Connecting to files and applications using SSL can be as easy as browsing to a portal page and clicking on a link. Through access control lists and user policies, applications, data, and servers are exposed to the Internet through the SSL VPN appliance.
Access control policies are extremely granular, allowing for pinpoint accuracy when granting access to protected resources, something IPSec VPNs lack.
SSL moves the access control away from the servers and out to the edge where the tunnel terminates. Because it is not a network-level connection, none of the servers behind the appliance is immediately exposed to the user. So, all authorization, authentication, and policy enforcement occurs on a device just behind the firewall, but off the individual servers.
This is an important concept with SSL VPNs. Unlike an IPSec tunnel, when users connect to the VPN appliance, even though they have a secure session, they still don’t have access to resources on the LAN. Based on group membership, users can only connect to systems specifically defined in the access policy.
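The contrast described above, as an added example that is not from the article or any vendor's product: a small default-deny, group-based policy of the kind an SSL VPN appliance enforces at the edge, placed beside the network-level reachability an IPSec tunnel grants once the user is authenticated. The users, groups, LAN range and policy entries are constructed sample data, and the two decision functions are hypothetical illustrations of the two models, not any appliance's real API.

```python
"""
Added example (not from the article): a default-deny, group-based access
policy of the kind an SSL VPN appliance enforces at the edge, contrasted
with the network-level access an IPSec tunnel grants once it is up.
All hosts, groups, users and policy entries below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample data: the protected LAN behind the VPN device.
LAN = ipaddress.ip_network("10.20.0.0/16")

# User -> group memberships (assumed to be looked up in the directory at login).
USER_GROUPS = {
    "alice": {"clinicians"},
    "bob": {"clinicians", "it-admins"},
    "carol": set(),  # authenticated, but a member of no group
}

# SSL VPN policy: group -> set of (host, port) pairs that group may reach.
# Anything not listed here is denied, regardless of authentication state.
ACCESS_POLICY = {
    "clinicians": {("10.20.5.10", 443)},                      # records portal
    "it-admins": {("10.20.5.10", 443), ("10.20.9.2", 22)},    # plus SSH jump host
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def ipsec_style_decision(user: str, dest_ip: str, dest_port: int) -> Decision:
    """Network-level tunnel: once the user is authenticated, every LAN address
    is reachable; any per-host restriction has to live on the servers themselves."""
    if user not in USER_GROUPS:
        return Decision(False, "unauthenticated")
    if ipaddress.ip_address(dest_ip) in LAN:
        return Decision(True, "LAN reachable through tunnel")
    return Decision(False, "destination outside tunnelled network")


def ssl_vpn_decision(user: str, dest_ip: str, dest_port: int) -> Decision:
    """Application-level policy at the edge: the secure session alone grants
    nothing; one of the user's groups must name this exact (host, port)."""
    groups = USER_GROUPS.get(user)
    if groups is None:
        return Decision(False, "unauthenticated")
    if not groups:
        return Decision(False, "no group membership, default deny")
    for group in sorted(groups):
        if (dest_ip, dest_port) in ACCESS_POLICY.get(group, set()):
            return Decision(True, f"permitted by group '{group}'")
    return Decision(False, "resource not defined in access policy")


def compare(user: str, dest_ip: str, dest_port: int) -> tuple:
    """Return (ipsec_allowed, ssl_allowed) for one request, for side-by-side review."""
    return (
        ipsec_style_decision(user, dest_ip, dest_port).allowed,
        ssl_vpn_decision(user, dest_ip, dest_port).allowed,
    )


if __name__ == "__main__":
    requests = [
        ("alice", "10.20.5.10", 443),    # clinician to the portal: both allow
        ("alice", "10.20.9.2", 22),      # clinician to SSH host: only IPSec allows
        ("bob", "10.20.9.2", 22),        # admin to SSH host: both allow
        ("carol", "10.20.5.10", 443),    # no groups: IPSec allows, SSL denies
        ("alice", "10.20.77.77", 3389),  # host in no policy at all
    ]
    for user, ip, port in requests:
        i, s = compare(user, ip, port)
        print(f"{user:6} -> {ip}:{port:<5} ipsec={str(i):5} ssl={s}")
```

The point the table of requests makes is the one the paragraph above makes in prose: under the tunnel model the authenticated session is the authorization, so anything the servers do not themselves restrict is reachable, whereas under the edge-policy model an authenticated user with no matching policy entry (or no group at all) reaches nothing.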
Managing SSL Risks
Vowels, who has deployed both IPSec and SSL VPNs, clearly has faith in both VPN schemes, but SSL’s browser-based access raises concerns. “We want folks using SSL to exercise discretion,” Vowels says. He worries about where his users will be accessing applications; untrusted locations such as Internet cafes pose a risk to a company simply because the operator of the machine can be anyone. Cameras that record the screen, or hard-to-detect devices that capture keystrokes, are not unheard of.
Some SSL VPN appliances include “cache cleaning” technology that purges the browser’s cache and temp files on exit. This also helps prevent private information from being intercepted.
So far, most adopters are not too concerned about the cipher strength of SSL VPNs. Paceck, for one, says he has complete confidence in the technology. Currently, Virtua Hospital’s security policy requires only one type of authentication — but that could change if the HIPAA (Health Insurance Portability and Accountability Act) requirements change to necessitate the use of two forms of identification. He believes this will be easy to accomplish by issuing smart card or biometric devices that physicians can carry on their person.
Changing of the VPN Guard?
Can something that sounds as good as SSL really be that good? Well, almost. SSL is a very capable platform, but it’s not all things to all people. Policy generation requires more effort and can be more prone to errors with SSL than with IPSec tunnels. In part, this is because SSL appliance vendors have not “wizardized” the process.
The number of choices and options available during policy creation can be overwhelming. For example, the Neoteris Access Series VPN appliance provides a high level of policy granularity, but for each level of access control, a choice must be made. The effort of SSL policy creation has to be weighed against the time and administrative cost of supporting IPSec clients, but overall, policy definition for SSL takes up less time and creates fewer problems than IPSec client support.
So, IPSec or SSL? In fact, most midsize-to-large organizations need both. Which technology gets deployed where depends on who needs access. Remote IT administrators that require full, network-level access need IPSec; so, generally, do remote offices. But the advantages of minimal client deployment and application-level authorization argue that just about everyone else should connect via SSL.