But this is a double-edged sword. Access from anywhere requires security from everywhere. The primary benefit of SSL VPNs, anywhere access for anyone, is also their main drawback, because it creates new security risks. Your employees, business partners and customers are now accessing e-mail, files and financial forms from Internet kiosks and other locations not under your control. You no longer want that extension cord into your network, but you still want to provide specific access to particular applications. To ensure security when dealing with untrusted users and untrusted endpoints, you must now go to the application level. Application-aware SSL VPNs mitigate the risks while harnessing the benefits.
Relative to the world of networking, the world of applications is a jungle. Networking adheres to commonly accepted rules: there is RFC compliance for how to handle data, how to pass packets on a network, and so on. An IPsec vendor, creating a network extension from the LAN, has
The consequence is idiosyncratic behavior that creates a "Wild Wild West" when it comes to accessing applications remotely. An application viewed from one machine may look different on another. Likewise, the same application may leave a different footprint on one machine than on another. The application itself, or at least its data, may be so critical that you want no footprint left behind on the machine at all.
Access to the application also requires a level of control over users, identifying who they are and where they are coming from, since they have stepped over the line of network control that tethers the user to your policy. The challenge, then, is to look beyond the world of networking and find a way to handle the applications themselves. While SSL VPNs offer this untethered access, the critical component of any secure and controlled SSL VPN implementation becomes true application awareness.
By being aware of the applications, administrators can employ a solution that provides a way to harness and manage the access to the application. It gives them a means to:
- Identify who is accessing what application
- Control what application information is presented to the user at the remote location
- Determine how the user is able to interact with the application (what parts of the application they can access)
- Secure the connection from the client machine back to the application
- Avoid having users leave traces of the application and its access on the client machine
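The five capabilities above amount to a policy decision the gateway makes on every request: who the user is, which application and which part of it they are asking for, what kind of endpoint they are on, and what the response may leave behind. The following Python model is an added illustration of that decision logic, not code from the article or from Whale Communications. The identity store, the per-application policy table, the "managed" versus "kiosk" endpoint classification and the users alice, bob and carol are all constructed sample data; a real gateway would take these from its directory, its policy engine and its endpoint check.

```python
"""Model of an application-aware SSL VPN gateway's access decision.

Added example, not vendor code. All users, roles, applications and the
endpoint classification below are constructed sample data (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Result of an assumed endpoint check: 'managed' corporate PC or 'kiosk'."""
    kind: str


@dataclass(frozen=True)
class Request:
    user: str
    app: str          # application name, e.g. "files"
    action: str       # what the user wants to do with it, e.g. "read"
    endpoint: Endpoint


# Constructed policy: application -> role -> actions that role may perform.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "email":   {"employee": {"read", "download", "send"}, "partner": set()},
    "files":   {"employee": {"read", "download"},         "partner": {"read"}},
    "finance": {"employee": {"read", "submit"},           "customer": {"submit"}},
}

# Actions that copy data onto the client are never offered from an
# uncontrolled endpoint, whatever the user's role.
KIOSK_DENIED: Set[str] = {"download"}

# Constructed identity store: user -> role.
USER_ROLES: Dict[str, str] = {"alice": "employee", "bob": "partner", "carol": "customer"}

# Every decision is recorded here: who accessed what, from where, with what result.
AUDIT_LOG: List[str] = []


def visible_actions(user: str, app: str, endpoint: Endpoint) -> Set[str]:
    """Parts of the application the gateway presents to this user on this endpoint.

    Unknown users and unknown applications see nothing; kiosk users never see
    actions in KIOSK_DENIED, so the option is not even rendered for them.
    """
    role = USER_ROLES.get(user)
    if role is None:
        return set()
    allowed = set(POLICY.get(app, {}).get(role, set()))
    if endpoint.kind != "managed":
        allowed -= KIOSK_DENIED
    return allowed


def decide(req: Request) -> Tuple[bool, str]:
    """Authorize one request and append an audit record for it."""
    if req.user not in USER_ROLES:
        verdict, reason = False, "unknown user"
    elif req.app not in POLICY:
        verdict, reason = False, "unknown application"
    elif req.action not in visible_actions(req.user, req.app, req.endpoint):
        verdict, reason = False, f"{req.action} not permitted for {req.user} from {req.endpoint.kind}"
    else:
        verdict, reason = True, "allowed"
    AUDIT_LOG.append(
        f"user={req.user} app={req.app} action={req.action} "
        f"endpoint={req.endpoint.kind} allow={verdict} reason={reason}"
    )
    return verdict, reason


def response_headers(req: Request) -> Dict[str, str]:
    """Headers stamped on every application response so the browser keeps no copy.

    Sent regardless of endpoint kind: a managed PC can be lost or shared too.
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


if __name__ == "__main__":
    managed, kiosk = Endpoint("managed"), Endpoint("kiosk")
    for req in [
        Request("alice", "files", "download", managed),   # allowed
        Request("alice", "files", "download", kiosk),     # denied: uncontrolled endpoint
        Request("bob", "finance", "read", managed),       # denied: partner has no finance rights
        Request("carol", "finance", "submit", kiosk),     # allowed: customers may submit forms
        Request("mallory", "email", "read", managed),     # denied: unknown user
    ]:
        print(req.user, req.app, req.action, req.endpoint.kind, "->", decide(req))
    print(response_headers(Request("alice", "email", "read", kiosk)))
    print("\n".join(AUDIT_LOG))
```

The design point is that the endpoint classification shapes what is presented, not just what is enforced: `visible_actions` drives both the menu the user sees and the check in `decide`, so a kiosk user is never shown a download option that the gateway would then refuse.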
When selecting an application-aware SSL VPN, ensure that it uses a flexible architecture that can easily add, support and secure new applications. With that application awareness in place, you get the broadest remote access functionality without compromising on security.
Noam Ben-Yochanan is CTO at Whale Communications. He joined Whale in 2000, where his focus has been on delivering secure data access via the Web. He has some 10 years of experience working for high tech companies providing strategic guidance and spearheading product development. He studied Computer Systems Engineering at the Jerusalem College of Technology.
This was first published in March 2004