The Buyer's Guide presents vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to http://www.windowsitpro.com/buyersguide.
Not having access to your company's network and applications when you're on the road or working at home can seriously compromise your ability to do your job. Various solutions are available to deal with this problem, however. A VPN encrypts data so that you can securely connect to your office network over the Internet. Remote access clients connect to your company's VPN gateway. This Buyer's Guide looks at Secure Sockets Layer (SSL) VPN, a special type of remote access technology that complements the secure gateways and network-based VPN technology that most companies already have. But not all SSL VPN products provide the same level of access that traditional VPN does, and SSL VPN capabilities vary dramatically by vendor and model. SSL VPN products provide advantages over the other solutions, however, and are a viable alternative to traditional VPNs. This Buyer's Guide describes SSL VPN's remote access capabilities as well as some other features to consider.
SSL VPN Advantages
SSL VPNs share the security and configuration elements of traditional firewalls and other network-based VPN solutions, which makes them familiar to security administrators. But SSL VPNs have different features. Most firewalls let you publish Web applications to the Internet through a port, Network Address Translation (NAT), or network routing but don't encrypt data beyond the encryption that the applications might (or might not) provide. IP Security (IPSec)– and PPTP-based VPNs let users connect to a remote network as if they're plugging directly into a LAN and typically encrypt all data between the client and the VPN server. However, most VPNs require special client software. SSL VPNs use a Web browser to give remote workers access not only to internal Web sites but also to applications and file servers.
An SSL VPN uses encrypted Web-based protocols, such as SSL and Transport Layer Security (TLS), that access the Internet through TCP port 443—the port encrypted Web pages use. Because encrypted (e.g., HTTP Secure—HTTPS) Web traffic uses the same port, many firewall administrators keep this port open and therefore don't require special firewall provisions for SSL VPNs. An SSL VPN also doesn't have the NAT problems that IPSec and PPTP sometimes encounter. For these reasons, many remote users have more success using an SSL VPN than a traditional VPN.
Types of Access
Many SSL VPN products provide two types of client access: a basic Web browser for accessing Web-based content and a proprietary client for accessing non-Web-based applications and file servers. Other products use a Web browser to access both Web-based content and internal resources such as Common Internet File System (CIFS)/ Server Message Block (SMB) file servers. More sophisticated SSL VPN gateways provide additional network access through downloadable ActiveX components, Java applets, and installable Win32 applications. These add-ons let remote users access a wide range of applications, such as Citrix MetaFrame, Microsoft Outlook, NFS, Remote Desktop, Secure Shell (SSH), and Telnet. Not all SSL VPN products support all applications, however.
Make sure you understand what network traffic various products support. Some vendors claim to support specific applications. Others claim to support all network traffic, but they might support only UDP- and TCP-based applications, not all the protocols that traditional VPNs support (e.g., Internet Control Message Protocol—ICMP). SSL VPNs typically support cross-platform browsers and work with most popular browsers such as Apple Computer's Safari, Microsoft Internet Explorer (IE), The Mozilla Foundation's Firefox, and Netscape. ActiveX technology, however, is compatible only with IE.
Other Factors to Consider
SSL VPNs support a rich suite of authentication methods and protocols such as Active Directory (AD), Lightweight Directory Access Protocol (LDAP), Windows NT LAN Manager (NTLM), Remote Authentication Dial-In User Service (RADIUS), and RSA Security's RSA ACE/Server and RSA SecurID. Many SSL VPNs have single sign-on (SSO) capability. How long SSL VPN sessions remain active is also an important consideration. Some products time out after a period of inactivity; others break the connection only when you close the browser.
An Easy-to-Access Tool
SSL VPN provides a useful option for accessing internal networks. Although it doesn't generally offer the robust network-level access that traditional VPNs do, it provides access to a variety of applications through a widely available tool—the Web browser.