Virtual private networks based on Secure Sockets Layer offer a simpler, more secure way for remote users to connect to corporate networks and take-up is set to rise
Companies are beginning to see the value of simplifying their internet connections. Traditionally, users who have required remote access have deployed a leased line to connect sites. For remote workers, the preferred option was running an IPSec client to connect to a virtual private network in order to gain access to the corporate network.
But many users have found IPSec VPNs to be cumbersome. John Pescatore, research vice-president at Gartner, said IPSec could pose a serious security risk because it offers full network access. "If you accidentally download a worm such as MS Blaster, your [infected] PC will spread it across the enterprise," he said.
Gartner estimated that 90% of VPNs today use IPSec, but within two years 50% of VPNs will use an alternative VPN security protocol called Secure Sockets Layer. One of the main benefits of an SSL VPN is that it does not need any client software installed.
Pescatore also pointed out that SSL VPNs can be less prone to attack by hackers. Many hackers install code remotely, but Pescatore said SSL has so far been immune to such attacks. It also limits network access to port 80 (ie web traffic), which reduces the damage that can be done if a hacker were to break in.
Pescatore predicted that in the future IPSec would only have two uses: supporting legacy connectivity when it is not possible to use SSL, and where server-to-server connections are needed.
Pescatore's comments were mirrored in a research paper published by Forrester Research in June which noted that many businesses provide remote connectivity for users with IPSec remote access VPNs.
Forrester found that in 2003 there was significant interest in SSL VPNs as an alternative to IPSec. It said SSL VPNs offered a smooth migration to more cost-effective, easier to deploy remote access than IPSec. "SSL VPNs' combination of flexibility and functionality makes it competitive with IPSec even when deployed for an enterprise's power-users," the report said.
Forrester predicted that although SSL VPNs are sold as dedicated hardware appliances, eventually performance gains and economics will drive SSL VPNs onto a VPN-on-a-blade, to run in a networking or server chassis. "This will reduce costs and help lower SSL VPN gear out of the premium-priced status it enjoys today," the report said.
Forrester said users who deployed SSL VPNs would be able to reduce the cost of remote working to almost zero. It also said the simplicity of SSL VPNs would cut the cost of helpdesk support.
As reported in Computer Weekly last week, users evaluating SSL for encrypting network traffic on the internet include oil company BP and Standard Chartered Bank. Both organisations are members of IT security user group the Jericho Forum, which sees secure internet access as essential to support the way businesses will need to operate in the future.
Setting up and managing extranets for hundreds of business partners and securing global staff in a consistent manner is extremely difficult. Some businesses find that the networks cannot be established quickly enough to support business development. However, simplification using SSL VPN technology to secure communications across the public internet is seen by some businesses as the way to build and maintain network connections for third-party businesses and remote sites and users.
As SSL VPN technology becomes more widely available, one area businesses will have to look at is identity management. Tony Lock, senior analyst at Bloor Research, said, "Businesses will need to recognise people coming into the network, who they are, and what data they have access to."
Although global organisations such as Boeing are developing identity management programmes to support thousands of staff and contractors, industry observers believe much more work is needed on building global standards for identity management.
Nick Bleech, head of security management in the technology advisory practice at KPMG, said, "What is needed is a globally unique person ID that is issued once."
The benefits of using SSL VPNs
Levels of granularity: Because it operates at the application layer, the Secure Sockets Layer protocol can track more information about users - location, type of computer, operating system, etc - and provides more granularity than the IPSec protocol.
This allows enterprises to comfortably extend remote access to new areas such as internet kiosks or partner sites where the level of granularity - the degree of modularity of a system - ensures users have access to only the necessary resources.
Flexibility for mobile environments: The proliferation of mobile technologies such as corporate Wi-Fi is driving the adoption of SSL virtual private networks.
Most enterprises are deploying wireless LAN access points outside the corporate firewall, requiring users to gain access via a VPN.
SSL provides a more flexible and seamless VPN architecture so users do not have to manually launch IPSec VPNs when connected wirelessly at the office.
Device types: SSL VPNs are capable of running on a standard browser.
As a result, a wide variety of client types, including PDAs and cell phones, can connect remote users securely via standards-based browsers instead of proprietary IPSec clients that may be difficult to install or are too resource intensive.
Source: Forrester Research
This was first published in September 2004