Choose the best SSL product for remote access


Dave Kosiur, Burton Group
04.08.2004

This article is excerpted from a Burton Group research report. The report, "The Changing Face of SSL-based Remote Access," is available with a license to Burton Group's Network and Telecom Strategies Service. Details about Burton Group's research and services are on www.burtongroup.com, or e-mail information requests to info@burtongroup.com.



Enterprises interested in deploying SSL-based products to secure remote access for road warriors or teleworkers should review available products with the following five issues in mind: application support, end-point security, management, scalability, and performance.

Application support is not a huge issue where only Web-based applications are concerned, since the current generation of SSL VPN products is good at handling Hypertext Transfer Protocol (HTTP) and embedded URLs (such as might be found in ActiveX or JavaScript). Support for other network applications, such as Citrix, e-mail clients, and applications using UDP, varies from product to product. Furthermore, vendors utilizing port redirection to handle non-Web applications may only handle applications that use static port assignments.

End-point security, whether the end point is the remote user's own computing device or an Internet kiosk, involves a number of factors, starting with removal of critical data (such as browser caches, autofill data, and usernames and passwords) upon termination of a session. As more applications are directed to SSL tunnels and a wider variety of data is transmitted, it also becomes important to verify the integrity of the user's computer. This is most often done by a security agent or probe that ensures that the proper versions of a personal firewall and virus scanner are running on the computer before any user applications are run over the SSL session. Support for these security agents is relatively new and varies from vendor to vendor. Also, not all agents are capable of supporting all of the personal firewall and virus scanning software currently on the market, so you'll need to compare your corporate standards with what the agents support.

Management of SSL VPNs is centered on two different aspects: controlling access to different applications and resources, and setting security policies for authorization based on the remote device and its capabilities. The first management task is a common one and is best handled using some form of group policy and objects that represent the resources. The second task, that of setting device-dependent security policies, is a relatively new feature offered by some of the SSL VPN vendors. It allows network administrators to define policies controlling access based on the functionality of the remote user's device. As an example, full access to a corporate data center might be granted when the user employs a corporate-owned laptop that includes a personal firewall and virus scanner, but only access to e-mail and a few corporate Web-based applications might be allowed when the user logs in via an Internet kiosk.
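The two management aspects above can be combined into one access decision: the user's group entitlement intersected with a ceiling set by the device's posture. The sketch below is an added example, not taken from the Burton Group report or from any vendor's product; the group names, resource names, and minimum agent versions are all constructed assumptions.

```python
from dataclasses import dataclass

# Corporate minimum versions for endpoint agents (constructed values).
MIN_VERSIONS = {"personal_firewall": (4, 0), "virus_scanner": (8, 1)}

# Aspect 1: group policy -> resources each user group may reach (constructed).
GROUP_RESOURCES = {
    "engineering": {"email", "intranet_web", "source_control", "file_shares"},
    "sales": {"email", "intranet_web", "crm"},
}

# Aspect 2: device tier -> ceiling on what any user may reach from that device.
TIER_CEILING = {
    "trusted": None,                          # None = no device-imposed ceiling
    "restricted": {"email", "intranet_web"},  # kiosk-style access
}

@dataclass
class Posture:
    corporate_owned: bool
    agents: dict  # agent name -> (major, minor) version reported by the probe

def device_tier(p: Posture) -> str:
    """Trusted only if corporate-owned and every required agent meets the minimum."""
    if not p.corporate_owned:
        return "restricted"
    for agent, minimum in MIN_VERSIONS.items():
        reported = p.agents.get(agent)        # a missing agent fails closed
        if reported is None or tuple(reported) < minimum:
            return "restricted"
    return "trusted"

def allowed_resources(group: str, p: Posture) -> set:
    """Intersect the group's entitlement with the device ceiling."""
    entitled = GROUP_RESOURCES.get(group, set())  # unknown group gets nothing
    ceiling = TIER_CEILING[device_tier(p)]
    return set(entitled) if ceiling is None else entitled & ceiling

# Constructed sample postures.
laptop = Posture(True, {"personal_firewall": (4, 2), "virus_scanner": (8, 1)})
stale = Posture(True, {"personal_firewall": (4, 2), "virus_scanner": (7, 9)})
kiosk = Posture(False, {})

if __name__ == "__main__":
    for name, p in [("laptop", laptop), ("stale AV", stale), ("kiosk", kiosk)]:
        print(name, device_tier(p), sorted(allowed_resources("engineering", p)))
```

A corporate laptop whose virus scanner is below the minimum version is treated the same as a kiosk, which is the fail-closed behavior to look for when evaluating a product's policy engine.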

As the number of remote users increases, the SSL VPN systems must be able to scale up to meet the needs of those users as well as the administrators. Some vendors support clustering of their devices to build systems that can scale with increasing numbers of users. We've already mentioned that some systems include some form of security policy management, but these systems differ in how they treat the creation of objects and their use of objects and policies, which can impact the scalability of the management system.

A related issue is performance. The cryptographic operations associated with SSL can be computationally intensive, so use of an SSL accelerator is mandatory. If content inspection and filtering at Layer 7 is important for added security, this may prove to be a bottleneck in some products. As we mentioned above, the ability to cluster multiple SSL appliances can increase performance.

