The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


Secure Authentication and Access to Critical Resources

Author:  Jeff Laubhan
Contributed by Rainbow Technologies, Inc.

 

 

Overview

Every day thousands of people type "SSL VPN" into Google to search for relevant material on this new technology. SSL VPN is one of the fastest growing remote access categories, yet most organizations are not really familiar with the value, the history, or what this new type of remote access product can really deliver. Key questions include: Is all the hype around SSL VPNs warranted? What is an SSL VPN and why do I need one? Will it make me a savior to management and the business constituents, or end my career?

As the ability to access corporate information has moved from RAS dial-up servers and leased lines to broadband, the need to secure the information has grown substantially. This need is primarily driven by the inherent weaknesses of the Internet that result from its open architecture.

Justification for remote access security continues to be a plaguing problem. Demonstrating ROI primarily comes back to improved partner access, a reduction in downtime and the cost of patching security holes after they are opened up. The PR from a security breach continues to be priceless. This all leads back to fundamental questions like: How can we open up our systems to more remote employees and business partners without creating security vulnerabilities? At the same time, how can we make this security not overly intrusive to users? These questions, and the ultimate goal of providing a high degree of access to critical information without pain, will be answered within.

Evolution

As applications have moved to the Web, the challenge that organizations face is how to deliver the flexibility of "anywhere" access without being intrusive to the end user. For the last 20 years, users and management have constantly heard that they are not allowed to access applications outside of the office for security reasons. In the 1970s, remote access meant accessing an application from a remote office. This required expensive WAN and leased line connections, which limited deployments.

During the 1980s a limited group of users could use a modem and dial directly into modem banks or their own PC, but this was extremely costly and limited to a select group. Personal computers were just becoming mainstream at work and the demand for remote access was not as great.

Workers led a more serene ‘work stays at the office’ life unless they wanted to drag a plethora of paperwork home, which many did. As the 1990s rolled around, laptops started emerging, as did the home PC. Executives and sales representatives started travelling with their computers and needing access to information in real time. Site to Client IPSec VPNs came into being to protect this access. Site to Client VPNs provided the needed security, but were challenging to install and maintain. Any change to the PC might disable the VPN. End users put up with these nuances and ongoing access headaches because they didn’t have a choice. Even today, you are hard pressed to find an end user who hasn’t had problems with his VPN.

From the IT side, rolling out an IPSec VPN was not only about installing and maintaining the client, but also about the changes needed to the infrastructure. With an IPSec VPN, NAT didn’t always play nicely with the packets and sometimes broke the connection. Firewall changes to allow IPSec traffic through are common and an ongoing management challenge. If an IT department had complete control of the infrastructure from the back-end to the client, this was one degree of complexity. If the IT group did not have control, the degree of complexity went up a number of times. Imagine that users want to use their own home computers, or that a partner wants access. Deploying a VPN client to a computer that you don’t own or control can be very difficult. The same principle applies to local NAT and firewalls at the partner, home or other sites such as hotels.

Today, organizations are starting to look at what their options are for secure remote access. IPSec VPNs and leased WAN lines are a perfect fit for static connections that don’t change frequently. Companies started looking at SSL as a protocol that would ride on the Internet backbone and not break the model. SSL was and is a common method for encrypting traffic over the Internet, and many organizations moved to implement SSL for their Extranets and Intranets. Access control was limited, though, and so SSL VPNs evolved.

SSL VPN Defined

SSL VPNs evolved to complement existing SSL implementations and increase the level of access control and security that an organization implements. SSL VPNs also address the challenge that organizations have because the native security in application access has decreased. Dial-up by nature is relatively secure because there are only specific phone lines that can authenticate the user. Client-server applications and old-fashioned VPNs themselves have a certain amount of security because client software needs to be installed. At the same time, the risks of fraud, threats and hacks are only increasing. Now that our applications and access are potentially available to anyone with a browser, the nature of security has changed.

SSL VPNs to the rescue. SSL VPNs take the ease of use that SSL provides and implement the level of data security and access control that a traditional VPN uses. SSL VPN is a phrase that was developed by the market a few years ago and continues to baffle everyone as to its true meaning. Everyone understands what the acronyms SSL and VPN mean independently, but what does this new phrase mean when they are put together? At an academic and business level, it can be misconstrued as an oxymoron because of what they stand for:

SSL secures data over the Internet with encryption that is automatically enabled in every browser. A certificate is needed for the web server, but other than the few days you wait for your credit card to clear buying your certificate, turning on SSL is relatively straightforward for an application. If the application does not natively support SSL, then changing some links might be needed, but this depends solely on the application. For larger loads of traffic, SSL acceleration is recommended to alleviate any bottlenecks, but this is a plug and play implementation.

VPNs, on the other hand, are focused on virtually connecting networks. "Private" ensures privacy of the data and a certain level of access control. VPNs are always associated with IPSec because it is the de facto protocol used to encrypt traffic for VPNs. IPSec VPNs are used to connect two networks or end points. These are then closed end points or connections. This is done with a physical client that is installed on a user’s machine. IPSec also operates at the network layer for this connection.

So, how do SSL and VPN collide? One school of thought is that the phrase is a convenient way of combining the ubiquity of SSL with the security, or perception of security, that a VPN provides for secure remote access. SSL VPN is the best description for the technology that is used to solve the business problem of easily and securely connecting end users to critical corporate data. SSL provides an easy to use avenue to access information, replacing the difficult to use VPN client. Any machine with a browser can use an SSL VPN, whereas with a traditional VPN a physical client needs to be installed on every machine that is used for access. Because SSL is embedded in browsers, the need for a client disappears. This is especially important when users have several machines (home, work, client site) they use to connect to information. VPN is a common term for describing secure remote access tunnels. At an academic level SSL VPN might seem like a contradiction, but really it is a clarification of the next generation of secure remote access properties.

Why SSL VPN

SSL VPNs are the savior to remote access problems for a number of reasons. As more organizations struggle with the right balance of access control, security and overall end user acceptance, SSL VPNs provide a perfect fit. A recent Infonetics Research article stated, "By 2005, 74% of mobile workers will use VPNs, up from 59% in 2003; this increase is due in large part to the fact that SSL offers an alternative to IPSec that avoids the headaches of deploying and managing client software."

John Girard, vice president and research director at Gartner, Inc., best describes the value of SSL VPNs in a recent report: "Enterprises that want easier and more flexible ways to deploy secure remote access should consider SSL VPNs for new investments, and as upgrades for legacy VPNs. Many enterprises implement complete VPNs where simpler, easier, less expensive private access could be created by using SSL-based solutions."

The value of an SSL VPN comprises multiple areas. The key areas are improved access control, security, ease of use and the return on investment.

Access Control is more efficiently implemented with an SSL VPN because the users are centrally managed. All remote access is controlled through the SSL VPN console to more effectively monitor the privileges and rights of users. These users can be employees, business partners and clients. Access is restricted at the application layer and can be granted down to a URL or even file level. With an IPSec VPN, security is enforced only up to the network layer.

Security is enforced and more comprehensively managed through hardened, appliance-based SSL VPNs. Data integrity is upheld by ensuring only users with their vested rights can access critical data. All traffic goes through the Web ports that you already have open for traffic. Other ports or "holes" in your firewall don’t need to be created. The risks that exist from vulnerabilities in Web servers are mitigated because the SSL VPN appliance proxies the web servers, in effect hiding the web server DNS information. The major security concern that IPSec VPNs create is that they bridge networks, whereas an SSL VPN terminates sessions between it and the client side applications.

Ease of Use is one of the most important reasons why clients choose an SSL VPN and want to move away from traditional VPN technology. Although IPSec VPNs are very secure, they tilt the scales too far into the security direction and away from ease of use. If any security solution is too difficult to use on a day-to-day basis, then the end user will either bypass it or simply refuse.

The average user wants to leverage the freedom that Web-based applications offer, and a full client VPN defeats the objective of "anywhere access". From initial installation through ongoing maintenance, the value that SSL VPNs provide is the ability to deploy an application without having "control of the desktop". Remote sales executives can access their CRM system securely through only a browser. With a traditional VPN, downtime and opportunity costs are incurred because their laptop would have to be sent back to the corporate IT group so they could configure the VPN client. The only other option would be for the IT administrator to painfully walk them through the installation over the phone or visit them in person, neither of which is an attractive alternative. Because SSL VPNs can be deployed without changes to an organization’s infrastructure, and especially its firewalls, secure remote access can now be expanded in a more economical fashion.

Business partners that need access to systems such as Supply Chain and CRM can now access them via only a browser, where before they might never have been given access. The critical factor is how easy it is for end users because if the technology is too difficult, then users won’t use it.

Most SSL VPNs offer the ability to protect Web and legacy applications through their proxy technology. SSL VPNs can securely move almost any protocol over SSL by using a local applet to interpret the data calls to the backend. Instead of a local client talking POP to the server for example, the local client talks POP to the local applet, which then wraps it in SSL and sends it securely over the Internet to the SSL VPN appliance. The SSL VPN appliance then forwards the POP data to the back-end server.

Examples of this are mail (POP, IMAP), file sharing (FTP), and other legacy applications such as Telnet. The value from this support is that organizations don’t have multiple holes in their firewall to allow various ports to move through. All access is done through the SSL VPN proxy over SSL. Users can now discard their IPSec VPN because SSL VPNs offer Web and legacy support.
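The local applet described above, sketched in Python as an added example (this is not Rainbow's or any vendor's code). The gateway name, the ports and all function names are assumptions; the listener binds to loopback only and verifies the appliance certificate before relaying any POP bytes.

```python
import socket
import ssl
import threading

# Assumed values for illustration; none of these come from the paper.
GATEWAY = ("sslvpn.example.com", 443)   # SSL VPN appliance (placeholder name)
LOCAL = ("127.0.0.1", 1110)             # loopback only: the mail client points here


def gateway_context(cafile=None):
    """TLS client settings: verify the appliance certificate and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF or either side errors."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:                     # ssl.SSLError is a subclass of OSError
        pass


def bridge(a, b):
    """Relay a<->b and tear both sockets down as soon as either direction ends."""
    done = threading.Event()

    def run(src, dst):
        pump(src, dst)
        done.set()

    workers = [threading.Thread(target=run, args=pair, daemon=True)
               for pair in ((a, b), (b, a))]
    for w in workers:
        w.start()
    done.wait()
    for s in (a, b):
        try:
            s.shutdown(socket.SHUT_RDWR)    # wakes the pump still blocked in recv
        except OSError:
            pass
    for w in workers:
        w.join(timeout=5)
    a.close()
    b.close()


def handle(client, ctx):
    """One local POP connection becomes one TLS connection to the appliance."""
    try:
        raw = socket.create_connection(GATEWAY, timeout=10)
        tls = ctx.wrap_socket(raw, server_hostname=GATEWAY[0])
        tls.settimeout(None)
    except OSError:                     # unreachable gateway or failed verification
        client.close()
        return
    bridge(client, tls)


def serve():
    ctx = gateway_context()
    with socket.create_server(LOCAL) as listener:
        while True:
            client, _ = listener.accept()
            threading.Thread(target=handle, args=(client, ctx), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The appliance side is the mirror image: it terminates TLS, authenticates the user, and only then opens the plain POP connection to the back-end mail server.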

Return on Investment (ROI) is one of the most critical areas to look at when analyzing an SSL vs. IPSec VPN. The ROI for an SSL VPN can be broken into a few categories:

Telecommunication Costs can be reduced because companies can use the Internet backbone directly instead of relying on dial-up connections for remote users. Many users could not leverage the high-speed Internet connection available in remote offices and hotel rooms because their VPN client would not always function. Because firewall and NAT changes are required in areas like client sites, this can be a large burden.

Initial Implementation Costs will be reduced several fold with an SSL based VPN because SSL doesn’t require any changes to the corporate or client infrastructure. SSL can be implemented on the back-end in a matter of hours, whereas IPSec would require changes to the firewall, resolution of any NAT issues, and definition of sophisticated security policies to ensure users only have access to the areas on the network where they are permitted. The majority of implementation costs occur with the clients because VPN clients need to be installed on every desktop. This can take several hours per client machine because the TCP/IP protocol stack needs to be modified and the work varies depending on the client settings. With an SSL VPN, the implementation takes minutes because the user just fires up a browser.

Operational Costs are really where an SSL VPN shines because the browser doesn’t need to be updated on every revision and the browser doesn’t interfere with other applications. SSL is built into every browser. With an IPSec client implementation, the client always needs to be updated on every computer and has a very fragile relationship with the client computer. One tweak or change to the system and many VPN clients can stop working. This increases support costs and creates an environment where opportunity costs can skyrocket because employees’ access is cut off. With an SSL VPN, the Internet connection needs to work and that’s all. IPSec and other non-SSL based VPNs require a specific type of skill set, which increases the overall resources and investment needed to support the implementation. SSL VPNs don’t require specialized training or configuration knowledge.

Security can be an important financial driver as organizations weigh the costs of the sophisticated security policies that are required for traditional VPNs. Because an IPSec VPN allows users access to the entire network, complicated access policies need to be implemented and maintained to ensure users only have rights to their respective applications. An SSL VPN can easily be set up with controls that limit access to an application, and even to the file level within that application. This provides more control and reduces the need for hard to manage network security policies.

Proactively monitoring and patching applications as new vulnerabilities arise can be resource intensive, but is needed with traditional VPNs that throw the network wide open for users to see. SSL VPNs proxy web servers and provide an additional level of authentication because users must first authenticate to the SSL VPN appliance before they are passed on to the application. Users that are not part of an already trusted group won’t even be allowed to see the web servers. The need for aggressive patching is reduced because of this additional security layer. Wireless access can be securely managed by restricting use to applications and ensuring encryption and authentication are properly implemented.

ROI Comparison

The cost savings are summarized by The Yankee Group. According to The Yankee Group, SSL VPNs are 45 percent less expensive than IPSec solutions and 72 percent cheaper than dial-up (excluding toll costs).

Comparison of Dial-up, IPSec, and SSL Remote Access

                  Dial-Up    IPSec    SSL Remote Access
Total 1st Year    $840       $415     $235

Source: The Yankee Group, Sept. 2002

Because SSL VPNs are easier to manage and less expensive, corporations can extend the reach of remote access to more employees. The solution is ideal for corporations whose employees are often on the go.

Are Passwords Enough?

One of the biggest questions that arises is what degree of access control is needed on the client end. Demand for security that is better than passwords has been minimal with traditional remote access solutions, but as more applications move to the Web and SSL VPN solutions that enable anywhere access with only a browser start to take off, interest is renewing. Preventing exploitation of web server vulnerabilities, keeping hackers out and simply reducing password theft are all major drivers for investigating technology better than passwords. The form of client-side security, whether passwords or something stronger, is your choice, but stronger options should be considered for the more sensitive data that is accessed and protected with an SSL VPN. Three interesting facts that support the use of technology that is better than passwords are:

  • In one survey, carried out by PentaSafe Security, two-thirds of commuters at London's Victoria Station were happy to reveal their computer password in return for a ballpoint pen. Another survey found that nearly half of British office workers used their own name, the name of a family member or that of a pet as their password.

  • According to Meta Group, the most common way for intruders to gain access to company systems is not technically related, but simply involves finding out the full name and username of an employee (easily deduced from an e-mail message), calling the help desk posing as that employee, and pretending to have forgotten the password.

  • There is well-known software on the market that can guess your passwords in a matter of seconds. Even the most complicated passwords can be broken by brute force in mere minutes.

Tight hardware token integration should be viewed as a key security feature. On many authentication systems, password-based credentials are not constantly checked and re-checked to ensure that the user is authorized to gain access. Tokens should be integrated with solutions such that when a user leaves the workstation and takes the token, the secure connection to the content is closed. Access control is the key to an effective SSL VPN solution, and password alternatives such as random-number tokens, USB keys, and digital certificates all exist. For companies concerned about password management, specific solutions replace passwords with tokens and offer a "reduced sign-on" capability, providing users with a single private Web access.

Password-based authentication (single factor) presents a number of problems:

  • The compromise of a password often goes undetected. When a hacker guesses a password, the legitimate user is often unaware that his credentials have been stolen — that, in effect, his or her identity has been stolen.

  • Password sharing amongst users is a related form of the above problem.

  • Passwords that are hard to guess are also hard to remember, resulting in additional administration costs to support users that have forgotten their passwords.

  • Since passwords are hard to remember, the typical user often uses the same password in many locations: guess it once, and the hacker has them all. Worse yet, users often write them down.

When deploying a secure remote access solution such as an SSL VPN or other VPN, evaluate the value of your data against your password policies and use scenarios. More organizations are turning to USB tokens, smart cards and other technology to ensure their data is secure.

Applications

The applications and use case scenarios for an SSL VPN are limitless, but we have homed in on the most important ones that apply to almost every organization.

Email is the crux of every company and there are always times when you can’t get access or have problems. Traditional VPNs allowed you to protect email, but with a client installed you were limited on access. With an SSL VPN, the best of both worlds is finally here. Secure access can be granted from any web browser to your web email, and you can now also access your client-server email from your own computer over a high-speed line. Both web and client-server applications are securely protected via SSL and sent over the Internet, where the appliance manages the connections centrally. In the old days, you would need to dial up to use your local email client, and using a high-speed connection at home or on the road was not possible. There were always problems with access and the firewalls. Imagine consultants who are working on site and need access to email. Dial-up is not possible, but with an Internet connection they can access either web or local client-server email (MS Exchange for example) without interfering with the client’s network or firewall settings. Several SSL VPNs allow users to access applications via a portal page and hide the back-end domain of the email or other servers for security reasons.

Intranets are the most basic access points, but always the most complicated to manage. It’s always that one file on the network you need when travelling, but can’t get to it. Organizations have been reticent to allow full file sharing remotely for security concerns and many don’t have a method of pushing out access via a browser. SSL VPNs enable secure file and intranet access now to increase productivity of employees.

Partner Extranets are becoming critical as companies move to increase operating efficiencies and improve relationships. SSL VPNs are positioned well to take advantage of this business driver because traditional IPSec VPNs were almost impossible to deploy to a business partner. Because organizations are concerned about security and ensuring that business partners can only see what they are allowed to, most organizations have only allowed limited access for partners. Most sensitive pricing, inventory and other critical business data is still emailed or faxed instead of being downloaded directly from a vendor extranet. The ability to upload information from partners is also unheard of because of security concerns. SSL VPNs can address all these concerns by providing granular access that not only allows partners access to specific applications, but also limits users’ and user groups’ access even to the file level.
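The URL-level and file-level access control described under Access Control and Partner Extranets, as an added Python example (not code from the paper or from any product). The groups, users, paths and the gw.example.com host are constructed; the check canonicalises the requested path first so that "../" and percent-encoding tricks cannot widen a partner's grant.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed policy for illustration. A rule ending in "/" grants a whole
# directory tree; any other rule grants exactly one file.
GROUP_RULES = {
    "employees": ["/crm/", "/intranet/", "/mail/"],
    "partners": ["/extranet/pricing/", "/extranet/inventory/stock.csv"],
}
USER_GROUPS = {"alice": {"employees"}, "acme-buyer": {"partners"}}

_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def canonical_path(url):
    """Return the normalised path the back-end would see, or raise ValueError."""
    path = unquote(urlsplit(url).path)
    # Anything still percent-encoded after one decode is double-encoded;
    # backslashes and NUL bytes are treated as ambiguous and rejected too.
    if _ESCAPE.search(path) or "\\" in path or "\x00" in path:
        raise ValueError("ambiguous path encoding")
    # Collapse "//", "/./" and "/../" before any rule is compared.
    return normpath("/" + path.lstrip("/"))


def is_allowed(user, url):
    """Default deny: allow only if one of the user's group rules matches."""
    try:
        path = canonical_path(url)
    except ValueError:
        return False
    for group in USER_GROUPS.get(user, ()):
        for rule in GROUP_RULES.get(group, ()):
            if rule.endswith("/"):
                base = rule.rstrip("/")
                # Match on a path-segment boundary, so that
                # "/extranet/pricing-internal" is not covered by "/extranet/pricing/".
                if path == base or path.startswith(base + "/"):
                    return True
            elif path == rule:
                return True
    return False
```

A network-layer control cannot make any of these distinctions, because it only sees the address and port of the extranet server.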

Summary

SSL VPNs offer a low cost, easy to deploy and overall superior experience to other types of remote access. SSL VPN technology combines the flexibility and ubiquity that the Internet offers us with the security of traditional VPNs. This gives us the perfect balance between security and ease of use. SSL VPNs will help your organization meet its business, security and information technology goals of securely opening up systems to remote users at an attractive level of investment. Meta Group, a Stamford, Conn.-based research firm, predicts that SSL VPNs will be installed in one out of three major companies by 2004, and in 80 percent by 2006. Rainbow’s NetSwift iGate SSL VPN is a leading provider in the space because of Rainbow’s extensive SSL background and authentication leadership.


Rainbow Overview

Rainbow Technologies is a leading provider of information security solutions for mission critical data, access control and software protection. Founded in 1979, Rainbow Technologies has been breaking the security paradigm by making complex security simple to implement and use for 25 years. Rainbow Technologies maintains its headquarters in Irvine, California and has solution providers that deliver its solutions in over 100 countries worldwide.


Visit the Authors Web Site

Website URL:

 http://www.rainbow.com
