How should you spell VPN?
SSL VPN appliances simplify remote access security
Given the wide-open nature of the Internet, which allows anyone with the will
and a network sniffer to eavesdrop on communications, IT groups must extend the
protection of corporate applications and data to end-users accessing them
remotely. This means implementing a VPN solution, and there’s more than one way
to do it.
The classic VPN uses the IPsec framework to encrypt client/server connections
over the Internet. The problem with the IPsec approach is that it requires
specialized client software in addition to an IPsec gateway at the corporate
office. Many firewalls can function as an IPsec VPN gateway. However, end-users
typically find IPsec clients difficult to configure and use, and installing and
supporting these clients can be time-consuming for IT.
An alternative is to use an SSL-capable Web browser, and make resources
available through an SSL-enabled Web server. But there are downsides to this
approach. First, it takes a lot of computing horsepower to handle SSL
transactions. Second, securing a Web server for VPN access can be tricky, both
in terms of making sure all the security patches have been applied, and in terms
of locking the server down to prevent meddling. And third, enabling Web access
to applications isn’t trivial because few applications include the extensions
necessary to support a Web interface.
These issues are addressed by SSL VPN appliances from companies such as Array
Networks, Neoteris, and Netilla Networks, which are designed to provide secure
access to corporate resources without configuring special VPN software on the
client side or hardening Web servers. They each have different approaches to
enabling access to applications, but all act as reverse proxies to present
networked applications inside the firewall to external users via Web browser.
And all perform dynamic rewriting of content to prevent someone who intercepts a
URL from simply using the same URL to access data or resources without logging
in.
Array Networks’ Array SP is an appliance that provides authentication via LDAP,
SecurID, RADIUS (Remote Authentication Dial-In User Service), or Active
Directory, then determines what resources a user should have access to and makes
those resources available through an SSL-capable browser. It maps corporate servers to
named links in the portal, and provides one-time URLs to access resources. It
also keeps detailed logs of all user activity, from failed logins to approved
content requests.
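To make the reverse-proxy behaviour described above concrete (dynamic rewriting of internal links, and Array-style one-time URLs that are useless to anyone who intercepts them), here is an added toy model in Python. It is not code from any of the vendors named in the article; the gateway host name, the internal host name, the session handling and the HTML snippet are all constructed for illustration.

```python
import re
import secrets
from urllib.parse import urlparse


class SslVpnRewriter:
    """Toy reverse proxy: rewrites internal links into one-time gateway URLs
    bound to the authenticated session that received them (assumed design)."""

    def __init__(self, gateway_host, allowed_hosts):
        self.gateway_host = gateway_host
        self.allowed = set(allowed_hosts)   # internal hosts the portal may expose
        self.sessions = {}                  # session id -> username
        self.one_time = {}                  # token -> (session id, internal URL)

    def login(self, username):
        sid = secrets.token_urlsafe(16)     # stands in for the SSL session cookie
        self.sessions[sid] = username
        return sid

    def rewrite_links(self, html, sid):
        """Replace each href pointing at an allowed internal host with a fresh
        one-time URL on the gateway; links to other hosts are left untouched."""
        def repl(match):
            url = match.group(1)
            if urlparse(url).hostname not in self.allowed:
                return match.group(0)
            token = secrets.token_urlsafe(16)
            self.one_time[token] = (sid, url)
            return f'href="https://{self.gateway_host}/go/{token}"'
        return re.sub(r'href="(http://[^"]+)"', repl, html)

    def resolve(self, token, sid):
        """Return the internal URL for a token, but only for the session that
        was handed it, and only once; anything else gets nothing."""
        entry = self.one_time.get(token)
        if entry is None:
            return None
        owner, url = entry
        if owner != sid or sid not in self.sessions:
            return None                     # intercepted URL, no valid login
        del self.one_time[token]            # consumed: a replay fails
        return url


def demo():
    # Constructed sample: one internal link, one public link (not proxied).
    vpn = SslVpnRewriter("vpn.example.test", ["intranet.example.internal"])
    page = ('<a href="http://intranet.example.internal/reports/q3.html">Q3</a> '
            '<a href="http://www.example.com/">public</a>')
    sid = vpn.login("alice")
    rewritten = vpn.rewrite_links(page, sid)
    token = re.search(r'/go/([A-Za-z0-9_-]+)"', rewritten).group(1)
    return {
        "public_untouched": 'href="http://www.example.com/"' in rewritten,
        "internal_hidden": "intranet.example.internal" not in rewritten,
        "replay_without_session": vpn.resolve(token, "no-such-session"),
        "owner_first_use": vpn.resolve(token, sid),
        "owner_second_use": vpn.resolve(token, sid),
    }
```

Running `demo()` shows the internal host name never reaches the browser, a copied gateway URL resolves to nothing without the originating session, and even the legitimate session can use each URL only once.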
Neoteris’ Access Series appliances run a hardened Web server that receives
external requests via SSL/HTTPS, providing authentication, authorization, and
access control. Once a request is authorized, it is dynamically rewritten,
including complex application content such as signed Java applets. Then the
appliance sends the request to the appropriate application.
The Netilla Security Platform uses a hardened version of Linux and the Apache
Web server to provide access to central office data and applications,
dynamically rewriting requests to ensure security and keep out malicious code.
The Netilla box supports a number of remote access protocols including RDP
(Remote Desktop Protocol) for Windows, X for the X Window System, Telnet, SSH (Secure
Shell), and SNA (Systems Network Architecture) 3270 for terminal emulation. It
also provides client/server file and e-mail synchronization through SSL
tunneling, supporting Microsoft Outlook, Lotus Notes, and CRM applications.
It’s possible to duplicate the functions of these appliances -- perhaps with an
SSL processor, a Web server, and an authentication server such as LDAP -- but it
would require considerable programming ability and a lot of development time to
do so. The Array, Neoteris, and Netilla appliances represent drop-in solutions
that bypass the headaches of IPsec-based VPNs and provide both strong security
and easy access to corporate resources.