SSL VPNs – You Can’t Afford to Ignore Them

Amidst the cacophony about VPNs and whether IPsec or SSL is the better solution, and which vendor has done the most to satisfy the journalists and analysts, one “minor” issue seems to be falling by the wayside – You the user – Irrelevant maybe to most vendors, but nevertheless a problem they need to resolve in order to achieve those quarterlies!

Ask any IT Manager today what is his or her greatest issue is when it comes to secure remote access for employees and customers, and they will tell you 9 times out of 10 that it is their end users. They are faced with the problem as to how their organizations can deploy secure remote access on a scale never before undertaken, in a cost effective and manageable fashion? Of course allied to the major issue of the end user deployments are the peripheral issues such as authentication, the integrity of the users’ PC, administration, etc., all of which are important, but end user deployment and ease of use is the issue.

What manufacturers frequently lose sight of is that they are so concerned about arguing that their way of solving the problem is so vastly superior to that of their competitors that frequently they don’t even ask the customer what the problem is. How often have you, as a potential end user, had to sit through a tiresome presentation about Mission Statements, long-term strategy, death by buzzword, and interminable case studies that have absolutely no relevance, and find that at the end of it all the vendor is none the wiser as to why you invited them in the first place. In fact they often assume that they are better placed to explain to an IT Manager what the problem is, which by definition can only be solved effectively by that particular brand.

The Proof of The Pudding Is What’s inside the Tin

When looking at SSL VPNs, the first caveat is that SSL VPNs are not like their cousin IPsec. Because IPsec is a network layer connection, it is not concerned with the applications in the tunnel, but only with ensuring the integrity of the tunnel.

SSL VPNs on the other hand not only ensure the integrity of the tunnel, but because they are “application layer VPNs” have a direct involvement in the type and nature of the application using the tunnel. Talking to any organisation considering deploying, or upgrading existing remote access environments and you very quickly discover that whatever VPN technology is used, it must serve existing applications. The problem with many SSL VPN solutions is that the vendors are trying to dictate to the customer how the customer’s existing applications should work in order to comply with the limitations of the SSL VPN technology being presented.

Regardless of the type of SSL VPN technology being deployed, one key criterion that should be applied from the outset by you, the prospective user, is whether or not there are any application limitations.

Do you as a user need to change anything, or add anything, in your existing infrastructure to let you run every application you may possibly wish to run the way you always have?

Are there any applications that require an alternative VPN technology to compensate for the limitation of the so-called VPN solution that you are being presented? If so, then it is questionable as to whether or not such a solution has the right to use the term VPN, and should possibly be forced to carry a health warning – “to be used only under certain limited conditions”. So examine what is “in the tin” very carefully before signing on the dotted line.

To SSL or Not SSL

The argument as to whether SSL is more or less secure than alternative technologies is to a large extent an irrelevant discussion. As far as support for authentication, encryption, access control, and all the other technology issues both technologies can make an equally strong case.

A favourite argument for the IPsec fraternity is that IPsec is more secure because of advanced cryptographic algorithms, etc. In practice the frequently complex design, married with a myriad of acronyms and settings that most of us cannot understand, gives it a very soft underbelly. How many IT administrators have installed IPsec VPNs by simply selecting the “default” option on the many settings that have to be defined? For all we know we could be setting all security to the Off position, and telling our management board that we’re bomb proof because our IPsec VPN supports AES – It may well do, but it’s not doing us much use if we switched it off by default – Suggest you go and check just to be on the safe side!

SSL on the other hand is simple and straight forward – Excellent authentication to get the process going, including client side certificates if you want to get ambitious, seamless negotiation of the encryption to be used during the session, and all the necessary bits and bobs to protect against the evil man-in-the middle, and all built into the users PC when they start their browser!

The Clincher

The real benefit of the SSL VPN is that it uses the ubiquitous browser that is found on virtually every machine today. Regardless of how limited one’s IT know-how might be you would be hard pressed to find a user who has not used the browser.

So just imagine that you believed what was written on the tin, and then found that it wasn’t there when you opened it. Well you may end throwing your tin back at the vendor who sold it to you, but as far as you’re users go, the browser is still the browser. Imagine carrying out several IPsec pilots with different vendors. Each time you did so you would be removing and reinstalling client software. The beauty of the SSL approach is you can test as many vendors as you like, and although they all differ in some ways, and some offer less functionality than others, they all have one thing in common – their “VPN client” is the browser!

Oh Yes – the Peripheral Issues

Whatever it is that comes on the market today, and revolves around security, whether it be anti-virus, authentication tokens, personal firewalls, secure desktops, you name it; all these products are designed to work with a particular application called the browser. Is there a more secure foundation on which to build your secure access infrastructure than the browser, and you can tell your management you’ve already deployed it! Nothing stands still in this industry and SSL VPNs are accelerating remote access in ways that we could not even imagine two or three years ago. Suggest you check it out.