Guide to SSL VPN
SSL VPNs mean remote access made easy
Primer on how SSL VPN technology works
By Tim Greene
SSL VPNs connect remote computers to networks securely by invoking the SSL protocol, which authenticates machines and encrypts communications.
There is no SSL VPN standard, so individual vendors can implement these VPNs in slightly different ways, but here is a description of how they work in general.
The first step is for the browser on the remote computer to connect with the SSL VPN gateway. That is a device that typically sits inside the corporate firewall and acts as a go-between with servers. The user authenticates to the gateway using any of a variety of methods and is granted access.
As part of the authentication process, the gateway can assess the remote machine to determine whether it is a managed device. If it is managed, the gateway can scan it to determine whether it is compliant with network-security policies. These checks can look for whether the device has a personal firewall properly configured and turned on, or whether it has up-to-date antivirus software that is turned on.
Unmanaged machines may not allow such scans and are classified as having an unknown compliance state.
The gateway also can determine how the device is attempting to connect to the network, whether over the Internet, from the LAN or via a Wi-Fi access point.
The gateway digests all these factors to determine the combined security status of the user, the machine used and the access method. Based on the authentication results, preset policies dictate whether the user gets access and, if so, how much.
For instance, a company employee using a properly configured managed machine connecting over the Internet might gain full network access. That same employee using a borrowed machine and accessing via the Internet might get only e-mail access.
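The decision described above, modelled as an added example (not any vendor's code): the gateway combines the authentication result, the device's posture and the access method into an access level. The policy table, the `employee` role and the rule that an unmanaged device with unknown compliance gets e-mail only are assumptions that mirror the scenario in the text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Access(Enum):
    NONE = "none"            # connection refused
    EMAIL_ONLY = "email"     # application-level access to e-mail only
    FULL = "full"            # full network access (requires the agent)

@dataclass
class Device:
    managed: bool
    # Scan results; left as None when the gateway could not check them,
    # which is always the case for unmanaged devices that refuse the scan.
    firewall_on: Optional[bool] = None
    antivirus_current: Optional[bool] = None

def compliance(dev: Device) -> str:
    """Classify posture as 'compliant', 'noncompliant' or 'unknown'."""
    if not dev.managed or dev.firewall_on is None or dev.antivirus_current is None:
        return "unknown"          # unmanaged or unscanned: compliance state unknown
    if dev.firewall_on and dev.antivirus_current:
        return "compliant"
    return "noncompliant"

# Constructed policy table (assumption, not from any vendor): role and posture
# decide the access level. The access method does not change the outcome in
# this table, but it is still recorded in the audit reason.
POLICY = {
    ("employee", "compliant"): Access.FULL,
    ("employee", "unknown"): Access.EMAIL_ONLY,
    ("employee", "noncompliant"): Access.NONE,
}

def decide(authenticated: bool, role: str, dev: Device, method: str) -> Tuple[Access, str]:
    """Combine user, machine and access method into (access level, audit reason).
    Anything the policy table does not name is denied (default deny)."""
    if not authenticated:
        return Access.NONE, "authentication failed"
    state = compliance(dev)
    level = POLICY.get((role, state), Access.NONE)
    return level, f"role={role} posture={state} method={method}"

if __name__ == "__main__":
    managed = Device(managed=True, firewall_on=True, antivirus_current=True)
    borrowed = Device(managed=False)   # constructed: borrowed, unmanaged machine
    print(decide(True, "employee", managed, "internet"))   # Access.FULL
    print(decide(True, "employee", borrowed, "internet"))  # Access.EMAIL_ONLY
```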
Gaining full network access via SSL VPN requires an agent running on the remote device. This is typically a download made during the connection process, and it dissolves at the end of the session. Some vendors offer agents that persist, so the next time the same device tries to connect to the VPN, the agent download is unnecessary.
Because SSL is an application-layer technology, policies can be set in a detailed way to restrict the access a remote user gets, application by application.
SSL VPNs use Port 443, which most corporate firewalls typically leave open. This makes it possible to use SSL VPNs without making policy changes to the firewalls.