SSL VPN gateways: a new approach to secure remote access.


Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) are quickly gaining popularity as serious contenders in the remote-access marketplace. Analysts predict that products based on SSL VPN technology will rival--or even replace--IP Security Protocol (IPSec) VPNs as remote-access solutions. A number of factors are fuelling the dramatic demand for SSL VPNs, including:

   Government mandates--such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States--that are driving key industry segments to protect the privacy of distributed electronic information.

   The increasing use of extranets--granting non-employees and business partners secure access to internal networks--which have become a "must have" requirement of conducting business.

   Increased demand by employees for flexible working options that enable home working--a trend fuelled by governmental regulations such as the Flexible Working Act in Great Britain that require employers to make reasonable accommodations for working parents of young children.


It's not surprising that SSL VPNs are benefiting from these developments. SSL VPNs are uniquely suited to meet the diverse remote-access needs of today's enterprise, with their low costs, application access flexibility, high security, and overall simplicity.

Traditional Solutions Fall Short

Until recently, VPNs based on the IPSec protocol have been seen as the logical choice for providing secure network connectivity beyond the firewall. IPSec VPNs leverage the Internet as an "always on," ubiquitous data-transfer bridge, eliminating "private" network access costs, such as leased lines, Asynchronous Transfer Mode (ATM), or frame relay. IPSec VPNs offer a less-expensive alternative to dedicated networks, and have proven well suited for secure, on-demand point-to-point connectivity over the Internet.

However, remote-access IPSec VPNs bring security at a high price. Distributing IPSec clients to remote machines and configuring them for access is challenging, especially when the Information Technology (IT) department does not have easy access to remote computers. Further, because they operate at the network level, IPSec VPNs effectively provide the remote personal computer (PC) with full network visibility, as if it were a computer located on the corporate local area network (LAN). Policy enforcement and security controls cannot be easily applied in this model. For these reasons, remote-access IPSec VPNs typically result in a high total cost of ownership (TCO), especially when compared to SSL VPNs.

SSL VPNs: Application Gateways for the Enterprise

The modern enterprise network is a dynamic environment. Inevitably, corporations deploy an ever-changing variety of applications for a diverse community of users. These heterogeneous data centers may comprise legacy and client/server applications on Windows Terminal Servers, UNIX/Linux servers, or mainframes and AS/400 machines, as well as Web applications that reside on intranet Web servers.

Historically, opening up this complex realm to remote partners, suppliers, and employees, while ensuring network protection, has been one of the great hurdles to a successful remote-access deployment. As a result, enterprises are turning towards SSL-based VPNs to satisfy the demands of today's more heterogeneous enterprise networks. Today's leading SSL VPNs take this approach one step further, by consolidating three application-access technologies into a single application-layer gateway device:

   Clientless, browser-based access to remote legacy applications

   Secure intranet access to Web-based applications and portals

   Desktop access for client/server applications over SSL tunneling


Clientless Access to Legacy Applications

While the number of Web-based intranet applications is certainly growing within the enterprise, non-Web-enabled, legacy applications--those residing on centralized Windows, UNIX/Linux, mainframes and AS/400 machines--still form the vital core of enterprise applications in use today. For IT managers seeking to provide secure remote access, the challenge is to leverage these crucial legacy applications in a simple way that provides the same on-demand access to centralized information as their Web-enabled counterparts. Some SSL VPN appliances solve this dilemma by providing clientless, remote access to legacy applications through the incorporation of Web-enabling technology directly within the platform. This integrated approach eliminates the need for enterprises to deploy and maintain server-based "middleware" and associated remote-access clients. In this model, both the client and server portions of an application are centrally hosted in the corporate data center. The advantage of this approach is that end users need only a browser to access these remotely located applications; no additional software or configuration of the remote computer is needed.

An SSL VPN appliance makes client/server applications available to remote users through the Web, allowing companies to leverage their existing legacy application infrastructure without costly application re-development or installing and configuring remote PCs. Any program, running on any platform--Windows, UNIX and Linux, or 3270 mainframe and 5250 AS/400--can thus be made easily available to remote users.

In this application-layer access model, the SSL VPN gateway uses a built-in screen-scraping protocol that splits the emulation and display processing so that only the application's display is sent to the remote user's Web browser. The gateway supports this capability through a browser enhancement (a small Java applet) that is downloaded to the user's browser upon the first login. As a result, the user experiences the application with optimal performance over any connection, just as if the application were installed and running on the user's local machine.

Secure Intranet Access to Web-based Applications and Portals

Even as they continue to rely on legacy applications as part of their application strategy, enterprises are also developing applications intended for direct Web browser access. These may be "Webified" versions of legacy applications such as Microsoft Outlook, or proprietary intranet applications. However, sharing such information over the Web can lead to security risks that must be carefully addressed. IT departments given the task of extending Web-based applications to remote users and business partners face significant challenges. For example, Web-enabled resources typically reside on a company's secure intranet, and use internal Domain Name System (DNS) names that cannot be resolved by the public Internet. Leading SSL VPN appliances, however, overcome these obstacles and can safely extend these intranet resources to authorized users. This is accomplished by providing clientless, browser-based access to Web-based resources using HyperText Transfer Protocol (HTTP) reverse-proxy technology. Unlike a forward proxy, which operates between a corporate intranet user and an Internet Web site, a reverse proxy operates between a remote user on the Internet and an enterprise Web site. With this approach, a single point of entry over the Internet--the SSL VPN gateway--lets remote users access back-end Web servers securely through a Web browser.

This approach delivers fast, secure, on-demand access to Web-based information, with a highly scalable solution that can easily grow to authorize users on a global scale. The security benefits are clear: corporate Web servers remain safe behind the firewall, in a highly secure portion of the private network, without the cost and maintenance of locking each server down for public access. Additionally, administrators gain granular access control to directories, servers, and paths on a user or group basis.
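To make the reverse-proxy model concrete, here is an added Python example (not code from the article or from Netilla's product) of the two jobs such a gateway does for browser traffic: mapping a public path on the gateway to an internal origin that only the corporate DNS can resolve, and rewriting links in returned pages so the browser keeps addressing the gateway. The host names (vpn.example.com, wiki.intranet.corp, hr-portal.intranet.corp) and the route table are constructed for the example; the path is normalised before it is matched, so a request such as "/app/wiki/../hr" is routed and policed as the HR resource rather than slipping through under the wiki route.

```python
import posixpath
import re

# Assumed public name of the gateway (constructed for this example).
GATEWAY_HOST = "vpn.example.com"

# Constructed route table: public path prefix on the gateway -> internal origin.
# The internal names resolve only on the corporate DNS; the remote browser never
# needs to resolve them because every request terminates at the gateway.
ROUTES = {
    "/app/wiki": "http://wiki.intranet.corp",
    "/app/hr": "https://hr-portal.intranet.corp:8443",
}

# Longest prefix first so a short route cannot shadow a more specific one.
_ORDERED_ROUTES = sorted(ROUTES.items(), key=lambda kv: len(kv[0]), reverse=True)

# Absolute http(s) URL up to the first whitespace or HTML delimiter.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def route_request(public_path):
    """Return the internal URL for a path requested on the gateway, or None
    if the path is not published. The path is normalised before matching so
    that "/app/wiki/../hr" is routed (and policed) as "/app/hr", not as part
    of the wiki route."""
    path = posixpath.normpath(public_path)
    if not path.startswith("/"):
        return None
    for prefix, origin in _ORDERED_ROUTES:
        if path == prefix or path.startswith(prefix + "/"):
            return origin + (path[len(prefix):] or "/")
    return None


def rewrite_links(html):
    """Rewrite absolute links to internal origins into gateway URLs so the
    browser keeps talking to the gateway and internal host names never leak
    into the response the remote user sees."""
    def replace(match):
        url = match.group(0)
        for prefix, origin in _ORDERED_ROUTES:
            if url == origin or url.startswith(origin + "/"):
                return "https://" + GATEWAY_HOST + prefix + url[len(origin):]
        return url  # links to anything else are left alone
    return _URL_RE.sub(replace, html)
```

A request for "/admin", which no route publishes, returns None and is refused at the gateway; the corresponding server is never contacted, which is the "single point of entry" property the section describes.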

Desktop Application Access: Client/Server over SSL Tunneling

The two clientless remote access methods described above meet the access needs of most remote users. However, some end-users may need to use local client/server applications, such as email or Customer Relationship Management (CRM) programs, already installed on their computers. These are typically local applications that exchange data with backend host servers, while also supporting offline usage (an example is Microsoft's Outlook client and Exchange server for email). These applications often reside on company-owned computers that are managed by MIS staff. In these cases, a network-layer type of access somewhat similar to IPSec VPNs is appropriate. This can be provided via SSL tunneling technology.

SSL Tunneling: The Technology and its Benefits

Typically, desktop application access via an SSL tunnel is supported through a VPN adapter that is downloaded and installed the first time a user logs into the remote-access system for client/server access. The virtual adapter negotiates the secure SSL tunnel via the user's Web browser. No changes to the client/server application itself are required; if the network administrator has authorized an application for a user, that application can be used over the SSL tunnel, without needing special configuration or help-desk intervention. Leading SSL VPN gateways are well-suited for these desktop client/server arrangements--and provide key benefits over an IPSec approach:

Policy and Network Security: The Application Layer Proxy

When supporting clientless access to legacy applications and operating as an HTTP reverse proxy for Web applications, SSL VPN gateways can deliver their rich set of application-access modes as a true application-layer proxy. SSL VPNs are so-called because they operate at layer seven--the application layer--of the Open Systems Interconnection (OSI) model. IPSec VPNs, by comparison, operate at the network layer. Operating at the application layer provides visibility into application data, affording network administrators new opportunities to enforce security policy before the user's traffic reaches the application server at the data center. In this way, certain SSL VPN solutions can implement dynamic policy-based access to application resources from a single point of administration. The SSL VPN gateway protects these internal resources by "intermediating" the connection between remote-client requests and server-based applications, terminating incoming connections from the remote user at the application layer. Once the incoming request is terminated (the "termination gap"), the appliance processes and translates the data to the appropriate backend application protocol such as:

   Remote Desktop Protocol (RDP) for Windows applications residing on Windows Terminal Servers

   X.11 over SSH for UNIX or Linux applications

   3270 over Telnet for mainframe and AS/400 applications

   HTTP/HTTPS for Web servers


The Termination Gap: Enforcing Policy at the Network Edge

During an SSL VPN gateway's "termination gap"--the point between terminating and translating incoming data--a unique opportunity exists to poll external authentication and policy servers, such as Active Directory or Lightweight Directory Access Protocol (LDAP), and to check user credentials in order to authorize specific application access. By analysing terminated-application information and enforcing the appropriate security policy, the NSP acts as a secure sentry between the public Internet and the enterprise network.

This scenario illustrates an application-layer VPN in action--the user messages are not sent directly to the application server on the private network, but rather terminated by the SSL VPN gateway, processed with policy and security, translated to the appropriate back-end protocol, and transmitted via a new connection to the application server. The gateway enforces authentication and policy before allowing the data streams to reach the application server, protecting private network resources in a uniquely effective way unmatched by traditional remote-access solutions. Today's premier SSL VPN gateways consolidate key security features into a unified, hardened appliance. Security elements including authentication, policy, and encryption are bundled into the platform for fast and reliable deployment. The result is a low-maintenance, easily managed solution whose rich feature set cannot be matched by other integrated VPN offerings.
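As an added illustration (not the article's or Netilla's code), the following Python model walks a request through the termination gap described in this section and the previous one: the SSL session has already been terminated, so the gateway looks up the session, polls a directory for the user's groups, applies the resource policy, and only then builds the new back-end connection in the resource's own protocol (RDP, X11 over SSH, 3270 over Telnet or HTTP). The directory, session table, resource catalogue and internal host names are constructed for the example, and the directory lookup is an in-memory dictionary standing in for an LDAP or Active Directory query.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for an Active Directory / LDAP directory: user -> groups.
DIRECTORY = {
    "alice": {"finance", "staff"},
    "bob": {"contractor"},
}

# Constructed session table: tokens the gateway issued at SSL login -> user.
SESSIONS = {"tok-alice-1": "alice", "tok-bob-7": "bob"}

# Constructed catalogue of published resources. Each names the back-end protocol
# the gateway speaks on the user's behalf (with an internal host and port that
# only the gateway can reach) and the groups allowed to use it.
RESOURCES = {
    "erp":      {"backend": ("rdp", "ts01.corp.internal", 3389), "allow": {"finance"}},
    "cad":      {"backend": ("x11-over-ssh", "unix02.corp.internal", 22), "allow": {"engineering"}},
    "ledger":   {"backend": ("tn3270", "mainframe.corp.internal", 23), "allow": {"finance"}},
    "intranet": {"backend": ("http", "www.corp.internal", 80), "allow": {"staff", "contractor"}},
}


@dataclass
class Decision:
    allowed: bool
    user: Optional[str]
    reason: str
    backend: Optional[Tuple[str, str, int]] = None


def terminate_and_authorize(session_token, resource):
    """Policy check performed in the termination gap, before any back-end
    connection exists. Every failure path denies: an unknown token, a user
    missing from the directory or an unpublished resource all fall through
    to a refusal rather than to the application server."""
    user = SESSIONS.get(session_token)
    if user is None:
        return Decision(False, None, "no valid session")
    groups = DIRECTORY.get(user)  # the directory poll
    if groups is None:
        return Decision(False, user, "user not in directory")
    res = RESOURCES.get(resource)
    if res is None:
        return Decision(False, user, "unknown resource")
    if not (groups & res["allow"]):
        return Decision(False, user, "group policy denies access")
    # Only now does the gateway open a *new* connection, in the back-end's
    # own protocol; the user's SSL stream never touches the server directly.
    return Decision(True, user, "ok", res["backend"])


def audit_line(resource, decision):
    """One log line per decision, so denials at the edge are visible to
    whoever watches the gateway."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    target = "%s://%s:%d" % decision.backend if decision.backend else "-"
    return "%s user=%s resource=%s backend=%s reason=%s" % (
        verdict, decision.user or "-", resource, target, decision.reason)


if __name__ == "__main__":
    for token, resource in [("tok-alice-1", "erp"), ("tok-bob-7", "erp"),
                            ("tok-bob-7", "intranet"), ("forged", "intranet")]:
        print(audit_line(resource, terminate_and_authorize(token, resource)))
```

The ordering is the point: identity and policy are settled while the only connection that exists is the one the gateway already terminated, so a denied request produces an audit line and nothing else.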

Ken Araujo is Chief Technology Officer and Senior Vice President of Engineering at Netilla Networks, Inc. www.netilla.com, a provider of SSL VPN solutions. He can be reached at ken-araujo@netilla.com
COPYRIGHT 2003 A.P. Publications Ltd.
Article Details
Author: Araujo, Ken
Publication: Database and Network Journal
Date: Dec 1, 2003
Words: 1786


