Q&A: SSL VPN Security
by Mirko Zorz - Monday, 28 July 2008.
IPsec VPNs are particularly suitable when connecting two office locations, such as a branch office to the corporate office. All the users at a branch office can use the IPsec VPN tunnel to access the corporate location. SSL VPNs provide the following benefits:
  • No client software needed. Only a standard browser (Internet Explorer, Firefox, Safari, etc.) is required. This makes it easy to use for end users.
  • Fine-grained access control. Access can be granted to each user to only specific applications. For example, access by finance employees can be restricted to financial applications and data. Granularity includes by time of day, day of week, user group, by application or resource group.
  • Capacity expansion as needed, including instantaneous increase for business continuity during disaster-recovery periods.
  • Integration with authentication infrastructure, such as Active Directory, LDAP, RADIUS, and multi-factor authentication, such as smart cards and RSA tokens. For example, can integrate with User Groups and Group Policy Objects in Active Directory.
  • Dramatically reduced deployment and upgrade costs. Administrators install and update/upgrade at only the central location.
  • Much improved security with ‘host checks’ for required security posture of both managed and extranet end-points. A vendor’s computer, for example, must have up-to-date anti-virus signatures before it will be permitted access to the approved applications for that vendor.
  • Ease-of-installation, typically in a couple of hours or less, and ease-of-administration, changing access policies and installing or modifying services (i.e., access to applications).
  • Lower capital cost, since only one appliance is needed. Where needed, full site-to-site connectivity can be implemented using two appliances, in addition to providing secure remote access for individuals using the same appliances.
  • Secure encrypted communications from public locations such as wireless hotspots at cafes, hotels and airports. All data is encrypted by the browser on the host computer, precluding eavesdropping at wireless hotspots, and even by (god forbid) spyware on the host computer!

What do you think is going to be the next milestone in the development of SSL VPN products?

SSL VPNs will evolve with expanded host checks and more granular application of access policies depending on the security posture of each end-point. SSL VPNs are deployed today as ‘proxy appliances’, not at the gateway. They will incorporate more gateway-like features, including firewall and anti-malware scanning. Perhaps the most important technology that will be integrated into SSL VPNs is bandwidth acceleration to provide seemingly higher capacity and response times. Already easy to deploy and administer, we expect SSL VPNs will further improve on their ease-of-use and ease-of-administration.

