SSL VPN Gateways: A New Approach to Secure Remote Access
by Ken Araujo - CTO Netilla Networks - Wednesday, 5 November 2003.
While the number of Web-based intranet applications is certainly growing within the enterprise, non-Web-enabled, legacy applications – those residing on centralized Windows, UNIX/Linux, mainframes and AS/400 machines – still form the vital core of enterprise applications in use today. For IT managers seeking to provide secure remote access, the challenge is to leverage these crucial legacy applications in a simple way that provides the same on-demand access to centralized information as their Web-enabled counterparts.

Some SSL VPN appliances solve this dilemma by providing clientless, remote access to legacy applications through the incorporation of Web-enabling technology directly within the platform. This integrated approach eliminates the need for enterprises to deploy and maintain server-based “middleware” and associated remote-access clients. In this model, both the client and server portions of an application are centrally hosted in the corporate data center. The advantage of this approach is that end users need only a browser to access these remotely located applications; no additional software or configuration of the remote computer is needed.

An SSL VPN appliance makes client/server applications available to remote users through the Web, allowing companies to leverage their existing legacy application infrastructure without costly application re-development or installing and configuring remote PCs. Any program, running on any platform – Windows, UNIX and Linux, or 3270 mainframe and 5250 AS/400 – can thus be made available to remote users.

In this application-layer access model, the SSL VPN gateway uses a built-in screen-scraping (remote display) protocol that separates emulation from display processing: the application runs in the data center, only its screen output is sent to the remote user's Web browser, and keystrokes and mouse events travel back. The gateway delivers this through a small Java applet that is downloaded into the user's browser on first login, so the only code that reaches the remote machine is that applet; nothing has to be installed or configured in advance. Because what crosses the connection is screen updates and input events rather than the application's own protocol, performance is largely independent of the application itself and remains usable over slow links, and the user works with the application much as if it were running on the local machine.

Secure Intranet Access to Web-based Applications and Portals

Even as they continue to rely on legacy applications as part of their application strategy, enterprises are also developing applications intended for direct Web browser access. These may be “Webified” versions of legacy applications, such as a Web front end to Microsoft Outlook mail, or proprietary intranet applications. Exposing such applications over the public Internet introduces security risks that must be addressed, and IT departments asked to extend them to remote users and business partners face real obstacles. For example, Web-enabled resources typically reside on the company's intranet and are addressed by internal Domain Name System (DNS) names that public resolvers cannot resolve, so a remote browser cannot reach them directly even where the firewall would allow it.

Leading SSL VPN appliances overcome these obstacles and can safely extend intranet resources to authorized users by providing clientless, browser-based access through HyperText Transfer Protocol (HTTP) reverse-proxy technology. A forward proxy sits between a corporate intranet user and an Internet Web site; a reverse proxy sits the other way round, between a remote user on the Internet and an enterprise Web site. The gateway terminates the user's SSL session, authenticates the user, resolves the internal host name itself, fetches the page from the back-end server and returns it to the browser, with internal host names rewritten to paths on the gateway so that links and redirects keep working. A single point of entry over the Internet – the SSL VPN gateway – thus lets remote users reach back-end Web servers securely through an ordinary Web browser.

This approach delivers fast, secure, on-demand access to Web-based information and scales to a global user population. The security benefits are clear: corporate Web servers stay behind the firewall in a protected part of the private network and never accept connections from the Internet directly, so each one need not be individually locked down for public exposure. The gateway, as the one exposed component, is where that hardening effort is concentrated. Additionally, administrators gain granular access control on a per-user or per-group basis, down to individual servers, directories and paths.
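As an added example, not taken from the article and not any vendor's product code, the following Python sketch shows the two gateway behaviours the preceding paragraphs describe: routing public gateway paths to internal hosts that only the gateway can resolve, rewriting those internal names in what goes back to the browser, and applying a per-user, per-group allow list on servers and paths before anything is forwarded. All host names, users and groups are invented, and the policy tables are hard-coded in place of a real directory.

```python
"""Reverse-proxy gateway policy sketch (added example; hosts, users and
groups are invented and stand in for a directory-backed configuration)."""
import posixpath
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed public name of the gateway; the only name remote browsers ever see.
GATEWAY_ORIGIN = "https://vpn.example.com"

# Public prefix on the gateway -> internal origin (resolvable only by the
# gateway, never from the public Internet).
ROUTES = {
    "/mail": "http://owa.corp.internal",
    "/hr":   "http://hr-portal.corp.internal",
    "/wiki": "http://wiki.corp.internal:8080",
}

# Group -> list of (public prefix, regex over the internal path). Anything not
# listed is denied, so the default is deny.
ACL = {
    "staff":    [("/mail", r"^/.*$"), ("/wiki", r"^/.*$")],
    "hr":       [("/hr", r"^/.*$")],
    "partners": [("/wiki", r"^/public/.*$")],
}

# User -> groups (a real gateway would pull this from an authenticated session).
USER_GROUPS = {
    "alice": {"staff", "hr"},
    "bob":   {"staff"},
    "eve":   {"partners"},
}


@dataclass
class Decision:
    allowed: bool
    upstream_url: Optional[str] = None
    reason: str = ""


def _route(path):
    """Split a normalised gateway path into (public prefix, internal path)."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, path[len(prefix):] or "/"
    return None, None


def authorize(user: str, request_target: str) -> Decision:
    """Decide whether `user` may reach `request_target` and where to forward it."""
    parts = urlsplit(request_target)
    # Decode and normalise BEFORE matching the ACL, so that
    # "/wiki/public/../private/x" or "%2e%2e" segments cannot slip past a
    # prefix-based rule and land on a path the user is not allowed to see.
    path = "/" + posixpath.normpath(unquote(parts.path) or "/").lstrip("/")
    prefix, internal_path = _route(path)
    if prefix is None:
        return Decision(False, reason="no route for %s" % path)
    for group in USER_GROUPS.get(user, set()):
        for acl_prefix, pattern in ACL.get(group, []):
            if acl_prefix == prefix and re.match(pattern, internal_path):
                url = ROUTES[prefix] + internal_path
                if parts.query:
                    url += "?" + parts.query
                return Decision(True, url, "allowed via group %s" % group)
    return Decision(False, reason="%s not authorised for %s" % (user, path))


def rewrite_internal_urls(text: str) -> str:
    """Rewrite absolute internal origins (in Location headers or HTML bodies)
    to the corresponding gateway path, longest origin first so that
    'host:8080' is not mangled by a rule for plain 'host'."""
    for prefix, origin in sorted(ROUTES.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(origin, GATEWAY_ORIGIN + prefix)
    return text


if __name__ == "__main__":
    for user, target in [("alice", "/hr/payroll?y=2003"),
                         ("bob", "/hr/payroll"),
                         ("eve", "/wiki/public/../private/x")]:
        d = authorize(user, target)
        print(user, target, "->", "ALLOW " + d.upstream_url if d.allowed else "DENY: " + d.reason)
    print(rewrite_internal_urls("Location: http://owa.corp.internal/owa/auth/logon.aspx"))
```

In a real gateway `authorize` runs after SSL termination and user authentication and before the upstream fetch, and `rewrite_internal_urls` is applied to redirect headers and HTML bodies on the way back. The part this sketch does not solve is the hard one in practice: root-relative links inside an application's HTML (`/owa/...`) carry no host name to rewrite, which is why products either give each application its own public host name or parse and rewrite the HTML itself.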
