SSL VPN Gateways: A New Approach to Secure Remote Access
by Ken Araujo - CTO Netilla Networks - Wednesday, 5 November 2003.
Desktop Application Access: Client/Server over SSL Tunneling

The two clientless remote access methods described above meet the access needs of most remote users. However, some end-users may need to use local client/server applications, such as email or CRM programs, already installed on their computers. These are typically local applications that exchange data with backend host servers while also supporting offline usage (an example is Microsoft’s Outlook client and Exchange server for email). These applications often reside on company-owned computers that are managed by MIS staff. In this case, network-layer access somewhat similar to IPSec VPNs is appropriate, and it can be provided via SSL tunneling technology.

SSL Tunneling: The Technology and its Benefits

Typically, desktop application access via an SSL tunnel is supported through a VPN adapter that is downloaded and installed the first time a user logs into the remote-access system for client/server access. The virtual adapter negotiates the secure SSL tunnel via the user’s Web browser. No changes to the client/server application itself are required; if the network administrator has authorized an application for a user, that application can be used over the SSL tunnel, without needing special configuration or help-desk intervention.

Leading SSL VPN gateways are well-suited for these desktop client/server arrangements – and provide key benefits over an IPSec approach:

IPSec VPNs: Network-layer IPSec VPNs create a peer-to-network connection between remote users and the corporate network, without easy application authentication and authorization.
SSL VPN tunneling: An integrated dynamic firewall limits access to the client/server applications on a per-user basis.

IPSec VPNs: Require multiple firewall ports opened on the corporate network.
SSL VPN tunneling: All traffic is multiplexed over a single port, 443, which is already open to secure Web traffic. The result is no firewall configuration and less complexity.

IPSec VPNs: Do not work well with NAT-enabled devices.
SSL VPN tunneling: A secure SSL tunnel communicates over Network Address Translation (NAT) connections easily, without requiring router re-configuration.

IPSec VPNs: Require that the client’s private key/shared secret or certificate be installed and maintained on the PC.
SSL VPN tunneling: A successful login creates a secure token for authenticating the SSL tunnel via the user’s browser on a per-session basis, simplifying security management.
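
The following is an added illustration, not Netilla's code, of two mechanisms from the comparison above: a per-session token issued after a successful login, and a per-user dynamic firewall that decides whether a tunneled client/server connection may reach a given application. The gateway key, application names, hosts and ports are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real gateway would keep this in a key store, not in source.
GATEWAY_KEY = b"constructed-demo-gateway-key"
MAC_LEN = hashlib.sha256().digest_size

# Administrator's configuration (constructed): application -> backend (host, port),
# and the applications each user has been authorized to use over the tunnel.
APPLICATIONS = {
    "exchange": ("mail.corp.example", 135),
    "crm": ("crm.corp.example", 1433),
}
USER_APPS = {
    "alice": {"exchange", "crm"},
    "bob": {"exchange"},
}

def issue_token(user, now, ttl=3600):
    """Mint a per-session token after login: user + expiry, sealed with an HMAC."""
    payload = json.dumps({"u": user, "exp": now + ttl}, separators=(",", ":")).encode()
    mac = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def verify_token(token, now):
    """Return the user name if the token is authentic and unexpired, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)                 # only reached for authentic payloads
    if claims["exp"] <= now:
        return None
    return claims["u"]

def tunnel_allowed(token, host, port, now):
    """Dynamic per-user firewall: permit a tunneled connection only to a backend
    belonging to an application authorized for the token's user. Default deny."""
    user = verify_token(token, now)
    if user is None:
        return False
    return any(APPLICATIONS.get(app) == (host, port) for app in USER_APPS.get(user, set()))
```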

Network Protection

Policy and Network Security: The Application Layer Proxy

When supporting clientless access to legacy applications and operating as an HTTP reverse proxy for Web applications, SSL VPN gateways can deliver their rich set of application-access modes as a true application-layer proxy. SSL VPNs are so-called because they operate at layer seven – the application layer – of the Open Systems Interconnection (OSI) model. IPSec VPNs, by comparison, operate at the network layer.

Operating at the application layer provides visibility into application data, affording network administrators new opportunities to enforce security policy before the user’s traffic reaches the application server at the data center. In this way, certain SSL VPN solutions can implement dynamic policy-based access to application resources from a single point of administration.
