
Essential Things To Understand About SSL VPN Gateways

The following Q&A are designed to help you better understand the capabilities and limitations of SSL-based security gateways ("gateways") and some of the key issues surrounding their use. You are encouraged to submit additional questions to SSL VPN Central on topics of similar general interest. Email them to us at info@breakawaymg.com

What is the primary role of an SSL VPN gateway?


Organizations use SSL VPN gateways to give their employees the freedom to securely access data and applications residing on internal networks from multiple locations and computing devices. That is, individual employees are not restricted to using a single device issued and managed by the organization. Instead, they can access network resources from shared "corporate" computers, their own computing devices and ones provided by third parties (e.g., friends, kiosks). Gateway services are also often extended to partners who are authorized to access internal IT resources. Since these devices are often not owned and managed by the organization, and even "corporate" devices are vulnerable to a wide variety of security attacks, user access privileges can be varied according to the identity and trustworthiness of the device. While these perimeter security gateways were initially designed to support remote users, some organizations also use them to control devices located inside their networks behind Internet firewalls. For example, many companies use SSL VPN gateways to protect campus wireless networks and shared computers in wired kiosks.

What fundamental security functions are found in a typical SSL VPN gateway?
The term SSL VPN is widely used today even though it understates the full capabilities of these sophisticated security systems and masks the significant differences between products that are often lumped together in this category. This label is a legacy from the time when SSL-based gateways emerged as a new alternative to IPSec VPN remote access concentrators, when there were heated debates about the relative merits of both approaches. Today the controversy has largely subsided because a continuous stream of innovations has eliminated the shortcomings of early SSL VPN products. In fact, most vendors of IPSec VPNs have either added SSL capabilities to their existing products or introduced new ones. SSL VPN Central uses the term SSL VPN gateway when it refers to perimeter security systems that not only protect communications through SSL technology but also enable organizations to implement granular access control policies based on user authentication, destination resources and the trustworthiness of endpoint devices. All such products offer some level of protection for user sessions and they capture usage data valuable for security audits. Many also include the advanced network and application-level protections normally found in leading firewall/IPSec VPN products.

How does an SSL VPN gateway fit into an existing IT environment?

Gateways are typically installed in a DMZ behind a perimeter firewall. They are hardened against direct attack and use port 80 for HTTP and port 443 for HTTPS traffic. Since the perimeter firewall cannot inspect encrypted traffic for network- and application-level attacks, unsafe traffic can reach the SSL VPN gateway inside the encrypted session. Two solutions to this problem exist: traffic decrypted at the gateway can be routed back through the firewall a second time before it reaches internal servers, or the organization can acquire an SSL VPN gateway with integrated firewall and IDP/IDS capabilities. Since organizations already rely on a variety of directories for user management and authentication services, gateways act as a proxy for these existing services. While most gateways enable organizations to create a local user/password database, these are rarely used in production environments. Gateways operate with all the types of authentication methods found in enterprise networks, and gateway vendors regularly attest that their systems operate "seamlessly" with leading authentication products.

Are SSL VPN Gateways really clientless?


The answer is no, but this requires some clarification. If users are accessing only web applications and web servers, then all they usually need is a browser, which provides the client side of the SSL connection. Access to additional resources is more complicated. Most SSL VPN gateways download either an ActiveX control or a Java applet in order to support client/server applications, and a full SSL VPN client must be installed if Layer 3 network access is to be provided. It is also worth noting that most SSL VPN gateways rewrite URLs and mask internal addressing schemes. This hides important information from non-employees who are using the gateway as part of an extranet. However, not all web traffic can be rewritten: URLs carried inside opaque content such as Flash code are invisible to an HTML rewriter. In these cases, some or all of the web traffic must bypass the HTTP rewriter and use a non-web access method. Some gateways redirect all or just the "troublesome" traffic through a network connector; others handle the non-HTTP traffic with a forwarder technology.
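As an added illustration of what the HTTP rewriter does and where it runs out of road, here is a small Python rewriter written for this page; it is not from the original article or from any vendor's product. It maps absolute URLs for a set of assumed internal hosts (intranet.corp.local, hr.corp.local) to paths under an assumed gateway hostname (gw.example.com) in href, src and action attributes, then scans for internal hostnames that survive rewriting, such as a URL sitting in a script body. URLs assembled at run time or stored inside opaque objects such as a Flash file cannot be found this way at all, which is why such applications are routed through a network connector or forwarder instead. The sample page is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed names for this example; not from the article or any product.
GATEWAY_BASE = "https://gw.example.com"
INTERNAL_HOSTS = {"intranet.corp.local", "hr.corp.local"}

# href/src/action attributes with a quoted value
_ATTR_URL = re.compile(
    r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)''',
    re.IGNORECASE,
)
# Any absolute http(s) URL; used to find references the attribute pass cannot reach
_ABS_URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def rewrite_url(url, gateway_base=GATEWAY_BASE, internal_hosts=INTERNAL_HOSTS):
    """Map http(s)://<internal host>/path to <gateway>/proxy/<scheme>/<host>/path.

    Relative paths, public hosts and non-HTTP schemes are returned unchanged.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "" and parts.netloc:
        scheme = "https"  # scheme-relative "//host/path": assume https for the example
    if scheme not in ("http", "https"):
        return url
    if (parts.hostname or "").lower() not in internal_hosts:
        return url
    rewritten = f"{gateway_base}/proxy/{scheme}/{parts.netloc}{parts.path or '/'}"
    if parts.query:
        rewritten += "?" + parts.query
    if parts.fragment:
        rewritten += "#" + parts.fragment
    return rewritten


def rewrite_html(html, gateway_base=GATEWAY_BASE, internal_hosts=INTERNAL_HOSTS):
    """Rewrite URLs in href/src/action attributes only; script bodies and binary content are untouched."""
    def _sub(m):
        new_url = rewrite_url(m.group("url"), gateway_base, internal_hosts)
        return m.group("attr") + m.group("q") + new_url + m.group("q")
    return _ATTR_URL.sub(_sub, html)


def leaked_internal_refs(html, internal_hosts=INTERNAL_HOSTS):
    """Internal hosts still referenced by an absolute URL after rewriting.

    Rewritten URLs carry the host in the path (/proxy/http/host/...), not after
    "http://", so they are not reported. URLs built at run time or stored inside
    opaque objects (Flash, applets) are invisible to this scan.
    """
    return sorted({h.lower() for h in _ABS_URL.findall(html) if h.lower() in internal_hosts})


# Constructed sample page for the example
SAMPLE_HTML = """<html><body>
<a href="http://intranet.corp.local/portal/home?tab=1">Home</a>
<img src='https://hr.corp.local:8443/logo.png'>
<form action="/relative/post"><input type="submit"></form>
<embed src="http://intranet.corp.local/media/player.swf">
<script>var api = "http://intranet.corp.local/api/data";</script>
</body></html>"""

if __name__ == "__main__":
    out = rewrite_html(SAMPLE_HTML)
    print(out)
    print("needs a non-web access method:", leaked_internal_refs(out))
```

On the sample page the anchor, image and embed attributes are rewritten, the relative form action is left alone, and the script's literal URL is reported as a leak. Note that the embed's src is rewritten but the Flash file it points to is opaque: any URLs inside it will go straight to the internal host, bypassing the gateway, unless that application is assigned to a network connector.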

Do SSL VPN gateways work with all types of user devices?


The answer again requires some important clarifications. Most web applications and web servers can be accessed from any browser (Internet Explorer, Firefox, Safari, etc.) on any device that runs one. When a browser extension is required, device support depends on whether an ActiveX or Java agent must be downloaded. The former works only on Windows devices with a suitable version of Internet Explorer. For other browsers, a Java agent must be compatible with the version of the Java virtual machine running on the device. Most gateway vendors offer a network-level connector, and these installed clients mostly operate only on Windows devices. Gateway support for small devices like handhelds and web phones is still fairly sparse, with only a few vendors touting these capabilities.

What types of endpoint security do SSL VPN Gateways offer?


Every gateway provides a basic set of session-level security features, including browser cache cleaning and session termination controls set by a security administrator. While these features can provide some protection on devices shared by multiple users, their usage is limited by the requirement that the user have admin-level privileges on the remote device in order to download a security agent; that is, the device must be configured to accept the agent. Although these features seldom work on devices owned by neither the organization nor an employee, they can be useful where partners are accessing resources over extranets or employees are using their own computers. Since 2004 security vendors have introduced a number of new endpoint security products that complement the security features of SSL VPN gateways. While most of these products can be purchased separately, many gateway vendors now either remarket them or sell their own. The most heavily promoted products enable organizations to define and enforce device-based access policies. That is, they automatically run a battery of tests on a device before it is allowed to connect to your network, and again on a scheduled basis after a connection is established. These scans look for both required and unacceptable software running on the device. If a scan identifies a problem it initiates an enforcement action, which can vary depending on the user, the device and the specific test results. When access is denied, users are typically told what the problem is and redirected to self-service remediation services. A protected workspace is another type of endpoint security solution offered by a few gateway vendors. When a user connects to the gateway, a virtual desktop is downloaded to the access device. The workspace encrypts all session data, deletes it when the session ends, prevents users from printing or copying session files, and blocks malware on the device from accessing the active user session.

What applications and file servers can be accessed by SSL VPN Gateways?
All IP-based network resources can be accessed if the gateway offers a Layer 3 network connector. User privilege policy management tools can then be employed to restrict access to specified application and file servers, i.e., to deny users full network access. Some gateways also enable internal devices to initiate outbound SSL-protected communications with remote devices. This can be useful to organizations that remotely administer user devices and want the associated traffic encrypted.
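To make the enforcement logic concrete, here is an added Python sketch of the decision a gateway's device-based access policy makes. It is example code written for this page, not from the article or any vendor's product, and the policy tables, role names, resource URLs, process names and remediation URL are all assumptions. It covers the host-check half of the previous question (required and unacceptable software, an enforcement action that depends on the user, the device and the test results, and a remediation message on denial) as well as the privilege policy of this one (restricting a session to specified servers instead of granting full network access). The scan results are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed policy tables for this example; not from the article or any product.
MAX_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_PROCESSES = {"keylogger.exe", "unsanctioned-remote.exe"}
REMEDIATION_URL = "https://remediate.example.com"   # assumed self-service page

# What each role is entitled to when everything checks out
ROLE_RESOURCES = {
    "employee": [
        "https://intranet.corp.local",   # web application, served through the HTTP rewriter
        "smb://files.corp.local/home",   # file share, needs the network connector
        "rdp://ts.corp.local",           # terminal server, needs the network connector
    ],
    "partner": ["https://extranet.corp.local"],
}
# Non-web resources are withheld unless the device is corporate-managed and fully compliant
MANAGED_ONLY = {"smb://files.corp.local/home", "rdp://ts.corp.local"}


@dataclass
class Posture:
    """Result of one host check, as an endpoint agent would report it (constructed)."""
    os_patched: bool
    av_running: bool
    av_signature_age_days: int
    running_processes: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str            # "allow", "restrict" or "deny"
    allowed: List[str]     # destinations this session may reach
    problems: List[str]    # what the user is told, with remediation pointers


def evaluate(role: str, managed_device: bool, posture: Posture) -> Decision:
    """Combine user role, device ownership and scan results into an enforcement action.

    Call it again with a fresh Posture on a schedule; a changed result (for
    example a newly started forbidden process) should terminate the session.
    """
    if role not in ROLE_RESOURCES:
        return Decision("deny", [], ["Unknown role; contact the helpdesk"])

    # Unacceptable software is a hard failure regardless of user or device
    bad = sorted({p.lower() for p in posture.running_processes} & FORBIDDEN_PROCESSES)
    if bad:
        return Decision("deny", [], [f"Unacceptable software running: {', '.join(bad)}. "
                                     f"Remove it and reconnect; see {REMEDIATION_URL}/software"])

    # Missing required software or patches degrades access instead of denying it
    problems = []
    if not posture.av_running:
        problems.append(f"Anti-virus is not running; see {REMEDIATION_URL}/av")
    elif posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        problems.append(f"Anti-virus signatures are {posture.av_signature_age_days} days old "
                        f"(limit {MAX_SIGNATURE_AGE_DAYS}); update them")
    if not posture.os_patched:
        problems.append(f"Required OS patches are missing; see {REMEDIATION_URL}/patches")

    entitled = ROLE_RESOURCES[role]
    trusted = managed_device and not problems
    allowed = [r for r in entitled if trusted or r not in MANAGED_ONLY]
    withheld = [r for r in entitled if r not in allowed]

    if not allowed:
        return Decision("deny", [], problems or ["No resources are permitted from this device"])
    if withheld:
        reason = "an unmanaged device" if not managed_device else "a non-compliant device"
        problems.append(f"Not available from {reason}: {', '.join(withheld)}")
    action = "restrict" if (withheld or problems) else "allow"
    return Decision(action, allowed, problems)


if __name__ == "__main__":
    scan = Posture(os_patched=True, av_running=True, av_signature_age_days=30)
    print(evaluate("employee", True, scan))       # restrict: web portal only, signatures stale
    print(evaluate("employee", False, Posture(True, True, 1)))   # restrict: unmanaged device
```

The shape to notice is that the same scan result leads to different actions for different users and devices: a forbidden process is a hard deny for everyone, whereas a stale signature set or an unmanaged device merely drops the session from full network access down to the web-proxied resources, with the withheld destinations spelled out so the user knows what to fix.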

Which technology is really better for protecting remote access communications IPSec or SSL?
The general answer to this broad question, "it depends", will likely be unsatisfying for those who enthusiastically advocate one technology over the other, but it is the only correct answer, for a couple of reasons. First, IPSec VPNs (also known as remote access concentrators) and SSL VPN gateways were designed for different roles. IPSec VPNs restrict users to accessing network resources from devices that have a VPN client installed by the organization. And they usually allow full network access akin to what the user enjoys through an internal LAN connection (note: resource access can be restricted with packet filtering, but this strategy can be onerous in environments with a large and diverse user community, and it is prone to errors). There are many situations where an IPSec VPN is an excellent approach to remote access, so they will continue to be widely deployed. In contrast, SSL VPN gateways enable users to selectively access at least some resources from most browser-equipped devices (note: access to non-web resources requires the download of either a small agent or an SSL VPN client). The administrator determines the user's access privileges and how these "rights" vary across device environments. These privileges can even include full network access. The SSL VPN gateway is the best choice when an organization has decided it will allow its users the flexibility to access IT resources from multiple devices, including ones legitimately shared with other users. Finally, it is important to note that neither IPSec nor SSL VPNs can completely protect organizations from compromised devices or unscrupulous users (whether legitimate or not). Instead, it is critical that well-designed, multi-layer security policies be implemented at devices and network perimeters, on the internal network and at individual servers. Both IPSec VPNs and SSL VPN gateways can play a key role, but used alone they are woefully insufficient. So the right initial response to the question "Which one is best?" should be "What are you trying to do?"
