SSL for remote access
Enterprises extend remote access to corporate resources to their employees and
business partners. Extending the enterprise in this way exposes its networks and
calls for a secure means of remote VPN access such as Secure Sockets Layer (SSL).
Chris Hopen, Chief Technology Officer, Aventail Corporation, lists the
shortfalls of IPsec and explains why enterprises should start using SSL VPNs.
by Akhtar Pasha
What are SSL VPN's advantages over IPsec?
If you look at online shopping and online banking applications,
all of them use SSL. SSL has become the ubiquitous security solution on the
Web. As applications become decentralized and shift to the Web, the use of SSL
authentication and encryption continues to grow.
SSL-based VPNs allow remote access to Web-based applications
and network resources without the need for additional client software and the
associated overheads. As enterprises extend corporate network access to their
mobile workforce, employees, and business partners, the need for secure remote
access becomes very important.
But IPsec VPNs cannot provide secure remote access.
IPsec does not work in an extended enterprise network, and is only good for
site-to-site VPNs. Enterprise-ready SSL VPN technology is becoming the de facto
standard for secure anywhere remote access.
Why is the use of an IPsec VPN unsafe for remote access?
IPsec is typically used in conjunction with Internet
Key Exchange (IKE) for key management. It supports multiple encryption algorithms
like AES, DES, 3DES, and RC4, and multiple integrity mechanisms like MD5 and
SHA-1. It also supports authentication via X.509 certificates for network and
applications. IPsec works at the OSI Layer 3 to encapsulate normal IP packets.
IPsec VPNs can increase security risks because they
create a tunnel between two points, providing direct, non-proxied access, and
full visibility to the entire network. Once the tunnel is created, the user's
PC is as good as being physically on the corporate LAN, and the user can directly
access corporate applications. The user may even have access rights to each
server, which magnifies security risks.
Additionally, mobile workers and business partners
can use devices like laptop PCs and PDAs to access corporate data, raising the
chances of viruses entering the corporate network.
How can SSL VPNs make things better?
SSL is the authentication and encryption mechanism
for e-commerce. It works at the OSI Layer 4. When a client establishes an SSL
connection handshake with a server, the server is authenticated to the client,
verifying that a server's certificate and public ID are valid and have been
issued by a trusted certificate authority.
Then the client and server negotiate and select cryptographic
algorithms they both support. The client may then be authenticated to the server,
and an encrypted SSL connection can be established.
An SSL VPN provides strong security for remote access.
It provides a secure, proxied connection only to authorized resources. As a
result, users never have a direct network connection, which is safer. Split
tunneling (the ability for an end-user to have access to the Internet and
internal corporate resources simultaneously) is controlled with SSL VPNs.
In addition, an SSL VPN provides detailed access control,
making it easy to give different access privileges to different users. This
kind of precise access control is very difficult to enable, and scales poorly
with a remote access IPsec VPN.
SSL VPNs do not require complex, intrusive clients.
This makes them easier to install and support, which leads to cost savings.
SSL is pre-installed on every major browser, making SSL VPNs a client-less solution.
An IPsec VPN requires a device-specific client installation on the remote end-user
side of the secure tunnel. Keeping these clients updated is an ongoing burden.
An SSL VPN can extend remote access to a larger range
of locations and network resources. These communications ride on top of standard
TCP/UDP transports, enabling SSL VPNs to traverse NAT devices and proxy-based
IPsec VPNs usually can't support complex networks because
they struggle with firewalls, IP address conflicts and NAT. In addition, an
SSL VPN provides access from corporate-managed devices and unmanaged devices
like home PCs.
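The handshake and the proxied, per-user access control described in this answer, as an added example written for this page (it is not Aventail's code or any product's code): a Go program that mints a throwaway root CA, a gateway certificate and a client certificate in memory, then runs a mutually authenticated TLS exchange over loopback. Modern TLS stands in for the SSL of the article. The client completes the handshake only when the gateway's certificate chains to a CA it trusts and the name matches; after the handshake the gateway takes the user's identity from the verified client certificate and checks it against a small hypothetical policy table before answering "granted" or "denied". The names vpn.example.test, alice@example.test and bob@example.test, the resource names, and the policy table are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical gateway access-control table (constructed data): a verified identity
// reaches only the resources listed for it; unknown users and resources are denied.
var policy = map[string]map[string]bool{
	"alice@example.test": {"mail": true, "intranet": true},
	"bob@example.test":   {"mail": true, "intranet": true, "erp": true},
}

func authorized(user, resource string) bool { return policy[user][resource] }

// issue mints a throwaway P-256 certificate for cn: self-signed when isCA is set (the
// demo root CA), otherwise signed by parent. Panics on error (demo only).
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// gatewayDemo runs one client/gateway exchange over loopback and returns the gateway's
// decision for (user, resource). With trustGateway=false the client trusts no CA, so the
// handshake fails and no application data is ever sent.
func gatewayDemo(trustGateway bool, user, resource string) (string, error) {
	ca := issue("Demo Root CA", true, nil)
	gw, cl := issue("vpn.example.test", false, &ca), issue(user, false, &ca)
	caPool := x509.NewCertPool()
	caPool.AddCert(ca.Leaf)
	// Gateway side: presents its certificate and requires a client certificate chaining to
	// the demo CA (mutual authentication); TLS 1.2 or newer only.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gw}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: caPool, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		buf := make([]byte, 64)
		if n, err := conn.Read(buf); err == nil { // Read completes the handshake first
			// Identity comes from the verified client certificate, never from the request.
			peer := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			decision := "denied"
			if authorized(peer, string(buf[:n])) {
				decision = "granted"
			}
			conn.Write([]byte(decision))
		}
	}()
	// Client side: an explicit (possibly empty) root pool, and ServerName is matched against
	// the gateway certificate. A nil RootCAs would silently fall back to system roots.
	roots := x509.NewCertPool()
	if trustGateway {
		roots.AddCert(ca.Leaf)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: "vpn.example.test",
		Certificates: []tls.Certificate{cl}, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err // e.g. "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	buf := make([]byte, 16)
	conn.Write([]byte(resource))
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

func main() { fmt.Println(gatewayDemo(true, "alice@example.test", "erp")) }
```

Run with `go run` to see alice's request for "erp" answered "denied"; flipping the first argument to false makes tls.Dial return a verification error, which is the client refusing a gateway whose certificate does not chain to a CA it trusts. The policy lookup happens on the gateway after authentication, which is the proxied, resource-level control the answer contrasts with a tunnel that exposes the whole LAN.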
Does this mean the death of IPsec?
IPsec is well suited for site-to-site VPNs, because
it can be implemented in network devices without any client OSs or applications
having to be modified.
But the necessary deployment of software on individual
client PCs is an ongoing IT responsibility, and can be costly. An SSL VPN will
be useful in an extended enterprise where business partners, mobile workers,
and employees need remote access to the corporate network.
It is too early to say that IPsec is dead. But there
are definitely very aggressive movements away from IPsec in the remote access
space. SSL VPNs are making so much headway that 2003 will continue to see many
IPsec VPN vendors announcing plans for SSL-based products.
Vendors like Nokia and Cisco are already considering
Is there a substantial market opportunity for SSL VPNs?
SSL VPNs will be a dominant trend in 2004-05.
A report from Infonetics Research says that SSL-based solutions
will be the dominant method for remote access, with 80 percent of the users
utilizing SSL. However, IPsec will continue to be used for specialized applications.
An SSL VPN gives businesses the flexibility to provide
their end-users with different levels of access. So the bulk of users might
get Web access to basic resources like e-mail and the corporate Intranet. Mobile
workers might get client-server access to applications that are necessary for
their work. A few users who may need access to all applications on the network
can be provided network-layer access.
There is clear market opportunity in enterprise portals
which can be accessed from any number of endpoints and that serve as the entry
point for enterprise applications. Besides our company, Neoteris, uRoam and
Nortel Networks are already working on this technology. And it is reasonable
to expect other companies like Cisco and Nokia to follow suit. We are setting
up a development center in Bangalore, which will help development in SSL authentication
and single sign-on technologies.
Akhtar Pasha can be reached at : firstname.lastname@example.org