Accelerated, scalable SSL VPN
NWC News Network, October 01, 2007

By Rakesh Singh
VP, Products,
& MD, Citrix R&D India

Today’s transacting environment has made it imperative for employees and partners to be able to access corporate applications and data from outside the corporate perimeter. Enterprises are increasingly looking to leverage the Internet to provide remote access in a cost-effective manner.

Though many enterprises use IPsec VPN technology to provide this access, the technology has several limitations. The IPsec protocol essentially encrypts communication between two trusted parties. IPsec VPN, while effective in providing high performance encryption of data for site-to-site communication, isn’t so effective when used as a remote access solution.

Client software needs to be rolled out to every access device used for remote access. Deploying client software to thousands of corporate employees and partners is challenging from a software rollout, upgrade and maintenance standpoint. Training users to use separate client software can be equally discouraging. Frequently, users need access to their applications and data from locations such as industry conferences, where they may not have, or cannot use, their own computers with the IPsec client installed.

Moreover, IPsec exists as a separate protocol, and hence is often blocked by firewalls. For users who are guests at a facility and have no control over firewalls, this restriction often makes IPsec VPNs useless. These problems limit the range of locations where IPsec can be successfully used.

Inter-operability issue

Another issue is inter-operability between manufacturers of VPN gateways and client software. Due to differences in implementation, not all client software works with all VPN gateways, thereby complicating the job of IT administrators in providing remote access to the user base. While IPsec is a proven, accepted solution for site-to-site communication, it has significant limitations when used for remote access.

Most VPN gateways also fall short when it comes to limiting the access rights of remote users once they have been granted access to the network. This ties the IT administrator’s hands when it comes to restricting a remote user’s access to only certain servers or applications.

SSL-based VPNs can overcome some of these challenges. For example, a key limitation of IPsec VPNs, as stated earlier, is the need to deploy client-side software on every access device, train users on that software and manage ongoing upgrades for these devices. As every client machine comes with a browser, and since every popular browser uses SSL, this issue can be overcome using an SSL VPN.

Valuable man-hours that would otherwise be spent administering VPN client software can be used for more productive tasks. In addition, the learning curve for new users is negligible as most users know how to access content via a browser. SSL is highly inter-operable too since it is a well-known open standard in wide deployment.

Unlike IPsec VPNs, SSL VPNs can work seamlessly from behind client firewalls. Because SSL traffic is allowed to pass by most firewalls, SSL VPNs can be used from almost any location.

SSL VPN technology can intelligently provide access to applications and data by recognizing the location of the user. For instance, a user accessing the corporate network from a kiosk or Internet café could be restricted to access email applications only, while a user accessing from home could be allowed broader access.

Several advantages

Clearly, SSL VPNs provide many advantages over IPsec VPNs for remote access. However, secure remote access is not the ultimate target of IT administrators. Instead, the goal is to achieve secure application delivery in which critical applications are accelerated, secured and transmitted to end users. Remote access to the network is just one component of this concept.

A key point to remember when considering SSL VPNs is inter-operability with existing infrastructure and applications. To provide secure application delivery, an SSL VPN gateway should support applications transparently. Further, it should also enhance application performance. Remote users may dial up on low-bandwidth connections and access applications that were never written for distribution over a wide area network. A poorly performing solution that makes remote users wait for page downloads reduces user productivity as well as the ultimate value of the application being accessed.

According to some estimates, about 70 percent of all intrusion and hacking attempts occur because SSL traffic is not secure. This makes enterprises vulnerable to a range of denial of service and Web-based worm attacks which can be disastrous to the organization. SSL VPNs therefore should also have application layer protection.

To conclude, a full-featured SSL VPN solution should:

  • Be clientless. It should not require any additional client software to be installed for remote access.
  • Provide access to a broad range of applications, including e-mail, native client/server applications, corporate intranets and shared file systems with a standard browser.
  • Support RADIUS, LDAP, Active Directory and other authentication schemes.
  • Deliver comprehensive auditing and logging capabilities.
  • Provide simplified management and monitoring via a command line or a Web-based graphical interface.
  • Allow for granular access control by limiting user access on a per user/group basis.
  • Integrate with end-station security components such as personal firewalls and antivirus software.
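The location-aware access described earlier (kiosk users limited to e-mail, home users given broader access) combines naturally with the per-user/group control, end-station checks and auditing in this list. The sketch below is an added example, not code from the article or from any vendor's product; the group names, application names, location labels and the fallback rule for failed end-station checks are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: applications each access location may reach.
LOCATION_APPS = {
    "kiosk": {"email"},
    "home": {"email", "intranet", "file_share"},
    "managed": {"email", "intranet", "file_share", "erp_client"},
}
# Constructed per-group entitlements (granular, per user/group control).
GROUP_APPS = {
    "employees": {"email", "intranet", "file_share", "erp_client"},
    "partners": {"email", "intranet"},
}

@dataclass(frozen=True)
class Session:
    user: str
    group: str
    location: str            # as classified by the gateway, not self-reported
    firewall_on: bool        # end-station personal firewall state
    antivirus_current: bool  # end-station antivirus state

def allowed_apps(s: Session) -> frozenset:
    """Intersect group entitlements with what the access location permits."""
    by_group = GROUP_APPS.get(s.group, set())           # unknown group: nothing
    by_location = LOCATION_APPS.get(s.location, set())  # unknown location: nothing
    apps = by_group & by_location
    # Assumed rule: an end station failing its security check is treated
    # like a kiosk, whatever its location.
    if not (s.firewall_on and s.antivirus_current):
        apps &= LOCATION_APPS["kiosk"]
    return frozenset(apps)

def authorize(s: Session, app: str, audit: list) -> bool:
    """Decide one request and record it, allow or deny, in the audit log."""
    allowed = app in allowed_apps(s)
    audit.append({"user": s.user, "group": s.group, "location": s.location,
                  "app": app, "decision": "allow" if allowed else "deny"})
    return allowed
```

Unknown groups and locations resolve to an empty set, so a misclassified session is denied by default rather than granted broad access.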

SSL VPNs solve many of the remote access problems associated with IPsec VPN solutions. SSL VPNs provide access via the browser and don’t suffer from firewall issues. Since client software is not required, many more access options are available to remote users. Administrators are also freed of the burden of maintaining client software.


