August 24, 2010 02:50 PM

SSL VPN 101

Establish convenient, safe remote access
Windows IT Pro
InstantDoc ID #125651

VPN technology began as a complex replacement for dedicated private data circuits between distant networks. The idea was to eliminate expensive monthly telecom fees by sending private data through virtual tunnels across the Internet. The tunnels are encrypted and authenticated, which makes them nearly as secure as private links at practically zero recurring cost. These savings offset the considerable one-time effort necessary to set up a VPN, which requires dedicated hardware, tedious configuration, and arranging transit across the enterprise firewall for the VPN's own IP protocols, which are neither TCP nor UDP and so need explicit firewall rules.

Today, VPNs are the de facto standard for interconnecting private networks. They work very well for network-to-network interconnections. Alas, the complexity of traditional VPN technology has only increased as VPN products try to serve other applications, including dial-up users, broadband, and wireless. The number of configurable options has exploded, making VPN configuration an ordeal even for experienced network engineers. Individual remote users must install special client software that can interfere with normal network operation and is itself complicated to configure and operate. Worse, some ISPs block VPN protocols, such as Generic Routing Encapsulation (GRE, the IP protocol 47 carrier that PPTP relies on) and Layer 2 Tunneling Protocol (L2TP), charging an additional "business class" fee to use them.

VPN vendors eventually devised an ingenious workaround: the SSL-based VPN. At its most basic level, an SSL VPN connection requires nothing more than a web browser on the user's side. The VPN operates over the standard HTTPS port, TCP 443, which firewalls and ISPs alike pass without specific configuration or additional fees. Yet sophisticated SSL VPN products can provide nearly all the functionality of an IPsec VPN and even more fine-grained policy control. And all SSL VPN products have one hallmark advantage, ease of setup and support, that your Help desk staff will thank you for.

To understand how you can use SSL VPNs in place of their IPsec brethren, you need to know the spectrum of products and the various feature sets that they support. (Check out the "Major SSL VPN Players" sidebar on page 4 for a listing of products in this area.) Some SSL VPN products are truly clientless, whereas others use lightweight Java or ActiveX applets downloaded automatically from the gateway. Some employ simple user ID/password authentication; others can use digital certificates and/or two-factor authentication. Some give users complete access to the network when connected; others let you restrict access to just the resources that you enable through policy controls. Here's what the market looks like.

How They Work

To appreciate how SSL VPNs work, first review the underpinnings of IPsec for individual remote users, which makes a remote computer appear to be directly connected to your private network behind the enterprise firewall. IPsec does this by creating a virtual network interface inside the end user's computer that tunnels to the IPsec gateway, either a standalone device or one embedded in the enterprise firewall. This virtual interface looks and behaves like any other LAN or WAN network adapter; in fact, most IPsec clients present it just like an Ethernet card, complete with its own IP address and route table entries. Once the IPsec tunnel is established, remote users can freely access all network resources at the enterprise end using their private IP addresses, just as if they were "back at the ranch."

Unlike traditional VPNs, SSL VPNs don't necessarily create a virtual network interface. The remote user initiates an SSL VPN connection by pointing the web browser at an SSL VPN gateway device, which could be a dedicated appliance or a server running SSL VPN software, such as Microsoft's Forefront Unified Access Gateway (UAG) 2010. The connection is encrypted with the SSL/TLS protocol, so the gateway can use the authentication mechanisms that TLS itself supports, such as client certificates, in addition to whatever it does at the application layer. The SSL VPN can also authenticate users against the existing directory infrastructure, whether that's Active Directory (AD) or the open Lightweight Directory Access Protocol (LDAP) standard. This capability eliminates one more password for users to memorize and means one less ingress point to track for add/drop maintenance.

After a user establishes the SSL VPN browser session, the SSL VPN gateway acts as a reverse proxy for HTTP and HTTP Secure (HTTPS) traffic into your enterprise network. If you're used to traditional web server SSL, the power of SSL VPN Web access will surprise you. Instead of simply connecting users to a single SSL-enabled Web server, an SSL VPN gateway can route users to any of your web-enabled intranet applications, even if those applications themselves aren't SSL-enabled: the gateway terminates TLS on the Internet side and speaks plain HTTP to the backend, so the hop between gateway and application is encrypted only if you make it so. For many users, this is all the remote access they need.

If that were all that an SSL VPN delivered, it would be enough. But there's more. Unlike basic IPsec VPNs, which attach remote users directly to your enterprise LAN with few to no restrictions, an SSL VPN gateway lets you control precisely which internal servers each user can access. Some gateways even let you control access down to the URL level, limiting which parts of an application remote users can reach. An IPsec gateway works at the network layer: it can filter by address, protocol and port, but it never sees a URL, so this kind of application-level decision is simply outside its reach, at any price.

If users need full network-level remote access, with a virtual network interface like the one a traditional VPN creates and enterprise-local IP addresses, you can achieve that via a product-specific "virtual IPsec" connector applet. These applets hook into the user's OS in the same way that IPsec does, by creating a virtual network interface. But unlike IPsec, these applets require no complex configuration, because the user has no options to choose from. The SSL VPN gateway administrator makes all the choices when configuring the various gateway access policies. Thus, you could let Sam have FTP access to the finance department server, give Alice the ability to send SMTP mail, and prevent Fred from doing either of these things.
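To make the two layers of control concrete, here is an added example (my own sketch, not code from the article, from Forefront UAG or from any other SSL VPN product) that models a gateway's per-user policy on both paths: the web-proxy path, where the gateway can judge the requested URL, and the tunnel-applet path, where it can judge only destination host and port, the same granularity an IPsec gateway has. The user names follow the Sam/Alice/Fred scenario above; the hostnames, URL paths, ports and rules are assumptions made for the example.

```python
"""Toy model of the two access-control layers of an SSL VPN gateway.
Added example: not from the article and not from any vendor's product.
Users, hostnames, paths and rules below are constructed for illustration.

 * Web proxy layer: the gateway terminates TLS from the browser, checks the
   requested URL path against the user's policy, and forwards the request
   over plain HTTP to an internal application that is not SSL-enabled.
 * Network layer: the tunnel applet forwards raw TCP flows, which the
   gateway can only judge by destination host and port.
"""
from __future__ import annotations

import fnmatch
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass
class UserPolicy:
    # URL path patterns (fnmatch syntax) the user may reach via the web proxy.
    allowed_urls: list[str] = field(default_factory=list)
    # (host, port) pairs the user may reach via the network-level tunnel.
    allowed_flows: set[tuple[str, int]] = field(default_factory=set)


# Public path prefix on the gateway -> internal backend (plain HTTP).
# Hostnames are made up for the example.
BACKENDS = {
    "/hr": "http://hr-app.corp.example:8080",
    "/finance": "http://finance.corp.example:80",
}

# Per-user policy, as the gateway administrator would configure it.
POLICIES = {
    "sam": UserPolicy(
        allowed_urls=["/finance/*"],
        allowed_flows={("finance.corp.example", 21)},   # FTP to finance only
    ),
    "alice": UserPolicy(
        allowed_urls=["/hr/*", "/finance/reports/*"],
        allowed_flows={("mail.corp.example", 25)},      # SMTP only
    ),
    "fred": UserPolicy(allowed_urls=["/hr/self-service/*"]),  # no tunnel at all
}


def _canonical_path(public_url: str) -> str:
    """Decode and normalise the path once, so that "/hr/self-service/../admin"
    or its percent-encoded form is judged as "/hr/admin", not as something
    under /hr/self-service/.  The query string is deliberately ignored here."""
    path = unquote(urlsplit(public_url).path) or "/"
    return posixpath.normpath(path)


def proxy_decision(user: str, public_url: str) -> tuple[bool, str | None]:
    """URL-level control on the web proxy path.

    Returns (allowed, backend_url).  backend_url is the plain-HTTP URL the
    gateway would fetch on the user's behalf, or None when denied."""
    policy = POLICIES.get(user)
    if policy is None:
        return False, None
    path = _canonical_path(public_url)
    if not any(fnmatch.fnmatchcase(path, pat) for pat in policy.allowed_urls):
        return False, None
    for prefix, backend in BACKENDS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return True, backend + path[len(prefix):]
    return False, None  # allowed by policy, but no backend is published there


def tunnel_decision(user: str, dst_host: str, dst_port: int) -> bool:
    """Network-level control for the tunnel applet: host and port only."""
    policy = POLICIES.get(user)
    return policy is not None and (dst_host.lower(), dst_port) in policy.allowed_flows


if __name__ == "__main__":
    print(proxy_decision("sam", "https://vpn.example.com/finance/ledger.aspx"))
    print(proxy_decision("fred", "https://vpn.example.com/hr/self-service/%2e%2e/admin/users"))
    print(tunnel_decision("alice", "mail.corp.example", 25),
          tunnel_decision("fred", "mail.corp.example", 25))
```

Two points a practitioner should take from the toy: the policy is deny-by-default (an unknown user or an unpublished path gets nothing), and the URL is canonicalised once before it is matched, because a prefix rule evaluated against the raw request path is trivially bypassed with dot segments or percent-encoding. Real gateways also have to reason about case-insensitive backends such as IIS and about the query string, which this sketch leaves out.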

These advanced SSL VPN capabilities are all proprietary, but because the applet is pushed from the gateway rather than installed and configured by the user, there are no compatibility issues to worry about beyond whether the vendor supports your users' desktop OSs and browsers. Not all products support all OSs, but they all support Windows and Internet Explorer (IE), which, not surprisingly, is where most of the SSL VPN demand is. Beyond OS support, though, you need to understand the main categories that SSL VPN products fall into: simple, hybrid, multifunction, and multifunction hybrid.
