Evolution of the species

At Cleveland Hopkins International Airport, providing remote access to sensitive applications, including a SCADA system for power management and a system for monitoring runway conditions, was a tricky proposition.

Remote control could save time and money because employees could fix problems from anywhere if needed – for example, a power problem in the middle of the night. But expanding the airport's IPsec VPN would expose the systems "to an all-or-nothing type of remote-access environment," says Mark Hogan, chief of business management at Cleveland Hopkins.

Not at all comfortable with that risky scenario, Hogan and his staff found an alternative – an SSL VPN from Caymas Systems, which allowed Hogan to limit what remote users could see by tying access to their identities. "It's as granular as we want it to be," he says. "You can let someone see this directory, but not these files, or let them have access to a single application."

In addition to its power management and runway systems, the airport uses the Caymas device to provide access to email and PeopleSoft finance apps on the road.

Like Cleveland Hopkins, many organizations are deploying SSL VPNs for remote access to critical applications. Eager to forgo the cost and hassle of installing VPN clients on individual workstations, companies are entrusting the browser-based technology with not only email and office applications, but also financial, ERP and custom systems.

But while SSL VPNs make for easier deployment and offer more granular access controls, they make endpoint security critical. And though SSL VPN has grown to integrate with more applications, companies can still run into compatibility problems.

A big factor behind the enterprise push towards SSL VPNs is that vendors have expanded their support for more than web applications, says Michael Suby, analyst at Stratecast, a division of research firm Frost & Sullivan.

Mike Salas, founder and vice-president of strategy at Britestream Networks, agrees that SSL VPNs have become more adept at providing seamless access to enterprise applications, such as Oracle's.

Indeed, global specialty chemicals manufacturer Johnson Matthey USA has expanded use of its AEP Netilla Security Platform SSL VPN from email and Office apps such as PowerPoint to a diverse mix of 100 applications, says Randy Colone, technical services manager there. That mix includes legacy green-screen programs on an AS/400, which get terminal emulation through Netilla, and JD Edwards financials.

"[With SSL VPN] it's just very easy to deploy new applications and maintain them," says Colone.

Colone says the lack of client software sold his company on the technology. In fact, many companies are rolling out SSL VPN solutions because their clientless nature makes deployment and maintenance so much easier than IPsec VPNs, which is a huge benefit from a total cost of ownership perspective, notes Michele Araujo, senior product manager at Symantec.

Before they take the plunge, companies are taking a hard look at security of the SSL VPN gateway to ensure that it is as secure as an IPsec gateway and will not open up new avenues into the network for intruders. At Cleveland Hopkins, a third-party firm rigorously tested the security of the airport's Caymas system and it came through with flying colors.

Experts cite SSL as a tried-and-true security protocol. Overall, however, "security purists" say that IPsec is more secure, states Barry Porozni, CTO at mobile security provider Fiberlink.

"There are shades of gray involved. It's not like going from a Volkswagen Beetle to an Audi, but it is a degree more secure, so someone with extremely high security requirements... would probably consider IPsec over SSL," he says.

More vulnerabilities have been found with SSL than IPsec, he adds, but the key aspect is that a VPN client provides a protective barrier: "With SSL, you only need to know a URL and then you have a degree of connectivity and a point for a hacker to try to crack the system."

Because of the client's intrinsic role in the IPsec VPN model, a company usually has some knowledge about the system seeking remote access – for example, whether it has local firewall and antivirus protection, notes Dean O'Campo, product marketing manager at Check Point. That control disappears with an SSL VPN, because the mix of endpoints widens, from company-owned PCs to home PCs or even internet kiosks.

Consequently, firms are looking for ways to inspect endpoint security before connection, then dictate what that endpoint is allowed to access, he says.

Most SSL VPNs have added varying capabilities for checking host security, says Stratecast's Suby. So some companies deploy additional endpoint security. For example, Raymond James Financial uses WholeSecurity software in conjunction with its SSL VPN to scan systems for malicious code before they are allowed to connect to the network. That layered model provides better security assurance, says Gene Fredriksen, the firm's CISO.

"It's one of the things that a lot of people don't think about when they go down a VPN path," he says. "For all intents and purposes, it's like allowing this [remote] machine to plug directly into your backbone."

For Johnson Matthey, RSA SecurID tokens – which provide two-factor authentication – add a layer of protection to its SSL VPN. "Once we had RSA... in place, it was a done deal as far as security [was concerned]," says Colone.

Cleveland Hopkins already requires a stronger password with more characters for remote users of its Caymas SSL VPN, but plans to add SecurID.

Security aside, companies can run into more management concerns with SSL VPNs than they expect.

The technology is great for companies that have taken the time and money to "webify" their business applications at the backend, says John Gray, portfolio brand manager for VPNs at Nortel Networks. But for applications that are not sufficiently web-enabled, SSL VPNs will download Java applets or Active X controls to the end user.

"At that point, the end user starts to get involved, from needing particular versions of Java, Firefox or Explorer," says Gray. "What started off as a simplified 'get a web browser and have at it' suddenly gets to a complex deployment."

Robert Hopkins, senior consultant at IT services firm Optimus Solutions, agrees. Compatibility problems can crop up if the SSL VPN uses pop-ups to maintain connectivity and a user's web browser blocks pop-ups, or the client system has a version of Java that the SSL VPN does not support, he says.

User education also comes into play with the cache-scrubbing feature of SSL VPNs. Users need to know that they must properly close out their connection otherwise the cache will not be scrubbed.

And some apps, such as Lotus Notes, perform much better for the user via IPsec than SSL, says Fiberlink's Poronzi.

But Cleveland Hopkins has not run into any problems so far – performance or otherwise. It even plans to test how Caymas would handle the most sensitive of applications – physical security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.