SSL, step aside. TLS has arrived.
While it's been slow to take center stage, Transport Layer Security (TLS) heralds a new generation of VPN technology, as it offers several advancements over its predecessor, Secure Sockets Layer (SSL).
The original version of SSL was developed in 1994 by Netscape Communications Corp. Two years later, the Internet Engineering Task Force (IETF) established the TLS Working Group to develop an advanced, non-proprietary VPN protocol. In 1999, the IETF published the first standard for TLS v1.0.
Even though it's been a sanctioned standard for several years, only recently have vendors started progressively integrating TLS into -- and phasing SSL out of -- network security products, Web browsers and other applications.
Similarities and differences
Robert Whiteley, an associate analyst at Cambridge, Mass.-based Forrester Research Inc., said TLS is widely referred to as "SSL v3.1" because it is basically the IETF standardization of the existing SSL v3.0 framework.
"In fact," Whiteley added, "I would lump TLS under the broader category of SSL VPN, as it uses all the same basic components."
According to Greg Romania, technical lead at the Herndon, Va.-based ICSA Labs, a subsidiary of TruSecure Corp. that focuses on security product certification, SSL and TLS are similar in that they are both used for confidentiality, authentication and message integrity. In addition, both protocols use the same port as encrypted Web pages: TCP port 443.
SSL uses a private key to encrypt communication, unlike TLS, which uses digital certificates to encrypt data packets. However, Romania said, TLS contains a mechanism to allow a negotiation back to SSL v3.0 if TLS is not available on certain legacy systems.
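The fallback Romania describes is visible in the very first handshake message: the client advertises the highest version it supports, and a legacy client that only speaks SSL v3.0 sends version 3.0 where a TLS client sends 3.1 (hence "SSL v3.1"). As an added example, not from the article or from ICSA Labs, the Python below constructs sample ClientHello records and parses their version fields so that such legacy offers can be flagged when monitoring port 443 traffic; the cipher-suite value is the real TLS_RSA_WITH_AES_128_CBC_SHA identifier, everything else is constructed sample data.

```python
import struct

# Wire-format version numbers: TLS 1.0 is literally version 3.1, one minor
# step above SSL 3.0, which is why the article calls it "SSL v3.1".
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HANDSHAKE = 22      # record-layer content type
CLIENT_HELLO = 1    # handshake message type


def build_client_hello(major: int, minor: int) -> bytes:
    """Construct a minimal ClientHello record (sample data, not captured traffic)."""
    body = bytes([major, minor]) + b"\x00" * 32   # highest offered version + 32-byte random
    body += b"\x00"                                # empty session id
    body += b"\x00\x02\x00\x2f"                    # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                            # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def parse_hello_versions(record: bytes) -> dict:
    """Return the record-layer version and the client's highest offered version
    from a ClientHello record, flagging a client that cannot go beyond SSL 3.0."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hello_ver = (body[4], body[5])   # version follows the 1-byte type and 3-byte length
    return {
        "record_version": VERSION_NAMES.get((rec_major, rec_minor), f"unknown {rec_major}.{rec_minor}"),
        "client_version": VERSION_NAMES.get(hello_ver, f"unknown {hello_ver[0]}.{hello_ver[1]}"),
        "legacy_ssl3": hello_ver == (3, 0),
    }


def count_legacy_hellos(records: list) -> int:
    """Count ClientHellos in a batch whose highest offered version is SSL 3.0."""
    return sum(1 for r in records if parse_hello_versions(r)["legacy_ssl3"])


if __name__ == "__main__":
    sample = [build_client_hello(3, 0), build_client_hello(3, 1), build_client_hello(3, 3)]
    for rec in sample:
        print(parse_hello_versions(rec))
    print("legacy SSL 3.0 hellos:", count_legacy_hellos(sample))
```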
Benefits of the advanced TLS VPN technology, according to Romania, include a wider range of connectivity speeds and easier network growth, since newer protocols and algorithms, such as the Advanced Encryption Standard (AES) data encryption algorithm, can be added and supported.
Realities and advantages
Mignon Plyler, director of technology with Dallas-based Sherman Independent School District (SISD), which implemented TLS about a year ago, said the minimal TLS capital costs were worth the network's improved flexibility and security.
The SISD network connects more than 3,000 devices, and is used by approximately 6,400 students and employees.
Prior to installing Verizon Communications Inc.'s network-based TLS services, SISD utilized a transparent LAN Connect (TLC), a dual-ring topology that delivered only 10 Mbps to each location.
Plyler said she and the district are pleased with the TLS service, which utilizes a Cisco Catalyst switched backbone to provide Gigabit Ethernet connectivity at all sites, as well as increased security and network reliability.
She added, "Our network has not been down since implementing the TLS service."
Dave Piscitello, president of Chester Springs, Pa.-based consultancy Core Competence Inc., said most browsers and SSL VPN appliances support TLS v1.0, so "there's really no business crisis over TLS versus SSL." Piscitello said this information can be verified by looking at a browser's security settings.
Romania said TLS is poised to serve as the new VPN technology, but a need to support SSL lingers.
"Since most new products are incorporating [TLS]," Romania added, "it's now just going to be a matter of upgrading old systems."
ICSA Labs, which tests the data confidentiality, authentication and integrity assurance of SSL and TLS products, has certified the following SSL-TLS products: