Issue of October 2003 



SSL for remote access

Many enterprises extend remote access of corporate resources to their employees and business partners. By extending the enterprise, networks become vulnerable and require a secure means of remote VPN access like Secure Sockets Layer (SSL). Chris Hopen, Chief Technology Officer, Aventail Corporation, lists the shortfalls of IPsec and explains why enterprises should start using SSL VPNs.

by Akhtar Pasha

What are SSL VPNs' advantages over IPsec?

If you look at online shopping and online banking applications, all of them use SSL. SSL has become the ubiquitous security solution on the Web. As applications become decentralized and shift to the Web, the use of SSL authentication and encryption continues to grow.

SSL-based VPNs allow remote access to Web-based applications and network resources without the need for additional client software and the associated overheads. As enterprises extend corporate network access to their mobile workforce, employees, and business partners, the need for secure remote access becomes very important.

But IPsec VPNs cannot provide secure remote access. IPsec does not work in an extended enterprise network, and is only good for site-to-site VPNs. Enterprise-ready SSL VPN technology is becoming the de facto standard for secure anywhere remote access.

Why is the use of an IPsec VPN unsafe for remote access?

IPsec is typically used in conjunction with Internet Key Exchange (IKE) for key management. It supports multiple encryption algorithms like AES, DES, 3DES, and RC4, and multiple integrity mechanisms like MD5 and SHA-1. It also supports authentication via X.509 certificates for networks and applications. IPsec works at OSI Layer 3 to encapsulate normal IP packets.

IPsec VPNs can increase security risks because they create a tunnel between two points, providing direct, non-proxied access, and full visibility to the entire network. Once the tunnel is created, the user's PC is as good as being physically on the corporate LAN, and the user can directly access corporate applications. The user may even have access rights to each server, which magnifies security risks.

Additionally, mobile workers and business partners can use devices like laptop PCs and PDAs to access corporate data, raising the chances of viruses entering the corporate network.

How can SSL VPNs make things better?

SSL is the authentication and encryption mechanism for e-commerce. It works at the OSI Layer 4. When a client establishes an SSL connection handshake with a server, the server is authenticated to the client, verifying that a server's certificate and public ID are valid and have been issued by a trusted certificate authority.

Then the client and server negotiate and select cryptographic algorithms they both support. The client may then be authenticated to the server, and an encrypted SSL connection can be established.

An SSL VPN provides strong security for remote access. It provides a secure, proxied connection only to authorized resources. As a result, users never have a direct network connection, which is safer. Split tunneling—the ability for an end-user to have access to the Internet and internal corporate resources simultaneously—is controlled with SSL VPNs.

In addition, an SSL VPN provides detailed access control, making it easy to give different access privileges to different users. This kind of precise access control is very difficult to enable, and scales poorly with a remote access IPsec VPN.

SSL VPNs do not require complex, intrusive clients. This makes them easier to install and support, which leads to cost savings. SSL is pre-installed on every major browser, making SSL VPNs a client-less solution. An IPsec VPN requires a device-specific client installation on the remote end-user side of the secure tunnel. Keeping these clients updated is an ongoing burden.

An SSL VPN can extend remote access to a larger range of locations and network resources. These communications ride on top of standard TCP/UDP transports, enabling SSL VPNs to traverse NAT devices and proxy-based firewalls.

IPsec VPNs usually can't support complex networks because they struggle with firewalls, IP address conflicts and NAT. In addition, an SSL VPN provides access from corporate-managed devices and unmanaged devices like home PCs.

Does this mean the death of IPsec?

IPsec is well suited for site-to-site VPNs, because it can be implemented in network devices without any client OSs or applications having to be modified.

But the necessary deployment of software on individual client PCs is an ongoing IT responsibility, and can be costly. An SSL VPN will be useful in an extended enterprise where business partners, mobile workers, and employees need remote access to the corporate network.

It is too early to say that IPsec is dead. But there are definitely very aggressive movements away from IPsec in the remote access space. SSL VPNs are making so much headway that 2003 will continue to see many IPsec VPN vendors announcing plans for SSL-based products.

Vendors like Nokia and Cisco are already considering SSL VPNs.

Is there a substantial market opportunity for SSL VPNs?

SSL VPNs will be a dominant trend in 2004-05.

A report from Infonetics Research says SSL-based solutions will be the dominant method for remote access, with 80 percent of users utilizing SSL. However, IPsec will continue to be used for specialized applications.

An SSL VPN gives businesses the flexibility to provide their end-users with different levels of access. So the bulk of users might get Web access to basic resources like e-mail and the corporate Intranet. Mobile workers might get client-server access to applications that are necessary for their work. A few users who may need access to all applications on the network can be provided network-layer access.

There is clear market opportunity in enterprise portals which can be accessed from any number of endpoints and that serve as the entry point for enterprise applications. Besides our company, Neoteris, uRoam and Nortel Networks are already working on this technology. And it is reasonable to expect other companies like Cisco and Nokia to follow suit. We are setting up a development center in Bangalore, which will help development in SSL authentication and single sign-on technologies.

Akhtar Pasha can be reached at:


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.