
The promise of application-aware SSL VPNs

Application-aware SSL VPNs mitigate the risks of SSL VPNs while harnessing the benefits.

Remote access technologies have taken a huge leap forward. To provide trusted employees and partners access to your network, you probably have deployed an IPsec virtual private network (VPN) -- essentially an extension cord from the LAN to the trusted endpoint computer. Enterprises are now leveraging the ubiquity of Internet-connected browsers to deliver remote access beyond the trusted endpoint. With Secure Sockets Layer (SSL) VPNs, enterprises are now delivering access from any Web browser to any user.

But this is a double-edged sword. Access from anywhere requires security from everywhere. The primary benefit of SSL VPNs, anywhere access for anyone, is also their main drawback, creating potential security risks. Your employees, business partners and customers are now accessing e-mail, files and financial forms from Internet kiosks and other locations not under your control. You no longer want that extension cord into your network, but you still want to provide specific access to particular applications. To ensure security when dealing with untrusted users and untrusted endpoints, you must now go to the application level. Application-aware SSL VPNs mitigate the risks while harnessing the benefits.

Relative to the world of networking, the world of applications is a jungle. Networking adheres to commonly accepted rules. There is RFC compliance for how to handle data, how to pass packets on a network, etc. An IPsec vendor, creating a network extension from the LAN, has guidelines to follow to assure proper and secure delivery of information. When working with an application, however, you are entering a world of competing application vendors, no accepted standards, holes, open source vs. closed source and different protocols. In short, there is no single way for an application to be developed or to behave.

The consequence is idiosyncratic behavior that creates a "Wild Wild West" when it comes to accessing applications remotely. An application viewed from one machine may look different on another. In the same way, this same application may leave a different footprint on one machine than another. The application itself, or at least its data, may be so critical you want no footprint left behind on the machine.

Access to the application also requires a level of control over users, identifying who they are and where they're coming from, since they've stepped over the line of network control that tethers the user to your policy. The hurdle, then, is to look beyond the world of networking and find a way to handle the applications themselves. While SSL VPNs offer this untethered access, the critical component of any secure and controlled SSL VPN implementation becomes true application awareness.

By being aware of the applications, administrators can employ a solution that provides a way to harness and manage the access to the application. It gives them a means to:

  • Identify who is accessing what application
  • Control what application information is presented to the user at the remote location
  • Determine how the user is able to interact with the application (what parts of the application they can access)
  • Secure the connection from the client machine back to the application
  • Avoid having users leave traces of the application and its access on the client machine

When selecting an application-aware SSL VPN, ensure that it uses a flexible architecture that can easily add, support and secure new applications. When you are able to attain an awareness of the application, you are achieving the broadest remote access functionality without compromising on security.
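The five capabilities listed above, plus the default-deny stance for applications that have not yet been added, can be expressed as a small application-layer policy that an SSL VPN gateway consults before forwarding a request. The following is an added example written for this article, not code from the author or from any product; the rule set, group names, application names, endpoint trust levels and the `evaluate` function are all constructed for illustration. The gateway is assumed to have already terminated TLS, authenticated the user and classified the endpoint before calling into it.

```python
"""Application-layer access policy for an SSL VPN gateway (hypothetical example).

The gateway is assumed to have terminated TLS, authenticated the user and
classified the endpoint; it then asks evaluate() whether a request for a given
application path may be forwarded and which response headers to add.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Endpoint trust levels (constructed for this example).
MANAGED = "managed"      # corporate machine that passed a host check
UNMANAGED = "unmanaged"  # kiosk, home PC, partner machine: assume hostile
TRUST_RANK = {UNMANAGED: 0, MANAGED: 1}


@dataclass(frozen=True)
class Rule:
    application: str                 # which application
    path_glob: str                   # which part of the application
    groups: frozenset                # who may use it
    min_trust: str                   # where they may come from
    methods: frozenset = frozenset({"GET"})  # how they may interact with it


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    endpoint_trust: str
    application: str
    path: str
    method: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    response_headers: dict = field(default_factory=dict)


# Per-application policy (constructed). Applications with no rule are denied,
# so a newly published application stays closed until a rule is written for it.
POLICY = [
    Rule("owa", "/owa/*", frozenset({"employees"}), UNMANAGED,
         frozenset({"GET", "POST"})),
    # Downloaded attachments leave files behind on the client, so this part of
    # the application is only reachable from a managed endpoint.
    Rule("owa", "/owa/attachment/*", frozenset({"employees"}), MANAGED),
    Rule("finance", "/finance/reports/*", frozenset({"finance"}), MANAGED),
    Rule("partnerportal", "/portal/orders/*", frozenset({"partners"}), UNMANAGED,
         frozenset({"GET", "POST"})),
]

# Headers that tell the browser not to keep a copy of the page on a machine
# the enterprise does not control.
NO_TRACE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def evaluate(req: Request, policy=POLICY) -> Decision:
    """Return whether the request may be forwarded and which headers to add."""
    # The most specific (longest) matching path pattern wins, so a narrow rule
    # can tighten a broad one for a sensitive part of the same application.
    candidates = sorted(
        (r for r in policy
         if r.application == req.application and fnmatchcase(req.path, r.path_glob)),
        key=lambda r: len(r.path_glob), reverse=True)
    if not candidates:
        return Decision(False, "no rule for this application or path")
    rule = candidates[0]
    if not (req.groups & rule.groups):
        return Decision(False, "user not in a permitted group")
    if TRUST_RANK[req.endpoint_trust] < TRUST_RANK[rule.min_trust]:
        return Decision(False, "endpoint trust too low for this part of the application")
    if req.method not in rule.methods:
        return Decision(False, f"method {req.method} not permitted")
    headers = dict(NO_TRACE_HEADERS) if req.endpoint_trust == UNMANAGED else {}
    return Decision(True, f"matched {rule.application}:{rule.path_glob}", headers)


def audit_record(req: Request, decision: Decision) -> dict:
    """Record who accessed what application from which kind of endpoint."""
    return {"user": req.user, "application": req.application, "path": req.path,
            "endpoint": req.endpoint_trust, "allowed": decision.allowed,
            "reason": decision.reason}


if __name__ == "__main__":
    demo = Request("alice", frozenset({"employees"}), UNMANAGED, "owa", "/owa/inbox", "GET")
    print(audit_record(demo, evaluate(demo)))
```

The design point is that every decision keys on the application and the part of it being touched, not on a network address: the same user on the same account is allowed to read mail from a kiosk but is refused attachment downloads there, an unknown application is closed by default, and any page served to an unmanaged endpoint carries headers that discourage the browser from caching it.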

Noam Ben-Yochanan is CTO at Whale Communications. He joined Whale in 2000, where his focus has been on delivering secure data access via the Web. He has some 10 years of experience working for high tech companies providing strategic guidance and spearheading product development. He studied Computer Systems Engineering at the Jerusalem College of Technology.
This was last published in March 2004
