The ultimate goal of SSL VPN technology is to allow controlled, secure and managed access to any application, from any device and from any location. Early implementations had some limitations such as user account information not being cleared down from the browser after user sessions, no support for dynamic port assignment, support only for web-enabled applications, and no strong authentication of the user or the access device.
All of these, and other concerns, have been addressed as SSL technology has matured. Recent enhancements, for example, include the integration of user authentication. Many SSL VPN vendors offer, or are planning to offer, integrated third party strong authentication products such as those from VASCO and RSA. Netilla, from AEP Networks, and FirePass, from F5, both natively embed VASCO user authentication with their SSL VPN offerings.
The addition of 'client integrity' is another significant step forward for SSL VPNs. Client integrity involves the scanning of the client access device to check for trojans, viruses, etc. and scanning to check if the device has the latest Microsoft security patches installed. This checking ensures that the device is 'safe' and traffic from the device can be passed to the server side. Aventail, through their integration with Check Point's Zonelabs personal firewall, and Array Networks are two SSL VPNs which have implemented this feature.
An SSL appliance would normally sit behind the firewall taking all traffic from Port 443. Some SSL appliances have built-in firewalls that specifically protect the SSL device and can therefore sit in front of the firewall. Putting an SSL appliance in front of the firewall, without its own protection, leaves it open to potential hackers. As no client-side software is required, user security issues relate primarily to authentication and access security.
As a result of the growth in popularity of SSL VPNs, many manufacturers are jumping on the bandwagon and releasing their own products. Early technology evangelists were Netilla from AEP Networks, Neoteris from Juniper, and Aventail. These were followed by many other vendors including Check Point, Whale Communications, NetScaler, Array Networks and Nokia, who all offer SSL solutions. To date, there are some 70 different vendors providing an SSL product, with many more in the pipeline.
Benefits of SSL VPNs
1. No client software required for accessing web-enabled applications.
Benefit: deployment, management and administration extremely simple and effective.
2. SSL is a de-facto standard.
Benefit: interoperability between different vendors and applications.
3. Included as default in a number of web browsers.
Benefit: no client software costs.
4. As commonly deployed, only servers require digital certificates to establish the encrypted session.
Benefit: enormous reduction in the requirement to manage certificates.
SSL VPN Disadvantages
1. Optional (as opposed to in-built) user authentication. This is a major security weakness.
Answer: integration with 3rd party strong authentication products such as VASCO.
2. Requires Java or ActiveX downloads to facilitate access to non-web enabled applications.
Answer: download is transparent to user. Depending on implementation and network topology, this may cause a problem if the firewall (whether on the server side or on a personal firewall) is set to block Java or ActiveX controls.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.