SSL VPNs make the connection with users
Posted: 16:45 16 Sep 2004
Topics: Internet Security
Virtual private networks based on
Secure Sockets Layer offer a simpler, more secure way for remote
users to connect to corporate networks and take-up is set to
rise.
Companies are beginning to see the value of simplifying their
internet connections. Traditionally, users who have required remote
access have deployed a leased line to connect sites. For remote
workers, the preferred option was running an IPSec client to
connect to a virtual private network in order to gain access to the
corporate network.
But many users have found IPSec VPNs to be cumbersome. John
Pescatore, research vice-president at Gartner, said IPSec could
pose a serious security risk because it offers full network access.
"If you accidentally download a worm such as MS Blaster, your
[infected] PC will spread it across the enterprise," he said.
Gartner estimated that 90% of VPNs today use IPSec, but within two
years 50% of VPNs will use an alternative VPN security protocol
called Secure Sockets Layer. One of the main benefits of an SSL VPN
is that it does not need any client software installed.
Pescatore also pointed out that SSL VPNs can be less prone to
attack by hackers. Many hackers install code remotely, but
Pescatore said SSL has so far been immune to such attacks. It also
limits network access to port 80 (i.e. web traffic), which reduces
the damage that can be done if a hacker were to break in.
Pescatore predicted that in the future IPSec would only have two
uses: supporting legacy connectivity when it is not possible to use
SSL, and where server-to-server connections are needed.
Pescatore's comments were mirrored in a research paper published
by Forrester Research in June which noted that many businesses
provide remote connectivity for users with IPSec remote access
VPNs.
Forrester found that in 2003 there was significant interest in SSL
VPNs as an alternative to IPSec. It said SSL VPNs offered a smooth
migration to more cost-effective, easier-to-deploy remote access
than IPSec. "SSL VPNs' combination of flexibility and functionality
makes it competitive with IPSec even when deployed for an
enterprise's power-users," the report said.
Forrester predicted that although SSL VPNs are sold as dedicated
hardware appliances, eventually performance gains and economics
will drive SSL VPNs onto a VPN-on-a-blade, to run in a networking
or server chassis. "This will reduce costs and help lower SSL VPNs
gear out of the premium-priced status it enjoys today," the report
said.
Cutting costs
Forrester said users who deployed SSL VPNs would be able
to reduce the cost of remote working to almost zero. It also said
the simplicity of SSL VPNs would cut the cost of helpdesk
support.
As reported in Computer Weekly last week, users evaluating SSL for
encrypting network traffic on the internet include oil company BP
and Standard Chartered Bank. Both organisations are members of IT
security user group the Jericho Forum, which sees secure internet
access as essential to support the way businesses will need to
operate in the future.
Setting up and managing extranets for hundreds of business partners
and securing global staff in a consistent manner is extremely
difficult. Some businesses find that the networks cannot be
established quickly enough to support business development.
However, simplification using SSL VPN technology to secure
communications across the public internet is seen by some
businesses as the way to build and maintain network connections for
third-party businesses and remote sites and users.
Identity management
As SSL VPN technology becomes more widely available, one area
businesses will have to look at is identity management. Tony Lock,
senior analyst at Bloor Research, said, "Businesses will need to
recognise people coming into the network, who they are, and what
data they have access to."
Although global organisations such as Boeing are developing
identity management programmes to support thousands of staff and
contractors, industry observers believe much more work is needed on
building global standards for identity management.
Nick Bleech, head of security management in the technology advisory
practice at KPMG, said, "What is needed is a globally unique person
ID that is issued once."
The benefits of using SSL VPNs
Levels of granularity: Because it operates at the application layer, the Secure Sockets Layer protocol can track more information about users - location, type of computer, operating system, etc - and provides more granularity than the IPSec protocol.
This allows enterprises to comfortably extend remote access to new areas such as internet kiosks or partner sites where the level of granularity - the degree of modularity of a system - ensures users have access to only the necessary resources.
Flexibility for mobile environments: The proliferation of mobile technologies such as corporate Wi-Fi is driving the adoption of SSL virtual private networks.
Most enterprises are deploying wireless LAN access points outside the corporate firewall, requiring users to gain access via a VPN.
SSL provides a more flexible and seamless VPN architecture so users do not have to manually launch IPSec VPNs when connected wirelessly at the office.
Device types: SSL VPNs are capable of running on a standard browser.
As a result, a wide variety of client types, including PDAs and cell phones, can connect remote users securely via standards-based browsers instead of proprietary IPSec clients that may be difficult to install or are too resource intensive.
Source: Forrester Research