

Making a mature SSL-VPN choice


A few years ago, SSL-VPNs were a relatively obscure technology promoted by a few 'specialist' InfoSec vendors, writes Martin Tassev, MD of Loophold Security Distribution.

Easy to use and deploy, clientless and cheaper to manage than IPSec VPNs, SSL-VPNs quickly gained ground. Opportunity attracts crowds, however, and many vendors have jumped onto this bandwagon, claiming they can deliver comprehensive SSL-VPN products. The reality is very different.
SSL-VPN technology enables organisations to support new workplace trends such as mobility, self-service and third-party connectivity in their business models. It uses the ubiquitous SSL protocol and proxy technology to authenticate and authorise internal and external users, providing secure and granular access to all authorised organisational IT resources.
Only a few established players have SSL-VPN platforms that can be defined as 'mature', however, according to market research reports from Gartner, Forrester and others.
The truth is that with the exception of performance (handling SSL-VPN sessions requires a lot of processing power), implementing basic SSL-VPN functionality in a product is relatively easy. This allows pretty much any existing InfoSec or telecommunications equipment vendor to bring relatively inexpensive products to market.
In its search for an effective, economical and mature SSL-VPN solution for its clients in the SME and enterprise markets, LOOPHOLD Security Distribution has done considerable market research. We believe that there are some key features that must be present in this technology if it is to be a true and 'complete' business enabler.
These features are generally only found in products from established SSL-VPN vendors. They include:
* Granular access control;
* Comprehensive end-point (such as PC or mobile phone) interrogation and control;
* Comprehensive authentication; and
* Comprehensive support for all client devices (including mobile devices).
The first and foremost requirement of any SSL-VPN is that it should be able to control access by different users and devices. Highly flexible and granular access control policies are essential, and control cannot be sacrificed because a different access method is in use.
Whatever the access method, the policy must provide secure control of all traffic through the VPN, in both directions, down to the applications themselves.
However, policy also needs to be easy for the administrator to implement and use. Providing just one access control rule set for Web, client/server and file share resources ensures that the administrator will have simplified, yet secure access control.
Comprehensive end-point control minimises the risk an enterprise takes on when it allows access from environments it does not manage. The SSL-VPN should:
* check the integrity of the end-point for malware before the user is asked for credentials, so that a log-in is never typed into a machine already known to be compromised;
* uniquely identify the device as well as determine its overall integrity;
* confirm the identity of the user through thorough and robust authentication of log-in credentials; and
* provide data-protection features that ensure confidential corporate and user information is not left behind at the end of the session (for example on home PCs or public kiosks).
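The two requirements above, a single granular rule set spanning Web, client/server and file-share resources, and end-point posture as an input to that rule set, can be shown together in code. The following is an added example, not code from the article or from any SSL-VPN product; the resource URI scheme (web://, tcp://, smb://), the posture attributes (managed, av_running, disk_encrypted), the two traffic-direction labels and all users, devices and rules are constructed for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Traffic direction through the VPN; the labels are an assumption for this example.
CLIENT_INIT = "client-initiated"      # connection opened by the end-point towards the resource
RESOURCE_INIT = "resource-initiated"  # connection opened from the internal side back to the end-point


@dataclass(frozen=True)
class Endpoint:
    device_id: str
    managed: bool         # corporate-managed device (assumed posture attribute)
    av_running: bool      # anti-malware agent present and running
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    endpoint: Endpoint
    resource: str         # "web://host/path", "tcp://host:port" or "smb://server/share/path"
    direction: str


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset                  # any overlap with the user's groups matches
    resources: tuple                   # glob patterns over the resource URI
    directions: frozenset = frozenset({CLIENT_INIT, RESOURCE_INIT})
    require_managed: bool = False
    require_av: bool = True
    require_encryption: bool = False


# One ordered rule set covering Web, client/server and file-share resources (constructed).
RULES = (
    Rule("finance-files", frozenset({"finance"}), ("smb://files/finance/*",),
         frozenset({CLIENT_INIT}), require_managed=True, require_encryption=True),
    Rule("sap-gui", frozenset({"finance", "sales"}), ("tcp://sap.corp:3200",),
         frozenset({CLIENT_INIT}), require_managed=True),
    Rule("helpdesk-callback", frozenset({"helpdesk"}), ("tcp://support.corp:*",),
         frozenset({RESOURCE_INIT}), require_managed=True),
    Rule("partner-extranet", frozenset({"partner"}), ("web://extranet/orders/*",),
         frozenset({CLIENT_INIT})),
    Rule("staff-webmail", frozenset({"staff"}), ("web://owa/*",),
         frozenset({CLIENT_INIT})),
)


def preauth_check(ep: Endpoint) -> list:
    """Minimum integrity the end-point must show before the login form is offered."""
    problems = []
    if not ep.av_running:
        problems.append("no anti-malware agent")
    return problems


def posture_failures(rule: Rule, ep: Endpoint) -> list:
    """Posture conditions of a rule that the end-point does not meet."""
    failures = []
    if rule.require_av and not ep.av_running:
        failures.append("no anti-malware agent")
    if rule.require_managed and not ep.managed:
        failures.append("unmanaged device")
    if rule.require_encryption and not ep.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def rule_applies(rule: Rule, req: Request) -> bool:
    return (bool(rule.groups & req.groups)
            and req.direction in rule.directions
            and any(fnmatchcase(req.resource, p) for p in rule.resources))


def evaluate(req: Request) -> tuple:
    """First matching rule decides. A matching rule whose posture test fails denies
    outright rather than falling through to a laxer rule; no match at all is a deny."""
    for rule in RULES:
        if rule_applies(rule, req):
            failures = posture_failures(rule, req.endpoint)
            if failures:
                return ("deny", f"{rule.name}: " + ", ".join(failures))
            return ("allow", rule.name)
    return ("deny", "no matching rule")


if __name__ == "__main__":
    laptop = Endpoint("lt-1042", managed=True, av_running=True, disk_encrypted=True)
    kiosk = Endpoint("kiosk-7", managed=False, av_running=True, disk_encrypted=False)
    alice = frozenset({"staff", "finance"})
    for dev in (laptop, kiosk):
        print(dev.device_id, evaluate(Request("alice", alice, dev, "smb://files/finance/q3.xlsx", CLIENT_INIT)))
    print(evaluate(Request("alice", alice, kiosk, "web://owa/inbox", CLIENT_INIT)))
```

Two design choices carry the security point: the same user on the same rule set gets the finance share from a managed, encrypted laptop but only webmail from a kiosk, and a server-initiated connection is refused unless a rule names that direction explicitly, which is what "bidirectional control" means in practice.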
SSL-VPNs also need to work easily and efficiently with the authentication and single sign-on infrastructure within the organisation, ensuring that only the appropriate users receive authenticated access. The best solutions provide flexible support for any type of authentication repository (such as Active Directory, LDAP or RADIUS) and method of authentication (such as username/password, RSA SecurID tokens or digital certificates), with flexible options for common single sign-on methods such as basic authentication forwarding, forms-based authentication, NTLM authentication forwarding and Netegrity SiteMinder support.
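The mechanics of two of the single sign-on methods named above, basic authentication forwarding and forms-based authentication, are shown here as an added example that is not the article's or any vendor's code. The user repository (a PBKDF2-hashed table standing in for AD, LDAP or RADIUS), the back-end descriptors, the field names and the credentials are all constructed; NTLM forwarding is a multi-step challenge-response exchange and is not modelled.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real repository (AD, LDAP, RADIUS) does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user repository: username -> (salt, derived key, groups).
_SALT = b"fixed-salt-for-the-example"
REPOSITORY = {
    "alice": (_SALT, _derive("s3cret", _SALT), frozenset({"staff", "finance"})),
}

# Constructed back-end descriptors. The SSO method per application is the
# administrator's choice; credentials are only ever forwarded where configured.
BACKENDS = {
    "intranet":   {"sso": "basic"},
    "timesheets": {"sso": "form", "login_url": "https://timesheets.corp/login",
                   "user_field": "j_username", "pass_field": "j_password",
                   "extra": {"domain": "CORP"}},
    "wiki":       {"sso": "none"},   # anonymous back end: never receives the credential
}


def authenticate(username: str, password: str):
    """Verify the front-door login against the repository; returns a session dict or None.
    The password is retained in the session only because basic and forms-based
    forwarding need it, and it must never reach disk or logs."""
    entry = REPOSITORY.get(username)
    if entry is None:
        _derive(password, _SALT)   # same cost for unknown users
        return None
    salt, stored, groups = entry
    if not hmac.compare_digest(_derive(password, salt), stored):
        return None
    return {"user": username, "groups": groups, "_credential": password}


def backend_request(session: dict, backend: str, url: str) -> dict:
    """Turn an authenticated VPN session into the first request the proxy sends to a back end."""
    cfg = BACKENDS[backend]
    req = {"method": "GET", "url": url, "headers": {}, "body": None}
    if cfg["sso"] == "basic":
        token = base64.b64encode(f"{session['user']}:{session['_credential']}".encode()).decode()
        req["headers"]["Authorization"] = "Basic " + token
    elif cfg["sso"] == "form":
        # Replay the application's own login form; later requests carry the cookie it returns.
        fields = {cfg["user_field"]: session["user"],
                  cfg["pass_field"]: session["_credential"], **cfg.get("extra", {})}
        req.update(method="POST", url=cfg["login_url"], body=urlencode(fields))
        req["headers"]["Content-Type"] = "application/x-www-form-urlencoded"
    elif cfg["sso"] != "none":
        raise ValueError(f"unsupported SSO method {cfg['sso']!r}")
    return req


if __name__ == "__main__":
    session = authenticate("alice", "s3cret")
    for name in BACKENDS:
        print(name, backend_request(session, name, f"https://{name}.corp/"))
```

The point for a reviewer is the last branch: a back end that is not explicitly configured for credential forwarding gets nothing, so a misconfigured or partner-facing application cannot harvest the user's directory password through the proxy.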
Complete support for secure remote access is critical if the organisation needs to support different sets of users and resources, enabling convenient and secure access from a variety of end-points.
This flexibility is exhibited in SSL-VPN solutions that offer:
* Intelligent clientless access: access to Web and client/server resources through a standard Web browser as a basic criterion but the best SSL-VPN solutions will offer smart communication with the end-point to automatically determine and initiate the most appropriate method of access for the end user.
* Agent-based access – for end users that must access client/server applications such as Microsoft Outlook/Exchange, SAP or Siebel, the SSL-VPN must provide a mix of clientless and agent-based access methods.
* Cross-platform support – users access resources using all kinds of Internet-enabled devices and browsers, so it's essential that the SSL-VPN solution support as many platforms as possible, including a Macintosh desktop, a Linux-based device, a Microsoft Windows Mobile (Pocket PC) device or other mobile personal digital assistant (PDA), an airport kiosk, or a traditional Windows device – even if the user is using a Firefox browser or running Java applications.
* Extranet support – enhanced security that protects the integrity of the internal network and granular access control that ensures customers and partners only access the information necessary to perform their tasks.
* Complete application access – many solutions offer support for network layer (Layer 3) tunnel access, but mature solutions will offer total bidirectional control over all traffic flowing through the tunnel, with access that adapts dynamically to the network used for access, ensuring that IP address conflicts, proxy traversal, firewall traversal and NAT are fully supported.
* Comprehensive support for all client devices is a key criterion for an SSL-VPN. Since smart phones, PDAs and other mobile devices are now mainstream components of modern enterprise networks, and mobile workers expect to access resources over intranet, extranet, WiFi and cellular networks, SSL-VPNs need to provide a secure remote access solution for a broad range of mobile devices, platforms and network scenarios, including Microsoft Windows Mobile 5.0.