During the past few years, SSL VPNs have matured from devices offering very basic application support to enterprise-ready security jacks-of-all-trades, capable of handling thousands of users and a wide range of connectivity options. Security features are evolving, with extensive host checking taking place prior to user log-on and adaptive, dynamic security policies being applied accordingly.
SSL VPNs are continuing to win over new converts for several reasons: They don't need a "fat client" on a device to function; they require less administrative management; and they can reduce help-desk support calls dramatically. No longer relegated to designer solutions, SSL VPNs are more commonly being added to routers and core network concentrators through a software upgrade or licensing option. Additional refinement of existing features notwithstanding, more noticeable is the absence of any landmark changes to the overall technology in the past 12 months.
I recently looked at the latest releases from two of the SSL VPN market leaders. Both the Aventail EX-2500 and the F5 Networks FirePass 4100 continue to mature and provide excellent platforms from which to build a secure remote access solution. Each appliance comes with updated hardware for greater scalability, as well as software improvements that take existing capabilities to new heights.
Same technology, new uses
Few would have thought that SSL VPNs, as a secure remote access technology, would help provide a solution for internal network access control. Yet some companies are forcing their local network users to log in to the SSL appliance's Web portal before gaining access to corporate resources.
This serves a couple of purposes. First, it allows administrators to perform a preflight check on the client device before permitting access to the network. For example, both the Aventail and F5 boxes can perform end-point security audits to determine the level of trust to apply to the host and deny entry if it fails any test.
This type of policy enforcement intrudes on local policy platforms such as the ConSentry Secure LAN Controller and Elemental Compliance System, although the latter provides a much more granular and flexible system for classifying clients on the network. Aventail and F5 are heading in the right direction, but they have a ways to go to catch up to these two products.
Second, by having users log in to an SSL VPN portal, admins have additional control over the applications and resources those users will be accessing. It allows very granular access control rules to be deployed so that resources can only be accessed a specific way, reducing their exposure to unauthorized guests and allowing admins to perform resource control management from one UI, not many.
As an additional benefit, admins can encrypt all traffic to the resources using SSL for better internal security. With all the encrypted traffic flying around, however, network monitoring and management tools won't be capable of correctly identifying and classifying the data flows. Monitoring tools that peer into TCP traffic will be blinded by the SSL packets, and routers and switches will have trouble identifying traffic to apply QoS policy. Use encryption wisely; it may not be suitable for everything.
Aventail EX-2500
| Test Center Scorecard | ||||||
|---|---|---|---|---|---|---|
 |  |  |  |  |  | |
| 35% | 25% | 20% | 10% | 10% | ||
| Aventail EX-2500 | 9 | 9 | 8 | 9 | 8 |
8.7
Very Good
|
| 35% | 25% | 20% | 10% | 10% | ||
| F5 FirePass 4100 | 9 | 9 | 10 | 8 | 9 |
9.1
Excellent
|
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
Recommend This
