Guide to SSL VPN
How to buy an SSL VPN
Tester outlines indicators for choosing the right product
By Joel Snyder
The following considerations can help determine when SSL VPN is the best option for secure remote access:
• Connections originate from a Web browser.
• The IT department has limited or no control over the remote system or the client software, as in the case of a partner or customer.
• A business needs to provide occasional, short-duration access from unmanaged or home computers, airport or library kiosks, or Internet cafés.
• Remote-access requirements include access to limited company network resources, not full network access.
When considering any SSL VPN implementation, consider these questions first:
• Does it have low training overhead? Most SSL VPNs enjoy broad support in commercial Web browsers.
• Does it support existing and planned authentication methods? Server plug-in software and SSL appliances support existing authentication methods, as well as mutual authentication using digital certificates.
• Does it provide anywhere access? SSL can be invoked via a Web browser from any PC at any location -- a trade-show kiosk, an Internet café, Wi-Fi hot spots, another company's network and any other computer with Internet access. However, due care must be taken to ensure that public endpoints have not been compromised with malicious software such as spyware or key loggers, which would render them insecure.
• How does it reduce network interoperability issues? Because the underlying protocol is the same one used for secure Web transactions, an SSL VPN functions from any location with a Web browser, including business-to-partners environments and through proxy servers, without changes to the underlying security infrastructure.
• Does it offer client ubiquity? Client software is built in to the Web browsers installed on almost all user devices, eliminating the need to install new VPN client software.
• Is it transparent to wireless roaming? SSL sessions are not locked to an IP address.
Certain SSL deployment options demand precautions to protect the remote user's security credentials. For example, when an end user carries out banking activities over a public Internet connection, all residual user data (such as cached pages, cookies and downloaded files) must be cleaned up properly after the SSL session finishes. Otherwise, there are opportunities for a malicious party to harvest that data after the user has finished the banking transaction.
Not needing to install a VPN client is an advantage for SSL VPN, but at the same time only Web-browser-accessible applications can use SSL as a security protocol. Development in this area aims to give users an "inside the main office" experience over SSL by securing more than just Web-browsing applications.
Compromised endpoints on the Internet can also receive SSL-encrypted instructions over the Internet to initiate malicious activity, such as a distributed denial-of-service attack, because the encryption hides that traffic from inspection.
SSL-based VPN is a comparatively new technology that provides remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. Although application accessibility is constrained relative to IPSec VPNs, SSL-based VPNs allow for access to a growing set of common software applications.
SSL-based VPN requires slight changes to user workflow, because some applications are presented through a Web-browser interface, not through their native GUI. Client/server application support generally requires specific and sometimes browser-dependent applets to be dynamically downloaded to the remote system.
Using Web technology for connectivity allows accessibility from almost any Internet-connected system without needing to install additional desktop software. Because SSL-based VPN can provide network access to users from almost any Internet-connected system, it is an emerging option for extending remote access to users who require access to specific applications.