Best Practices for deploying SSL VPNs
Wide client support, authentication support are crucial
By Tim Green
• Part of the reason for using SSL VPNs is to allow users to connect using something other than a company-issued machine. If that is an important goal, check whether the product under consideration supports Windows, Linux, Mac and even the operating systems for handhelds and smart phones equipped with browsers.
• Check out the management platform and its ability to support multiple policies per user and user group. Because the technology can support such granular access, it may become desirable to issue more than one policy per person or group. For instance, a single user may require access rights that differ depending on which machine is used, how it connects (full tunnel client or browser only) and what the security posture of that device is, such as whether it is company-owned and passes the gateway's endpoint checks.
• To tighten up security, require two-factor authentication to log into the VPN, so that a guessed or captured password alone is not enough to get in.
• Use options that delete from the remote machine any traces of transactions performed during the SSL VPN session, such as cached pages, cookies and downloaded files. This is especially important when the corporation does not own the remote device and it is readily accessible to others, such as a computer at an Internet kiosk. Because this cleanup runs on a machine the company does not control, treat it as a best effort rather than a guarantee, and keep the most sensitive resources out of the policies that apply to such devices.
• Use options that force sessions to time out and demand reauthentication, so that if the remote user walks away from a machine that is still logged into the VPN, someone else cannot simply pick up the live session.
• Weigh how important SSL VPN access is to doing business. If it's essential, install gateways in high-availability mode, so if one gateway fails, the other can kick in.
• If SSL VPNs are to be used for network access in case of a disaster, build in capacity to handle the extra load. If the gateway is not sized to support all the additional users, it will become yet another problem after disaster strikes.
• Run penetration testing against the VPN gateway, including its login pages and the policy enforcement behind them. It is exposed to the Internet and allows access to corporate resources, and it is supposed to be secure, but it pays to check.
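The posture-dependent policy selection and the idle-timeout rule from the list above, as an added example that is not from the article or from any vendor's product: a toy Python policy table keyed on user group and device posture, so that the same user lands on a different policy from a managed tunnel client than from a browser on a kiosk, plus a session object that refuses further requests once idle beyond the policy's limit until the user reauthenticates. The group names, resource labels, timeouts and the Posture and Policy fields are all invented for illustration.

```python
"""Toy SSL VPN policy engine (illustrative, not any product's code):
posture-aware policy selection plus idle-timeout enforcement."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Posture:
    corporate_owned: bool      # company-issued machine?
    endpoint_checks_ok: bool   # host checker passed (AV running, patch level, ...)
    access_method: str         # "tunnel" (full client) or "browser" (clientless)


@dataclass(frozen=True)
class Policy:
    name: str
    allowed_resources: frozenset
    idle_timeout_s: int
    wipe_traces: bool          # clear cache/cookies/downloads at session end


# Hypothetical rule table: (user group or None for any group, posture
# predicate, policy).  Rules are evaluated top to bottom and the first
# match wins; the final catch-all applies to any authenticated user on a
# device that is not company-owned or fails the endpoint checks.
Rule = Tuple[Optional[str], Callable[[Posture], bool], Policy]

RULES: List[Rule] = [
    ("finance",
     lambda p: p.corporate_owned and p.endpoint_checks_ok and p.access_method == "tunnel",
     Policy("finance-managed-tunnel",
            frozenset({"webmail", "intranet", "erp", "file-shares"}), 1800, False)),
    ("finance",
     lambda p: p.corporate_owned and p.endpoint_checks_ok,
     Policy("finance-managed-browser",
            frozenset({"webmail", "intranet", "erp"}), 900, False)),
    ("engineering",
     lambda p: p.corporate_owned and p.endpoint_checks_ok and p.access_method == "tunnel",
     Policy("eng-managed-tunnel",
            frozenset({"webmail", "intranet", "source-control"}), 1800, False)),
    (None,
     lambda p: True,
     Policy("unmanaged-kiosk", frozenset({"webmail"}), 300, True)),
]


def select_policy(group: str, posture: Posture) -> Policy:
    """Return the first policy whose group and posture predicate match."""
    for rule_group, predicate, policy in RULES:
        if rule_group in (None, group) and predicate(posture):
            return policy
    raise LookupError("no policy matched")  # unreachable while the catch-all exists


class Session:
    """Tracks activity for one VPN session and locks it after idle_timeout_s."""

    def __init__(self, policy: Policy, now: float):
        self.policy = policy
        self.last_activity = now
        self.needs_reauth = False

    def touch(self, now: float) -> bool:
        """Record activity; return False (and lock) if the idle limit was exceeded."""
        if self.needs_reauth:
            return False
        if now - self.last_activity > self.policy.idle_timeout_s:
            self.needs_reauth = True
            return False
        self.last_activity = now
        return True

    def can_access(self, resource: str, now: float) -> bool:
        """A request is allowed only if the session is live and the policy permits it."""
        return self.touch(now) and resource in self.policy.allowed_resources

    def reauthenticate(self, now: float) -> None:
        """Call only after the user has passed two-factor authentication again."""
        self.needs_reauth = False
        self.last_activity = now


if __name__ == "__main__":
    kiosk = Posture(corporate_owned=False, endpoint_checks_ok=False, access_method="browser")
    policy = select_policy("finance", kiosk)
    print(policy.name, sorted(policy.allowed_resources), policy.idle_timeout_s)
    s = Session(policy, now=0)
    print("webmail at t=100:", s.can_access("webmail", 100))
    print("erp at t=200:", s.can_access("erp", 200))
    print("webmail at t=600 (idle 400s):", s.can_access("webmail", 600))
```

The point of the table is that the user's identity alone never selects the policy; the gateway's view of the device is part of the key, and the unmanaged-device policy is the one that gets the short timeout and the trace-wiping option. Note that `touch` locks the session on the first request that arrives after the idle limit rather than letting that request through, and `reauthenticate` is the only way out of the locked state.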