Security Advisor

Do You Need an SSL VPN?

Microsoft's recent acquisition of SSL VPN provider Whale could be a good catch for remote access.

The first time I heard about SSL VPN technology, I imagined full access to all my network's resources, unimpeded by the inconvenience of protocols like PPTP or IPsec. Hotel firewalls usually block these anyway. The term SSL VPN (Secure Sockets Layer Virtual Private Network) conjures up images of remote network access that's as easy as secure Web browsing. In reality, SSL VPNs offer much less -- but that's the best part.

Most SSL VPN products offer limited access to corporate networks. Consequently, they're a much more secure solution for remote access. Microsoft is obviously excited about the potential, having recently purchased Whale Communications, a leading SSL VPN provider.

When a VPN Is Not a VPN
Traditional VPNs simply extend the corporate network out to a remote computer. Once you've established a VPN connection, you can access files and other network resources as if you were connected to your local network. VPNs do this by encapsulating standard network transport protocols, like IP, and sending them across an encrypted connection. From your computer's perspective, this connection functions like a regular network cable (see Figure 1).

An SSL VPN is more of an application gateway. It handles the specific protocols your applications require, such as HTTP for Outlook Web Access or Remote Desktop Protocol for a Terminal Services connection, and encrypts them using SSL. While SSL is typically used to encrypt HTTP traffic and authenticate Web servers, it's equally effective at securing other application-layer protocols. SSL VPNs take full advantage of this.

Straight outta home network!
Figure 1. A traditional VPN is really just a straight pipe from the home network out to remote systems.

The gateway performs the authentication, enforces protocol rules and determines which applications you can access. To support non-Web protocols, most SSL VPN solutions need to have a local component installed, like an ActiveX application that runs in your browser.

What Can SSL Do for You?
Using an old-fashioned PPTP or IPsec VPN, you'd connect to your corporate network with your laptop. You would use applications on your computer and access back-end data on the corporate servers. You could run Outlook or use Internet Explorer to connect to a SharePoint server. This is comparable to local access, but such broad remote access is rarely necessary.

This approach also creates a multitude of security concerns. Corporate data is copied to your laptop, which you could possibly leave behind in a taxi.

An SSL VPN connection, on the other hand, typically starts with a logon Web page (see Figure 2). After you authenticate with a user name and password -- or some form of two-factor authentication -- you'll be directed to the application you need or presented with a list of applications for which you have permission. Because your identity is already established, the gateway can make authorization decisions per user -- letting an Exchange administrator, for example, establish a remote desktop connection to an Exchange cluster.

One whale of an SSL VPN
Figure 2. An SSL VPN, like Whale Communications' appliance, provides selective application access after user authentication.

If you're only using Web applications, an SSL VPN doesn't appear all that different from an HTTP gateway like Internet Security and Acceleration (ISA) Server or a direct Web connection. However, you can also use it to run non-Web applications with a plug-in that runs inside a browser. Besides controlling the application's behavior, this lets you get at application data without having to install the actual application. If you need to run the application locally, the vendor can probably provide a client component to intercept network requests from the application and forward them across the authenticated SSL connection you established with your browser.

Worth the Price?
A good SSL VPN provides seamless remote access to selected applications. Log on, choose from a list of authorized applications and you're ready to start working. If your needs are fairly simple, you can find affordable entry-level solutions or even an SSL VPN add-on for your existing server. At the higher end of the market, the leading SSL VPN vendors package their solutions as appliances that can start at tens of thousands of dollars.

While most vendors insist their appliance supports almost any application ever developed, the reality is often quite different. Some applications can be tricky to support, and the extent to which a user is shielded from application quirkiness can make all the difference. After all, you don't want to face the wrath of users who have to re-authenticate every time they switch between their Inbox and Calendar in Lotus Notes.

Application support also means restricting access to certain features at the gateway. SSL VPNs are all about allowing only the required level of remote access. You don't want to grant access to the entire customer database when traveling salespeople only need to look up customer addresses.
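The three gateway duties described above -- authenticating the user at a logon page, showing only the applications that user is permitted to open, and refusing requests to application features that were never published (the address lookup versus the whole customer database) -- can be modelled in a few dozen lines. The following is an added illustration written for this column, not code from Whale, Microsoft or any other vendor's product; the user directory, application catalogue, role names, internal host names and path rules are all constructed sample data.

```python
"""
Minimal model of the access decisions an SSL VPN gateway makes.

Added illustration only; not code from the column or from any vendor.
Users, roles, applications, backend hosts and path rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed directory. Passwords are kept in the clear only to keep the
# model short; a real gateway defers to a directory (LDAP/RADIUS) instead.
USERS = {
    "alice": {"password": "s3cret", "roles": {"exchange-admin"}},
    "bob":   {"password": "road-warrior", "roles": {"sales"}},
}

@dataclass
class Application:
    name: str
    backend: str                      # internal host the gateway proxies to
    allowed_roles: set
    # published path -> HTTP methods allowed on it; anything else is refused
    rules: Dict[str, set] = field(default_factory=dict)

# Constructed catalogue, keyed by the first URL path segment the gateway
# publishes. The CRM entry shows the "address lookup only" restriction:
# /crm/customers/address is published, /crm/customers/export is not.
APPS = {
    "owa": Application("Outlook Web Access", "exchange.internal",
                       {"exchange-admin", "sales"}, {"/owa": {"GET", "POST"}}),
    "rdp": Application("Remote Desktop to Exchange cluster",
                       "exch-cluster.internal", {"exchange-admin"},
                       {"/rdp": {"CONNECT"}}),
    "crm": Application("CRM address lookup", "crm.internal", {"sales"},
                       {"/crm/customers/address": {"GET"}}),
}

SESSIONS: Dict[str, str] = {}   # session token -> user name

def logon(user: str, password: str) -> Optional[str]:
    """Logon page step: verify credentials and return a session token, or None."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user
    return token

def portal(token: str) -> List[str]:
    """The application list shown after logon: only what the user's roles permit."""
    user = SESSIONS.get(token)
    if user is None:
        return []
    roles = USERS[user]["roles"]
    return sorted(key for key, app in APPS.items() if roles & app.allowed_roles)

def _matches(path: str, published: str) -> bool:
    """True if `path` is the published path or lies beneath it."""
    return path == published or path.startswith(published + "/")

def authorize(token: str, method: str, url: str) -> Tuple[bool, str, Optional[str]]:
    """Decide whether one proxied request may be forwarded.

    Returns (allowed, reason, backend host). The check runs in the order a
    gateway would: valid session, known application, permitted role, then
    the application's own path and method rules.
    """
    user = SESSIONS.get(token)
    if user is None:
        return (False, "no session", None)
    path = urlsplit(url).path
    segments = path.split("/")
    app = APPS.get(segments[1] if len(segments) > 1 else "")
    if app is None:
        return (False, "unknown application", None)
    if not (USERS[user]["roles"] & app.allowed_roles):
        return (False, "role not permitted", None)
    for published, methods in app.rules.items():
        if _matches(path, published):
            if method.upper() in methods:
                return (True, "ok", app.backend)
            return (False, "method not permitted", None)
    return (False, "path not published", None)
```

The point of the model is the last function: a user who is entitled to the CRM application still gets "path not published" for an export URL, which is the gateway-side feature restriction the column describes, enforced without touching the CRM server itself.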

Every company will use at least one application that the SSL VPN doesn't support out of the box. A good solution will distinguish itself by having all the tools you need to support the application yourself, without spending months of coding. When it comes to the full extent of application support, the only way to avoid a costly mistake is to insist that the vendor demonstrate how they support all the applications you need to use.

Bells and Whistles
There is a wide variety of additional functionality offered by SSL VPN vendors. For example, Whale lets you scan client computers for compliance with corporate security standards and can refuse a connection if the client doesn't meet these requirements. Juniper Networks includes integrated intrusion detection and prevention mechanisms. Citrix stresses the integration of its SSL VPN with its thin client solutions. F5 Networks and others stress their products' network throughput.
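The endpoint compliance scan attributed to Whale above -- check the client against corporate security standards and refuse the connection if it falls short -- is worth seeing as a decision procedure, because the useful design question is what happens on a partial failure. The following is an added illustration written for this column, not Whale's or any vendor's code; the posture report format, the policy thresholds and the "restricted" middle outcome are all constructed assumptions.

```python
"""
Endpoint posture check of the kind an SSL VPN gateway runs before granting
access. Added illustration only; not code from any vendor's product.
The report keys, thresholds and minimum OS build are constructed values.
"""
from typing import Dict, List, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """'5.1.2600.2180' -> (5, 1, 2600, 2180); non-numeric pieces compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

# Constructed policy: minimum OS build the gateway will accept.
MIN_OS = parse_version("5.1.2600.2180")

# Each check: (name, predicate over the client's report, hard).
# A failed hard check refuses the connection outright; a failed soft check
# only demotes the session to a restricted application set.  A missing key
# counts as a failure, since an absent check cannot prove compliance.
CHECKS = [
    ("antivirus_running",   lambda r: r.get("antivirus_running") is True,              True),
    ("av_signatures_fresh", lambda r: r.get("av_signature_age_days", 999) <= 7,        True),
    ("os_patch_level",      lambda r: parse_version(r.get("os_version", "0")) >= MIN_OS, True),
    ("disk_encrypted",      lambda r: r.get("disk_encrypted") is True,                 False),
    ("firewall_enabled",    lambda r: r.get("firewall_enabled") is True,               False),
]

def evaluate(report: Dict) -> Tuple[str, List[str]]:
    """Return ('full' | 'restricted' | 'refused', names of failed checks).

    `report` is the constructed dictionary a client-side scanning component
    would send after inspecting the machine.
    """
    failures = [name for name, ok, _ in CHECKS if not ok(report)]
    hard_failure = any(hard for name, _, hard in CHECKS if name in failures)
    if hard_failure:
        return ("refused", failures)
    if failures:
        return ("restricted", failures)
    return ("full", failures)

def application_set(level: str) -> List[str]:
    """Constructed mapping from posture level to what the portal offers."""
    return {
        "full": ["web-apps", "client-component-apps", "file-access"],
        "restricted": ["web-apps"],          # browser-only, nothing cached locally
        "refused": [],
    }[level]

if __name__ == "__main__":
    # Constructed sample report from a laptop with everything except disk
    # encryption in order: gets in, but only to browser-based applications.
    sample = {"antivirus_running": True, "av_signature_age_days": 2,
              "os_version": "5.1.2600.2180", "disk_encrypted": False,
              "firewall_enabled": True}
    level, failed = evaluate(sample)
    print(level, failed, application_set(level))
```

Treating disk encryption as a soft check is deliberate: an unencrypted laptop is exactly the "left behind in a taxi" risk from earlier in the column, so the sensible response is not to refuse the user but to keep corporate data off the machine by limiting the session to browser-based applications.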

These are all important factors, but don't be fooled by numbers. A huge number of concurrent connections may look impressive, but if you have limited Internet bandwidth, each of these connections will be painfully slow.

Looking Forward
The future of remote access will include more application gateways and fewer traditional VPNs. If Microsoft's strategy with other recent acquisitions is any indication, we'll see some of Whale's functionality appear in other Microsoft products. The result could be that SSL VPNs and sophisticated application publishing will be the new standard for remote access.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.

