The two clientless remote access methods described above meet the access needs of most remote users. However, some end-users may need to use local client/server applications, such as email or CRM programs, already installed on their computers. These are typically local applications that exchange data with backend host servers, while also supporting offline usage (an example is Microsoft’s Outlook client and Exchange server for email). These applications often reside on company-owned computers that are managed by MIS staff. In these cases, network-layer access somewhat similar to an IPSec VPN is appropriate. This can be provided via SSL tunneling technology.
SSL Tunneling: The Technology and its Benefits
Typically, desktop application access via an SSL tunnel is supported through a VPN adapter that is downloaded and installed the first time a user logs into the remote-access system for client/server access. The virtual adapter negotiates the secure SSL tunnel via the user’s Web browser. No changes to the client/server application itself are required; if the network administrator has authorized an application for a user, that application can be used over the SSL tunnel, without needing special configuration or help-desk intervention.
Leading SSL VPN gateways are well-suited for these desktop client/server arrangements – and provide key benefits over an IPSec approach:
| IPSec VPN limitation | SSL VPN gateway benefit |
|---|---|
| Network-layer IPSec VPNs create a peer-to-network connection between remote users and the corporate network, without easy application authentication and authorization. | An integrated dynamic firewall limits access to the client/server applications on a per-user basis. |
| Require multiple firewall ports to be opened on the corporate network. | All traffic is multiplexed over a single port, 443, which is already open for secure Web traffic. The result is no firewall configuration and less complexity. |
| Do not work well with NAT-enabled devices. | A secure SSL tunnel communicates over Network Address Translation (NAT) connections easily, without requiring router re-configuration. |
| Require that the client’s private key/shared secret or certificate be installed and maintained on the PC. | A successful login creates a secure token for authenticating the SSL tunnel via the user’s browser on a per-session basis, simplifying security management. |
Policy and Network Security: The Application Layer Proxy
When supporting clientless access to legacy applications and operating as an HTTP reverse proxy for Web applications, SSL VPN gateways can deliver their rich set of application-access modes as a true application-layer proxy. SSL VPNs are so-called because they operate at layer seven – the application layer – of the Open Systems Interconnection (OSI) model. IPSec VPNs, by comparison, operate at the network layer.
Operating at the application layer provides visibility into application data, affording network administrators new opportunities to enforce security policy before the user’s traffic reaches the application server at the data center. In this way, certain SSL VPN solutions can implement dynamic policy-based access to application resources from a single point of administration.
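As an added example (not code from the original page or from any particular gateway vendor), the following Python sketches the two mechanisms the table and this section describe: a per-session token issued after login instead of a long-lived client key, and a per-user dynamic-firewall decision made by the gateway for each tunnelled connection request. The hostnames, the policy table and the token format are assumptions made for the illustration.

```python
import hmac, hashlib, secrets, time
from typing import Dict, Optional, Tuple

# Constructed example: an SSL VPN gateway binding a per-session token to a
# user and enforcing per-user application access. All data below is assumed.
GATEWAY_KEY = secrets.token_bytes(32)   # HMAC key held only by the gateway

# Per-user authorization: application -> (backend host, port). Assumed data.
APP_POLICY: Dict[str, Dict[str, Tuple[str, int]]] = {
    "alice": {"mail": ("exchange.corp.example", 443),
              "crm": ("crm.corp.example", 8443)},
    "bob":   {"mail": ("exchange.corp.example", 443)},
}
SESSIONS: Dict[str, Tuple[str, float]] = {}   # session id -> (user, expiry)

def issue_session_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Create a per-session token after a successful login. The token is an
    opaque id plus an HMAC tag, so a forged id is rejected before any policy
    lookup; no long-lived client key or certificate is stored on the PC."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)
    SESSIONS[sid] = (user, now + ttl)
    tag = hmac.new(GATEWAY_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"

def resolve_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    sid, sep, tag = token.partition(".")
    expected = hmac.new(GATEWAY_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    entry = SESSIONS.get(sid)
    if entry is None or entry[1] < now:     # unknown or expired: drop it
        SESSIONS.pop(sid, None)
        return None
    return entry[0]

def authorize_tunnel(token: str, host: str, port: int, now: Optional[float] = None) -> Tuple[bool, str]:
    """Dynamic-firewall decision for one tunnelled connection request:
    allow only when the session is valid and (host, port) belongs to an
    application this user is authorized for. Anything else is denied."""
    user = resolve_session(token, now)
    if user is None:
        return False, "invalid or expired session"
    for app, target in APP_POLICY.get(user, {}).items():
        if target == (host, port):
            return True, f"{user} -> {app}"
    return False, f"{user} not authorized for {host}:{port}"
```

In a real gateway the policy table would come from the administrator's directory or policy store and the decision would be applied to every multiplexed stream inside the port-443 tunnel, not only at connection setup.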