SSL VPN: IPSec Killers or Overkill?

By J. Conover

SSL VPN (secure sockets layer virtual private network) vendors are introducing features that directly compete with traditional IPsec VPNs. SSL VPNs have certain advantages over IPsec solutions, but some SSL VPN vendors are reinventing the wheel with network-layer SSL VPN gateways.

Issue

SSL is pervasive desktop technology used to secure internet traffic, and is present in every browser. SSL VPNs have been available for several years, but the market for SSL VPN appliances has been set on fire in the last 18 months by a new generation of low-cost purpose-built appliances, lead by competitors such as Neoteris, Nortel, and Aventail. These products were initially positioned as complementary solutions to full-fledged IPSec VPNs, providing carefully policed application-level access to specific internal enterprise applications in a clientless fashion. The latest trend in SSL VPN appliances is to provide full network-layer access over SSL using a pair of appliances or an appliance and a ‘web deployed SSL VPN agent’. Aventail and Neoteris are the latest vendors to announce support for full network-layer access via SSL. Does this technology compromise the very advantages that SSL VPNs provide, and are these vendors re-inventing the IPsec wheel by creating a network-layer SSL VPN connection?

Analytical Summary

Network layer SSL VPN vendors are confusing and misleading customers with their attempts to position network layer SSL VPNs as the best of both virtual private network worlds. SSL VPNs and IPSec VPNS were developed to address distinct security concerns in different environments. Clumsily combining application layer and network layer VPNs together in an SSL VPN weakens both technologies. SSL VPNs are emerging as a viable alternative to full blown VPNs, and are particularly suited to mobile workers and extranet applications where secure, controlled access to a specific set of applications is required. When used in this fashion, SSL VPNs are easier to deploy and maintain than traditional IPsec VPNs. However, when network layer access is granted via an SSL connection, all of the security and control advantages of an SSL VPN are lost. Network layer access via an SSL VPN compromises the security benefits of that SSL VPN. SSL VPN vendors claim that Network Layer access can be achieved using a small-footprint downloadable Active-X or Java application. But IPSec VPN vendors have proven that OS level support is necessary to fully enable complex applications across a secure tunnel. Full network access is the domain of the IPsec VPN. Web based clientless access and thin-client proxy access to specific applications is best handled by SSL VPNs. Both access technologies have distinct and separate markets, and it is the responsibility of the SSL VPN vendors to ensure that SSL VPN technology is not compromised by overambitious desire to capture IPsec marketshare.

Perspective

SSL VPNs leverage the pervasive nature of the browser-integrated SSL client to provide secure, clientless access to internal corporate resources. SSL VPN technology is the killer solution for providing application access outside the corporate firewall. A flood of new products built on existing web switching platforms has created a distinct new competitive market for SSL based remote access.

In the last year, vendors have evolved SSL VPN technology to encompass far more than just web-based applications. Today’s SSL VPN products can securely deliver thin, web delivered applications and fat-client productivity tools, including Microsoft Outlook, Lotus Notes, and Citrix. Unfortunately, these fat applications are not natively SSL enabled. To accommodate these clients, SSL VPN vendors developed small client-side JAVA and ActiveX clients which intercept and forward traffic on behalf of the fat client. SSL VPN vendors continue to call this clientless access, when in reality, they have deployed a thin client for encapsulating native traffic application traffic inside SSL tunnels.

SSL VPNs greatly reduce the administrative burden of remote access, because unlike IPsec VPNs, only specific applications are permitted across the SSL VPN, reducing the potential for unauthorized network intrusions. SSL VPNs offer many technical and security advantages over IPSec VPNs. SSL is integrated in every desktop, handheld, and kiosk. Tunneling applications through SSL eliminates additional holes in the corporate firewall, reducing security risks. SSL is easier to deploy than IPsec, because many corporate firewalls already pass SSL traffic to support e-commerce. SSL traffic can seamlessly pass through Network Address Translation (NAT), where IPsec requires special handling. Most importantly, SSL VPNs give the administrator per-user access control to a strictly specified list of applications. All of these advantages translate to better security and lower total cost of ownership.

When SSL VPN vendors introduce support for network-layer access, as several have already done, all of the security advantages of SSL VPNs are flushed down the toilet. Because SSL VPNs can be initiated from nearly any client, there is a high of network contamination from Trojan horses, viruses, and malicious code on an unknown, unprotected workstation. This risk typically does not exist with IPsec VPNs, because the network administrator often has tight control over the workstation where the IPsec client is installed. IPsec clients also provide driver level client integration, ensuring more complex applications such as Microsoft Netmeeting function flawlessly. Browser-downloadable SSL VPN clients cannot achieve this level of integration. SSL VPN vendors will find themselves in a quandary when their network-layer access fails to provide the same functionality as an IPsec VPN.

SSL VPNs and IPSec VPNS were developed to address distinct security concerns in different environments. Clumsily combining application layer and network layer VPNs together in an SSL VPN weakens both technologies, and creates a network security liability. Customers evaluating secure remote access technologies should be advised that network layer SSL VPNs present a risk to their network, and should question vendors about how they address the threats of viruses, Trojan horses, and other malicious code on the remote host system when providing SSL-based VPN access from unknown hosts. Better yet, customers should stick with IPSec for network layer access, and use SSL VPNs to solve the application layer access problems SSL VPNs were created to address.

Recommended Vendor Actions

• Vendors offering SSL VPN products should be sure to educate and caution customers about the liabilities of deploying network layer access when application layer access is sufficient, particularly if network layer access is granted from untrusted machines.
• Vendors should add safeguards to their products to ensure that administrators fully intend to offer network layer access through an SSL VPN.
• Vendors should add additional security health checks to the client side component of network-layer SSL VPNs to prevent potentially harmful network contamination by viruses and Trojan-like programs that might be present on the remote client machine.
• IPsec VPN vendors should develop “lightweight” IPsec clients that can be web-deployed to simplify IPsec based network-layer access.

Recommended User Actions

• Customers with an existing IPsec VPN should not be evaluating SSL VPNs as a replacement for network layer access, unless the majority of remote access users do not require network layer connectivity.
• Customers that do deploy network-layer SSL VPNs should add additional security safeguards to exposed networks to ensure that untrusted client workstations do not accidentally contaminate vital corporate resources.
• Customers should evaluate SSL VPN solutions to determine which vendors provide the most client-side security mechanisms, whether through internal technology, or via tie-in to external applications such as personal firewall validation, anti-virus software validation, and Windows Update verification.
• Customers can use SSL VPNs without deploying the network-layer access model to significantly reduce the security threat and complexity of managing a traditional IPsec VPN.