
How will SSL VPNs evolve in order to address security concerns?

In this Ask the Expert response, VPN expert Rainer Enders discusses how he thinks SSL VPNs will evolve in order to address security concerns.

In this article, Top VPN security breaches of 2011, you discussed that SSL VPNs have inherent security holes because they use unreliable clients (Web browsers) and have had their certificate authorities (CAs) spoofed. What do you see happening to Web VPNs in order to address these security issues? Will another type of Web VPN emerge that’s more secure?

I am a true believer in gradual improvements of mature technologies over rip-and-replace strategies. SSL, when it was designed many years back, was a great effort, but not everything can be foreseen or assessed during initial technology development. With that in mind, it is remarkable how long SSL has served in its original form.

Similar to IPsec, SSL has a good foundation with flaws and weaknesses. A few vendors that focus on VPN technology have recognized the major benefits of IPsec and addressed its weaknesses in their product offerings. Likewise, there are ways to fix the key weaknesses in SSL. For example, a registration process within the Domain Name System Security Extensions (DNSSEC) could potentially address the weak link in the chain of the certificate authority model. Conceptually, DNSSEC is a good idea, even though it suffers from this chain of trust model to some degree.

My core philosophy is best of breed, so why not use the best of both worlds -- hybrid IPsec and SSL? I’ve never believed in the promised land of SSL VPN as a rip-and-replace approach for existing, well-developed IPsec VPNs. Until a new disruptive technology is available, the best approach is to complement and improve existing solutions.

Email your VPN-related questions to editor@searchenterprisewan.com.


This was last published in December 2011
