With greater collaboration inside and outside company firewalls, as well as skyrocketing data protection requirements, SSL VPNs are well-positioned to help IT managers meet the needs of today's remote users.
Since 2004, the number of companies providing remote access solutions that are implemented using browsers and Secure Sockets Layer encryption has increased. At the same time, the capabilities of these SSL VPN products—which are often, but not always, implemented on an appliance—are expanding at a rapid pace.
During tests of Aventail's EX-2500 running software Version 8.7 and F5 Networks' FirePass 6.0 running on a FirePass 4100 Series appliance, eWeek Labs saw firsthand the rapid feature changes that are the hallmark of current SSL VPN tools.
Capabilities such as VOIP (voice over IP) access that were difficult to implement or were simply not possible even a year ago are now documented features of these VPN products.
And while SSL VPNs once were seen as an application that could be implemented in-house only, many companies are now taking advantage of the technology through outsourced services. Of course, outsourcing the secure transport of data requires a thorough risk assessment, but for low-value remote access applications, this might be a cost-effective method for granting access to users.
Our tests and research revealed that there are two important SSL VPN issues that IT managers should be especially aware of.
First, sophisticated applications often require that some kind of ActiveX or Java plug-in be installed, if only temporarily, in the browser. Thus, the claim that these products are "clientless" rings a bit hollow. Both products we tested, and many others that we've researched, go so far as to offer client agents that can be preinstalled on the user's system.
Compared with the often-complex configuration of IP Security client software, these SSL VPN agents seem fairly benign. The fact remains, however, that any agent carries a version management burden that must be weighed against any other management time savings that an SSL VPN product may bring.
The second issue to consider is the granularity with which SSL VPNs allow IT managers to secure applications. SSL VPNs provide a range of choices for allowing access to external users that IT likely has no control over, such as business partners and consultants. Because SSL VPNs operate at the application layer, IT managers have a great deal of control over how access is granted when compared with IPSec VPN implementations.
The classic example of the type of connection that SSL VPNs are well-suited for is a public kiosk that connects to a Web application, with little or no physical access control. Because IT staff knows that the kiosk has less physical security, smart choices can be made about granting application and network access privileges.
For example, with an airline reservation kiosk, order confirmation, price checks, seat assignments and so on could be made available, while ERP (enterprise resource planning) data and network file shares would not. Endpoint identification makes these types of granular and specific remote access connections possible.
Today and moving forward, endpoint identification—determining both the type of device and the location of the device on either a protected internal network or an untrusted external connection—will advance in leaps and bounds. And with endpoint identification comes endpoint security.
A burgeoning number of network access control solutions are coming to market. Right now, these endpoint security controls focus on checking at log-on time for the presence and currency of major-brand anti-virus and firewall products. Both of the SSL VPN appliances we tested had the ability to look for processes running on the endpoint that IT managers could use to determine anti-virus and firewall protection.
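The kiosk scenario described above and the process checks described here, combined into one policy evaluator. This is an added example, not code from either product reviewed: the device's network location, its reported device type and the processes it is running are reduced to a trust tier, and each requested application path or file share is then allowed or denied against that tier, deny by default. The process names, address ranges, device types and URL paths are constructed for the illustration, and the device type is assumed to be reported by an agent, which a real gateway would corroborate with other signals because a self-reported value can be spoofed.

```python
"""Endpoint-aware, application-layer access policy for an SSL VPN gateway.

Added illustration. Two ideas from the article are modelled: access is
granted per application and per URL path rather than to the whole network,
and the decision is driven by endpoint identification (where the device
connects from, what kind of device it claims to be, and whether anti-virus
and firewall processes are running). Every name below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote

# Constructed process lists. Real appliances ship vendor-maintained
# signatures and usually check definition dates as well as process names.
ANTIVIRUS_PROCESSES = {"avguard.exe", "mcshield.exe", "ccsvchst.exe"}
FIREWALL_PROCESSES = {"zlclient.exe", "outpost.exe", "fwsvc.exe"}
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Resources each tier may reach as (protocol, path prefix). Anything not
# listed is denied. "restricted" gets only kiosk-safe reservation functions;
# the ERP application and the SMB file shares need progressively more trust.
KIOSK_SAFE = [("http", "/reservations/"), ("http", "/flights/price"), ("http", "/seats/")]
TIER_RULES = {
    "restricted": KIOSK_SAFE,
    "managed_remote": KIOSK_SAFE + [("http", "/erp/")],
    "trusted": [("http", "/"), ("smb", "//fileserver/")],
}


@dataclass(frozen=True)
class Endpoint:
    source_ip: str
    device_type: str  # "managed_laptop" or "kiosk"; assumed reported by an agent
    running_processes: frozenset


@dataclass(frozen=True)
class Posture:
    antivirus: bool
    firewall: bool
    internal: bool


def posture(ep: Endpoint) -> Posture:
    """Log-on time posture: which protections are running, and from where."""
    procs = {p.lower() for p in ep.running_processes}
    addr = ip_address(ep.source_ip)
    return Posture(
        antivirus=bool(procs & ANTIVIRUS_PROCESSES),
        firewall=bool(procs & FIREWALL_PROCESSES),
        internal=any(addr in net for net in INTERNAL_NETWORKS),
    )


def trust_tier(ep: Endpoint) -> str:
    """A kiosk, or any device lacking anti-virus or a firewall, is restricted
    regardless of where it connects from; managed, protected devices are
    trusted on the internal network and 'managed_remote' elsewhere."""
    p = posture(ep)
    if ep.device_type != "managed_laptop" or not (p.antivirus and p.firewall):
        return "restricted"
    return "trusted" if p.internal else "managed_remote"


def canonical_path(path: str) -> str:
    """Decode (including double encoding) and normalise before matching so
    '/reservations/../erp/ledger' or '%252e%252e' cannot pass a prefix rule."""
    decoded = unquote(path)
    while "%" in decoded and unquote(decoded) != decoded:
        decoded = unquote(decoded)
    return normpath(decoded)


def _within(path: str, prefix: str) -> bool:
    """Segment-aware prefix test: '/flights/price' must not match '/flights/pricelist'."""
    if prefix.endswith("/"):
        return path == prefix.rstrip("/") or path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def is_allowed(ep: Endpoint, protocol: str, path: str) -> bool:
    """Application-layer decision for one resource; deny by default."""
    tier = trust_tier(ep)
    path = canonical_path(path)
    return any(proto == protocol and _within(path, prefix) for proto, prefix in TIER_RULES[tier])


if __name__ == "__main__":
    kiosk = Endpoint("203.0.113.5", "kiosk", frozenset({"explorer.exe"}))
    for proto, res in [("http", "/reservations/confirm"), ("http", "/erp/ledger"), ("smb", "//fileserver/finance")]:
        print(trust_tier(kiosk), proto, res, "->", "allow" if is_allowed(kiosk, proto, res) else "deny")
```

The path canonicalisation step is the part most often missed in home-grown URL allow-lists: a prefix rule on `/reservations/` is worthless if `/reservations/../erp/ledger` reaches the match unnormalised.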
We expect that the number of anti-virus and firewall products supported out of the box by these access control products will increase significantly in the near future.
It is also a near certainty that the endpoint security checking provided by SSL VPN tools will expand from pre-log-on checks to checks that would run throughout a connection session. Some products already are offering the beginnings of such a capability, for example, looking for cross-site scripting attacks coming from the endpoint that can then be blocked from reaching their target.
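What such a session-long check looks like on the gateway, as an added example that is not code from either product reviewed: every request a connected user sends is inspected for cross-site scripting payloads after the encodings an attacker stacks to hide them are undone, an offending request is blocked before it reaches the internal application, and a session that keeps offending is terminated rather than merely filtered. The signature set and the sample requests are constructed for the illustration. Matching of this kind catches the obvious payloads and is a screen, not a proof of safety; it does not replace output encoding in the application itself.

```python
"""In-session request inspection for an SSL VPN gateway. Added illustration;
the rules below are a small constructed signature set, not a product's."""
import html
import re
from urllib.parse import unquote_plus

# Each rule names the reason a request was blocked. Patterns run over a
# normalised (decoded, lower-cased) copy of every parameter name and value.
XSS_RULES = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b")),
    ("javascript_uri", re.compile(r"javascript\s*:")),
    ("event_handler", re.compile(
        r"\bon(load|error|click|mouseover|mouseout|focus|blur|keydown|keyup|submit)\s*=")),
    ("active_element", re.compile(r"<\s*(iframe|object|embed|img|svg)\b")),
]


def normalise(value: str) -> str:
    """Undo layered encodings: bounded repeated percent-decoding (defeats
    double encoding), then HTML entities, then case and whitespace."""
    text = value
    for _ in range(3):  # bounded so adversarial input cannot make this loop
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).lower()


def looks_like_xss(value: str):
    """Return the name of the first matching rule, or None if nothing matched."""
    text = normalise(value)
    for name, pattern in XSS_RULES:
        if pattern.search(text):
            return name
    return None


def inspect_request(request: dict):
    """Check the path and every query/body parameter name and value.
    Returns (ok, reason); reason is None when the request is allowed."""
    candidates = [request.get("path", "")]
    for section in ("query", "body"):
        for key, val in request.get(section, {}).items():
            candidates.extend((key, val))
    for candidate in candidates:
        reason = looks_like_xss(str(candidate))
        if reason:
            return False, reason
    return True, None


class SessionGuard:
    """Per-session enforcement that runs for the life of the connection,
    not only at log-on. Repeated violations close the session."""

    def __init__(self, max_violations: int = 3):
        self.max_violations = max_violations
        self._violations = {}
        self._terminated = set()

    def handle(self, session_id: str, request: dict) -> str:
        """Return 'allow', 'block' (this request only) or 'terminate'."""
        if session_id in self._terminated:
            return "terminate"
        ok, _reason = inspect_request(request)
        if ok:
            return "allow"
        count = self._violations.get(session_id, 0) + 1
        self._violations[session_id] = count
        if count >= self.max_violations:
            self._terminated.add(session_id)
            return "terminate"
        return "block"


if __name__ == "__main__":
    guard = SessionGuard(max_violations=2)
    # Constructed sample traffic from one remote session.
    for req in [
        {"path": "/reservations/confirm", "query": {"pnr": "ABC123"}},
        {"path": "/reservations/search", "query": {"q": "<script>alert(1)</script>"}},
        {"path": "/reservations/search", "query": {"q": "%253Cscript%253Ealert(1)"}},
        {"path": "/reservations/confirm", "query": {"pnr": "ABC123"}},
    ]:
        print(req["path"], req["query"], "->", guard.handle("session-1", req))
```

The bounded decode loop is deliberate: a gateway that decodes until the input stops changing can be kept busy by crafted input, so the example caps the passes and accepts that deeper nesting is missed.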
Technical Director Cameron Sturdevant can be reached at [email protected].