This month we looked at nine SSL VPNs (secure sockets layer virtual private networks), and the range of products indicates that the genre is maturing rapidly. We tested both appliances and software products, including one that came to us on a thumb drive. Another test subject was based on open source tools, but was remarkably well developed and reasonably priced. Some products were part of multi-purpose devices, while others were intended to be added to individual servers to facilitate secure access to individual assets.
All in all, we found that there are excellent solutions to just about any user-to-enterprise VPN challenge. Prices ranged from very low to rather high. All of these factors comprise a market segment that is mature or, at least, nearly so. That contention is supported by the general high quality and usability of the products we tested.
In prior group reviews, I have commented that today's complex systems often require complicated solutions to difficult challenges. SSL VPNs are the exception to this generalisation. We found the products on the whole fairly simple to deploy and reasonably transparent to use.
The benefit of SSL VPNs is that there is no special client required. Users connect through a browser and set up an SSL session that provides an encrypted TCP mode. In that regard, these products don't tunnel as some VPNs do. The time to use this type of approach is when you have moderate security requirements for a very large or an uncontrollable community of users. Examples include applications such as moderately secure customer connections to assets over the internet. A customer community falls in both the large and uncontrollable community, because you have no idea who your customers might be until they identify themselves. Likewise, when customer ease of use is a requirement, SSL can offer an excellent option.
I emphasise the notion that SSL is "moderately secure" for an important reason. A cursory search of the National Vulnerability Database yields 174 matches for vulnerabilities relating to SSL. There have been 11 reported in the last three months. This suggests that SSL is a target of exploitation and must be watched carefully.
There is also a common misconception about SSL that needs to be clarified, which is that it provides access control as well as confidentiality. It does not. SSL packets, once the initial connection is made, authenticate to the packet stream, not the application or device. This ensures that the entire stream is encrypted but says nothing about whether the user is allowed to access the asset in question. That authentication requires additional capability such as some sort of multi-factor authentication, ID/password or certificate scheme.
SSL offers moderate to good confidentiality and, in combination with an additional authentication process, can provide a full-featured access system. We tested products that added authentication capabilities to the SSL encryption within the same product for full-featured access capability.
How we tested
We set up two networks that connected through a router. On one network we placed the asset to which we wanted to provide access, and on the other we put a client with an IE 6.0 browser. We set up each product to protect the asset and attempted connection with the client both without and with authorisation where the product offered authentication.
We attacked the device under test and the protected asset in an attempt to crack the VPN or circumvent it. We scanned for vulnerabilities with NetClarity, which currently offers more than 10,000 vulnerability tests and used Core Security's Impact penetration tool in its current release (6.0). We were especially concerned about the ability to violate the SSL server itself. We found several products that had versions of SSL that were considered old or were unpatched for common vulnerabilities.
In general, the products we tested were secure based on current known vulnerabilities. We were unable to defeat any of the products' SSL implementations, although some responded to NetClarity's probes by indicating that they were an earlier, and potentially vulnerable, version of SSL. In no case, however, were we able to exploit the vulnerability using Core Impact. We conclude, therefore, that although the version of SSL may have security flaws, they had been patched.
So, to sum up, today's crop of SSL VPNs is, in general, quite competent. There is likely to be a product for you, but be sure that your application is appropriate for the genre. Not all remote VPN access is a good match for SSL.
