Network

Secure Remote Access with SSL VPNs

What to look for when choosing an SSL VPN appliance for small business customers
Secure sockets layer (SSL) virtual private network (VPN) software has been around for a long time, but it is only relatively recently that it has been delivered on dedicated hardware appliances that specialise in hosting remote access, with many of those devices aimed squarely at the SMB market.

 
The main advantage of an SSL VPN compared to an IPSec or PPTP VPN is that SSL connections do not require a software client to be pre-installed on the remote computer before a secure communication session can be established. This makes it ideal for computers outside the umbrella of company security policies – like laptops, unmanaged PCs, public computers or mobile devices. The disadvantage is that it is arguably less secure than IPSec, but that depends on the requirements of the customer.

Companies currently selling SSL VPN appliances tailored and priced for SMB use in the UK include SonicWall, Barracuda Networks, Billion, WatchGuard, NETGEAR and Juniper Networks, with prices starting at just a couple of hundred pounds. But with so many different choices, matching a feature set to the specific requirements of the buyer needs some consideration.

Concurrent user numbers
The first question to ask is how many simultaneous SSL connections the device can support; in other words how many remote workers are likely to be logging into the company network or intranet via SSL at any one time.

A small business might need anywhere from 5 to 25 concurrent SSL VPN tunnels, covering all the staff expected to require remote access simultaneously during normal periods, plus additional users in the event of tube strikes, bad weather or other transport problems when more staff are likely to work from home (or elsewhere). Customers need to think about the total number of users that can be supported as well, as SSL VPN appliances tend to limit the number of registered user profiles they can store in the device’s flash memory.

Organisations which expect to grow further in the future should look for appliances that allow you to add blocks of additional user licenses via a simple software upgrade, preferably one that can be downloaded or installed remotely. Some devices aimed at small businesses allow blocks of 10, 15, or 25 user licenses to be added at a later date, the Juniper Networks SA700 for example.

A dedicated SSL VPN appliance sits behind the company firewall to provide remote users with secure access to LAN resources and centralised business applications.

Browser and operating system support
Support for the browser and operating system in use on the remote client device is crucial – SSL VPNs work by having remote client devices point their browser at the IP address of the VPN appliance, which then serves a login page, usually in the form of a Java or ActiveX control, for the user to enter their user name and password.

Some VPN appliances do not support Mozilla’s Firefox browser, so anybody with a grudge against Internet Explorer needs to be sure they choose a product that allows alternative browsers to be used. Check for support for 64-bit operating systems (like Vista and Windows 7) if your customers need this. Some appliances – including Billion’s S10 – can also be accessed from portable devices such as smartphones or PDAs running mobile operating systems like Windows Mobile 5.0 and 6.0.

Hardware and warranty
SSL VPN appliance hardware is fairly basic, offering a wide area network (WAN) port and one or more LAN ports, depending on whether the device will also provide switching and routing functions. Customers can choose between a standalone or a rack mounted appliance, but otherwise the most important aspect is the WAN port, which must be matched to the WAN interface in place at the customer site (DSL, fibre, dial up or ISDN, for example) if the appliance includes router capabilities, or else the speed of the Ethernet port (10/100 or Gigabit Ethernet) which plugs into a LAN port.

Some appliances aimed at larger businesses, like the Billion BiGuard S20 and Netgear’s ProSafe Dual WAN Gigabit SSL VPN Firewall, offer two WAN ports; the second provides load balancing and failover to increase the WAN bandwidth and reliability of the Internet connection, but appliances offering these features tend to be more expensive.

Given the relative simplicity of the hardware itself, many of the products are backed by lifetime guarantees, though the power supply is often specifically excluded from the arrangement. Either way, it is a good idea to double check both the warranty and the mean time between failures (MTBF) rating of the PSU before buying.

Billion’s BiGuard S10 device offers router functions, dual WAN connectivity for failover and support for SSL VPN access from Windows Mobile client devices.

Access policies
Understanding the way the SSL VPN controls user access to the company network can save a lot of time and trouble during configuration, but granular access controls tend to be limited on lower cost devices.

The ability to integrate with existing user databases and import existing authentication details from Active Directory, LDAP, NT domains or RADIUS servers is vital here. This allows you to use individual and group user details as VPN profiles, with access parameters applied to all users in that group, which reduces the time you’ll need to spend setting it up on the client site.

If your customers need more granular access controls you can apply a variety of other control methods, including location, port, source IP (check for IPv6 support where appropriate), and multiple IP address ranges and different network subnets.
 
Whilst much of the manual configuration work can be avoided by applying group polices, ideally you will still want the option to create individual policies – one specifically for the IT staff, for example, and another for the boss. Access policies on SonicWall’s SSL VPN series for SMBs can be edited based on individual user and group requirements, source IP and service or individual application, for example.

In the same way, VPN appliances should let you customise individual user or group login pages, to show company logos, banners or user instructions for instance, or to create an interface directing users to the applications and resources they will access during the VPN session.
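The policy model described in this section, as an added example that is not code from the article or from any appliance vendor: group policies imported from the directory, individual user policies that take precedence over them, source address ranges (including IPv6), destination subnets and per-service rules, all combined into one first-match decision with a default of deny. The user names, group names, service names and addresses are constructed for illustration.

```python
"""Added example, not code from the article or from any appliance vendor: a
small model of how group policies, individual user policies, source address
ranges and per-service rules combine into a single access decision.
All names, groups, services and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    services: set      # service names; "*" matches any service
    sources: list      # permitted client networks; empty list means any source
    destinations: list # reachable internal networks; empty list means any


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Group policies apply to every member of the group, which is what saves the
# per-user setup work once groups are imported from the directory.
GROUP_POLICIES = {
    "staff": [
        Rule("allow", {"https", "imap"}, [], [net("10.0.0.0/24")]),
    ],
    "it": [
        # Location control: IT staff may reach everything, but only from the
        # office range and the IPv6 block assigned to their managed laptops.
        Rule("allow", {"*"}, [net("203.0.113.0/24"), net("2001:db8::/32")],
             [net("10.0.0.0/16")]),
    ],
}

# Individual policies are checked before group policies, so one user can be
# given (or refused) something the rest of their group does not get.
USER_POLICIES = {
    "boss": [Rule("allow", {"rdp", "https"}, [], [net("10.0.1.5/32")])],
    "intern": [Rule("deny", {"*"}, [], [net("10.0.0.10/32")])],
}

USER_GROUPS = {"alice": {"staff"}, "bob": {"it"},
               "boss": {"staff"}, "intern": {"staff"}}


def rule_matches(rule, src, service, dst):
    """True when service, source and destination all satisfy the rule."""
    if "*" not in rule.services and service not in rule.services:
        return False
    # An IPv4 address tested against an IPv6 network (or vice versa) is False.
    if rule.sources and not any(src in n for n in rule.sources):
        return False
    if rule.destinations and not any(dst in n for n in rule.destinations):
        return False
    return True


def evaluate(user, source_ip, service, destination):
    """First matching rule wins: user rules, then group rules; else deny."""
    src = ipaddress.ip_address(source_ip)
    dst = ipaddress.ip_address(destination)
    candidates = list(USER_POLICIES.get(user, []))
    for group in sorted(USER_GROUPS.get(user, ())):
        candidates.extend(GROUP_POLICIES.get(group, []))
    for rule in candidates:
        if rule_matches(rule, src, service, dst):
            return rule.action
    return "deny"  # unknown user or no matching rule


if __name__ == "__main__":
    for case in [("alice", "198.51.100.7", "https", "10.0.0.20"),
                 ("bob", "198.51.100.7", "ssh", "10.0.5.1"),
                 ("bob", "2001:db8::1", "rdp", "10.0.5.1"),
                 ("intern", "198.51.100.7", "https", "10.0.0.10")]:
        print(case, "->", evaluate(*case))
```

The ordering matters: because individual rules are consulted first, the `intern` entry blocks one host that the `staff` group rule would otherwise allow, while `boss` falls through to the group rule for anything his personal rule does not cover. Appliances differ in whether first match or most specific match wins, so check the product's rule evaluation order before copying policies across devices.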

Configuration
SSL VPN appliance vendors are keen to stress how easy the products are to configure, primarily because they are aimed at smaller organisations or branch offices where IT support expertise is either scarce or non-existent. Plug and play is rarely what it is cracked up to be though, and most of the appliances will require a degree of configuration as well as connecting up to the relevant WAN and LAN ports on site.

If the appliance doesn’t include routing facilities with NAT or firewall support, you may need to configure it to work behind another router on the existing business Internet connection, with the port forwarding rules needed to let external users reach the appliance and to make sure HTTPS traffic is not blocked.

In many cases it might make sense to trial the product at a test site for a while, which should give the end user an idea of how easy it is to configure and manage in the live environment. If configuration is needed, you can do that before installing it on the customer site.

A vital feature to have here is remote support, so you can log into the appliance to perform any necessary configuration or maintenance on the SSL VPN, re-configuring access or authentication details for example, as and when needed. SonicWall’s SSL VPN 2000 series calls these ‘virtual assist technicians’, and allows up to a maximum of five to connect to a remote site, for example.

Routing functions
Most VPN appliances are added to local area networks already served by their own routers, many of which have firewalls either on the router or installed on the servers behind it. Depending on the age and capability of the equipment already in situ, it may be easier to replace these and install an SSL VPN appliance that combines all these functions into a single device; a single router offering firewall and SSL VPN functions could easily serve a branch office, for example, with no other routing equipment needed.

This sort of device can also serve as a small LAN switch; there are four Ethernet ports on the Billion BiGuard S10, for example, and more PCs can be connected by daisy chaining other unmanaged switches from these ports. The device should provide basic routing and Internet access options depending on the type of WAN connection; for example, PPPoE, PPPoA and support for dynamic or static IP addressing.

Routing functions may also include access controls and URL filtering tools that can be used to create VPN access policies which combine with restrictions on downloading Java applets, ActiveX controls and cookies, if the customer wants to control what users can do over the VPN connection. And where the WAN link is low bandwidth DSL or similar, it might be a good idea to configure Quality of Service (QoS) and bandwidth rate limiting to ensure that the SSL sessions take up only a set share of capacity, both upstream and downstream, and do not starve other applications of bandwidth.

NETGEAR’S ProSafe Dual WAN Gigabit Firewall provides a mixture of SSL and IPSec VPN access combined with firewall and URL keyword filtering.

Application access
Virtually all SSL VPN devices aimed at SMBs support a reverse Web proxy that allows remote users to access internal Web applications and network file shares. However, which other applications can be accessed during an SSL VPN session depends on features not always present in appliances aimed at the small business market.

If there’s a network or transport extender you can extend secure remote access to network level applications; that means almost any TCP/IP based app on the network including IMAP/POP based email, SMTP and ICMP management tools, and centralised applications such as customer relationship management (CRM), order entry or inventory tools, and file and print services.

Any organisation already running Terminal Services or older legacy applications on their server may prefer to provide application access in a different way. Terminal emulation over SSL VPNs is available on many SSL VPN devices, using application streaming such as Citrix ICA (XenApp), other remote display protocols such as Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC), with telnet and SSH sessions to legacy applications also widely supported.

Security is everything
Given that security is the watchword for any type of VPN, you need to pay special attention to the security features on appliances. And because SSL VPN sessions are commonly initiated from public or shared computers, features which effectively remove all traces of the session once it is complete are particularly important.

Most appliances support automatic cache cleaning, so that any sensitive company data accessed via the VPN and stored in local cache memory, such as proxy downloads or temporary files, is wiped at the end of the session, preventing anybody else from seeing it. It is also a good idea to make sure the URL of any Web application used during the session is masked, otherwise unauthorised viewers may be presented with login information that helps them attack the system. Beware of operating system limitations here – the SMB version of SonicWall’s SSL VPN only supports cache cleaning on remote clients running Windows, and other devices can have similar requirements.

All products provide standard encryption facilities during a login session, when the remote device exchanges passwords with the server during the ‘handshake’ and then decides on the keys and authentication algorithms to be used during the session so nobody can eavesdrop. In most cases, small business users can trust the default options, but if you have a preference for a particular standard, check that support for common formats like RSA RC4, DES-CBC or 3DES-CBC, AES (128-bit, 192-bit or 256-bit depending on the level of security required) and Blowfish is included.

Which authentication algorithms you need may depend on what has already been configured for use by Active Directory, LDAP or RADIUS, but it pays to check that common forms like MD5, SHA-1 and Internet Key Exchange (IKE) manual key negotiation are present. In some cases, the appliance may also support digital certificates, which verify that the user at the other end of the SSL VPN session is who they claim to be.

The base model Juniper Networks SA700 allows you to add on blocks of 10, 15, or 25 user licenses later, according to requirements.

Automatic updates
More expensive SSL VPNs allow the central server to check the health status of the remote computers attempting to connect to them. The user or administrator can check anti-virus, firewall, service pack updates and so on, and block any computer without the latest updates from establishing a VPN connection to the network.

Some appliances, including the Juniper Networks SA700 and Watchguard SSL 100, limit access based on that status. So, if the remote client has the proper updates, full access is granted; if not, it is forwarded into a special ‘quarantined area’ where no access is allowed until all the proper patches are downloaded and installed.
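The host check and quarantine decision just described, as an added example rather than code from the article or from the Juniper or WatchGuard products: the client reports its operating system, service pack, host firewall state and anti-virus definition date; the policy then grants full access, quarantines the client with a list of what it must fix, or refuses it. The policy thresholds, operating system names, client attributes and the quarantine destinations are all constructed for illustration.

```python
"""Added example, not taken from the article or from any vendor's appliance: a
simplified host check of the kind described above. Given what a client reports
about itself, the policy returns 'full' access, a 'quarantine' decision with
the reasons, or 'deny'. Thresholds, OS names and client attributes are
constructed for illustration."""
from datetime import date

# Constructed policy: minimum service pack per supported OS, maximum age of
# anti-virus definitions in days, and whether a host firewall is mandatory.
POLICY = {
    "min_service_pack": {"Windows XP": 3, "Windows Vista": 2, "Windows 7": 0},
    "max_signature_age_days": 3,
    "require_firewall": True,
}

# Hypothetical destinations a quarantined client may still reach so that it
# can fetch the patches and definitions it is missing.
QUARANTINE_DESTINATIONS = {"patch-server", "av-update-server"}


def signature_age_days(today_iso, signature_iso):
    """Age of the client's anti-virus definitions in whole days."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(signature_iso)).days


def check_posture(client, today_iso, policy=POLICY):
    """Return (decision, reasons); decision is 'full', 'quarantine' or 'deny'.

    A client running an OS the policy does not know is refused outright; a
    known client that fails any check is quarantined until it is fixed."""
    reasons = []
    os_name = client.get("os")
    if os_name not in policy["min_service_pack"]:
        return "deny", ["unsupported operating system: %r" % os_name]
    if client.get("service_pack", 0) < policy["min_service_pack"][os_name]:
        reasons.append("service pack below minimum")
    if policy["require_firewall"] and not client.get("firewall_enabled", False):
        reasons.append("host firewall disabled")
    signature = client.get("av_signature_date")
    if signature is None:
        reasons.append("no anti-virus detected")
    else:
        age = signature_age_days(today_iso, signature)
        if age > policy["max_signature_age_days"]:
            reasons.append("anti-virus signatures %d days old" % age)
    if reasons:
        return "quarantine", reasons
    return "full", []


def permitted_destinations(decision, all_destinations):
    """Destinations the session may reach for a given posture decision."""
    if decision == "full":
        return set(all_destinations)
    if decision == "quarantine":
        return set(all_destinations) & QUARANTINE_DESTINATIONS
    return set()


if __name__ == "__main__":
    laptop = {"os": "Windows XP", "service_pack": 2, "firewall_enabled": True,
              "av_signature_date": "2010-03-01"}
    decision, why = check_posture(laptop, "2010-03-15")
    print(decision, why)
    print(permitted_destinations(decision, {"crm", "patch-server", "av-update-server"}))
```

The reasons list is what the user sees on the quarantine page, so it should name the fix rather than the rule; and since the check relies on what the client reports, it is a hygiene control that reduces the chance of an infected or unpatched machine joining the network, not a substitute for the authentication and access controls discussed earlier.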

These appliances often offer automatic updates, so the appliance automatically receives the latest virus, security and application definitions.

Also, many appliances scan any files uploaded during a VPN session to network file shares or internal Web sites for viruses and other malware. Check whether these AV engines can scan decompressed files, and also block specific types of file from being accessed, depending on the security level required and whether similar functions are already in place elsewhere.

Central reporting and management
Organisations that support larger numbers of users may also want to keep track of who is doing what. Most of the VPN appliances in this market provide some sort of management software, though feature sets vary significantly, so it is important to identify which capabilities they need before buying.

In some cases, as with the WatchGuard system manager, administrators or IT staff can view the real-time status of which users and offices are connected and authenticated via the VPN at any one time, and also consult a log of VPN access to identify usage patterns and possible culprits in the event of security breaches, presented in an easy to read graphical format. On other systems, reporting capabilities can be as basic as exporting log files to Excel or your existing reporting software.
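As an added example that is not code from the article or from any vendor's management software, the following parses a small constructed SSL VPN access log to answer the questions raised in this section and in the earlier "Concurrent user numbers" section: the peak number of simultaneous sessions (the figure that drives licence sizing), accounts with a burst of failed logins, and accounts that were logged in from more than one source address. The log format and every entry are made up for the example; real appliances export their own formats, so the regular expression would need adjusting.

```python
"""Added example, not from the article or from any vendor's management software:
parse a constructed SSL VPN access log and report peak concurrent sessions,
failed-login bursts and accounts used from several source addresses.
The log format and all entries are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines; one event per line: timestamp, user, event, source IP.
SAMPLE_LOG = """\
2010-03-15 08:02:11 alice login-ok 198.51.100.7
2010-03-15 08:05:40 bob login-ok 203.0.113.9
2010-03-15 08:06:02 carol login-fail 192.0.2.55
2010-03-15 08:06:09 carol login-fail 192.0.2.55
2010-03-15 08:06:15 carol login-fail 192.0.2.55
2010-03-15 08:06:20 carol login-fail 192.0.2.55
2010-03-15 08:30:00 dave login-ok 198.51.100.20
2010-03-15 08:31:30 alice login-ok 192.0.2.99
2010-03-15 09:00:00 bob logout 203.0.113.9
2010-03-15 09:10:00 alice logout 198.51.100.7
2010-03-15 12:00:00 dave logout 198.51.100.20
2010-03-15 17:45:00 alice logout 192.0.2.99
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (login-ok|login-fail|logout) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, user, event, source_ip); skips bad lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, user, event, ip = match.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, ip))
    return events


def peak_concurrent(events):
    """Highest number of simultaneously open sessions and when it was reached."""
    active, peak, peak_at = 0, 0, None
    for ts, _user, event, _ip in events:
        if event == "login-ok":
            active += 1
        elif event == "logout":
            active = max(0, active - 1)  # tolerate a logout with no matching login
        if active > peak:
            peak, peak_at = active, ts
    return peak, peak_at


def failed_login_bursts(events, threshold=3, window_seconds=60):
    """Accounts with at least `threshold` failed logins within `window_seconds`."""
    fails = defaultdict(list)
    for ts, user, event, _ip in events:
        if event == "login-fail":
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(user)
                break
    return flagged


def multi_source_users(events):
    """Accounts that logged in successfully from more than one source address."""
    sources = defaultdict(set)
    for _ts, user, event, ip in events:
        if event == "login-ok":
            sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("peak concurrent sessions:", peak_concurrent(log))
    print("failed-login bursts:", failed_login_bursts(log))
    print("accounts used from several addresses:", multi_source_users(log))
```

On the sample data the peak of four sessions includes `alice` being logged in twice from two different addresses at once, which is exactly the kind of pattern the appliance logs exist to surface: it may be a user who left a session open at home, or a set of credentials in use by somebody else. The thresholds for the failed-login burst are assumptions to tune against the customer's own baseline.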

With business travel and home working only set to increase, it’s increasingly important for small businesses to provide staff with secure VPN access to the applications and resources they need to do their jobs effectively, from wherever they happen to be. SSL VPN appliances don’t offer everything, but they get the job done at relatively little cost and they’re simple for you to work with.

 

Software and virtual SSL VPN appliances
Buying a hardware SSL VPN appliance has many benefits; you get an all-in-one solution which is relatively easy to install. In some cases though, SSL VPN software would be suitable; similarly, a virtual appliance allows the customer to run the software on top of virtual server infrastructure, such as VMware ESX.

Astaro, for example, provides its Security Gateway (ASG) as a virtual appliance, which contains an SSL VPN alongside other network and Web security functions like firewall, anti-virus, intrusion prevention and URL filtering, and can be installed as a virtual machine on any server running VMware Player, Workstation, Server or ESX Server.
Astaro also provides ASG as a software appliance – an all-in-one, self-booting image which can be installed on an x86 server; other vendors offer similar options, like Menlo Logic with its AccessPoint product.

The advantage of this approach is that if they have a legacy server available, the customer doesn’t need to buy new hardware (providing it can be dedicated to the task). This type of deployment also gives you the option of supplying your own hardware to the customer. The disadvantage is that when you add up the license requirements and fees, the costs may not always be appropriate to small businesses.

SSL VPN advantages at a glance
• No software client is required: remote users can log in from any system (including public, shared and mobile devices) to gain access to central business applications. (Check browser and operating system support though).

• The SSL VPN client can traverse firewalls and NAT devices that do not have application layer intelligence to support other types of VPN.

• SSL VPNs allow administrators to easily and strictly limit server and application access to users based solely on username and password. Conversely, this can be a security risk if those details are hijacked.

• Companies can place their own customised front end for remote access on a Web page and present users with a simple click-through interface to access network resources.

• VPN appliances can be quick and easy to install at branch offices, with little pre-configuration required and remote support options often available.

Implementation considerations for SSL VPN deployments
When to deploy SSL VPNs and when other solutions may be more suitable:
http://articles.techrepublic.com.com/5100-22_11-5677162.html?tag=rbxccnbtr1


The Cable Guy: The Secure Socket Tunneling Protocol
More detail on SSTP and what you’ll need to consider: http://technet.microsoft.com/en-us/magazine/2007.06.cableguy.aspx

SSTP Remote Access Step-by-Step Guide
Installing and configuring SSTP on Windows Server 2008: http://technet.microsoft.com/en-us/library/cc731352(WS.10).aspx

Configuring an SSTP VPN on Small Business Server 2008
SBS 2008 does not enable SSTP VPNs by default: this article steps you through the more complicated process to make it work: www.c7solutions.com/blog/2009/03/configuring-sstp-vpn-on-small-business_31.aspx

Screencast
Deploying SSTP remote access

Guides you through setting up a three PC test SSTP VPN: www.microsoft.com/downloads/details.aspx?FamilyID=fc4d7d3f-0376-45bf-9544-ec35329a2fc1&DisplayLang=en

Setting up SSL on a Domino server: www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/0/0efb03569412411385256c1d00398e86

Securing a Domino server with SSL using the CA process: www-01.ibm.com/support/docview.wss?rs=463&uid=swg21193730
