Since spring 2006, growth of Secure Sockets Layer virtual private networks (SSL VPNs) has accelerated due to greater awareness among users of their commercial advantages, focus on benefits rather than technology, and improved security features.
The ultimate goal of SSL VPN technology is to allow controlled, secure, and managed access to any application, from any device, and from any location. Early implementations had some limitations such as account information not being cleared from browsers after user sessions, no support for dynamic port assignment, support only for Web-enabled applications, and no strong authentication of users or access devices.
SSL technology has matured
All these issues have been addressed as SSL technology has matured. For example, recent enhancements include integration of user authentication. Many SSL VPN vendors offer integrated third-party strong authentication products such as those from VASCO and RSA.
The addition of "client integrity" is another significant step forward for SSL VPNs. Client integrity involves the scanning of the client access device to check for Trojans, viruses, and so on and scanning to check if the device has the latest Microsoft security patches installed. This checking process ensures that the device is "safe" and traffic from the device can be passed to the server side. Through integration with Check Point Endpoint Security solutions, some SSL VPNs have implemented this feature.
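The decision a client-integrity check has to make can be expressed as a small policy evaluator. The following is an added example, not code from the original article or from any vendor's product; the posture report fields, the thresholds in the policy, and the sample devices are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical posture report an endpoint agent might submit before the SSL VPN
# admits the device. The field names are this example's own.
@dataclass
class PostureReport:
    os_patch_date: date                 # date of the last installed OS security update
    antivirus_running: bool             # is an anti-malware agent active?
    signature_date: date                # date of the agent's signature set
    threats_detected: list = field(default_factory=list)

# Policy thresholds (assumed values): how stale patches and signatures may be.
@dataclass
class Policy:
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7

DEFAULT_POLICY = Policy()

def evaluate_client_integrity(report, policy, today):
    """Return (allowed, reasons). The device is allowed only if no check fails."""
    reasons = []
    if report.threats_detected:
        reasons.append("malware detected: " + ", ".join(report.threats_detected))
    if not report.antivirus_running:
        # Fail closed: a device that cannot be scanned is treated as unsafe.
        reasons.append("anti-malware agent not running")
    elif today - report.signature_date > timedelta(days=policy.max_signature_age_days):
        reasons.append("anti-malware signatures older than %d days"
                       % policy.max_signature_age_days)
    if today - report.os_patch_date > timedelta(days=policy.max_patch_age_days):
        reasons.append("OS security patches older than %d days"
                       % policy.max_patch_age_days)
    return (not reasons, reasons)

# Constructed sample devices and a fixed "today" so the results are reproducible.
TODAY = date(2007, 4, 30)
HEALTHY_DEVICE = PostureReport(date(2007, 4, 15), True, date(2007, 4, 28))
STALE_DEVICE = PostureReport(date(2007, 2, 1), True, date(2007, 4, 10))
INFECTED_DEVICE = PostureReport(date(2007, 4, 20), False, date(2007, 4, 20),
                                ["sample-trojan-name (constructed)"])

if __name__ == "__main__":
    for label, device in (("healthy", HEALTHY_DEVICE), ("stale", STALE_DEVICE),
                          ("infected", INFECTED_DEVICE)):
        allowed, reasons = evaluate_client_integrity(device, DEFAULT_POLICY, TODAY)
        print(label, "->", "ALLOW" if allowed else "DENY", reasons)
```

A device with no running agent is denied even when no threat is reported, since nothing can vouch for it; that fail-closed choice is what makes the "safe device" assertion meaningful on the server side.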
An SSL appliance would normally sit behind the firewall taking all traffic from Port 443. Some SSL appliances have built-in firewalls that specifically protect the SSL device and can therefore sit in front of the firewall. Putting an SSL appliance in front of the firewall, without its own protection, leaves it open to potential hackers. As no client software is required, user security issues relate primarily to authentication and access security.
Choosing a VPN
There are a number of factors to consider when choosing an SSL VPN. What applications do you want to use it for and how many users are there? For small numbers of users connecting to a small number of applications, ease of use and management are key considerations. Other questions include:
- Does it have an integrated firewall? The inclusion of this will give maximum flexibility of implementation and granularity.
- Does it include integrated strong authentication or does it provide scalability and interoperability with third-party strong authentication products?
- Can the SSL VPN provide client integrity, i.e., checking the client for security threats?
- Will it support legacy and Web applications?
- Does it provide support for SSL tunneling, which mimics IPSec?
Then there are vendor-related issues to consider. You should check the vendor and distribution/reseller support infrastructure. Do you need next business day replacement and 24/7 telephone support? If your SSL VPNs are an essential part of your business, you want to be sure that you can replace any problematic systems very quickly and that help is always available to keep the VPNs functioning well. It would also be wise to check out the vendor's plans for enhancing the product's functionality and capability, to ensure that it will keep up to date with your changing needs.
Other considerations
Another consideration is the strength of the encryption technology. SSL uses single DES (56-bit key)—IPSec can use 3DES or the emerging AES standard. For the majority of applications and requirements, DES is adequate. However, for highly secure requirements such as military, 3DES/AES is probably mandated. Browser vendors would have to move to supporting 3DES or AES before SSL VPNs could match the encryption strength of IPSec.
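One practical way to act on the encryption-strength question is to audit the cipher suites a VPN endpoint or appliance is configured to accept against a minimum key length, and to build a client TLS context that enforces the stronger tier. The following is an added example, not code from the original article; the name-based key-length table, the sample cipher list, and the 112-bit threshold (the 3DES/AES tier the article mentions for high-security use) are assumptions of the example. It uses Python's standard `ssl` module and OpenSSL cipher-string syntax.

```python
import re
import ssl

# Nominal symmetric key length inferred from OpenSSL-style cipher suite names.
# Constructed table for this example: 3DES is listed at its nominal 168 bits
# (its effective strength is usually rated at 112 bits). Order matters: the
# first matching pattern wins, so export and 3DES are tested before plain DES.
_KEY_BITS = [
    (re.compile(r"(^|[-_])NULL([-_]|$)"), 0),
    (re.compile(r"EXP(ORT)?"), 40),
    (re.compile(r"DES-CBC3|3DES"), 168),
    (re.compile(r"(^|[-_])DES([-_]|$)"), 56),
    (re.compile(r"RC4"), 128),
    (re.compile(r"AES[-_]?128"), 128),
    (re.compile(r"AES[-_]?256"), 256),
    (re.compile(r"CHACHA20"), 256),
]

def key_bits(cipher_name):
    """Return the nominal key length for a suite name, or None if unrecognised."""
    for pattern, bits in _KEY_BITS:
        if pattern.search(cipher_name):
            return bits
    return None

def audit_cipher_list(names, min_bits):
    """Split a configured cipher list into suites meeting min_bits and the rest.

    Unrecognised names are rejected (fail closed) rather than assumed safe.
    """
    accepted, rejected = [], []
    for name in names:
        bits = key_bits(name)
        (accepted if bits is not None and bits >= min_bits else rejected).append(name)
    return {"accepted": accepted, "rejected": rejected}

def strong_client_context():
    """Client context restricted to forward-secret AEAD suites; DES, 3DES, RC4
    and null/anonymous suites are excluded explicitly. TLS 1.3 suites are not
    governed by set_ciphers() and stay enabled; all of them are 128-bit or more."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5")
    return ctx

def weakest_enabled_bits(ctx):
    """Smallest symmetric key length among the suites the context will offer,
    taken from OpenSSL's own metadata rather than from suite names."""
    return min(c["alg_bits"] for c in ctx.get_ciphers())

# Constructed sample of a cipher list as it might appear in an appliance config.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "CAMELLIA256-SHA",
]

if __name__ == "__main__":
    print(audit_cipher_list(SAMPLE_CIPHERS, min_bits=112))
    print("weakest suite offered by hardened context:",
          weakest_enabled_bits(strong_client_context()), "bits")
```

The audit rejects the unrecognised Camellia entry as well as single DES and the export suite; an allow-list that silently accepts what it cannot classify would defeat the purpose of the check. The context function then verifies the outcome through `get_ciphers()`, which reports what OpenSSL will actually negotiate rather than what the cipher string was intended to mean.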
Conclusion
Vendors of both IPSec and SSL VPN technologies have recognized the strengths of each other's solutions and have introduced hybrid products. For instance, Check Point offers Connectra, an SSL product, as well as its long-established SecuRemote IPSec product.
SSL technology is rapidly maturing to the point where there are few clear differences between SSL and IPSec technology. SSL is gaining the upper hand if you count the number of users, but it remains to be seen what difference the introduction of the IPv6 standard, which includes IPSec, will make. All IPv6 end-node implementations will include IPSec as an option, so IPSec advocates hope for a resurgence of IPSec VPNs. If all applications used this feature, then theoretically SSL would be unnecessary. However, SSL may have become the dominant technology by then.
A recent report from Forrester Research indicates that SSL will take over. It concluded that spending on SSL VPN technology will increase at a 53 percent compound annual growth rate and that by 2008 SSL VPNs will overtake traditional IPSec VPNs as the remote access security standard.
Source: The Rise of SSL VPNs, Ian Kilpatrick, Wick Hill Group, April 2007.
About Wick Hill Group
Value added distributor Wick Hill Group specializes in secure infrastructure solutions. The company's portfolio covers security, performance, access, services, and management.