A number of factors are fueling the dramatic demand for
SSL VPNs, including:
- Government mandates - such as the Health Insurance Portability and
Accountability Act (HIPAA) in the United States - that are driving key industry
segments to protect the privacy of distributed electronic information.
- The increasing use of extranets - granting non-employees and business
partners secure access to internal networks - which has become a "must
have" requirement of conducting business.
- Increased demand by employees for flexible working options that enable home
working - a trend fueled by governmental regulations such as the Flexible
Working Act in Great Britain that require employers to make reasonable
accommodations for working parents of young children.
It's not surprising that SSL VPNs are benefiting from these
developments. SSL VPNs are uniquely suited to meet the diverse remote-access
needs of today's enterprise, with their low costs, application access
flexibility, high security, and overall simplicity.
Traditional Solutions Fall Short
Until recently, VPNs based on the IPSec
protocol have been seen as the logical choice for providing secure network
connectivity beyond the firewall. IPSec VPNs leverage the Internet as an "always
on," ubiquitous data-transfer bridge, eliminating "private"
network access costs, such as leased lines, Asynchronous Transfer Mode (ATM), or
frame relay. IPSec VPNs offer a less-expensive alternative to dedicated
networks, and have proven well suited for secure, on-demand point-to-point
connectivity over the Internet.
However, remote-access IPSec VPNs
bring security at a high price. Distributing IPSec clients to remote machines
and configuring them for access is challenging, especially when the IT
department does not have easy access to remote computers. Further, because they
operate at the network level, IPSec VPNs effectively provide the remote PC with
full network visibility, as if it were a computer located on the corporate LAN.
Policy enforcement and security controls cannot be easily applied in this model.
For these reasons, remote-access IPSec VPNs typically result in a high total
cost of ownership, especially when compared to SSL VPNs.
SSL VPNs: Application Gateways for the Enterprise
The modern enterprise
network is a dynamic environment. Inevitably, corporations deploy an
ever-changing variety of applications for a diverse community of users. These
heterogeneous data centers may comprise legacy and client/server applications on
Windows Terminal Servers, UNIX/Linux servers, or mainframes and AS/400 machines,
as well as Web applications that reside on intranet Web servers.
Historically, opening up this complex realm to remote partners,
suppliers, and employees, while ensuring network protection, has been one of the
great hurdles to a successful remote-access deployment. As a result, enterprises
are turning towards SSL-based VPNs to satisfy the demands of today's more
heterogeneous enterprise networks.
As shown in Figure 1 (below), today's leading SSL VPNs take this approach one
step further, by consolidating three application-access technologies into a
single application-layer gateway device:
- Clientless, browser-based access to remote legacy applications
- Secure intranet access to Web-based applications and portals
- Desktop access for client/server applications over SSL tunneling
Clientless Access to Legacy Applications
While the number
of Web-based intranet applications is certainly growing within the enterprise,
non-Web-enabled, legacy applications - those residing on centralized Windows,
UNIX/Linux, mainframes and AS/400 machines - still form the vital core of
enterprise applications in use today. For IT managers seeking to provide secure
remote access, the challenge is to leverage these crucial legacy applications in
a simple way that provides the same on-demand access to centralized information
as their Web-enabled counterparts.
Some SSL VPN appliances solve this
dilemma by providing clientless, remote access to legacy applications through
the incorporation of Web-enabling technology directly within the platform. This
integrated approach eliminates the need for enterprises to deploy and maintain
server-based "middleware" and associated remote-access clients. In
this model, both the client and server portions of an application are centrally
hosted in the corporate data center. The advantage of this approach is that end
users need only a browser to access these remotely located applications; no
additional software or configuration of the remote computer is needed.
An
SSL VPN appliance makes client/server applications available to remote users
through the Web, allowing companies to leverage their existing legacy
application infrastructure without costly application re-development or
installing and configuring remote PCs. Any program, running on any platform -
Windows, UNIX and Linux, or 3270 mainframe and 5250 AS/400 - can thus be made
available to remote users.
In this application-layer access model, the SSL VPN gateway uses a built-in
screen-scraping protocol that splits the emulation and display processing so
that only the application's display is sent to the remote user's Web browser.
The gateway supports this capability through a browser enhancement (a small Java
applet) that is downloaded to the user's browser at first login. Because only
screen updates and the user's input cross the link, the user experiences the
application much as if it were installed and running on the local machine, even
over a slow connection.
Secure Intranet Access to Web-based Applications and Portals
Even as they continue to rely on legacy applications
as part of their application strategy, enterprises are also developing
applications intended for direct Web browser access. These may be "Webified"
versions of legacy applications such as Microsoft Outlook or proprietary
intranet applications. However, sharing such information over the Web can lead
to security risks that must be carefully addressed. IT departments given the
task of extending Web-based applications to remote users and business partners
face significant challenges.
For example, Web-enabled resources typically reside on a company's internal
network and use internal Domain Name System (DNS) names that cannot be resolved
from the public Internet.
Leading
SSL VPN appliances, however, overcome these obstacles and can safely extend
these intranet resources to authorized users. This is accomplished by providing
clientless, browser-based access to Web-based resources using HyperText Transfer
Protocol (HTTP) reverse-proxy technology. Unlike a forward proxy, which operates
between a corporate intranet user and an Internet Web site, a reverse proxy
operates between a remote user on the Internet and an enterprise Web site. With
this approach, a single point of entry over the Internet - the SSL VPN gateway -
lets remote users access back-end Web servers securely through a Web browser.
This approach delivers fast, secure, on-demand access to Web-based
information, and scales to authorize users on a global scale. The security
benefit is that corporate Web servers stay behind the firewall, on a protected
portion of the private network, and are never exposed directly to
unauthenticated Internet traffic; the gateway does not remove the need to patch
them, however, since an application-level flaw remains reachable by any user the
gateway admits to that path. Additionally, administrators gain granular access
control to directories, servers, and paths on a user or group basis.
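As an added illustration (not code from the original article or from Netilla), the following Python sketch shows the three per-request decisions a reverse-proxying gateway makes for Web traffic: mapping the external path back to an allowed internal server, applying a per-group ACL to directories and paths, and rewriting links in returned HTML so they come back through the gateway. The gateway origin, internal host names, groups and ACL are assumed for the example; note the path normalisation, without which `..` segments and doubled slashes would let a request be judged against a looser rule than the one the backend actually serves.

```python
"""Reverse-proxy decisions an SSL VPN gateway makes for a Web request:
map the external path to an allowed internal server, normalise the path,
apply a per-group ACL to directories and paths, and rewrite links in the
returned HTML so they come back through the gateway.

Added example, not Netilla's code. The gateway origin, internal host names,
groups and ACL are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

GATEWAY = "https://vpn.example.com"  # assumed external origin of the gateway

# Internal Web servers the gateway may reach, and the scheme to use on the
# inside. Any other host is refused, so the gateway cannot be turned into an
# open proxy into the intranet or back out to the Internet.
BACKENDS = {"intranet.corp.local": "http", "hr.corp.local": "https"}

# Per-group ACL on (host, path prefix): the longest matching prefix wins,
# and a request matching no entry is denied.
ACL = [
    ("intranet.corp.local", "/",        {"employees", "partners"}),
    ("intranet.corp.local", "/eng",     {"employees"}),
    ("hr.corp.local",       "/",        {"employees"}),
    ("hr.corp.local",       "/payroll", {"hr-admins"}),
]

_PROXY_PATH = re.compile(r"/proxy/([A-Za-z0-9.-]+)(/.*)?")


def _under(path, prefix):
    """True if path is prefix itself or lies inside that directory."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def resolve(external_path):
    """'/proxy/<host>/<rest>' -> (host, normalised path), or None if the host
    is not an allowed backend."""
    m = _PROXY_PATH.fullmatch(external_path)
    if not m or m.group(1).lower() not in BACKENDS:
        return None
    # Decode once, then collapse '.' and '..' so '/eng/../payroll' is judged
    # as '/payroll' rather than slipping under the looser '/' rule. normpath
    # keeps a leading '//' (POSIX allows it), so squash that too; otherwise
    # '//eng' would match '/' here but '/eng' on the backend.
    path = posixpath.normpath(unquote(m.group(2) or "/"))
    path = "/" + path.lstrip("/")
    return m.group(1).lower(), path


def authorize(groups, host, path):
    """Most-specific ACL entry for (host, path); allowed if the user is in one
    of its groups. Default deny."""
    best = None
    for acl_host, prefix, allowed in ACL:
        if acl_host == host and _under(path, prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, allowed)
    return best is not None and bool(set(groups) & best[1])


def handle(groups, external_path):
    """Per-request decision: the internal URL to fetch, or None to refuse."""
    target = resolve(external_path)
    if target is None:
        return None
    host, path = target
    if not authorize(groups, host, path):
        return None
    return f"{BACKENDS[host]}://{host}{path}"


# href/src/action attributes pointing at absolute http(s) URLs. Host:port
# forms and relative links are not handled here; a real rewriter also needs
# to cover redirects (Location headers), cookies and script-built URLs.
_LINK = re.compile(
    r"""(href|src|action)=(["'])(https?://)([A-Za-z0-9.-]+)(/[^"']*)?\2""",
    re.IGNORECASE,
)


def rewrite_html(html):
    """Point links at internal servers back through the gateway; leave links
    to anything else untouched."""
    def repl(m):
        attr, quote, _scheme, host, path = m.groups()
        host = host.lower()
        if host not in BACKENDS:
            return m.group(0)
        return f"{attr}={quote}{GATEWAY}/proxy/{host}{path or '/'}{quote}"
    return _LINK.sub(repl, html)


if __name__ == "__main__":
    print(handle({"employees"}, "/proxy/intranet.corp.local/eng/build.html"))
    print(handle({"employees"}, "/proxy/hr.corp.local/eng/../payroll/run"))
    print(rewrite_html('<a href="http://intranet.corp.local/eng/">Eng</a>'))
```

The ACL is evaluated on the normalised path and the same normalised path is what gets sent to the backend, so the rule that was checked is the rule that applies; keeping those two in step is the whole point of doing the normalisation in the gateway rather than trusting the backend to interpret the raw string the same way.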
Desktop Application Access: Client/Server over SSL Tunneling
The two clientless remote-access methods described above meet the access
needs of most remote users. However, some end users may need to use local
client/server applications, such as email or CRM programs, already installed on
their computers. These are typically local applications that exchange data with
backend host servers while also supporting offline use (an example is
Microsoft's Outlook client and Exchange server for email). These applications
often reside on company-owned computers that are managed by MIS staff. In these
cases, network-layer access somewhat similar to an IPSec VPN is appropriate, and
it can be provided via SSL tunneling technology.
SSL Tunneling: The Technology and its Benefits
Typically, desktop
application access via an SSL tunnel is supported through a VPN adapter that is
downloaded and installed the first time a user logs into the remote-access
system for client/server access. The virtual adapter negotiates the secure SSL
tunnel via the user's Web browser. No changes to the client/server application
itself are required; if the network administrator has authorized an application
for a user, that application can be used over the SSL tunnel, without needing
special configuration or help-desk intervention.
Leading SSL VPN gateways are well-suited for these desktop client/server
arrangements - and provide key benefits over an IPSec approach:
- IPSec VPNs: network-layer IPSec VPNs create a peer-to-network connection
between remote users and the corporate network, without easy application
authentication and authorization.
  SSL VPN tunneling: an integrated dynamic firewall limits access to the
client/server applications on a per-user basis.
- IPSec VPNs: require multiple firewall ports opened on the corporate network.
  SSL VPN tunneling: all traffic is multiplexed over a single port, 443, which is
already open to secure Web traffic. The result is no firewall configuration and
less complexity.
- IPSec VPNs: do not work well with NAT-enabled devices (IPSec NAT traversal,
NAT-T, which encapsulates ESP in UDP on port 4500, addresses this).
  SSL VPN tunneling: a secure SSL tunnel communicates over Network Address
Translation (NAT) connections easily, without requiring router re-configuration.
- IPSec VPNs: require that the client's private key/shared secret or certificate
be installed and maintained on the PC.
  SSL VPN tunneling: a successful login creates a secure token for authenticating
the SSL tunnel via the user's browser on a per-session basis, simplifying
security management.
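The last two rows of the comparison, the per-session token and the per-user dynamic firewall, are shown together in this added Python example (not code from the article or from Netilla). The gateway issues an HMAC-signed token after login that names the user, the applications policy grants them, and an expiry; the tunnel then asks `permit_flow` before letting any flow through, so a client only ever sees the (host, port) pairs its token names. The signing secret, users, applications and ports are assumed; a real gateway would also bind the token to the TLS session it was issued over.

```python
"""Per-session token for the SSL tunnel and the per-user "dynamic firewall"
that consults it for every flow the virtual adapter wants to send.

Added example, not Netilla's code. The signing secret, users, applications and
ports are constructed; a real gateway would keep the secret in its own store
and bind the token to the TLS session it was issued over.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SECRET = b"constructed-gateway-secret-rotate-me"  # assumption: gateway-held key

# Constructed policy: which (host, port) each named application lives on, and
# which applications each user may reach over the tunnel.
APP_TARGETS = {
    "mail": ("mail.corp.local", 993),
    "crm":  ("crm.corp.local", 8443),
}
USER_APPS = {"alice": {"mail", "crm"}, "bob": {"mail"}}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(user, ttl=3600, now=None):
    """Called after a successful login: an HMAC-SHA256 signed claim set that
    names the user, the applications policy grants them, and an expiry.
    Nothing long-lived is installed on the PC; the token dies with the session."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "apps": sorted(USER_APPS.get(user, ())),
        "exp": int(now + ttl),
        "sid": _b64(os.urandom(16)).decode(),  # unique per session
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    return body + b"." + mac


def verify_token(token, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None.
    The MAC is checked before the body is parsed, and in constant time."""
    now = time.time() if now is None else now
    parts = token.split(b".")
    if len(parts) != 2:
        return None
    body, mac = parts
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def permit_flow(token, dst_host, dst_port, now=None):
    """The dynamic firewall rule: a tunnelled flow is allowed only if the
    session token is valid and names an application living at (host, port).
    Everything else on the corporate network stays invisible to the client."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return any(
        APP_TARGETS.get(app) == (dst_host, dst_port) for app in claims.get("apps", [])
    )


if __name__ == "__main__":
    tok = issue_token("alice")
    print(tok.decode())
    print(permit_flow(tok, "mail.corp.local", 993))   # True
    print(permit_flow(tok, "files.corp.local", 445))  # False
```

Because the allowed applications travel inside the signed token, a client that edits the claim set to add an application invalidates the MAC and loses the tunnel entirely, which is the property that makes this a firewall and not a suggestion.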
Policy and Network Security: The Application Layer Proxy
When supporting clientless access to legacy applications and operating
as an HTTP reverse proxy for Web applications, SSL VPN gateways can deliver
their rich set of application-access modes as a true application-layer proxy.
SSL VPNs take their name from the SSL/TLS protocol that protects the session;
in the proxy modes described here the gateway works at layer seven - the
application layer - of the Open Systems Interconnection (OSI) model. IPSec VPNs,
by comparison, operate at the network layer.
Operating at the
application layer provides visibility into application data, affording network
administrators new opportunities to enforce security policy before the user's
traffic reaches the application server at the data center. In this way, certain
SSL VPN solutions can implement dynamic policy-based access to application
resources from a single point of administration.
As Figure 2 (below)
shows, the SSL VPN gateway protects these internal resources by "intermediating"
the connection between remote-client requests and server-based applications,
terminating incoming connections from the remote user at the application layer.
Once the incoming request is terminated (the "termination gap"), the
appliance processes and translates the data to the appropriate backend
application protocol such as:
- Remote Desktop Protocol (RDP) for Windows applications residing on Windows
Terminal Servers
- X11 over SSH for UNIX or Linux applications
- 3270 (mainframe) and 5250 (AS/400) terminal sessions over Telnet
- HTTP/HTTPS for Web servers
About the Author
Ken Araujo is Chief Technology Officer and Senior Vice President of Engineering
at Netilla Networks, Inc., a provider of SSL VPN solutions.
Notes to the figure:
(1) The user launches a browser and enters the URL of the gateway. (2) The
thin-client application data (or HTTP) is secured via SSL and sent over the
Internet to the proxy. (3) The gateway terminates the data stream, enforces
authentication policy, and translates the data to the application server's
protocol. (4) The gateway sends the converted data to the target application
server on the private network. (5) The server-based application responds to the
gateway. (6) The browser displays legacy application screen updates (or
rewritten HTML) to the remote user.
The Termination Gap: Enforcing Policy at the Network Edge
During an SSL VPN gateway's "termination gap" - the point between terminating
and translating incoming data - a unique opportunity exists to poll external
authentication and policy servers, such as Active Directory or Lightweight
Directory Access Protocol (LDAP) directories, to verify user identities and
authorize specific application access. By analyzing the terminated application
data and enforcing the appropriate security policy, the gateway acts as a secure
sentry between the public Internet and the enterprise network.
This
scenario illustrates an application-layer VPN in action - the user messages are
not sent directly to the application server on the private network, but rather
terminated by the SSL VPN gateway, processed with policy and security,
translated to the appropriate back-end protocol, and transmitted via a new
connection to the application server. The gateway enforces authentication and
policy before allowing the data streams to reach the application server,
protecting private network resources in a uniquely effective way unmatched by
traditional remote-access solutions.
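The intermediation described in this section, as an added Python example that is not code from the article or from Netilla: the client's connection ends at the gateway, the user is authenticated against a directory and checked against policy, and only then does the gateway open a connection of its own to the application server, speaking that server's protocol. Plain TCP on the loopback interface stands in for the TLS-terminated browser session, a dict stands in for Active Directory/LDAP, and the backend speaks a made-up one-line protocol in place of RDP, Telnet or X11; all names, credentials and ports are assumed.

```python
"""An application-layer gateway in miniature, showing the "termination gap":
the client's connection ends at the gateway, the user is authenticated and
authorised there, and only then does the gateway open a new connection of its
own to the application server and translate the request into that server's
protocol. The client never holds a socket to the backend.

Added example, not Netilla's code. Plain TCP on 127.0.0.1 stands in for the
TLS-terminated browser session; the directory and backend protocol are made up.
"""
import hmac
import socket
import threading

# Constructed directory: password and the applications policy grants each user.
DIRECTORY = {
    "alice": {"password": "alice-pw", "apps": {"payroll"}},
    "bob":   {"password": "bob-pw",   "apps": set()},
}
# Application name -> backend (host, port); filled in once the backend listens.
APPS = {}


def _listen(handler):
    """Bind an ephemeral loopback port and serve each connection on a thread."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)

    def accept_loop():
        while True:
            conn, _ = sock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return sock.getsockname()[1]


def _recv_line(conn):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def backend_handler(conn):
    """Stand-in legacy application server. It trusts whatever reaches it, which
    is exactly why nothing may reach it except the gateway."""
    with conn:
        line = _recv_line(conn)
        if line.startswith("QUERY "):
            conn.sendall(f"RESULT {line[6:].upper()}\n".encode())
        else:
            conn.sendall(b"ERROR unknown verb\n")


def authenticate(user, password):
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    ok = hmac.compare_digest(entry["password"].encode(), password.encode())
    return entry if ok else None


def gateway_handler(conn):
    """The termination gap: parse the terminated request, decide, then forward."""
    with conn:
        # Constructed client line, standing in for an HTTPS request carrying
        # the session's credentials: "<user> <password> <app> <text>".
        parts = _recv_line(conn).split(" ", 3)
        if len(parts) != 4:
            conn.sendall(b"DENY malformed request\n")
            return
        user, password, app, text = parts
        entry = authenticate(user, password)
        if entry is None:
            conn.sendall(b"DENY bad credentials\n")
            return
        if app not in entry["apps"] or app not in APPS:
            conn.sendall(b"DENY not authorized for application\n")
            return
        # Only now does any backend connection exist, and the gateway owns it.
        with socket.create_connection(APPS[app], timeout=5) as upstream:
            upstream.sendall(f"QUERY {text}\n".encode())  # backend's own protocol
            reply = _recv_line(upstream)
        conn.sendall(f"OK {reply}\n".encode())  # translated back for the client


def client_request(gateway_port, user, password, app, text):
    """What the remote browser or applet does: it talks to the gateway only."""
    with socket.create_connection(("127.0.0.1", gateway_port), timeout=5) as s:
        s.sendall(f"{user} {password} {app} {text}\n".encode())
        return _recv_line(s)


def demo():
    """Bring up backend and gateway and run four requests through the gap."""
    APPS["payroll"] = ("127.0.0.1", _listen(backend_handler))
    gw = _listen(gateway_handler)
    return [
        client_request(gw, "alice", "alice-pw", "payroll", "show balance"),
        client_request(gw, "alice", "wrong-pw", "payroll", "show balance"),
        client_request(gw, "bob", "bob-pw", "payroll", "show balance"),
        client_request(gw, "alice", "alice-pw", "crm", "show balance"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Three of the four requests are refused inside the gap without a single byte reaching the backend, which is the difference from a network-layer VPN: there, the same three requests would have arrived at the application server and been left for it to reject.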
SSL VPNs: Flexible, Secure Remote Access In One Platform
Security is the cornerstone of any
remote-access implementation; it is axiomatic that good security is easily
managed security. SSL VPN appliances can quickly integrate into the network,
providing companies with a rapid-deployment solution without modifications or
interruptions to existing application servers and security mechanisms.
Today's
premier SSL VPN gateways consolidate key security features into a unified,
hardened appliance. Security elements including authentication, policy, and
encryption are bundled into the platform for fast and reliable deployment. The
result is a low-maintenance, easily managed solution whose rich feature set
cannot be matched by other integrated VPN offerings.
With a rich
variety of access modes, dynamic policy protection over network resources, and
overall ease of use, the most advanced SSL VPN gateways can help boost an
enterprise's productivity, revenue potential, and customer reach.