SSL VPN In Detail
By Waheed Warden, MCIM
Article Date: 2003-12-01
As with any security technology, SSL VPN will have to demonstrate tangible business benefit before it will even be considered. The current benefits of SSL VPN were briefly outlined in section 1.2.2, but are discussed in greater detail below.
2.2 How do they work?
As stated above in figure 2, SSL VPNs make use of the existing SSL functionality already present in most IP stacks. Because SSL fits into the stack between layers 4 and 5, each application must explicitly define its use. Based on this fact, SSL VPNs fall into 3 distinct categories:
Most commercial SSL VPN products will use a combination of the above techniques, although some insist that only one of these techniques offers a complete solution. Each of the techniques is covered in detail below.
2.2.1 Application layer proxies
Application layer proxies are the simplest form of SSL VPNs because they rely on the SSL functionality used by existing applications. Because of this, application layer proxies have the least application support. Generally, they only support
However, to provide additional functionality over and above this, they do tend to 'web enable' further functionality, such as file transfer. Even with this, functionality tends to be limited.
They work by using the SSL setup in existing applications. For example, you would web browse to the gateway, which then proxies web traffic internally (using a simple method to display links to internal systems). To use email, your administrators would configure the SSL functionality in your email client and proxy all email traffic via the gateway.
One of the advantages of application layer proxies is that they are truly clientless. They operate with nearly all operating systems and web browsers.
2.2.2 Protocol redirectors
Protocol redirectors are more flexible than application layer proxies, but they are not truly clientless in their operation. Protocol redirectors work by downloading a mini client from the gateway, which installs locally and redirects traffic. The redirection is illustrated in figure 3 below.
For example, if a connection is made from an application, which does not use the SSL layer, the connection is captured at the base of the IP layer and then encapsulated within an SSL tunnel. Once the traffic reaches the SSL gateway, it is decrypted and then proxied to the original destination. This would appear to be an ideal mechanism, because all normal applications work with minimal intervention for the user. The reality though is slightly different.
The only realistic way the shim (the mini client) can capture the traffic on the way through the IP stack is to redirect traffic based on name resolution to a local resource. For example, I may try to connect to mail.trinitysecurity.com, which normally connects to 126.96.36.199. Once the port redirector is enabled, the name mail.trinitysecurity.com will be forced to connect to localhost (127.0.0.1) through the use of a hosts file entry. This means the mini client must have the ability to write changes to the hosts file, which in a hardened corporate desktop may not always be possible. Also, in most implementations some administrative permission is required on the local desktop to install the mini client, which is rarely possible using a machine in an Internet Café.
The main advantage of the protocol redirection system is that it can support any application that works on fixed TCP or UDP ports, and in some implementations applications with dynamic ports can be supported (such as MS Outlook).
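The hosts-file rewrite described above is what a protocol redirector depends on, and it is also what a hardened desktop can check for. The following script is an added example (not code from the article or from any SSL VPN product): it parses a constructed hosts file, lists the hostnames that have been forced to loopback, and reports whether the current user could even write the hosts file, i.e. whether the redirector's name-resolution trick is possible on this machine. The sample entries and the `intranet.example.internal` name are constructed placeholders.

```python
import os
import sys
from pathlib import Path

# Constructed sample hosts file, as a protocol redirector might leave it:
# the mail server name now resolves to loopback, where the mini client
# listens and wraps the traffic in SSL before sending it to the gateway.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Entries written by the SSL VPN mini client (constructed example)
127.0.0.1       mail.trinitysecurity.com
127.0.0.1       intranet.example.internal   # placeholder name
10.0.0.5        printer.example.internal
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "localhost.localdomain"}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def loopback_redirects(text):
    """Hostnames forced to loopback that are not the usual local aliases.
    These are the entries a protocol-redirector mini client must write."""
    return sorted({name for addr, name in parse_hosts(text)
                   if addr in LOOPBACK and name not in LOCAL_NAMES})


def hosts_path():
    """Platform-specific hosts file location."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def can_redirector_install(path=None):
    """True if the current user could rewrite the hosts file (os.access
    check only; it does not attempt to modify anything)."""
    path = Path(path) if path else hosts_path()
    return path.exists() and os.access(path, os.W_OK)


if __name__ == "__main__":
    print("Redirected names:", loopback_redirects(SAMPLE_HOSTS))
    print("Hosts file writable:", can_redirector_install())
```

Run against the real hosts file (`parse_hosts(hosts_path().read_text())`) to see whether any non-local name has been pointed at loopback.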
2.2.3 Remote control enhancers
Remote control enhancers are the most flexible form of SSL based VPN, but they also have the highest overhead. They work by enhancing a remote control protocol like Windows Terminal Services or Citrix Metaframe and adding SSL VPN functionality and Web Browser support. This means any application can be added to the SSL VPN by adding the application to the remote control desktop. As a stand-alone application, this has serious limitations, because applications that reside on the local desktop cannot be used directly. This is why most remote control enhancers are partnered with other SSL VPN technologies.
On the positive side though, they can offer features like the ability to read and update documents held centrally without ever having to download the entire document. When travelling and using VPN over low speed connections, or when connection quality is poor, this could be very advantageous (because connections are restarted without losing any work).
2.2.4 Technical considerations
Other technical considerations include
About the Author:
Waheed Warden, MCIM, Channel Marketing Manager, Trinity Security Services