ITPRC NEWS - June 2002
Secure Sockets Layer - A New VPN
By Irwin Lazar
Secure Sockets Layer (SSL)
is emerging as a new alternative to IPSec for remote access VPNs.
SSL is not a new protocol, it has been widely used to secure web-based
transactions for a number of years. What is new is a growing
number of products that are enabling enterprises to use SSL as a method
to provide employees with secure remote access to corporate applications
and data resources
SSL in Brief
SSL is a protocol originally developed by Netscape to provide security
for web-browser based transactions. An open standards alternative,
transport layer security, has been defined by the IETF in RFC 2246.
SSL operates above the TCP layer, but below application protocols such
as HTTP to provide encryption of application layer traffic. SSL
can make use of a variety of different ciphers to provide varying levels
of security (see: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm)
for additional information about SSL. User authentication can be
via simple username/password, secureID, or PKI.
Many organizations are now adopting SSL as a core component of their
remote access strategy. Since SSL VPNs do not require any custom
client configuration or application, all that is necessary is a
standards-compliant web browser, SSL VPNs offer significant advantages
in ease of use and management when compared with IPSec alternatives.
are several drawbacks to using SSL as a primary remote access strategy.
SSL sessions require significant processing power on web servers to
conduct encryption and decryption. Thus, deploying SSL will
significantly limit the number of concurrent user sessions that a web
server can support. However, many vendors now offer SSL
accelerator devices which can off-load encryption/decryption tasks from
other major drawback to using SSL is that traditionally it has only
supported a limited number of applications that are based on well known
TCP ports (http, pop3/smtp, ftp, nntp). This makes SSL useless for
users who need to synchronize local applications, or who need to access
non-web-based applications. However a slew of new products from
companies such as SafeWeb, Aventail, Neoteris and more are now offering
SSL-based appliances that can support a variety of applications,
including such programs as Lotus Notes and Microsoft Outlook/Exchange.
These new products are greatly expanding the role that SSL VPNs can play
in a corporate remote access strategy.
Even with the advances provided by many vendors jumping into the SSL-VPN
space there are still a few drawbacks when compared with IPSec-based
VPNs with the primary one being a lack of end-user device
authentication. Since no client is required to access an SSL-VPN
other than a web browser, there is no way to limit access to machines,
only to users. In addition, organizations with home-grown legacy
applications may continue to find supporting access via SSL-VPN
difficult, especially where synchronization with a local machine is
with these drawbacks SSL-VPNs are still an attractive alternative to
IPSec. Since no client is necessary, SSL-VPNs are easier to
administer, support, and manage than IPSec-based VPNs.
For organizations that only need to provide remote users with access to
a limited number of web-based applications, SSL-VPNs are a far more
elegant solution than IPSec. New products are rapidly expanding
the breadth of applications that can be supported. Enterprise
organizations would be wise to strongly consider making SSL-VPNs the
cornerstone of their remote access strategy.
Irwin Lazar is a Senior Consultant for The Burton Group. He focuses on
strategic planning and network architecture for Fortune 500 enterprises
as well as large service providers. He is the conference director for
MPLScon and runs The MPLS Resource Center www.mplsrc.com
Information Technology Professional's Resource Center www.itprc.com.
Please send any comments about this article to firstname.lastname@example.org
All Content Of This Site
Is Copyright 2000-2004 - ITPRC.COM