Q&A: SSL VPN Security

Max Huang is the founder and Executive Vice President of O2Micro and President for O2Security, a subsidiary company of O2Micro. In this interview he discusses the importance of SSL VPNs in the overall security architecture, the difference between IPSec and SSL VPNs as well as the future of SSL VPNs.

In your opinion, how important are SSL VPN appliances in the overall security architecture?
As remote access facilitators, SSL VPN appliances are an essential ingredient to implementing network security. Today’s businesses with operations (whether in-house or out-sourced) worldwide must enable increased productivity among its employees by providing access to the corporate data and tools for its mobile workforce, including the sales force and field service personnel, and the increasing numbers of employees who telecommute or require after-hours access to communicate with geographically dispersed operations.

SSL VPN appliances are also important to disaster-recovery planning and business continuity. Very often, natural calamities cause increased demands on IT infrastructure by affected and concerned customers – precisely when the companies’ employees are unable to respond. Businesses must quickly relocate critical functions to alternate locations (including employees working from home) and must expand IT capacity while ensuring security.

Secure remote access can be achieved both with IPSec and SSL VPNs. What are the benefits of using SSL VPNs over IPSec?
To connect to an IPsec VPN, an individual user must install corresponding IPsec client software. This places a major burden on the IT department during initial deployment, as well as for upgrades. Furthermore, IPsec technology cannot handle “NAT Traversal’; frequently end-users cannot connect easily using IPsec VPN from hotel rooms, or public locations such as airports and cafes. Similar problems exist when providing secure access to business partners (suppliers, resellers, customers, professional services like lawyers and auditors).

IPsec VPNs are particularly suitable when connecting two office locations, such as a branch office to the corporate office. All the users at a branch office can use the IPsec VPN tunnel to access the corporate location. SSL VPNs provide the following benefits:

• No client software needed. Only a standard browser (Internet Explorer, Firefox, Safari, etc.) is required. Makes it easy-to-use for end-users.
• Fine-grained access control. Access can be granted to each user to only specific applications. For example, access by finance employees can be restricted to financial applications and data. Granularity includes by time of day, day of week, user group, by application or resource group.
• Capacity expansion as needed, including instantaneous increase for business continuity during disaster-recovery periods.
• Integration with authentication infrastructure, such as Active Directory, LDAP, RADIUS, and multi-factor authentication, such as smart cards and RSA tokens. For example, can integrate with User Groups and Group Policy Objects in Active Directory.
• Dramatically reduced deployment and upgrade costs. Administrators install and update/upgrade at only the central location.
• Much improved security with “host checks’ for required security posture of both managed and extranet end-points. A vendor’s computer, for example, must have up-to-date anti-virus signatures before it will be permitted access to the approved applications for that vendor.
• Ease-of-installation, typically in a couple of hours or less, and ease-of-administration, changing access policies and installing or modifying services (ie, access to applications).
• Lower capital cost, since only once appliance is needed. Where needed, full site-to-site connectivity can be implemented using two appliances, in addition to providing secure remote access for individuals using the same appliances.
• Secure encrypted communications from public locations such as wireless hotspots at cafes, hotels and airports. All data is encrypted by the browser on the host computer, precluding eaves-dropping at wireless hotspots, and even by (god forbid) spyware on the host computer!

What do you think is going to be next milestone in the development of SSL VPN products?
SSL VPNs will evolve with expanded host checks and more granular application of access policies depending on the security posture of each end-point. SSL VPNs are deployed today as “proxy appliances’, not at the gateway. They will incorporate more gateway like features, including firewall and anti-malware scanning. Perhaps the most important technology that will be integrated into SSL VPNs is bandwidth acceleration to provide seemingly higher capacity and response times. Already easy to deploy and administer, we expect SSL VPNs will further improve on their ease-of-use and ease-of-administration.