Understanding SSL VPN
by Bhaven Haria, CISA | Discuss this article »» (4)
What if you are sitting in a hotel room, hundreds of miles away from your office and you need to access the intranet portal of your company? One of the solutions is to publish this portal on the web, so that all employees can access this application from anywhere. But often, there are multiple intranet applications used by different business groups of the company. Publishing all these applications directly on the web can expose the company to multiple security risks as they become accessible to everyone on the Internet. In addition, some of the applications may not be web-based.
The most common practice adopted by enterprises in such a scenario is to use a Virtual Private Network (VPN) . The two most used forms of VPNs are IPSEC VPN and SSL VPN. In this article, we will discuss the working of SSL VPN, its key advantages and few concerns about it.
What is "SSL VPN"
In a nut shell, Virtual Private Network (VPN) is a technology that allows creating a private or secure network over the public network, such as Internet. This is achieved by establishing a secure tunnel between the user’s machine and the enterprise network after authenticating the user. This enables the enterprises to provide access to the internal network for mobile employees without compromising on security. Secure VPN are one type of VPNs that use tunneling protocols with cryptographic capabilities. Secure Socket Layer (SSL) is one such protocol that is used to provide confidentiality and authenticity while communicating over Internet. As the name indicates, SSL VPN uses SSL protocol to secure the VPN tunnels.
How SSL VPN Works
Figure 1. SSL VPN setup of ABC Company
Figure 1 shows an SSL VPN setup of some ABC Company. myvpn.abc.com is an SSL VPN Gateway, which means, all the VPN connections from the internet will be accepted by this gateway, which in turn initiate connections to the internal application servers. Firewall-A protects the internal application servers and it allows connections only from SSL VPN gateway on the required application services. Firewall-B is the outside firewall and it is configured to allow any internet machine to connect to SSL VPN Gateway on SSL protocol (TCP/443). The purpose of this SSL VPN infrastructure is to provide secure access of application servers to the mobile employees of the company over internet.
Let’s consider John is a sales executive of this company who is currently out of office. John has access to internet and wants to access the web-based sales portal on the company’s intranet.
In order to connect to the intranet portal, John opens his internet browser and types https://myvpn.abc.com and connects to SSL VPN gateway. John is asked to provide his username and password by the gateway. Upon successful authentication, the gateway provides him the list of applications, which sales executives of the company need to access. John clicks on the sales portal application from the provided list. At the same time, gateway initiates connection to internal sales application server through firewall-A. When gateway receives response from the application server, it encapsulates that response with SSL and sends it over the connection established by John. Thus, the SSL VPN tunnel gets established between SSL VPN gateway and John’s machine. The key point here is that the SSL tunnel exists only upto the SSL VPN gateway and not up to Application Server.
While this mechanism works well for Web traffic, different SSL VPN vendors have used different approaches of implementation for non-web traffic. Let’s look at two of the most commonly used approaches.
Forwarding of Traffic sent to specific ports
The SSL VPN gateway transfers a script or an applet to the user’s machine that makes it to listen for requests to specific IP addresses and TCP/UDP ports, and when such requests are made, it intercepts them. It sends the contents of requests to the SSL VPN gateway via SSL VPN tunnel, after which SSL VPN gateway resends those requests to the actual destination on the internal network.
Establishing Network Connectivity over SSL
In order to establish the connection, the SSL VPN gateway transfers a small program (typically an ActiveX Control or Java applet) to the user’s machine and thereby creates a virtual network adapter on the user’s machine. It then assigns the user’s machine a private IP address and uses the SSL tunnel to establish a network connection between the company’s internal network and the user’s machine.
Figure 2. SSL packet with additional headers
As shown in figure 2, the packet created (by virtual network adapter) is encrypted using SSL and encapsulated by new headers and then sent over the public network,
Using SSL VPN for non-web traffic, users can access network shares, remote desktop and administrators can use SSH or telnet over SSL to manage their systems remotely.
While discussing the pros and cons of SSL VPN, we mainly compare it with the other predominant VPN technology, which is IPSEC (IP Security) VPN. IPSEC is an encryption protocol that works at the network layer.
- Unlike IPSEC VPN, SSL VPN doesn’t require installation and configuration of client software at the user end. You just need an internet browser to use SSL VPN. This in turn provides flexibility to use SSL VPN from any platform - Mac OS X, Windows, UNIX or any device like PC, Web-enabled phones, PDAs, etc.
- SSL VPN solutions provide granular access control for the application. One can define which user groups have what level of access on which all applications.
- SSL uses TCP port 443, which is normally already opened on the firewall. It also helps remote users when they are sitting behind other company’s firewall. IPSEC uses specific UDP ports; If not in use, these ports are blocked by the firewall.
- If SSL VPN is configured for non-web traffic, Viruses and Worms may infect the company’s internal network from an insecure public terminal.
- Third party searching tools (like Google desktop) cache the web pages served by SSL VPN gateway. This poses a serious security concern even for the people using SSL VPN, which erases temporary data after the completion of each SSL VPN session. Data cached by search tools - and index information created by such tools may persist in the search engine’s proprietary data stores.
- Hackers may bridge to corporate network through the SSL VPN user’s machine.
- SSL VPN: Understanding, evaluating and planning secure, web-based remote access - ISBN: 1904811078
- SSL Remote Access VPNs: Is this the end of IPSEC?