What is an SSL VPN and why should you use one?
The two most common types of VPN today include SSL VPN and IPSec VPN. Imagine this scenario – you’re thousands of miles away from your workplace and need to access your company’s intranet portal.
One solution is to make this portal accessible via the Internet, but that can expose the company to a plethora of security risks. After all, different business departments use multiple intranet applications, and publishing them directly on the Internet will open them up to everyone.
A second, and more appropriate, solution is to use a Virtual Private Network (also commonly referred to as VPN). In this article, we’ll take a closer look at what an SSL VPN is, its pros and cons, as well as how it fares against IPSec VPNs.
What is SSL VPN?
An SSL VPN uses the Secure Sockets Layer protocol – or the Transport Layer Security protocol – in web browsers to provide users with the capability of secure, remote VPN access. End-to-end encryption is employed to protect all data transmissions between an Internet-connected device and the server.
Enterprises use SSL VPNs for two main reasons:
- To allow remote employees to gain access to internal corporate resources safely.
- To safeguard the web sessions of users connecting to the Internet from outside the corporate network.
Moreover, SSL VPNs are easy to implement and don’t require installing and maintaining specific client software – just a modern browser! These types of VPNs are also known for their reliable connections. They provide a higher level of client platform compatibility as well as configurations for firewalls and remote networks.
They facilitate access to protected network resources remotely by using an authenticated pathway which encrypts all network traffic from end-to-end. This makes it appear as if the user is on the internal network, regardless of their actual geographic location.
Enterprises can also rest assured that unauthorized parties won’t be able to eavesdrop on network communications and alter or capture sensitive data. So, if you need a secure and flexible remote access solution for contractors, employees, etc., SSL-based VPNs are your best bet.
Since an SSL VPN connection can be initiated from a standard browser, it opens a door to any unauthorized person running a brute-force dictionary attack against your SSL VPN appliance. In such an attack, a remote system uses special software that sequentially (or randomly) guesses a user’s name and password in an effort to gain remote access. This typically involves thousands of unsuccessful login attempts before a valid one is randomly guessed. To eliminate this possibility, Lanwork HIGHLY suggests using Two-Factor Authentication (often called Multi-Factor Authentication) on your SSL VPN appliance. Once you have entered a correct user name and password on your SSL VPN appliance, you are prompted to enter a one-time key to validate that you really are that user. This all but eliminates the dictionary attack method of brute-force unauthorized remote access.
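The pattern described above, thousands of failed logins followed by one valid guess, can be watched for in the appliance’s login log. The following is an added example, not part of the original article: it flags a source address with a burst of failed logins inside a sliding window and, separately, a successful login that arrives right after such a burst. The log layout, the threshold and the window length are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The "timestamp source_ip username result" layout is
# an assumption for this example, not the format of any particular appliance.
SAMPLE_LOG = """\
2024-05-01T09:00:01 198.51.100.7 admin FAIL
2024-05-01T09:00:03 198.51.100.7 alice FAIL
2024-05-01T09:00:04 203.0.113.20 bob FAIL
2024-05-01T09:00:05 198.51.100.7 bob FAIL
2024-05-01T09:00:08 198.51.100.7 carol FAIL
2024-05-01T09:00:09 203.0.113.20 bob OK
2024-05-01T09:00:11 198.51.100.7 dave FAIL
2024-05-01T09:00:14 198.51.100.7 alice OK
2024-05-01T09:30:00 192.0.2.44 erin FAIL
2024-05-01T09:45:00 192.0.2.44 erin OK
"""

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts as (kind, source_ip, username) tuples, in log order."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()                # sources already reported as brute forcing
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts = datetime.fromisoformat(parts[0])
        src, user, result = parts[1], parts[2], parts[3]
        recent = failures[src]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, None))
        elif result == "OK" and len(recent) >= threshold:
            # Valid login straight after a burst: the guessed-password case.
            alerts.append(("success_after_burst", src, user))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A single mistyped password followed by a normal login, as with the two other source addresses in the sample, produces no alert.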
How Does it Work?
As mentioned earlier, an SSL VPN relies on TLS, or the older SSL protocol, to ensure secure remote access from anywhere. It enables authenticated users to create safe connections to internal HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) services via client applications or standard browsers which provide direct access to restricted networks.
Types of SSL VPN
There are two main types that you need to be aware of:
SSL Tunnel VPN
SSL tunnel VPNs allow users to access multiple internal network services securely via standard browsers, as well as other non-web based applications and protocols. The VPN “tunnel” is a link established between the remote user and VPN server, through which they can connect to one or more remote websites at a time on the client’s behalf.
However, this type calls for a browser that handles active content and offers functionality that is otherwise inaccessible through SSL portal VPNs.
SSL Portal VPN
An SSL portal VPN, on the other hand, enables one SSL VPN connection to a remote website. Remote users access the gateway through their browser after authentication. Once inside, a single web page serves as a “portal” to various internal network services.
Advantages & Disadvantages of Using SSL VPN
One of the biggest advantages of SSL-based VPNs is that they use TLS – the technology implemented in today’s browsers. This eliminates the need to install specialized client software and makes it much easier to deploy. Additionally, TLS-created encryption circuits provide greater outbound connection security as opposed to traditional VPN protocols.
Another advantage is that an SSL VPN requires considerably less technical support and administrative overhead than traditional VPN clients, courtesy of their ease of use and dependence on commonly used web clients. Any browser that supports SSL or TLS will do, no matter what operating system is running on the devices of users.
Furthermore, users don’t have to download any additional software or go through complicated steps to set up an SSL VPN. Unlike IPSec or L2TP (Layer 2 Tunneling Protocol), establishing a secure network with an SSL VPN only requires a modern browser.
SSL VPNs can provide administrators with granular access control as they create tunnels to specified applications instead of an entire corporate network. This means that it’s possible to restrict users on an SSL VPN connection to the applications they’ve been authorized to access, and not the entire network.
SSL-based VPNs bring a lot to the table, but they don’t come without certain risks. Considering that users can gain access to the servers remotely, even one user with a device running outdated antivirus software might spread malware to the enterprise’s network.
The split tunneling feature of SSL VPNs, which gives users the ability to route sensitive traffic through the VPN tunnel and send the rest of it over an unprotected channel, can be misused by cybercriminals. That’s because attackers can leverage the unsecured channel of a remote user to execute an assault.
That’s not all, though. If a user has established an SSL VPN connection to an enterprise’s network, leaving the session open can prove disastrous. After all, anyone else with access to that system will be able to wreak havoc on the internal network.
Similarly, using a publicly accessible computer to create an SSL VPN connection isn’t a great idea. Chances are the system doesn’t fulfill enterprise security standards and policies, leaving remote users susceptible to keylogger attacks. In this case, the bad guys could intercept confidential information such as user credentials without much effort.