SSL VPNs are quickly gaining popularity as serious contenders in the remote-access marketplace.
Analysts predict that European end-user VPN product and service expenditures will grow 150 percent from $5.4 billion to $12.2 billion between 2002-2006, and that the SSL-based solutions, which are also known as application layer VPNs, will be the dominant method for remote access, with 80 percent of users utilizing SSL (Meta Group). It's not surprising that SSL VPNs will become the dominant force. They are secure, simple to use, rapid to install, and offer a low cost of ownership without needing to train anyone to use them.These systems are also perfect for locations that combine multiple application platforms (e.g., Windows, web, UNIX, mainframe, etc.), into a typical networking environment. SSL VPN's offer real-time access to centralized information with easy accessibility, from any terminal or device – remote, in-house or even wireless. Remote users gain access to specific applications that are presented to them directly within their web browser. This means that any authorized user can gain the use of key applications without having to install or configure any software on their PCs. By delivering centralized applications in a clientless manner – over the internet, with just a web browser –authorized users gain an head office computing experience from anywhere in the world. They give the user the illusion that they are almost sitting at their office desk – literally being able to access their office applications, changing databases, updating the diary, amending documents, picking up and sending emails, altering spreadsheets, access to their intranet – in fact doing everything you would do as if you were sitting by your desk.
SSL VPNs are also well suited for organizations that have a variety of users with differing levels of trust. As a single appliance solution, SSL VPNs allow an organization to control what pre-defined "groups" of remote users can see or use, for different members of an organization's staff, such as the CEO, finance, sales, engineers, partners, suppliers or even customers. This means that organizations can meet the access needs of different remote users quite easily, anywhere, anytime with flawless security.
There are three application access methods that an SSL VPN can use. The first is a "thin client" approach, where the remotely accessed application resides on an application server in the head office. This method actually turns the company's non-web enabled applications – running on Microsoft terminal servers, UNIX/Linux servers, even mainframe computers – into web-enabled applications, and does so instantly, without any need for costly re-writing or application re-development.
The second approach is called Web Reverse Proxy, which enables secure remote access to applications that have already been web enabled, but often reside on the company's secure intranet, and are not easily accessable by remote users. SSL VPNs provide this functionality with unique HTML re-write engines, that mask the URL and web application source code, allowing users to access internal web pages from any remote location, with utmost security.
The third application access method provided by SSL VPNs is called SSL Tunnelling. This allows users to work with local client/server applications that "synch" with a remote office server for secure data exchange. (These applications are often referred to as a "FAT Client"). SSL Tunnelling is similar to the approach employed by traditional IPSEC VPNs, where access to the network is granted directly to authorized users though the firewall. However, IPSec VPNs require special VPN client software on the remote computer, uniquely configured for the remote network. This costly and high maintenance requirement goes away with SSL VPNs, which leverage the web browser as a ready-made access client.
SSL VPNs also offer the advantage of rapid deployment. All that is needed to set up access to the SSL VPN is the SSL VPN appliance itself and the appropriate application servers that host the business applications back in the head office. These include Windows Terminal Servers or Citrix servers for Windows applications, UNIX servers for UNIX or X Window applications, mainframes for 3270 mainframe applications, or web servers for access to web-based applications. The only requirement for remote users is Internet access and a web browser, making the solution virtually self-deploying to the remote site.
Here are the 10 reasons why SSL VPNs are going to revolutionize the way we work.
Clientless deployment: SSL VPNs make sense because they adapt widely deployed internet and ecommerce technologies such as web browsers and their built-in SSL (secure sockets layer) encryption and digital certificates that give remote workers VPN-type connectivity to the workplace. Standard IPSec-based VPNs require users to download and configure special IPSec clients onto their PCs, which can be complex and time-consuming.
Security: SSL VPNs provide security on multiple levels. User data streams are encrypted using 128-bit SSL encryption, the same technology that protects millions of daily ecommerce transactions. The SSL VPN appliance also acts a secure gateway into the private network, controlling access from a single point.
Simplicity for users: Anyone who can use a web browser can easily reach their business applications using an SSL VPN. They simply log into a special URL, type their username and password, and are presented with their authorized applications just as if they were in the office.
Rapid deployment: Most SSL VPNs can be activated in less then a day – often in just an hour or two. There's no need to reconfigure application servers or other elements of the network infrastructure, nor distribute client software to remote users.
Promoting a flexible work environment: Organizations are deploying SSL VPNs to meet their employee requirements for flexibility – as mandated in laws such as the Flexible Work Act.
Fast response to emergencies: A recent Gartner report recommended that their clients look into VPN technologies as a means of allowing employees to work from home in the event of an emergency.
Lowered total costs of ownership: The simplicity of SSL VPNs leads to dramatically lower help desk costs, since there is no need to install, configure and maintain PC clients on users' remote PCs. As a result, Netilla estimates that SSL VPNs are up to 40 percent less expensive than IPSec-based VPNs in terms of total cost of ownership over a multi-year period.
Ability to access any application: Recent SSL VPNs from vendors such as Netilla can now provide secure remote access to virtually any enterprise application – including client/server applications (in Windows, Unix, Linux, AS/400, Citrix or mainframe environments) as well as web applications.
Application-layer proxy design: Many SSL VPNs use an application-layer proxy design that acts as a secure buffer between incoming user requests on the public internet and back-end application servers, which protects network infrastructure. The SSL VPN appliance terminates user requests, authenticates them and enforces policy, then forwards the request onto the appropriate application server.
Future-proof design: SSL VPNs are fundamentally open technologies, as they employ standard web browsers, SSL encryption and standard interfaces (although products from various vendors can be highly differentiated). As such, they are well positioned to support new technologies such as wireless and PDA access. IPSec VPN implementations, in contrast, typically include more proprietary technologies that can pose compatibility problems.
Calum Macleod – european director for Netilla Networks, Inc.
