Know your SSL from your IPSec? Now you will...
Remotely accessing your systems is a common part of many working lives these days. Quocirca analyst Bob Tarzey explains what's good about some common virtual private network (VPN) technologies.
Before joining Quocirca I worked as an international sales rep, hawking US software products to prospects far and wide. The pressures of being in IT sales and working for US employers meant being online at all hours, wherever I happened to be: updating sales forecasts for top-heavy management teams, drumming up support from overworked research, support and marketing departments and, of course, keeping in touch with my partners, customers and prospects.
Ninety per cent of this time was spent sending and receiving email, the rest updating databases and (in more recent times) accessing the corporate intranet. To this end I lugged a notebook PC around the globe. Don’t get me wrong: to this day I admire the technology that is crammed into even the largest of notebooks, but along with the wires and accessories needed to make it fully functional, it was by far the heaviest item I had to carry.
Sure, technology has improved further. There are smaller (and more expensive) notebooks – generally requiring a doctor’s note citing a bad back to justify the additional expenditure – and, more recently, PDAs and smart phones, which are fiddly to use and pretty useless for functions other than email, such as report writing and running presentations.
Having lugged a notebook to the other side of the planet, there was then the problem of getting it connected. Dial-up from hotel rooms, if you had compatible adapters, was expensive and access spasmodic. (One former colleague carried a special kit with wire strippers and crocodile clips, which was supposed to guarantee dial-up access from anywhere.) OK – again there has been a lot of improvement in access options. We now have GPRS, dial-up via local access points and Wi-Fi hotspots, as well as IPSec VPNs, which provide access across any connection including third-party LANs (providing their firewalls are not too stringently configured).
But all this could be undermined at a stroke by two factors entirely outside my control, theft or malfunction, making my notebook a single point of failure. Fortunately I was never a victim of the former, although many colleagues were, but the latter regularly had me pulling my hair out, whether the fault lay in the hardware, the software or the connection. Once a problem had occurred it was generally terminal for the length of the trip – there was no way of getting back online without a return to HQ.
Then, a few years ago, came a glimmer of hope: the ability to access email over the internet from anywhere I could get to a web browser. Initially the user interface was crummy, and the capability provided was more the ability to see what I was missing than to actually keep up. I did not know it at the time, but what I was using was the precursor to what we now call SSL VPNs. Hooray – a dream come true. So what is so great about SSL VPNs?
First, I should distinguish them from their IPSec VPN cousins. IPSec VPNs require client software to be installed on the device from which the VPN is accessed, and a network connection to be established by dial-up, broadband or a third party’s LAN. This still requires a physical device to be carted around, and the problems of making connections, malfunction and so on still apply. An IPSec VPN connection is also all or nothing: once the connection is established, it is just as if you were actually sitting on the corporate LAN itself.
In contrast, SSL VPNs allow access from anywhere you can fire up a web browser. No client software is needed to make the connection, hence their alternative name, clientless VPNs. All you need do is enter the URL of your SSL VPN, and the browser communicates with an appliance sitting on your corporate network. Once you have jumped through the required hoops to identify yourself – which can be as stringent as required – you have access to any corporate resources you need. Well, almost any.
I say almost because this is one of the key features of SSL VPNs: they limit access not only on the basis of who you are, but also on where you are accessing from. A few examples should explain this further.
If I am sitting in my home office, with my corporate laptop accessing the internet via a broadband connection to my personal ISP, I can be considered to be in a pretty safe environment, and my full usual access rights can be enabled (providing the application I need either runs in a web browser or I have the appropriate application client software installed).
Alternatively, if I am using a public internet terminal in an airport lounge or internet café, the SSL VPN can identify this and limit my access to certain applications only – for example, just email, or sending updates to my sales forecast – which is probably all I want from such a machine anyway.
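The who-plus-where decision described above, as an added illustration in Python (not the column's own material, nor any vendor's product logic): the rule set, attribute names and application names are invented for the example. Location sets the ceiling on what can be reached, identity then narrows it, and the idle timeout shrinks with the trustworthiness of the terminal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset         # roles, e.g. frozenset({"sales"})
    managed_device: bool      # corporate laptop that passed the endpoint check
    network: str              # where the browser is: "corporate", "home_broadband",
                              # "partner_lan" or "public_terminal" (invented labels)
    auth_factors: int         # number of authentication factors presented

ALL_APPS = frozenset({"email", "intranet", "forecast", "crm"})

# Evaluated top to bottom; the first matching rule decides. Each entry is
# (predicate over the context, applications granted, idle timeout in minutes).
RULES = [
    (lambda c: c.network == "corporate" and c.managed_device, ALL_APPS, 60),
    (lambda c: c.network == "home_broadband" and c.managed_device
               and c.auth_factors >= 2, ALL_APPS, 30),
    (lambda c: c.network == "partner_lan" and c.managed_device,
     frozenset({"email", "intranet", "forecast"}), 15),
    # Unmanaged browser (airport lounge, internet cafe): strong authentication
    # buys only email and forecast updates, with an aggressive idle timeout.
    (lambda c: not c.managed_device and c.auth_factors >= 2,
     frozenset({"email", "forecast"}), 5),
]

def entitlement(ctx):
    """Return (granted apps, idle timeout in minutes); an empty set means no access.
    Only sales staff ever see the forecast and only CRM users ever see CRM,
    whatever the location rule allowed."""
    for predicate, apps, timeout in RULES:
        if predicate(ctx):
            granted = set(apps)
            if "sales" not in ctx.groups:
                granted.discard("forecast")
            if "crm_users" not in ctx.groups:
                granted.discard("crm")
            return frozenset(granted), timeout
    return frozenset(), 0

def authorize(ctx, app):
    """True if this user, from this place, may open this application."""
    return app in entitlement(ctx)[0]

def session_expired(idle_minutes, ctx):
    """Idle-timeout check: the same user is cut off sooner on a public terminal."""
    timeout = entitlement(ctx)[1]
    return timeout == 0 or idle_minutes >= timeout
```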
This so far selfish review of the advantages of SSL VPNs has ignored the wider benefits. Anyone can be granted access to the relevant applications and information with ease: home workers to email and databases, customers to extranets, system integrators to knowledge bases, partners to sales forecasts. The list is as long as your imagination. Sharing information between businesses in this way has been possible before, but SSL VPNs make it simple to deploy and control.
The market for SSL VPNs is maturing rapidly. Initially the technology was available from specialists such as Aventail, Netilla and Whale Communications, who still maintain their independence. But the big players have become interested and have either been developing their own SSL VPN capability or buying it. Among the networking and firewall vendors, F5 Networks and NetScreen have both acquired specialists. Check Point, Cisco and Nokia are developing new solutions in-house, which currently have more limited functionality than the specialists’ products; Nokia’s NSAS is the most advanced of these.
I can’t think of too many drawbacks. Getting access to a web browser is easy enough these days. Users need to be educated about the security risks; the better products have intelligent timeout capabilities that detect a lack of user activity. Presentations can be run across the SSL VPN (guaranteed up to date?) or carried to a customer site on a USB memory stick.
For a travelling salesman, not having a notebook in the field does have disadvantages. Reports and proposals are harder to prepare, though a hotel’s or partner’s PC can usually be pressed into service. But at least on their return to the office they won’t have backache.