By Aishwarya Ramani, Contributor
Consider these real-world scenarios. A new acquisition by the top management results in a new subsidiary, and the CIO must ensure that the newly added users have access only to certain areas of the entire system. Or take another requirement where the network administrator has to permit employees to remotely access email from cybercafés or other public, unsecured systems. These are common challenges for most information security departments, and they pose major connectivity issues.
The solution to the above scenarios? An SSL VPN is just what the doctor prescribes—the SSL VPN can help enable a secure connection between the company's resources and its employees. SSL VPNs are particularly helpful for remote access. Their clientless operation allows users to access the corporate network securely from any unsecured connection, whether mobile or even a cybercafé.
As the name suggests, this VPN variant uses the Secure Sockets Layer (SSL) protocol—the same encryption protocol used by banks (and others) for secure data transfer. The deployment and use of SSL technology over a Web browser makes the SSL VPN a rather handy tool for most CISOs.
One such security professional who swears by the SSL VPN is Gautam Golui, the IT manager of HCC. Golui finds the SSL VPN advantageous because a significant number of hits to his servers come from roving users who are working onsite for the construction major. Close to 75 concurrent users remotely access HCC's SSL VPN site. The company has a license for 100 concurrent users. At HCC, the corporate communications department makes use of SSL VPN to allow access to a Web-based application. The department uses HCC's SSL VPN link to authenticate users for access to the resources they are authorized to view.
You can be sure of the need for an SSL VPN connection when most of your users have remote access to your corporate network through a public or shared computer. Yet another telltale sign pointing towards the need for an SSL VPN is if several mobile users log in to your network, or if you do not already have a VPN infrastructure setup.
SSL VPN differs in many respects from its cousin, the IPsec VPN, remote access being the foremost difference. IPsec VPN requires a client installed on every device in order to connect to the corporate network. However, both solutions maintain confidentiality, preserve the integrity of transferred data, and provide access control.
After having gained a clear picture of what the SSL VPN can do for you, the next step is to scout the market for vendors who are able to provide the technology. Sonicwall, Juniper, F5 and Array Networks are among the leading players in this space. Since SSL VPN offerings vary in terms of prices and features, the onus is on the CISO to decide what protects his data best.
In order to evaluate the various SSL VPN offerings by the vendors, it's recommended that one focus on the scalability, reliability and cost of the product; the market position of the vendor; and after-sales support. In some cases, CISOs and CIOs have been known to refer to Gartner's magic quadrant to help them make a decision.
Need assessment for SSL VPN
The basic difference between the two VPN variants is that the IPsec version works at the network layer, while SSL VPN works at the transport layer. IPsec VPN requires the installation of client software on every user's terminal; without that client, there is no secure access to the corporate network. Rajesh Gawde, the national technical manager of Miel e-Security, points out the need to create a backend support team to facilitate the IPsec VPN's use by employees.
IPsec VPN also comes with the need to install point-to-point links to deploy it over a corporate network. So it's essential to take a close look at your remote access needs before you decide on the IPsec VPN. "If the cost of putting a link between two communicating parties is justified, you might want to consider the IPsec VPN," says Vishal Salvi, the CISO of HDFC Bank.
The inherent advantage of a point-to-point link over which an IPsec VPN is deployed is the lower response time. Hence, if your application is a business-critical one that needs a highly secure link between two terminals, look beyond an SSL VPN. However, do not rule out the use of SSL VPN as a backup or supplement to your existing IPsec VPN connection. "The average cost per user for IPsec VPN is much higher than the cost of SSL VPN," says Gawde.
In an SSL VPN, the transport layer security protocol secures a single authenticated session, unlike the IPsec VPN, which provides a dedicated point-to-point secure link. There are two flavors of SSL VPN. The SSL portal VPN, as the name suggests, is an SSL connection over port 443, and is used to access a portal with links to other resources that are part of the company's intranet. By contrast, an SSL tunnel VPN provides access through an SSL tunnel. This second variety of SSL VPN downloads active content (such as a Java applet) that runs on the local machine, and is functionally much like an IPsec VPN. "Once I have downloaded this active content, it acts as an IPsec VPN," says Golui.
Your SSL VPN solution is typically delivered to you in the form of a hardware box that you connect as a separate component to your network setup. As an alternative, you could have your vendor install the SSL VPN software on one of your servers. "Most Indian enterprises prefer plugging an SSL VPN box to their existing network setup. Installing the SSL VPN software on a server comes with several security concerns," explains Gawde.
SSL VPN solutions come with a simplified user interface or a traditional command line interface to enable the administrator to configure the solution depending on the company's policies. Be sure to check the granularity of the security controls provided by the SSL VPN. The aim should be to implement a solution which helps you to translate your organization's policies into security controls.
Your SSL VPN can act as a supplement to the IPsec VPN and help employees access the network from any remote location. It must provide seamless access independent of the nature of the client device (laptop or handheld device), applications installed on the device, operating system or browser. It is recommended that you enlist and confirm the support provided to the various applications hosted at your end.
The simplest method of creating your initial comparison matrix is by talking to your peer group. SSL VPN has become fairly common, so count on your professional network to give you objective feedback about their experience with various vendors. You also need to run a background check on the SSL VPN vendors' market position and their track record. Golui refers to Gartner's magic quadrant report as a handy reference for making the choice. A vendor's understanding of your IT framework should increase his score.
You may also have to evaluate the SSL VPN solution based on authentication tokens, encryption, accessibility, ease of use, supported applications, number of supported users, and scalability. When a user logs in to your network through the SSL VPN, the user's terminal will be checked for OS patches, updated firewalls and antivirus, and other compliance requirements mandated by the policies at your organization. The application will disallow access if these requirements are not met. Check with your vendor regarding the ease of configuring the device to suit your standards.
The default session time-out provided by SSL VPN solutions can be reconfigured by the admin team to suit the organization. However, the drawback is that multiple SSL sessions would be required while accessing a single application.
Experimenting with your SSL VPN
It helps to first implement a prototype in the controlled environment of your testing lab or a small test network. Once you have put an SSL VPN solution to the test, you can then deploy it onto production.
While testing an SSL VPN, check for connectivity, authentication, access control, ease of management and ease of user navigation. Connection to the SSL VPN must be established and maintained for as long as the user intends to. Other network components (like your firewalls) should not block connection to your SSL VPN. SSL VPNs are usually browser-independent; nevertheless, check for browser portability during the testing phase.
Ensure that user groups are granted access to only the intended resources. If you choose to configure multiple access mechanisms for different user groups, be sure that authentication does not fail for any of them. After the user is authenticated, he is redirected to a portal with links to other applications. This interface should be simple and easy to navigate, requiring minimal support from the IT help desk.
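The two gates described above, the endpoint compliance check before a session is granted and the group-to-resource restriction once the user is authenticated, together with the reconfigurable session time-out, can be modelled as a small policy engine. The following is an added example written for this article, not code from any SSL VPN vendor named here; the posture thresholds, group names, resource names and the 15-minute idle time-out are all assumptions chosen for illustration.

```python
"""Added example: a minimal SSL VPN access-policy evaluator.

Models three controls the article describes: endpoint posture compliance
(OS patches, host firewall, antivirus signatures), group-based resource
authorization, and an idle session time-out. All thresholds, groups and
resources below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PostureReport:
    """What the endpoint check reports about the connecting device (constructed fields)."""
    os_patch_age_days: int        # days since the last OS patch was applied
    firewall_enabled: bool        # host firewall running?
    av_signature_age_days: int    # days since antivirus signatures were updated


@dataclass(frozen=True)
class PosturePolicy:
    """The organization's compliance thresholds; the defaults here are assumptions."""
    max_os_patch_age_days: int = 30
    require_firewall: bool = True
    max_av_signature_age_days: int = 7


def posture_violations(report: PostureReport, policy: PosturePolicy) -> list[str]:
    """Return every policy rule the endpoint fails; an empty list means compliant."""
    violations = []
    if report.os_patch_age_days > policy.max_os_patch_age_days:
        violations.append(f"os patches {report.os_patch_age_days}d old "
                          f"(max {policy.max_os_patch_age_days}d)")
    if policy.require_firewall and not report.firewall_enabled:
        violations.append("host firewall disabled")
    if report.av_signature_age_days > policy.max_av_signature_age_days:
        violations.append(f"antivirus signatures {report.av_signature_age_days}d old "
                          f"(max {policy.max_av_signature_age_days}d)")
    return violations


# Constructed group-to-resource matrix: each group sees only its intended portal links.
ACCESS_MATRIX = {
    "finance": frozenset({"erp", "webmail"}),
    "corpcomm": frozenset({"press-portal", "webmail"}),
    "contractor": frozenset({"timesheet"}),
}


def authorized_resources(groups) -> frozenset:
    """Union of the resources of every group the user belongs to; unknown groups grant nothing."""
    allowed = frozenset()
    for group in groups:
        allowed |= ACCESS_MATRIX.get(group, frozenset())
    return allowed


def decide(groups, report: PostureReport, resource: str,
           policy: PosturePolicy = PosturePolicy()):
    """Gate one request: posture failure denies the whole session before any resource check runs."""
    violations = posture_violations(report, policy)
    if violations:
        return False, "posture: " + "; ".join(violations)
    if resource not in authorized_resources(groups):
        return False, f"not authorized for {resource}"
    return True, "allow"


@dataclass
class Session:
    """Authenticated session with an idle time-out; times are seconds since epoch."""
    user: str
    last_activity: float
    idle_timeout_seconds: float = 15 * 60   # assumed default; admins retune this per policy

    def is_expired(self, now: float) -> bool:
        return now - self.last_activity > self.idle_timeout_seconds

    def touch(self, now: float) -> None:
        """Record activity so the idle clock restarts."""
        self.last_activity = now


if __name__ == "__main__":
    # Constructed sample: a compliant finance user asking for the ERP link and the press portal.
    ok_report = PostureReport(os_patch_age_days=10, firewall_enabled=True, av_signature_age_days=2)
    print(decide(["finance"], ok_report, "erp"))            # (True, 'allow')
    print(decide(["finance"], ok_report, "press-portal"))   # denied: not in finance's matrix row
    stale = PostureReport(os_patch_age_days=45, firewall_enabled=False, av_signature_age_days=10)
    print(decide(["finance"], stale, "erp"))                # denied at the posture gate
```

Evaluating posture before authorization mirrors the behaviour the article describes: a non-compliant terminal never reaches the portal, and a compliant one still only sees the links its groups are entitled to. Keeping the thresholds in `PosturePolicy` and the matrix in `ACCESS_MATRIX` is what lets the admin team translate written policy into controls without touching the decision logic.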
If you plan to use an SSL VPN to supplement your existing IPsec VPN, and have already invested in a VPN support team, make sure the new VPN solution is easy to administer. Gawde is of the belief that an SSL VPN is easier to use than an IPsec VPN. When a vendor responds to your RFP, be sure that his solution does not require any more major investment in a backend support team.
A word of caution
When it comes to remote access, the SSL VPN certainly wins, but there are some points you need to consider prior to implementation. The most important of these is the lack of control over client machines accessing your corporate network. While the technology does run checks on the client terminal for security compliance, doing so limits the types of clients that may be able to connect to the corporate network.
It is important that every application supports your SSL VPN. Several vendors could provide additional support, but CIOs who prefer to keep management in-house need subject-matter experts to help them configure the SSL VPN.
Before implementing your SSL VPN solution, do your homework. There are plenty of options for you to choose from. Take a close look at what your business needs, and how an SSL VPN fits into your setup. For first-time users and those looking to integrate newer networks with their existing setup—for example, after the acquisition of a new company or the addition of a new partner—going the SSL VPN route may have its advantages. It would be a wise decision to implement SSL VPN when you have no control over the remote devices accessing your network. SSL VPNs also prove handy when conditional access needs to be granted to remote clients, employees (or vendors), and users on handheld devices.
This was first published in April 2010