How should you spell VPN?

SSL VPN appliances simplify remote access security

Given the wide-open nature of the Internet, which allows anyone with the will and a network sniffer to eavesdrop on communications, IT groups must extend the protection of corporate applications and data to end-users accessing them remotely. This means implementing a VPN solution, and there’s more than one way to do it.

The classic VPN uses the IPsec framework to encrypt client/server connections over the Internet. The problem with the IPsec approach is that it requires specialized client software in addition to an IPsec gateway at the corporate office. Many firewalls can function as an IPsec VPN gateway. However, end-users typically find IPsec clients difficult to configure and use, and installing and supporting these clients can be time-consuming for IT.

An alternative is to use an SSL-capable Web browser, and make resources available through an SSL-enabled Web server. But there are downsides to this approach. First, it takes a lot of computing horsepower to handle SSL transactions. Second, securing a Web server for VPN access can be tricky, both in terms of making sure all the security patches have been applied, and in terms of locking the server down to prevent meddling. And third, enabling Web access to applications isn’t trivial because few applications include the extensions necessary to support a Web interface.

These issues are addressed by SSL VPN appliances from companies such as Array Networks, Neoteris, and Netilla Networks, which are designed to provide secure access to corporate resources without configuring special VPN software on the client side or hardening Web servers. They each have different approaches to enabling access to applications, but all act as reverse proxies to present networked applications inside the firewall to external users via Web browser. And all perform dynamic rewriting of content to prevent someone who intercepts a URL from simply using the same URL to access data or resources without logging in.

Array Networks’ Array SP is an appliance that provides authentication via LDAP, SecurID, RADIUS (Remote Authentication Dial-In User Service), or Active Directory, then determines what resources a user should have access to and makes those resources available through an SSL-enabled Web browser. It maps corporate servers to named links in the portal, and provides one-time URLs to access resources. It also keeps detailed logs of all user activity, from failed logins to approved content requests.
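To make the reverse-proxy rewriting and one-time URL mechanism described above concrete, here is an added example (not code from the article or from any of the vendors named). It rewrites internal links in proxied HTML into opaque portal tokens bound to the authenticated session and refuses any token that is reused or presented from a different session; the portal hostname, the intranet URL and the session identifiers are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field

# Matches absolute links in proxied HTML; in a real appliance this would be a
# full HTML/JS rewriter, but a regex is enough to show the mechanism.
HREF_RE = re.compile(r'href="(https?://[^"]+)"')
TOKEN_RE = re.compile(r'/r/([A-Za-z0-9_-]+)"')


@dataclass
class Rewriter:
    # Constructed portal hostname; .invalid is reserved and never resolves.
    portal_host: str = "https://portal.example.invalid"
    # token -> (session_id, internal_url); None marks a consumed token
    _tokens: dict = field(default_factory=dict)

    def rewrite(self, html: str, session_id: str) -> str:
        """Replace every internal href with a fresh one-time portal URL."""
        def repl(match: re.Match) -> str:
            token = secrets.token_urlsafe(16)
            self._tokens[token] = (session_id, match.group(1))
            return f'href="{self.portal_host}/r/{token}"'
        return HREF_RE.sub(repl, html)

    def resolve(self, token: str, session_id: str):
        """Map a portal token back to its internal URL exactly once, and only
        for the session it was issued to. Returns None on any failure, so an
        intercepted URL is useless to anyone without that login."""
        entry = self._tokens.get(token)
        if entry is None:
            return None                 # unknown or already consumed
        owner, internal_url = entry
        if owner != session_id:
            return None                 # replayed from another session
        self._tokens[token] = None      # consume: a second use is refused
        return internal_url


def tokens_in(html: str) -> list:
    """Extract the portal tokens present in rewritten HTML."""
    return TOKEN_RE.findall(html)
```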

Neoteris’ Access Series appliances run a hardened Web server that receives external requests via SSL/HTTPS, providing authentication, authorization, and access control. Once a request is authorized, it is dynamically rewritten, including complex application content such as signed Java applets. Then the appliance sends the request to the appropriate application.

The Netilla Security Platform uses a hardened version of Linux and the Apache Web server to provide access to central office data and applications, dynamically rewriting requests to ensure security and keep out malicious code. The Netilla box supports a number of remote access protocols including RDP (Remote Desktop Protocol) for Windows, X for the X Window System, Telnet, SSH (Secure Shell), and SNA (Systems Network Architecture) 3270 for terminal emulation. It also provides client/server file and e-mail synchronization through SSL tunneling, supporting Microsoft Outlook, Lotus Notes, and CRM applications.

It’s possible to duplicate the functions of these appliances (perhaps with an SSL processor, a Web server, and an authentication server such as an LDAP directory), but it would require considerable programming ability and a lot of development time to do so. The Array, Neoteris, and Netilla appliances represent drop-in solutions that bypass the headaches of IPsec-based VPNs and provide both strong security and easy access to corporate resources.