SSL Provides VPN Security the Web Way SSL-Based VPNs an Ideal, Economical Alternative to IPSec VPNs Joe Moran
When businesses need to provide employees with remote access to a corporate network, they usually turn to a Virtual Private Network, or VPN. In a nutshell, VPNs allow private communication over a public network like the Internet, and using one is a quantum leap over the old days when companies had to set up banks of sluggish dial-up modems to allow workers to log in from home or the road.
Most current VPN products employ some version of IPSec, a collection of network protocols used to set up an encrypted connection between two points. When properly set up, an IPSec VPN is very secure, but unfortunately getting one up and running is far from trivial. Most IPSec VPN products use specialized hardware and/or client software that must be configured precisely in order to work properly.
IPSec VPNs, which operate at the OSI model's Network Layer (Layer 3), tend to have problems interacting with firewalls and networks that use NAT (Network Address Translation), which can make configuring and troubleshooting IPSec connections difficult.
Moreover, the client software that most IPSec VPNs require is typically licensed on a per-user basis — you have to purchase licenses for every user you want to give access to — which can get expensive very quickly.
The challenges associated with having a VPN based on IPSec are hardly insurmountable for companies with ample technical expertise and/or a healthy IT budget, but they often put a VPN beyond the reach of home offices and small businesses. For these environments, it might be worth considering a alternative type of VPN — one that encrypts data using SSL, or the Secure Sockets Layer protocol.
When you think of SSL, you probably think of online banking or shopping at e-commerce sites such as Amazon.com, but SSL-based VPNs are becoming increasingly popular these days because they address some of the issues that can make IPSec VPNs so daunting. SSL VPNs are generally far easier and less expensive to set up and maintain than traditional IPSec VPNs.
A big reason for this is that unlike IPSec VPNs, SSL VPN don't require a software client. Rather, you can access a SSL VPN using only a Web browser. The lack of a special VPN client is a big advantage, because when users aren't tied to a client running on particular machine, they have more flexibility and can access the corporate network from almost any available computer — not just the company-issued laptop.
This means you don't have to spend time installing and configuring a client on multiple systems, and it also makes it easier to provide network access to outside vendors or partners without prior preparation (e.g. sending out the software and then trying to properly configure it from a distance).
Eliminating the dedicated VPN client usually has a significant cost benefit, too, since you don't have to pay a license fee for each user you set up. Another nice thing about SSL VPNs is that they operate at the OSI's Application Layer (Layer 7) and thus can permit a more granular level of access than many IPSec VPNa. This lets you grant users access to specific resources or applications rather than an entire network.
A browser-based VPN client is obviously enormously convenient, but convenience and security often occupy opposite ends of a continuum. Browsers, by their very nature, cache data, which is a big no-no when it comes to security. After all, you don't want any potentially sensitive residual information left behind on a computer (especially a public one) used to access a VPN.
Most SSL VPNs address this issue with a feature — usually in the form of an ActiveX or Java plug-in — that will clean up the browser cache and delete any cookies or temporary files that may have been created during the VPN session.
SSL-based VPN products are available from a variety of vendors at prices ranging from several hundred to several thousand dollars. Most are hardware appliances, and examples range from entry- and mid-level offerings from Linksys, Netgear and SonicWall to higher-end devices from Cisco and Juniper, both companies known for their IPSec VPN products.
Most SSL VPNs offer the same basic features, but differ in the number of users supported as well as additional capabilities like logging and reporting, failover, and load balancing.
An SSL VPN may not be the best choice for all situations. For example, they're generally more appropriate for remote user access than for creating secure links between offices. But if you're looking for a way to set up secure access with less complexity and cost than a traditional IPSec VPN, an SSL VPN may be the ideal way to go.
