Secure Sockets Layer virtual private network

From Wikipedia, the free encyclopedia


Secure Sockets Layer virtual private network (SSL VPN) is a kind of VPN that runs on Secure Sockets Layer (SSL) technology and is accessible via HTTPS over web browsers.[1] It permits users to establish safe and secure remote access sessions from virtually any Internet-connected browser. SSL functions between the Transmission Control Protocol (TCP) layer and Application Layer protocols.[2] A traditional VPN requires the installation of IPsec client software on the client machine before a connection is established, whereas an SSL VPN has no such requirement.[2] Corporate users are able to access confidential applications or shared files from standard web browsers. The main benefit of SSL VPN technology is that, because it is user-based rather than device-based, any authorized user can log in from a web-enabled PC for secure remote access to confidential files.[3] The safety issues are similar to those of SSL-based online credit card transactions.[4]

For businesses, SSL VPN offers versatility, ease of use and secure remote access to road warriors, telecommuters, partners and customers, who can access the corporate network from multiple locations, including home, client networks, public kiosks and hotspots, over varied devices such as laptops, mobile devices and home and public desktops. This makes SSL VPN unique in providing anywhere, any-device remote access, which is not possible with other VPN solutions.[5]


History and development

The concept of remote working originally grew out of the need to save an enterprise significant time, money and resources by having an employee work regularly from home rather than travel to a distant office.[3] Enterprises' competitiveness also depended on the efficiency with which they could support and deliver their service offerings to customers, partners and suppliers.[6] Customers and employees travelling to do business between national or international sites were becoming an important focus for improving productivity. These traditionally outside entities now had to be given access to corporate resources, such as partner and customer portals, internal knowledge bases, and extranets.[2]

A number of limitations observed in IPsec facilitated the arrival of SSL as an alternative technology for secure, remote access.[6]

Limitations of IPsec

  • IPsec VPNs required expensive, time-consuming client installations and lacked the flexibility needed to deliver secure remote access to employees, customers and partners.[6]
  • For remote users trying to connect to corporate resources, IPsec VPNs posed difficulties in being allowed to cross certain corporate firewalls.[2]
  • IPsec VPN clients were full programs and thus generally 0.1 to 8 megabytes in size. This means they download more slowly and are not well suited to smaller devices such as PDAs and BlackBerries.[2]

SSL VPN technology was born in the light of the above problems and limitations.[7] The introduction of SSL VPN brought a big change in delivering transparency to remote access solutions.[6]

A newer way of providing mobility, extranets and complex business relationships implied a departure from the traditional notion of insiders versus outsiders in an organization: trusted users rather than trusted connections became the norm for granting any user access privileges over the Internet. Security in SSL VPN was based on the premise that every user connection has to be viewed as external, and every user initially untrustworthy, until the users, not the devices, were authenticated and their location privileges identified.[6]

First-generation SSL VPNs

SSL VPNs were introduced to solve the problem of the complexity involved in providing employees remote access to corporately hosted applications.[7] The initial goals of first-generation SSL VPNs were to provide seamless access through firewalls, a remote access solution that would work from anywhere regardless of NAT devices, and a "clientless" solution that would do away with the need to install separate VPN client software.[8] They allowed network access only to web-based applications such as intranet websites. End users were authenticated and connected through a proxy-like SSL-enabled web server, through which enterprise web applications could be accessed. Only limited resources were available and access was slow, but end users could connect from anywhere.[9]

Second-generation SSL VPNs

As SSL VPNs began to mature, more types of secure access solutions were needed in the VPN platform. Initially, simple reverse proxy devices supporting pre-authentication and URL rewriting were introduced, which turned out to be more secure than the reverse-NAT first-generation devices. These were followed by socket or port forwarding devices that installed client software to listen for calls on a specific port or socket, intercept those calls, and forward them to the SSL VPN gateway over an SSL link for detunneling.[8]
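The URL rewriting a reverse-proxy SSL VPN performs (the same mechanism the first access tier below relies on) can be illustrated with a small rewriter. This is an added example, not code from the article or from any vendor's gateway; the gateway address, the allowlist of internal hosts and the sample HTML are constructed. The security-relevant step is the allowlist: a link to a host the administrator has not approved is not simply passed through, it is replaced with a blocked marker and reported.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical gateway prefix and allowlist of internal hosts (constructed).
GATEWAY = "https://vpn.example.com/proxy/"
INTERNAL_HOSTS = {"intranet.example.internal", "wiki.example.internal"}

# Double-quoted href/src/action attributes in the proxied HTML.
ATTR_RE = re.compile(r'(?P<attr>\b(?:href|src|action))="(?P<url>[^"]*)"', re.IGNORECASE)


def rewrite_url(url, page_url):
    """Return the gateway-proxied form of an internal URL, or None when the
    URL points at a scheme or host outside the allowlist."""
    absolute = urljoin(page_url, url)          # resolve relative links
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return None
    path = parts.path or "/"
    rewritten = f"{GATEWAY}{parts.scheme}/{parts.hostname}{path}"
    if parts.query:
        rewritten += "?" + parts.query        # fragments are client-side only and dropped
    return rewritten


def rewrite_html(html, page_url):
    """Rewrite every link so the browser fetches it through the gateway.
    Returns the rewritten page and the list of URLs that were blocked."""
    blocked = []

    def sub(match):
        new = rewrite_url(match.group("url"), page_url)
        if new is None:
            blocked.append(match.group("url"))
            return f'{match.group("attr")}="{GATEWAY}blocked"'
        return f'{match.group("attr")}="{new}"'

    return ATTR_RE.sub(sub, html), blocked


if __name__ == "__main__":
    # Constructed sample page served by an internal HR site.
    page = ('<a href="/payroll/list">Payroll</a><img src="logo.png">'
            '<a href="https://external.example.org/x">outside</a>')
    out, blocked = rewrite_html(page, "https://intranet.example.internal/hr/index.html")
    print(out)
    print("blocked:", blocked)
```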

These technological developments finally led to the emergence of "true" SSL VPN solutions, which provided the same user experience as traditional IPsec-level VPN servers and protocols and added application support and features such as granular access controls and endpoint security.[8] Application support for all IP protocols was implemented through web-installed full-access client software (FAT/PHAT).[10] SSL VPN popularity has soared in recent years with the development of high-speed Internet connections from homes, hotels and conference centers.

Operational overview

SSL VPNs essentially leverage the ubiquity of Secure Sockets Layer (SSL) encryption technology, which is built into almost every web or WAP browser. In comparison to IPsec, which works at the IP layer, SSL sits on top of a transport protocol such as TCP.[7]

The VPN gateway identifies itself by means of a digital certificate that includes information such as the name of the trusted authority that issued the certificate, which the client can contact for verification, and the server's public encryption key.[7] The gateway then sends an encrypted session cookie to the browser to start the communications.

To generate the encryption key used for the session, the client encrypts an arbitrary number with the server's public key and sends the result to the server, which decrypts it with the corresponding private key.[7] Once the user's identity is authenticated, an SSL VPN, like an IPsec VPN, grants a user-specific level of access defined by company policy for different employees based on their work profile. Thus, for example, the Head of Human Resources would have access to employee payroll information while most other employees would not.[2]

Client-side security

An important feature of SSL VPN is client-side security.[11] It offers a mechanism that provides additional security for the end user's system. First, the secure access product offers a host-checker facility which performs client-side checks on specific options. It checks for the existence and validity of files on the client's system, such as those of an anti-virus scanner or a personal firewall, and can check for specific Windows Registry settings as well.[11] Finally, the host checker can tie into other third-party products and talk to the applications running on the client's system. It ensures that the client meets or exceeds the organization's defined standard for a remote software load. Based on the options that pass or fail, one can give the end user various levels of access.[11]

If users have an anti-virus program running on their systems, the SSL VPN gives them access to network file shares as well as basic access to webmail.[11] If users also have a personal firewall running, they can safely be allowed to access the main servers.[11]

Another client-side security feature is the cache cleaner. It identifies all files cached by the web browser and deletes them after the client's session is over, ensuring that no trace of the session remains on the remote system.[11]

Different levels of access

There are three levels of application access available through an SSL VPN device.

  1. Tier 1: The first tier of access allows the remote worker to access web-based and file-based resources. While accessing websites or web-based applications, all HTML, JavaScript and Java are rewritten to direct access through the SSL VPN gateway. This ensures that access to all resources can be secured and not directed to another location without the administrator's direct permission. In the first level of access, one may also access Microsoft file shares as well as UNIX Network File System (NFS) shares. Also included is a Java-based component that allows one to access systems via either Telnet or Secure Shell (SSH).[11]
  2. Tier 2: The second tier of access uses a component called the secure application manager. This runs either as a browser-based Java component or an ActiveX component. The objective is to access various popular applications such as Microsoft Exchange, Citrix and Microsoft Terminal Services.[11]
  3. Tier 3: The third tier of access allows full network connectivity, allowing the client to connect into the network as if it were directly on it.[11] This is the highest level of access and realizes the true aims of secure remote access.
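The host-checker results described under client-side security and the three access tiers above fit together as a posture-based access policy. The following is an added example, not the article's or any vendor's code: the posture fields, the mapping from failed checks to tiers and the sample clients are a hypothetical policy constructed here (anti-virus required for any access, a firewall for application access, managed-device registry settings for full network access).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostPosture:
    """Results a hypothetical host checker reports for one client (constructed)."""
    antivirus_running: bool
    antivirus_signature_age_days: int   # days since the last signature update
    personal_firewall_running: bool
    registry_policy_ok: bool            # required Windows Registry settings present


# Resources unlocked at each tier, following the article's tiers; the mapping
# of posture to tier below is a hypothetical policy, not a vendor default.
TIER_RESOURCES = {
    0: (),                                                    # deny: baseline not met
    1: ("webmail", "file-shares", "intranet-web", "ssh-telnet-applet"),
    2: ("webmail", "file-shares", "intranet-web", "ssh-telnet-applet",
        "exchange", "citrix", "terminal-services"),
    3: ("full-network",),                                     # client is "on the network"
}


def evaluate(posture, max_signature_age_days=7):
    """Return (tier, failed_checks). Every failed check caps the tier; the
    reasons are returned so they can be logged and shown to the user."""
    failed = []
    if not posture.antivirus_running:
        failed.append("antivirus-not-running")
    elif posture.antivirus_signature_age_days > max_signature_age_days:
        failed.append("antivirus-signatures-stale")
    if not posture.personal_firewall_running:
        failed.append("firewall-not-running")
    if not posture.registry_policy_ok:
        failed.append("registry-policy-missing")

    if any(f.startswith("antivirus") for f in failed):
        tier = 0
    elif "firewall-not-running" in failed:
        tier = 1
    elif "registry-policy-missing" in failed:
        tier = 2
    else:
        tier = 3
    return tier, failed


def allowed_resources(posture):
    tier, _ = evaluate(posture)
    return TIER_RESOURCES[tier]


if __name__ == "__main__":
    # Constructed sample clients: a managed laptop and a home PC.
    print(evaluate(HostPosture(True, 1, True, True)))
    print(evaluate(HostPosture(True, 2, False, False)))
```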

Business advantages

(Figure: SSL VPN used by different sets of users)
  • SSL VPNs are often much less costly to deploy than IPsec VPNs, because with clientless SSL VPNs there is no cost for proprietary client software licenses, no administrative overhead involved in installing client software, and less time required for client technical support thanks to the ease of use.[2]
  • SSL VPN allows organizations to create user identity-based access policies, offering granular network access to employees, partners and customers based on user identity and work profile.[2]
  • SSL uses TCP port 443, which is normally open on the corporate firewall and on other companies' firewalls as well, which helps remote users: SSL (over port 443) will work through firewalls without any special configuration. IPsec uses specific UDP ports, which the firewall blocks when they are not in use.[2]
  • SSL VPNs can also provide a security advantage: when access is restricted to specific applications, the chances of unauthorized access are reduced.[2]

SSL VPN over UTM appliance

(Figure: SSL VPN implemented over a UTM appliance and used in an actual business scenario)

UTMs are total security appliances: comprehensive, turn-key solutions that include the key security features needed to secure the entire corporate network, including firewall, VPN, gateway anti-virus and gateway anti-spam, content filtering, bandwidth management, multiple link management and on-appliance reporting. Compared to dedicated SSL VPN appliances, providing the SSL VPN solution on the UTM appliance itself has several business benefits.[12]

High return on investment: Compared to dedicated SSL VPN appliances, a UTM's SSL VPN functionality provides enhanced functionality at a much more reasonable investment.[12]

Granular network access: UTMs ensure that all enterprise applications are duly supported for core business functions (full applications, web applications, thin clients, fat clients and legacy applications), hence only a single remote access solution is required.[12]

Total remote connectivity: UTM appliances can provide both site-to-site IPsec VPN and remote-access SSL VPN connectivity for road warriors.[12]

Enterprises need to provide secure, anywhere access to their remote or mobile workforce for all types of applications and end clients, such as PDAs and smartphones, which leads to security concerns. Information leakage can result in financial loss, loss of customer trust and a negative brand image for these enterprises. An SSL VPN solution over UTM is presented as the ideal solution for road warriors, telecommuters and customers/partners. Location-, platform- and device-independent SSL VPN on UTM delivers high levels of secure remote access while supporting full business flexibility by allowing web-based as well as client-based VPN. SSL VPN allows the best protection for remote access use in corporate networks.

Limitations

In the debate over whether IPsec or SSL VPN is the better solution, there are a few limitations on their perceived ability to deliver secure remote access:

  • Most SSL VPN applications are concerned with end applications in the network. It is difficult to ensure the integrity of the tunnel through "clean traffic" technologies.[13]
  • SSL VPN depends on application translation for interfacing between a web server and a web browser.
  • SSL VPN vendors often talk of network extension clients which connect an end user's system to the corporate network with access controls based only on destination IP address and port number. This removes operating system independence and requires administrative access to every local system to install the client.


References

  1. TechTarget (19 January 2009), "What is SSL VPN", retrieved 12 March 2009, http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1201867,00.html
  2. Heyman, Karen (December 2007), "A New Virtual Private Network for Today's Mobile World", IEEE Computer Society, pp. 17-19.
  3. AEP Networks (2008), "Secure Remote Working: Are We Virtually There Yet? An AEP Networks White Paper", AEP Networks.
  4. VPN Tools (2009), "SSL VPN Gaining Popularity", www.vpntools.com/vpntools_articles/ssl-vpn.htm
  5. Cyberoam (3 March 2009), "Cyberoam UTM introduces on-appliance SSL VPN", retrieved 12 March 2009, http://www.cyberoam.com/pressrelease_sslvpn.html
  6. Piscitello, David (July 2005), "Completing the Secure Application Access Puzzle: SSL VPNs Offer the Greatest Promise, but Their Capabilities Still Need Some Enhancement", Business Communications Review, Vol. 35, Issue 7.
  7. Jenner, Simon & Speed, T. (2004), "SSL VPN: Understanding, Evaluating and Planning Secure, Web-based Remote Access", Packt Publishing.
  8. Shinder, Thomas (10 April 2007), "The History of SSL VPNs", retrieved 12 March 2009, http://www.isaserver.org/tutorials/Microsoft-Intelligent-Application-Gateway-2007-Part1.html
  9. NeoAccel (2008), "NeoAccel SSL VPN+ Overview", retrieved 12 March 2009, http://www.neoaccel.com/sv-index.php
  10. Hernandez, Pedro (4 June 2007), "NeoAccel Steers SSL VPNs into the Fast Lane", Enterprise IT Planet Magazine, retrieved 12 March 2009, http://www.enterpriseitplanet.com/networking/news/article.php/3681301
  11. Cameron, Rob, "Configuring Juniper Networks NetScreen & SSG Firewalls", http://www.juniper.net/us/en/
  12. SonicWALL/Aventail (2008), "SonicWALL Clean VPN" (white paper), http://www.sonicwall.com/us/products/resources/188.html
  13. Macleod, Calum (10 February 2004), "SSL VPNs: You Cannot Afford to Ignore Them", retrieved 18 August 2009, http://www.net-security.org/article.php?id=638&p=3