By Aishwarya Ramani, Contributor
Consider these real-world scenarios. A new acquisition by top management results in a new subsidiary, and the CIO must ensure that the newly added users have access only to certain areas of the entire system. Or take another requirement where the network administrator has to permit employees to remotely access email from cybercafés or other public, unsecured systems. These are common challenges for most information security departments, and they pose major connectivity issues.
The solution to the above scenarios? An SSL VPN is just what the doctor prescribes: it can enable a secure connection between the company's resources and its employees. SSL VPNs are particularly helpful for remote access. Their clientless operation allows users to access the corporate network securely from any unsecured connection, whether mobile or even a cybercafé.
As the name suggests, this VPN variant uses the Secure Sockets Layer (SSL) protocol, the same encryption protocol used by banks (and others) for secure data transfer. Because SSL is delivered through an ordinary Web browser, the SSL VPN is a rather handy tool for most CISOs.
One such security professional who swears by the SSL VPN is Gautam Golui, the IT manager of HCC.
Golui finds the SSL VPN advantageous because a significant number of hits to his servers come from
roving users who are working onsite for the construction major. Close to 75 concurrent users
remotely access HCC's SSL VPN site. The company has a license for 100 concurrent users. At HCC, the
corporate communications department makes use of SSL VPN to allow access to a Web-based
application. The department uses HCC's SSL VPN link to authenticate users for access to the
resources they are authorized to view.
You can be sure of the need for an SSL VPN connection when most of your users have remote access to your corporate network through a public or shared computer. Yet another telltale sign pointing towards the need for an SSL VPN is if several mobile users log in to your network, or if you do not already have a VPN infrastructure set up.
SSL VPN differs in many respects from its cousin, the IPsec VPN, remote access being the foremost difference. IPsec VPN mandates a client installed on every device in order to connect to the corporate network. However, both solutions maintain confidentiality, protect the integrity of transferred data, and provide access control.
After having gained a clear picture of what the SSL VPN can do for you, the next step is to scout the market for vendors who are able to provide the technology. Sonicwall, Juniper, F5 and Array Networks are among the leading players in this space. Since SSL VPN offerings vary in price and features, the onus is on the CISO to decide what protects his data best.
In order to evaluate the various SSL VPN offerings by the vendors, it's recommended that one focus on the scalability, reliability and cost of the product; the market position of the vendor; and after-sales support. In some cases, CISOs and CIOs have been known to refer to Gartner's magic quadrant to help them make a decision.
Need assessment for SSL VPN
The basic difference between the two VPN variants is that the IPsec version works at the network layer, while SSL VPN works at the transport layer. IPsec VPN requires the installation of client software on every user's terminal; without that client there is no secure access to the corporate network. Rajesh Gawde, the national technical manager of Miel e-Security, points out the need to create a backend support team to facilitate the IPsec VPN's use by employees.
IPsec VPN also comes with the need to install point-to-point links to deploy it over a corporate network. So it's essential to take a close look at your remote access needs before you decide on the IPsec VPN. "If the cost of putting a link between two communicating parties is justified, you might want to consider the IPsec VPN," says Vishal Salvi, the CISO of HDFC Bank.
The inherent advantage of a point-to-point link over which an IPsec VPN is deployed is the lower response time. Hence, if your application is a business-critical one that needs a highly secure link between two terminals, look beyond an SSL VPN. However, do not rule out the use of SSL VPN as a backup or supplement to your existing IPsec VPN connection. "The average cost per user for IPsec VPN is much higher than the cost of SSL VPN," says Gawde.
In an SSL VPN, the transport layer security protocol secures communication for a single authenticated session, unlike the IPsec VPN, which provides a dedicated point-to-point secure link.
There are two flavors of SSL VPN. The SSL portal VPN, as the name suggests, is an SSL connection over port 443, and is used to access a portal with links to other resources that are part of the company's intranet. By contrast, an SSL tunnel VPN provides access through an SSL tunnel. This second variety of SSL VPN downloads active content (such as a Java applet) that runs on the local machine, and is functionally very similar to an IPsec VPN. "Once I have downloaded this active content, it acts as an IPsec VPN," says Golui.
Technical evaluation
Your SSL VPN solution is typically delivered to you in the form of a hardware box that you connect as a separate component to your network setup. As an alternative, you could have your vendor install the SSL VPN software on one of your servers. "Most Indian enterprises prefer plugging an SSL VPN box into their existing network setup. Installing the SSL VPN software on a server comes with several security concerns," explains Gawde.
SSL VPN solutions come with a simplified user interface or a traditional command line interface to enable the administrator to configure the solution depending on the company's policies. Be sure to check the granularity of the security controls provided by the SSL VPN. The aim should be to implement a solution which helps you to translate your organization's policies into security controls.
Your SSL VPN can act as a supplement to the IPsec VPN and help employees access the network from any remote location. It must provide seamless access independent of the nature of the client device (laptop or handheld device), the applications installed on the device, the operating system or the browser. It is recommended that you list the applications hosted at your end and confirm that each is supported.
The simplest method of creating your initial comparison matrix is by talking to your peer group. SSL VPN has become fairly common, so count on your professional network to give you objective feedback about their experience with various vendors. You also need to run a background check on the SSL VPN vendors' market position and their track record. Golui refers to Gartner's magic quadrant report as a handy reference for making the choice. A vendor's understanding of your IT framework should increase his score.
You may also have to evaluate the SSL VPN solution based on authentication tokens, encryption, accessibility, ease of use, supported applications, number of supported users, and scalability. When a user logs in to your network through the SSL VPN, the user's terminal will be checked for OS patches, an updated firewall and antivirus, and other compliance requirements mandated by the policies at your organization. The application will disallow access if these requirements are not met. Check with your vendor regarding the ease of configuring the device to suit your standards.
The default time-out provided by SSL VPN solutions can be reconfigured by the admin team to suit the organization. However, the drawback is that multiple SSL sessions would be required while accessing a single application.
Experimenting with your SSL VPN
It helps to first implement a prototype in the controlled environment of your testing lab or a small test network. Once you have put an SSL VPN solution to the test, you can then deploy it to production.
While testing an SSL VPN, check for connectivity, authentication, access control, ease of management and ease of user navigation. Connection to the SSL VPN must be established and maintained for as long as the user intends. Other network components (like your firewalls) should not block connection to your SSL VPN. SSL VPNs are usually browser-independent; nevertheless, check for browser portability during the testing phase.
Ensure that user groups are granted access to only the intended resources. If you choose to
configure multiple access mechanisms for different user groups, be sure the authentication does not
fail. After the user is authenticated, he is redirected to a portal with links to other
applications. This interface should be simple and easy to navigate, with minimal support from the
IT help desk.
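The two checks the article describes for an SSL portal VPN, the endpoint compliance check at login (OS patches, firewall, antivirus) and the rule that each user group reaches only its intended resources, can be modelled as a small access decision. The following is an added illustration, not code from the article or from any vendor's product; the policy thresholds, group names and resource names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy thresholds: the minimum posture an endpoint must show before
# the portal grants access. Real products expose these as admin-configurable settings.
MIN_OS_PATCH_LEVEL = 5           # hypothetical patch level number
MAX_AV_SIGNATURE_AGE_DAYS = 3    # hypothetical antivirus signature freshness window

# Constructed group-to-resource map: the "intended resources" for each user group.
GROUP_RESOURCES = {
    "corp-comms": {"webapp-portal"},
    "site-engineers": {"webapp-portal", "project-files"},
    "contractors": {"timesheets"},
}


@dataclass
class Posture:
    """Compliance report gathered from the client terminal at login."""
    os_patch_level: int
    firewall_enabled: bool
    av_signature_age_days: int


def posture_failures(p: Posture) -> list:
    """Return the policy checks the endpoint fails (an empty list means compliant)."""
    failures = []
    if p.os_patch_level < MIN_OS_PATCH_LEVEL:
        failures.append("os-patches")
    if not p.firewall_enabled:
        failures.append("firewall")
    if p.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus")
    return failures


def authorize(user_groups: set, posture: Posture, resource: str) -> tuple:
    """Decide whether an authenticated user may reach `resource` from this endpoint.

    Posture is evaluated first, so a non-compliant device is refused even when the
    user's group would otherwise permit the resource. Returns (allowed, reason).
    """
    failed = posture_failures(posture)
    if failed:
        return False, "endpoint non-compliant: " + ",".join(failed)
    allowed = set().union(*(GROUP_RESOURCES.get(g, set()) for g in user_groups))
    if resource not in allowed:
        return False, "resource not permitted for groups " + ",".join(sorted(user_groups))
    return True, "ok"
```

Feeding the same decision function into a lab test run gives you a reproducible way to confirm that each group sees only its own links and that a stale or unprotected client is refused before it reaches the portal.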
If you plan to use an SSL VPN to supplement your existing IPsec VPN, and have already invested in a VPN support team, make sure the new VPN solution is easy to administer. Gawde is of the belief that an SSL VPN is easier to use than an IPsec VPN. When a vendor responds to your RFP, be sure that his solution does not require any further major investment in a backend support team.
A word of caution
When it comes to remote access, the SSL VPN certainly wins, but there are some points you need to consider prior to implementation. The most important of these is the lack of control over client machines accessing your corporate network. While the technology does run checks on the client terminal for security compliance, those checks limit the types of clients that may be able to connect to the corporate network.
It is important that every application supports your SSL VPN. Several vendors could provide additional support, but CIOs who prefer to keep management in-house need subject-matter experts to help them configure the SSL VPN.
Before implementing your SSL VPN solution, do your homework. There are plenty of options for you to choose from. Take a close look at what your business needs, and how an SSL VPN fits into your setup. For first-time users and those looking to integrate newer networks with their existing setup (for example, after the acquisition of a new company or the addition of a new partner), going the SSL VPN route may have its advantages. It would be a wise decision to implement SSL VPN when you have no control over the remote devices accessing your network. SSL VPNs also prove handy when conditional access needs to be granted to remote clients, employees (or vendors), and users on handheld devices.
This was first published in April 2010