SSL VPNs: No Compromise?

SSL VPNs blend the best that remote access has to offer, but security remains a sore point.

October 25, 2004

The Promise: SSL VPNs offer full network access and provide more options for users than IPSec remote access VPNs. Users can reach applications from any Web browser, including applications that have never been Webified.

The Players: Market leaders include Juniper, Aventail, and Whale. F5, Cisco Systems, Check Point, Nortel Networks, Nokia, and Symantec are expanding their own solutions in a race for feature parity with the leaders. Other vendors are moving into niche markets and going after the SMBs.

The Prospects: SSL VPNs with network access capability are poised to supplant IPSec VPNs as the remote access method of choice. The flexibility of Web-based access lets enterprises provision more users with application access than would be feasible with IPSec.

Until recently, "compromise" was the operative word when it came to remote access. On the one hand, IPSec remote access placed a full range of applications at users' fingertips--as long as they had the IPSec client software. On the other hand, SSL VPNs granted users access from any PC in the world--but only to Webified applications.

Now, numerous SSL VPN vendors offer a class of remote access software that brings together the chief benefits of IPSec and SSL remote access technologies. Referred to here as Network Access, this technology lets users run any application from any Internet-connected PC (see table).

At least that's the official line. Unofficially, Network Access via SSL VPN does away with SSL's original premise of "clientless access." At a minimum, Network Access requires a Java or ActiveX download to operate, and in some cases a special Windows application has to be installed on the client computer. The problem is that the applets may be blocked by public terminals or rendered inaccessible from non-Windows computers.

Network Access packages also fail to answer the new wave of challenges facing SSL VPNs, including the ability to prevent Application-layer attacks and filter out malware. This capability will become crucial as enterprises open themselves to ever-larger numbers of encrypted sessions that pass unmonitored through the firewall. Network architects may need to invest in additional security products to protect the network from attacks that come through the SSL VPN gateway.

SSL'S SUCCESS

SSL VPNs are built around the Secure Sockets Layer protocol (now known as Transport Layer Security, or TLS, by the IETF). Basic SSL VPNs require two components: a Web browser and a gateway. When the Web browser establishes a connection with the gateway, the gateway's digital certificate is verified and the session traffic is encrypted, providing a secure connection. The SSL VPN gateway usually resides in the DMZ behind a corporate firewall, where it intercepts encrypted traffic passing through port 443. The SSL VPN gateway decrypts the traffic and, depending on the access method, provides the user with a portal that includes a menu of accessible applications, or a network connection that mimics the user's in-office experience.

By requiring only a Web browser for basic access, SSL VPNs have made the technology increasingly popular among IT professionals. (For a vendor pricing chart, see the table.)

THREE TIERS OF SSL VPN ACCESS

The popularity of SSL VPNs has spurred vendors to expand remote access to include applications that aren't Web-based. The result is three tiers of access, each with separate requirements. These tiers are described here as clientless, Browser-Plus, and Network Access.

With clientless SSL connections, users can only run Web-based applications in a Web browser. Browser-Plus SSL connections download a small ActiveX control or Java applet that lets the browser communicate with the application. This method is well-suited for terminal service and client-server applications.

Network Access builds on Browser-Plus access by providing a complete network connection similar to IPSec. This connection includes access to file shares, applications, printers, and other services on the network. TCP-based applications that use dynamic ports and UDP applications such as VoIP are also enabled. However, streaming-based applications can still cause problems for SSL VPNs, particularly if another entity is attempting to initiate a streaming session with an SSL VPN user.

While all Network Access vendors require client software (whether an applet or a separate Windows application), there are significant differences between them. For instance, vendors such as Juniper Networks and F5 Networks require the SSL VPN gateway to maintain a pool of IP addresses, as well as assign an address to remote clients for the duration of the session. As mentioned, this traffic passes through the firewall completely encrypted.

This IP address approach gives users the benefit of complete network access, but administrators open themselves to more security risks. Users may become the means for bypassing the corporate gateway security infrastructure, giving malware such as worms and Trojans a free ride onto the corporate network, a situation called split-tunneling.

Administrators also give up some access control capabilities. Rather than filtering on actual applications, they can filter only by IP address, port, or subnet. If multiple applications reside on a particular subnet, the user gains access to all of them.

Other vendors, namely Aventail and Whale Communications, provide network access without assigning client IP addresses. Aventail's SSL gateway appliance terminates the client's SSL session and passes application traffic to and from the LAN on behalf of the user. Incoming traffic is checked against application access policies predefined by the network architect. If the traffic passes the policy, the gateway forwards it to the application's server component, which replies to the gateway; the gateway in turn directs the appropriate responses back to the user.
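To make the granularity gap concrete, here is an added example (not code from Juniper, F5, Aventail or any other vendor) that models the two decision points in a few lines of Python: a subnet or host/port rule as an IP-assigning gateway would apply it, and a per-user, per-application policy as a proxying gateway would. The server inventory, addresses, user name and policies are constructed for the illustration.

```python
import ipaddress

# Constructed inventory: two applications share the 10.1.2.0/24 server subnet.
APP_SERVERS = {
    "hr-portal": ("10.1.2.10", 443),
    "finance-db": ("10.1.2.20", 1433),
}

def network_acl_allows(dst_ip, dst_port, rules):
    """Decide the way an IP-assigning gateway can: by subnet and optional port.
    rules is a list of (cidr, port) pairs; port None means any port."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(cidr) and port in (None, dst_port)
               for cidr, port in rules)

def app_policy_allows(user, dst_ip, dst_port, policy):
    """Decide the way a proxying gateway can: by named application per user.
    policy maps a user name to the set of applications that user may reach."""
    return any(APP_SERVERS[app] == (dst_ip, dst_port)
               for app in policy.get(user, set()))

def reachable_apps(decide):
    """Return the applications a decision function lets the user reach."""
    return {app for app, (ip, port) in APP_SERVERS.items() if decide(ip, port)}

# Constructed policies. The administrator's intent: alice may use hr-portal only.
SUBNET_RULES = [("10.1.2.0/24", None)]      # coarse rule on the whole server subnet
HOST_PORT_RULES = [("10.1.2.10/32", 443)]   # tightened to one host and one port
APP_POLICY = {"alice": {"hr-portal"}}

def compare_models(user="alice"):
    """Applications reachable under each policy model for the same intent."""
    return {
        "subnet_acl": reachable_apps(
            lambda ip, p: network_acl_allows(ip, p, SUBNET_RULES)),
        "host_port_acl": reachable_apps(
            lambda ip, p: network_acl_allows(ip, p, HOST_PORT_RULES)),
        "app_policy": reachable_apps(
            lambda ip, p: app_policy_allows(user, ip, p, APP_POLICY)),
    }

if __name__ == "__main__":
    for model, apps in compare_models().items():
        print(f"{model:14} -> {sorted(apps)}")
```

The host-and-port rule only coincides with the intended policy because hr-portal listens on one fixed port; for the dynamic-port applications the article mentions, the administrator is pushed back toward subnet-wide rules, which is exactly where the extra application exposure appears.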

Whale adds software modules to its SSL VPN gateway. These modules let users access applications without the need to create a network connection. This level of application access sometimes requires an ActiveX download to the client machine to assist with port forwarding. Whale has approximately 100 modules covering the most popular applications.

CLIENT AND GATEWAY SECURITY

While SSL VPNs can simplify remote access, they also complicate the security picture because users will often link to applications using untrusted computers. To that end, SSL vendors have put significant effort into their ability to check the integrity of client computers. These checks can be divided into three general categories: host scan, cache cleaning, and the creation of a secure sandbox on the client device.

Several vendors have also taken steps to add security features at the gateway itself. Gateway scanning can catch malware missed by host integrity checks, while application-aware firewalls can detect attacks such as SQL injections or buffer overflows that can be launched by a supposedly trusted end user.

Whale includes an application firewall in its SSL VPN gateway. The firewall only allows traffic that matches known good application parameters; offending packets are dropped. Check Point's Connectra SSL VPN can run the same Web and Application-layer attack protection software that runs on FireWall-1. F5's FirePass SSL VPN includes gateway anti-virus detection, as well as basic protection from SQL injection, cross-site scripting, and other Web-based attacks.
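The "known good application parameters" model is easy to misread as signature matching. The added example below (my own illustration, not code from Whale, Check Point or F5) shows the positive model as a gateway would apply it to a request it has just decrypted: only described paths, parameter names and value shapes pass, and everything else is dropped without any attack signature being consulted. The path, parameters and value patterns are assumed for a hypothetical HR application, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive model: for each known path, the only parameters permitted and the
# pattern each value must match in full. Constructed profile for a hypothetical
# HR application; anything not described here is rejected.
KNOWN_GOOD = {
    "/hr/employee": {
        "id": re.compile(r"[0-9]{1,8}"),
        "view": re.compile(r"summary|full"),
    },
    "/hr/search": {
        "q": re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}"),
    },
}
MAX_VALUE_LEN = 64

def check_request(request_line):
    """Return (allowed, reason) for a request line such as 'GET /path?a=1 HTTP/1.1'."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, _version = parts
    if method != "GET":
        return False, f"method {method} not in the known-good profile"
    url = urlsplit(target)
    spec = KNOWN_GOOD.get(url.path)
    if spec is None:
        return False, f"unknown path {url.path}"
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        pattern = spec.get(name)
        if pattern is None:
            return False, f"unknown parameter {name!r}"
        if len(value) > MAX_VALUE_LEN or not pattern.fullmatch(value):
            return False, f"value of {name!r} outside the known-good shape"
    return True, "matches the known-good profile"

# Constructed sample requests as they look once the gateway has decrypted them.
SAMPLE_REQUESTS = [
    "GET /hr/employee?id=1042&view=summary HTTP/1.1",               # legitimate
    "GET /hr/employee?id=1042%20OR%201%3D1 HTTP/1.1",               # id is no longer digits
    "GET /hr/search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",  # markup where a name belongs
    "GET /hr/employee?id=7&debug=1 HTTP/1.1",                       # parameter the app never defined
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        ok, why = check_request(line)
        print("ALLOW" if ok else "DROP ", why, "<-", line)
```

The trade-off the article goes on to describe is visible here too: every path and parameter of every published application has to be profiled before the positive model can be switched on, which is the work that makes this approach costly to operate.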

Another option is to send SSL VPN traffic through additional security devices after that traffic has been decrypted at the gateway. Check Point, Juniper, and F5 can all point customers to Application-layer security appliances in their respective product portfolios. Aventail also recently announced a partnership with NetContinuum, a Web application firewall maker.

Network architects will have to weigh the trade-offs of both methods. Passing traffic through an additional security device means adding latency to the connection, as well as introducing another point of failure. On the other hand, piling security checks onto the SSL VPN gateway will likely affect the overall performance of the system.

Technology Editor Andrew Conry-Murray can be reached at [email protected].
