SSL-based VPNs use an SSL/proxy server that sits behind the corporate firewall. A user wishing to securely connect to a company's network enters a URL that brings them to a proxy server. The user is authenticated by the proxy server, and the SSL/proxy server provides the link between various application servers and the remote user.

The advantage over a traditional IPSec VPN is that no special client software is required. All a user needs is a Web browser that supports SSL. In contrast, traditional VPNs require client software--a sticking point to VPN deployment for many companies. Businesses often encounter problems deploying the software to users' computers and have trouble configuring it correctly. In some cases, the VPN client software creates conflicts with other applications (particularly dialer programs that might share common system resources).

Over the last few years, many VPN vendors have improved client software to ease distribution, installation, and configuration. Many CIOs have also adopted deployment methodologies that reduce problems. For instance, in some enterprises remote users, such as sales reps, bring laptops into the home office to have the VPN software installed by the IT staff rather than by the user. This way, the tech specialist can resolve any problems on the spot rather than trying to troubleshoot over the phone. Such complications can be avoided with an SSL-based VPN because the user simply uses a Web browser and enters the URL of the SSL/proxy server.

A handful of vendors, including Aventail, Neoteris, NetSilica, and Netilla Networks, are offering SSL-based VPNs. Yo.net offers a VPN alternative that uses SSL and an authentication gateway to provide secure end-to-end access between a remote user's computer and a wide range of systems, applications, and network services. All but Aventail, which specialises in large corporate and extranet connectivity, are new to the marketplace. Aventail offers both IPSec and SSL-based VPNs.

The pros and cons of SSL-VPNs
On some levels, the two VPN approaches offer comparable features. Both are encrypted, though with different algorithms. SSL uses 40 or 128-bit RSA encryption, while IPSec uses 168-bit Triple-DES encryption.

Since SSL is a Web encryption technique, it might seem that SSL-based VPNs would be subject to another major limitation, since most corporate applications are not delivered through the Web. There are ways round this -- by using a proxy, such as the box from Netilla or a similar vendor, to deliver access through Windows terminal server. However, even without this addition, the SSL-based approach is proving very useful for some.

"We have two types of users--employees and customers--each needing access to different information," explained Andrew Goldstone, a network administrator at a medical supply company. "Employees need access to everything, including a network-based e-mail system, our CRM application, and some custom-developed client/server applications," said Goldstone. Using IPSec VPNs, Goldstone can provide remote access to all of these applications.

Goldstone acknowledges a slightly different scenario when it comes to customers. "They only need access to an order tracking system, which is Web-based, so we use an SSL approach."

While some might find the limitations of SSL-based VPNs a major hurdle, the shortcoming may quickly diminish as many companies move to Web services-enabled applications. Such applications would be accessible using the SSL-based VPN approach. For now, companies requiring secure access to Web applications might want to consider the SSL-based VPN approach as a simpler and easier-to-use alternative to traditional IPSec VPNs.





