SSL VPN Basics
SSL VPNs offer remote access for enterprises, and they're less complicated than IPsec VPNs. But SSL VPNs have their own problems.
Secure Sockets Layer (SSL) for remote access is based on a simple concept: use the encryption and authentication capabilities built into every Web browser to provide secure remote access to corporate applications.
By combining SSL-enabled Web browsers with a secure gateway to terminate connections and provide policy enforcement and access control, so-called SSL VPNs provide access to Web-based, legacy client/server, and terminal applications from anywhere (home PCs, hotel business centers, Internet cafes, or a business partner's LAN) without an IPSec VPN client. It's one of those ideas that make you say "Why didn't I think of that?"
The companies that did think of it are now working very hard to turn that idea into market share. Regardless of which brand wins the biggest piece of the pie graph, here's why the idea is a good one:
First and foremost, SSL is everywhere there's a Web browser. The result is millions and millions of preinstalled clients ready for use. This introduces remote access to a broader user population than is typically feasible with IPSec VPNs.
"Smaller companies don't have the resources to support IPSec clients," says Jason Matlof, vice president of marketing and business development at Neoteris, maker of an SSL remote access appliance. "Larger companies have the budgets to support 10 or 20 percent of elite users with IPSec."
"The real catalyst in this market is addressing constituencies that haven't been addressable," he says. "Eighty to 90 percent of users and business partners can get controlled access to certain resources without compromising security."
Second, SSL isn't a brand new technology that must win over skeptics. Its public key encryption system has been poked and prodded by security experts. Banks, governments, and major retailers entrust billions of dollars in transactions to it. Invented by Netscape, SSL has graduated into an IETF standard under the moniker of Transport Layer Security (TLS). Thus, the move to remote access is merely a new application of a well-established technology, not a new technology seeking a useful application.
Third, SSL remote access enjoys the supreme advantage that all new products have: the ability to attack an incumbent's weaknesses. In this case, the incumbent is the IPSec VPN, and SSL marketing literature invariably aims its spear at IPSec's jugular: the client.
CLIENTS? WE DON'T NEED NO STINKING CLIENTS
The IPSec VPN client has three strikes against it. First, the client restricts users to a single machine, which isn't as flexible as browser-based remote access. "You can go from mobile phone to a Wi-Fi connection to your corporate broadband connection very easily with SSL," says Jude O'Reilley, senior product marketing manager at Aventail, an SSL remote access vendor.
"With IPSec, each one of those networks requires work from the IT staff," says O'Reilley. "Every new network causes pain for IPSec managers."
Second, the IPSec client software can be difficult to manage. "IPSec clients modify the network drivers and the network stack, and if you don't have tight control over the OS on those machines, it's going to get complex," says David Thompson, senior research analyst for technology research services at the META Group (www.metagroup.com). "IPSec works well on company laptops, but for home machines there are conflicts and support calls, and that's universal for all the IPSec vendors."
Thompson says those conflicts and support calls mean added costs for IPSec remote access. "The main cost difference between SSL and IPSec is the support of the client software required for IPSec connections," he says.
Peter Ridgley, principal network engineer for information management solutions provider Iron Mountain (www.ironmountain.com), supports both an SSL remote access solution from Neoteris and an IPSec VPN. He says the Neoteris product has been easier to manage.
"Neoteris doesn't need much babysitting, just occasional code upgrades and compliance reviews. We use Nortel Contivity for IPSec remote access and it's stable, but it requires more maintenance." That maintenance includes help desk costs, software upgrades, and new user adds, he notes.
The third strike is end-user complexity. "SSL is fabulous from a corporate standpoint because you don't have to teach people a new procedure," says Yankee Group (www.yankeegroup.com) analyst Eric Ogren. "Everybody knows how to use a browser."
DOWNSIDES OF THE BROWSER
An irony of SSL VPNs is that their greatest asset, browser-based access, is also their most problematic feature. The freedom and mobility of the browser means that your users can run applications and access network resources from just about anywhere: a partner site, an airport kiosk, an Internet cafe, even a friend's house.
While that freedom may boost productivity, it also exposes your network to an unlimited number of computers whose security state is unknown (and in some cases unknowable). Your network may experience increased risk from viruses, Trojans, and other malicious code, such as keystroke loggers.
Browser-based access has other complications as well. Default user authentication is limited to a username and password, which is notoriously insecure. In addition, most SSL solutions also require an ActiveX or Java download to provide the most complete access, but remote machines may not allow those applets to run, thus denying access. Finally, browsers may cache documents or screens at the remote machine, potentially exposing sensitive information. Users who forget to log out of browser sessions also present the same risk.
Savvy vendors are addressing these issues, but their methods complicate the original simplicity of the solution. These complications don't invalidate SSL remote access; even with extras such as tokens or digital certificates, SSL may still be easier and less costly than IPSec VPNs. (For a comparison of SSL and IPsec, see the table.) However, it's important to know that nothing is as simple as marketing literature would have you believe. Thus, we've detailed the top four concerns regarding SSL here:
See Chart: Pros and Cons of SSL vs. IPsec VPNs
- Users will access corporate resources from untrusted (and untrustworthy) computers. IT administrators know it's difficult enough securing the PCs under their control. Machines outside their control should be treated with suspicion. In August 2003, for example, The New York Times reported a story about a man who had installed keystroke logging software on Internet terminals at Kinko's copy stores around New York City. According to the report, the man harvested personal information on 450 people who had used the kiosks. The crime was only uncovered when one of the victims actually saw his computer being controlled by a remote user.
IPSec VPNs don't suffer from this level of exposure because it's common practice to install anti-virus signatures, personal firewalls, and policy enforcement programs from companies such as Zone Labs, Sygate, and InfoExpress along with the client. Not so for SSL remote access.
"It's a bit of a nightmare from a security perspective," says META's Thompson. "SSL vendors are struggling with authorization with different endpoints. You may trust the user but not the computer, and it's hard to figure that out if you don't have a client."
Several SSL vendors, such as Aventail, Neoteris, and Netilla, support personal firewalls. This is a good step, but there's no guarantee that users will be coming from a machine that has a firewall or anti-virus software installed. In such cases, many vendors will limit application access.
"We can detect a personal firewall and make a policy decision based on that," says Aventail's O'Reilley. Aventail also plans to roll out a security feature it calls Desktop Watermarking, in which a specific machine, such as an employee's home PC with anti-virus software and a personal firewall, is identified and registered by the SSL remote access server.
"A watermark is a combination of factors," says O'Reilley. "It will combine an encrypted cookie with an MD5 checksum done on a section of the hard drive that's unlikely to change, and maybe a digital certificate."
The idea is that watermarked PCs will be given deeper access to network resources than other machines. "We'll provide control to let an IT person say if a user comes from a corporate laptop, he gets everything," says O'Reilley. "When he's accessing from an airport kiosk, he gets an internal home page. You can tailor access based on the environment and what you've done to protect that environment."
Other vendors are also devising methods for restricting access based on the condition of the remote machine. Many support digital certificates that identify a trusted computer; others will scan the computer. For instance, Nokia's Secure Access System, an SSL remote access appliance, employs a client integrity scan. This scan checks the user's device for anti-virus software, a personal firewall, and open ports that may indicate the presence of a Trojan. Once the appliance establishes a trust level, it adjusts access privileges accordingly.
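The tiered access that O'Reilley and the Nokia integrity scan describe boils down to a policy decision on the gateway: derive a trust level from what can be verified about the endpoint, then let that level (not just the user's login) decide which resources are reachable. The following is an added illustration written for this article, not any vendor's code; the posture fields, the suspicious-port list and the resource names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed list of ports the scan treats as a sign of a remote-control Trojan.
# A real integrity scan would carry a maintained signature set, not three literals.
SUSPICIOUS_PORTS = {12345, 27374, 31337}


@dataclass
class Posture:
    """What the gateway could learn about the remote machine before granting access."""
    has_antivirus: bool = False
    has_firewall: bool = False
    open_ports: set = field(default_factory=set)
    watermark_registered: bool = False  # device previously enrolled ("watermarked")
    cert_present: bool = False          # machine certificate offered in the TLS handshake


def trust_level(p: Posture) -> int:
    """0 = unknown machine (kiosk), 1 = hygienic but unregistered, 2 = registered corporate PC."""
    if p.open_ports & SUSPICIOUS_PORTS:
        return 0  # possible Trojan: ignore every other factor and treat as untrusted
    if p.watermark_registered and p.cert_present and p.has_antivirus and p.has_firewall:
        return 2
    if p.has_antivirus and p.has_firewall:
        return 1
    return 0


# Resources each trust level may reach. Level 0 gets only the internal home page,
# level 1 gets browser-only applications, level 2 gets file servers and the tunnel.
ACCESS_BY_LEVEL = {
    0: {"home_page"},
    1: {"home_page", "webmail", "intranet"},
    2: {"home_page", "webmail", "intranet", "file_servers", "tunnel"},
}


def authorize(p: Posture, resource: str) -> bool:
    """Policy decision for one request: is this resource allowed from this endpoint?"""
    return resource in ACCESS_BY_LEVEL[trust_level(p)]


if __name__ == "__main__":
    kiosk = Posture()
    corporate = Posture(True, True, set(), True, True)
    print("kiosk -> webmail:", authorize(kiosk, "webmail"))        # False
    print("corporate -> tunnel:", authorize(corporate, "tunnel"))  # True
```

The point of the structure is that a successful login never widens access on its own: the user may be trusted while the machine is not, which is exactly the distinction Thompson says is hard to make without a client.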
- Strong user authentication requires add-ons. If you're investigating SSL remote access as a low-cost alternative to IPSec VPNs, be aware that while the sticker price for such a solution may be agreeable, add-ons are going to up your costs.
A case in point is user authentication. The default method is via a username and password, but while this might be adequate for remote e-mail, experts say it's not enough for other resources.
"If you offer SSL access into deep-end applications, a higher form of authentication is called for," says Yankee's Ogren. "A token is the obvious first choice, and a biometric is the obvious last choice," he notes.
SSL vendors also agree that in many cases, usernames and passwords aren't sufficient. "Most of our customers require some form of two-factor authentication," says Reggie Best, president and CEO of Netilla. "Generally it's tokens, but some are using smart-card solutions."
These solutions will add to both your equipment and support costs, and should be considered carefully. Dual-factor authentication also puts more of a burden on end users, who have to be trained to use the token or the smart card and then remember to keep it with them (along with any additional devices, such as a USB-connectable card reader).
While other SSL vendors support dual-factor authentication, Rainbow Technologies (www.rainbow.com) goes a step further by offering authentication hardware as part of its remote access package. Rainbow's NetSwift iGate appliance, which provides SSL-based access to Web and client/server applications, also includes 100 USB keys and management software in its starting price.
- Remote machines may block applets required for sophisticated SSL remote access. While it's true that browser-based remote access is "clientless" in the sense that the browser (the de facto client) is preinstalled, many SSL VPNs rely on downloadable applets to provide access to sophisticated applications.
For instance, Neoteris, Aventail, and Netilla, among others, offer a form of SSL "tunneling" that mimics an IPSec VPN and lets users run "fat client" applications such as ACT and Microsoft Outlook. However, the tunneling feature requires an applet, usually ActiveX, to be downloaded to the remote machine.
The catch is that many of the systems employed for remote access (such as airport kiosks) may not allow those applets to install, thus locking out the user.
Craig Lockwood, CIO and corporate client manager at Fujitsu, uses Aventail's SSL VPN service for 4,000 employees. He says his users have experienced just this problem with SSL remote access, particularly when Fujitsu consultants go to customer sites.
"Very few clients allow us to download the tunneling applet," he says. "It shuts you out of access to file servers." However, he does note that client customers haven't had a problem with Fujitsu consultants using SSL remote access for e-mail and Oracle applications. "Most do allow you to come in through the browser where there's nothing installed," he says.
Vendors admit that the tunneling feature begins to move away from SSL's main benefit of anywhere access from any machine.
"This is for a corporate-supplied PC," says Netilla's Best. "Most organizations wouldn't allow tunneling from a kiosk."