresses.
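To make the "allow only what is required" model concrete, here is an added example of the kind of authorization check an application gateway performs after logon. It is illustrative code written for this page, not Whale's, Microsoft's or any other vendor's product code, and the users, roles, application names, host names and URL paths in it are made up. It shows the two things the text describes: the per-user list of published applications, and per-role allow rules that let a salesperson look up a customer's address but not pull the whole database. It also handles the one edge case any path-based gateway must get right: the URL is canonicalized before it is matched, so a traversal like "/customers/42/address/../../export" is judged as the export request it really is.

```python
"""Application-gateway authorization, as an SSL VPN gateway might apply it.

A network VPN hands a remote machine a route into the whole network; an
application gateway instead publishes named applications and forwards only
requests that match an explicit per-role allow rule. Everything else is denied.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Request:
    user: str     # already authenticated at the logon page
    app: str      # published application the user selected
    method: str   # HTTP method, or CONNECT for a tunnelled non-Web protocol
    target: str   # URL path for Web apps, host:port for tunnelled ones


# Constructed sample data: hypothetical users and their roles.
USERS = {
    "alice": {"staff", "sales"},
    "bob": {"staff", "sales-manager"},
    "carol": {"staff", "exchange-admin"},
}

# Allow rules per published application: (role, allowed methods, target regex).
# Application names, hosts and paths are made up. Patterns are anchored so a
# rule cannot be widened by appending to the target.
POLICY = {
    "owa": [
        ("staff", {"GET", "POST"}, r"^/owa(/.*)?$"),
    ],
    "crm": [
        # Travelling salespeople only get to look up a customer's address.
        ("sales", {"GET"}, r"^/customers/\d+/address$"),
        # Managers may read whole records and run the export.
        ("sales-manager", {"GET"}, r"^/customers/\d+$"),
        ("sales-manager", {"GET"}, r"^/customers/export$"),
    ],
    "rdp-exchange": [
        # Only Exchange administrators get a remote desktop to the cluster.
        ("exchange-admin", {"CONNECT"}, r"^exch-cluster-01:3389$"),
    ],
}


def normalize_target(target: str) -> str:
    """Canonicalize a URL path before matching it against the policy.

    Matching the raw path is a classic gateway mistake: "/customers/7/address/../../export"
    looks like an address lookup, but the back end resolves it to the export.
    Percent-encoding is decoded first so "%2e%2e" is not treated as a literal segment.
    Non-path targets (host:port for tunnelled protocols) are left untouched.
    """
    if not target.startswith("/"):
        return target
    return posixpath.normpath(unquote(target))


def published_apps(user: str) -> list[str]:
    """The application list shown after logon: only apps with a rule for one of the user's roles."""
    roles = USERS.get(user, set())
    return sorted(
        app for app, rules in POLICY.items()
        if any(role in roles for role, _, _ in rules)
    )


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: no matching rule means no access."""
    roles = USERS.get(req.user)
    if not roles:
        return False, "unknown user"
    rules = POLICY.get(req.app)
    if rules is None:
        return False, "application not published"
    target = normalize_target(req.target)
    for role, methods, pattern in rules:
        if role in roles and req.method in methods and re.match(pattern, target):
            return True, f"{role} rule {pattern} matched {target}"
    return False, f"no rule for {req.method} {target}"


if __name__ == "__main__":
    for req in [
        Request("alice", "crm", "GET", "/customers/42/address"),
        Request("alice", "crm", "GET", "/customers/export"),
        Request("alice", "crm", "GET", "/customers/42/address/../../export"),
        Request("bob", "crm", "GET", "/customers/export"),
        Request("carol", "rdp-exchange", "CONNECT", "exch-cluster-01:3389"),
        Request("alice", "rdp-exchange", "CONNECT", "exch-cluster-01:3389"),
    ]:
        allowed, reason = authorize(req)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{req.user:6} {req.app:13} {req.method:7} {req.target:40} -> {verdict} ({reason})")
```

The design point is that the gateway never forwards anything it has not positively matched, which is the opposite of a network VPN's default of routing everything. That only holds if the gateway understands the protocol well enough to canonicalize what it matches on; for Web applications that means decoding and normalizing the path, and for tunnelled protocols it means pinning the destination host and port.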
Every company will use at least one application that the SSL VPN doesn't support out of the box. A good solution will distinguish itself by having all the tools you need to support the application yourself, without spending months of coding. When it comes to the full extent of application support, the only way to avoid a costly mistake is to insist that the vendor demonstrate how they support all the applications you need to use.
Bells and Whistles
There is a wide variety of additional functionality offered by SSL VPN vendors.
For example, Whale lets you scan client computers for compliance with corporate
security standards and can refuse a connection if the client doesn't meet these
requirements. Juniper Networks includes integrated intrusion detection and prevention
mechanisms. Citrix stresses the integration of its SSL VPN with its thin client
solutions. F5 Networks and others stress their products' network throughput.
These are all important factors, but don't be fooled by numbers. A huge number of concurrent connections may look impressive, but if you have limited Internet bandwidth, each of these connections will be painfully slow.
The future of remote access will include more application gateways and fewer traditional
VPNs. If Microsoft's strategy with other recent acquisitions is any indication,
we'll see some of Whale's functionality appear in other Microsoft products. The
result could be that SSL VPNs and sophisticated application publishing will be
the new standard for remote access.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.