SSL VPN

SSL VPN (Secure Sockets Layer virtual private network) is a type of VPN that runs on Secure Sockets Layer technology and is accessible over HTTPS from a web browser. It permits users to establish safe and secure remote access sessions from virtually any Internet-connected browser. SSL functions between the TCP layer and the application layer protocols. SSL VPN solutions allow organizations to deliver the level of corporate network access required for each connecting person and for the location from which they connect. In short, it provides a secure connection between remote users and internal network resources.

Traditional IP Security (IPSec) remote-access VPN technology requires the installation of IPSec client software on a client machine before a connection can be established, whereas SSL VPN needs no such client installation and delivers the functionality of a “clientless VPN” or “Web VPN”. Unlike IPSec, users are able to access corporate applications or shared files with just a standard web browser, since no pre-installed or pre-configured VPN software is needed with SSL VPN.

For businesses, SSL VPN offers versatility, ease of use and secure, remote access to road warriors, telecommuters, partners and customers who can access the corporate network from multiple locations including home, client networks, public kiosks, and hotspots over varied devices like laptops, mobile devices and home and public desktops. This allows SSL VPN the flexibility to provide anywhere, any device remote access which is not possible in other VPN solutions.

History and development

As organizations grew in size and business complexity, secure remote access to network resources became necessary for day-to-day functioning. Also, their competitiveness thrived on the efficiency with which they could support and dispense their service offerings to customers, partners and suppliers. These traditionally outside entities now had to be given access to corporate resources, such as partner and customer portals and internal knowledge bases, via extranets. Customers and employees traveling to do business between national or international sites became an important focus for productivity gains.

Limitations of IPSec

While IPSec VPNs could achieve secure, remote connectivity for site-to-site networking, they proved to be inadequate in a highly mobile and open business environment, mainly due to the following limitations:

  1. IPSec VPNs required expensive, time consuming client installations, lacking the flexibility needed to deliver secure, remote access to employees, customers and partners.
  2. For remote users trying to connect to corporate resources, IPSec VPNs can have difficulty traversing certain corporate firewalls. This is only a non-issue when the companies involved have the same basic ports open, inbound and outbound, which is not always the case.
  3. IPSec VPN clients are full programs and are thus large, generally 0.1 to 8 Megabytes. This means they download more slowly and don't work that well on smaller devices such as PDAs and Blackberries.
  4. Standard IPSec provides mutual authentication of tunnel endpoint devices using digital certificates or shared secrets (passwords). Neither is very practical for authenticating remote access users. Passwords provide weak authentication at best, and are difficult to manage in large scale. Client certificates have failed largely due to complexity of the Public Key Infrastructure needed to support them. Many organizations prefer two-factor authentication methods, but IPSec solutions for token- or challenge-response based authentication are proprietary, complicated and actually increase IPSec's vulnerabilities when the popular "aggressive-mode IKE with group shared secrets" is used.

Introduction

SSL VPN technology was born out of business needs arising from the above problems and limitations. This signified a paradigm shift in the very perception of secure remote access: the goal of a remote access VPN was no longer just to build secure access tunnels between remote devices and trusted networks, but to provide authenticated users with authorized and confidential access to information. The introduction of SSL VPN brought a revolution in delivering transparency in remote access solutions.

A newer way of providing mobility, extranets and complex business relationships implied a departure from the traditional notion of insiders versus outsiders in an organization: trusted users rather than trusted connections became the norm to follow in granting any internet access privileges. Security in SSL VPN hinged on the premise that every user connection should be viewed as external, and every user as initially untrustworthy, until the users, and not the devices, have been authenticated and their location-based privileges identified.

First Generation SSL VPNs

SSL VPNs were introduced to solve the problem of complexity in providing employees with remote access to corporate hosted applications. The initial goals of first generation SSL VPN were to provide seamless access through firewalls, a remote access solution that would work from anywhere regardless of NAT devices, and a “clientless” solution that would do away with the need to install separate VPN client software. It allowed network access only to web-based applications such as intranet websites. End users were authenticated and connected through a proxy-like SSL-enabled web server through which enterprise web applications could be accessed. Only limited resources were available and access was slow, but end users could connect from anywhere.

Second Generation SSL VPNs

As SSL VPNs began to mature, more types of secure access solutions were needed in the VPN platform. Initially, simple reverse proxy devices supporting pre-authentication and URL rewriting were introduced, which turned out to be more secure than the reverse NAT first-generation devices. These were followed by socket or port forwarding devices, which installed client software to listen for calls on a specific port or socket, intercept those calls, and forward them to the SSL VPN gateway over an SSL link for detunneling.

These technological developments finally led to the emergence of true SSL VPN solutions. True SSL VPN solutions provided the same user experience as traditional IPSec-level VPN servers and protocols. They added application support and features like granular access controls and endpoint security. Application support for all IP protocols was implemented through web-installed full access client software (FAT/PHAT).

SSL VPN popularity in recent years has soared with the development of high speed internet connections from home, hotels, and conference centers.

Operational overview

SSL VPNs essentially leverage the ubiquity of Secure Sockets Layer (SSL) encryption technology, which is built into almost every web or WAP browser. In comparison to IPSec, which works at the IP layer, SSL sits on top of a transport protocol such as TCP.

The VPN gateway identifies itself by means of a digital certificate that includes information such as the name of the trusted authority that issued the certificate, which the client can contact for verification, and the server’s public encryption key. The gateway then sends an encrypted session cookie to the browser to start the communications. To generate the encryption key used for the session, the client encrypts an arbitrary number with the server’s public key and sends the result to the server, which decrypts it with its private key.
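The exchange described above, carried through end to end as an added example that is not part of the original article: the gateway's key pair is a toy RSA pair built from constructed small primes, the CA and gateway names are constructed, and HMAC-SHA256 stands in for the TLS key derivation.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair (tiny primes, demonstration only; a real gateway
# key is 2048 bits or more and is bound to the gateway name by a CA signature).
P, Q, E = 61, 53, 17
N = P * Q                           # public modulus, 3233
D = pow(E, -1, (P - 1) * (Q - 1))   # gateway's private exponent, 2753

def gateway_certificate():
    """What the gateway presents: issuer name, its own name and its public key."""
    return {"issuer": "Example Corp Root CA",    # constructed CA name
            "subject": "vpn.example.test",       # constructed gateway name
            "public_key": (N, E)}

def client_key_exchange(cert, trusted_issuers, expected_name, pre_master=None):
    """Client side: check the issuer and name, then encrypt an arbitrary number
    with the gateway's public key. Returns (pre_master, ciphertext)."""
    if cert["issuer"] not in trusted_issuers:
        raise ValueError("certificate issued by an untrusted authority")
    if cert["subject"] != expected_name:
        raise ValueError("certificate name does not match the gateway")
    n, e = cert["public_key"]
    if pre_master is None:
        pre_master = secrets.randbelow(n - 2) + 2   # random value in [2, n-1]
    return pre_master, pow(pre_master, e, n)

def gateway_decrypt(ciphertext):
    """Gateway side: recover the client's number with the private key."""
    return pow(ciphertext, D, N)

def derive_session_key(pre_master, client_nonce, server_nonce):
    """Both sides derive the same session key from the shared number and the
    exchanged nonces (HMAC-SHA256 here stands in for the TLS PRF)."""
    secret = pre_master.to_bytes(2, "big")
    return hmac.new(secret, client_nonce + server_nonce, hashlib.sha256).digest()

def run_handshake(client_nonce=b"client-hello-nonce", server_nonce=b"server-hello-nonce"):
    """Full exchange; returns True when both sides hold the same session key."""
    cert = gateway_certificate()
    pre_master, ciphertext = client_key_exchange(cert, {"Example Corp Root CA"}, "vpn.example.test")
    recovered = gateway_decrypt(ciphertext)          # only the gateway holds D
    client_key = derive_session_key(pre_master, client_nonce, server_nonce)
    server_key = derive_session_key(recovered, client_nonce, server_nonce)
    return hmac.compare_digest(client_key, server_key)
```

Because every session secret is encrypted to the gateway's long-term key, a later compromise of that private key exposes recorded past sessions; modern TLS deployments prefer ephemeral Diffie-Hellman key exchange for this reason.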

Once the user’s identity is authenticated, SSL VPN, like IPsec VPN, allows a user-specific level of access, granted by company policies to different employees based on their work profile. Thus, for example, the Head of Human Resources would have access to employee payroll information while most other employees would not.

Advantages over IPsec

  1. SSL VPNs are often much less costly to deploy than IPSec VPNs. This is because, with clientless SSL VPNs, there is no cost for proprietary client software licenses, no administrative overhead involved in installing client software, and less time required for client technical support due to the ease of use.
  2. SSL VPN allows organizations to create user identity-based access policies, offering granular network access to employees, partners and customers based on user identity and work profile.
  3. SSL uses TCP port 443, which is normally open on the corporate firewall as well as on other companies’ firewalls, which helps remote users: SSL will work through firewalls without any special configuration. IPSec uses specific UDP ports which, if not otherwise in use, are blocked by the firewall.
  4. SSL VPNs can also provide a security advantage. When access is restricted to specific applications, the chances of unauthorized access are reduced.
  5. By leveraging the web browser and operating above the network layer, SSL VPNs eliminate all IP address management issues associated with IPSec VPNs.
  6. SSL VPNs support user authentication. By basing access on application proxy technology, an SSL VPN inherently offers a convenient and expedient gateway for extending the user challenge response authentication methods most widely in use today, from Windows Logon and one-time password systems to token-based authentication methods and certificates. Organizations can be more confident in authorizing access to sensitive or regulated information because the user, rather than the device, is authenticated.
  7. SSL VPNs support more granular authorization policies than IPSec. Application proxies by definition examine application data payload: access policies can be applied to individual data objects, as a way of narrowing authenticated user access down to a specific set of servers, applications and data objects. Policies can also be refined to permit the creation of different access levels, depending on authentication method, endpoint device and location.
  8. SSL VPNs remove several barriers that prevent organizations from offering an "anywhere, everywhere" solution via IPsec.
  9. Nowadays, SSL VPN also offers browser data protection, which attempts, after the user logs off, to eliminate sensitive information that may have been used during the course of a secure access session. This includes removal of any cached user credentials and removal of temporary spooled or cached files. Some SSL VPNs can be configured to prevent a user from creating local copies of company-sensitive information on a non-work computer.
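An added example, not from the article, of the identity-based, context-aware authorization described in points 2, 6 and 7 above and in the payroll case from the Operational overview: the policy table, roles, authentication strengths and location rules are all constructed, and any request the table does not explicitly permit is denied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Facts the gateway knows after authenticating the user (constructed)."""
    user: str
    role: str             # from the identity store, e.g. "employee", "hr_head"
    auth_method: str      # "password", "otp" or "certificate"
    managed_device: bool  # result of the endpoint posture check
    location: str         # "office", "home" or "kiosk"

# Relative strength of the authentication methods (assumption for this example).
AUTH_STRENGTH = {"password": 1, "otp": 2, "certificate": 2}

# Constructed policy table: per application, who may reach it and under what
# conditions. Anything not listed here is denied (default deny).
POLICIES = {
    "intranet":  {"roles": {"employee", "hr_head"}, "min_auth": 1, "managed_only": False},
    "fileshare": {"roles": {"employee", "hr_head"}, "min_auth": 2, "managed_only": False},
    "payroll":   {"roles": {"hr_head"},             "min_auth": 2, "managed_only": True},
}

# Applications that must never be exposed from a given location type.
LOCATION_DENY = {"kiosk": {"fileshare", "payroll"}}

def evaluate(session, app):
    """Decide one access request; returns (allowed, reason)."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown application"
    if session.role not in policy["roles"]:
        return False, "role not permitted"
    if AUTH_STRENGTH.get(session.auth_method, 0) < policy["min_auth"]:
        return False, "stronger authentication required"
    if policy["managed_only"] and not session.managed_device:
        return False, "managed endpoint required"
    if app in LOCATION_DENY.get(session.location, set()):
        return False, "not available from this location"
    return True, "allowed"

def authorized_apps(session):
    """The applications this session may be offered on the portal."""
    return sorted(app for app in POLICIES if evaluate(session, app)[0])
```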

SSL VPN over UTM appliance

UTMs are total security appliances which are comprehensive, turn-key solutions that include the key security features one needs to secure the entire corporate network, including firewall, VPN, Gateway anti-virus and Gateway anti-spam, content filtering, bandwidth management, multiple link management and On-appliance reporting. Compared to dedicated SSL VPN appliances, providing SSL VPN solution on a UTM appliance itself has several business benefits.

High Return on Investment: Compared to dedicated SSL VPN appliances, a UTM’s SSL VPN functionality provides enhanced functionality at a much more reasonable investment.

Granular Network Access: UTMs ensure that all enterprise applications are duly supported for core business functions: full applications, web applications, thin clients, fat clients and legacy applications. Hence only a single remote access solution is required.

Total Remote Connectivity: UTM appliances can provide both site to site IPSec VPN as well as remote-access SSL VPN connectivity for road warriors.

Enterprises need to provide secure, anywhere access to their remote or mobile workforce for all types of applications and end clients, viz. PDAs, smart phones and more, which leads to security concerns. Information leakage can result in financial loss, loss of customer trust and a negative brand image for these enterprises. An SSL VPN solution over UTM is the perfect solution for road warriors, tele-commuters and customers/partners. Location-, platform- and device-independent SSL VPN on UTM delivers high levels of secure remote access while supporting full business flexibility by allowing web-based as well as client-based VPN. SSL VPN allows the best protection for remote access use in corporate networks.

See also

  • L2F Layer 2 Forwarding Protocol
  • L2TP Layer 2 Tunneling Protocol
  • PLIP Parallel Line Internet Protocol
  • PPTP Point-to-Point Tunneling Protocol
