Industry welcomes next-gen TLS VPN

Despite being a slow starter, the TLS protocol is taking over for SSL as the de facto VPN technology. Experts offer insight into the benefits of TLS and how it's changing network security.

SSL, step aside. TLS has arrived.

While it's been slow to take center stage, Transport Layer Security (TLS) heralds a new generation of VPN technology, as it offers several advancements to its predecessor, Secure Sockets Layer (SSL).

The original version of SSL was developed in 1994 by Netscape Communications Corp. Two years later, the Internet Engineering Task Force (IETF) established the TLS Working Group to develop an advanced, non-proprietary VPN protocol. In 1999, the IETF published the first standard for TLS v1.0.

Even though it's been a sanctioned standard for several years, only recently have vendors started progressively integrating TLS into -- and phasing SSL out of -- network security products, Web browsers and other applications.

Similarities and differences

Robert Whiteley, an associate analyst at Cambridge, Mass.-based Forrester Research Inc., said TLS is widely referred to as "SSL v3.1" because it is basically the IETF standardization of the existing SSL v3.0 framework.

"In fact," Whiteley added, "I would lump TLS under the broader category of SSL VPN, as it uses all the same basic components."

According to Greg Romania, technical lead at the Herndon, Va.-based ICSA Labs, a subsidiary of TruSecure Corp. that focuses on security product certification, SSL and TLS are similar in that they are both used for confidentiality, authentication and message integrity. In addition, both protocols access the Internet through the port that encrypted Web pages use: TCP port 443.

SSL uses a private key to encrypt communication, unlike TLS, which uses digital certificates to encrypt data packets. However, Romania said, TLS contains a mechanism to allow a negotiation back to SSL v3.0 if TLS is not available on certain legacy systems.

Benefits of the advanced TLS VPN technology, according to Romania, include a wider range of connectivity speeds and an ease of network growth by adding and supporting newer protocols, such as the Advanced Encryption Standard (AES), a data encryption algorithm.

For more information

Read our exclusive: The next generation of SSL VPNs.

Check out our VPN crash course.

Whiteley said TLS doesn't have any downsides beyond those of any SSL VPN. He said SSL and TLS VPNs provide more access granularity, which is one of the major pluses, but that means additional cost and complexity on the management side.

Realities and advantages

Mignon Plyler, director of technology with Dallas-based Sherman Independent School District (SISD), which implemented TLS about a year ago, said the minimal TLS capital costs were worth the network's improved flexibility and security.

The SISD network connects more than 3,000 devices, and is used by approximately 6,400 students and employees.

Prior to installing Verizon Communications Inc.'s network-based TLS services, SISD utilized a transparent LAN Connect (TLC), a dual-ring topology that only delivered 10 Mbps to each location service.

Plyler said she and the district are pleased with the TLS service, which utilizes a Cisco Catalyst switched backbone to provide Gigabit Ethernet connectivity at all sites, as well as increased security and network reliability.

She added, "Our network has not been down since implementing the TLS service."

Dave Piscitello, president of Chester Springs, Pa.-based consultancy Core Competence Inc., said most browsers and SSL VPN appliances support TLS v1.0, so "there's really no business crisis over TLS versus SSL." Piscitello said this information can be verified by looking at a browser's security settings.

Romania said TLS is poised to serve as the new VPN technology, but a need to support SSL lingers.

"Since most new products are incorporating [TLS]," Romania added, "it's now just going to be a matter of upgrading old systems."

ICSA Labs, which tests the data confidentiality, authentication and integrity assurance of SSL and TLS products, has certified the following SSL-TLS products:

  • Array Networks' Array SP v7.1.0.24

  • Aventail Corp.'s EX-1500 SSL VPN appliance v7.02 patch 3

  • F5 Networks' FirePass 1000 and FirePass 4000 4.0.2

  • Fortinet Inc.'s FortiGate-60 v2.80 build 206,050131

  • Juniper Networks' NetScreen Instant Virtual Extranet Platform v4.1.1 build 6951

  • Netilla Networks Inc.'s Netilla Security Platform E-Class v4.0.2.1p2

  • NetScaler Inc.'s NetScaler 9400 v5.1 build 34.9

  • Nortel Networks' Nortel VPN Gateway 3050 v4.2.1.11

  • PortWise's AB PortWise mVPN v3.5.4

  • Whale Communications' e-Gap Remote Access v3.1.0.0 Build 48.
  • Dig deeper on Network Security Best Practices and Products

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchSDN

    SearchEnterpriseWAN

    SearchUnifiedCommunications

    SearchMobileComputing

    SearchDataCenter

    SearchITChannel

    Close