Fifteen years ago Virtual Private Networks (VPN) access was a fairly new concept to most businesses. While large corporations already had a good head-start with VPN technologies, the rest were starting to realise the potential and possibilities provided by VPN connections provided. Vendors such as Cisco, Checkpoint, Microsoft and many more, started to produce a variety of products that provided VPN services to business. Today, VPN is considered a standard feature in any serious security-router related product and is widely implemented throughout almost all companies.
Early VPN products required, as many still do today, their own client which is usually installed on the remote workstation that requires access to the local network. The encryption methods and supported protocols made them either a very good choice, or simply a very bad one which could be easily compromised. These days, IPSec based VPNs are a standard, using the IP Security protocol and a number of other relative protocols, they provide adequate security and encryption to ensure a session is secure and properly encrypted.
VPN clients are usually preconfigured by the company's IT department with the necessary details and all end users need to do is launch the SSL VPN program and enter their credentials. Once user credentials are verified, they are granted access to the company's network and all associated security policies (such as access control lists) are applied.
We would say that, until recently (last 5 years), one of the major fall backs with VPN solutions was the fact that their vendors would in most cases only support their own VPN client, making the product usable only with their software – a major drawback for most companies. Another big problem with VPN clients is the fact they usually support specific operating systems. For example, many vendors provide VPN clients for Windows based operating systems but few support 64bit operating systems! Linux and Unix systems are usually out of luck when it comes to vendor-based VPN clients but, thanks to the open source community, solutions are freely available .
But these are just a few of the problems vpn-users and administrators are faced with. Getting access to your corporate VPN in most cases requires custom ports to be open through the firewall that's in front. Hotels and public hotspots usually block these ports and only allow very specific protocols to pass through such as HTTP, HTTPS, POP3, SMTP and others.
Web SSL VPN has started to change all that. As the name implies, Web SSL VPN is a popular version of VPNs, moving in a complete different direction from that which most vendors have been used to.
What is Web SSL VPN?
Web SSL VPN is, as the name implies, a web-based VPN client. While this might not mean much to many, it's actually a revolution in VPN technology! By moving from the program-based VPN client to a web-based VPN client, the operating system is no longer a problem. You can download, install and run your web-based VPN client on any operating system without a second thought!
Web SSL VPN works by communicating over standard HTTPS (SSL) protocol, allowing it to pass through almost any proxy or firewall that might be limiting your access. Once connected, a small java-based client is downloaded to the computer's web browser which creates a virtual connection between your computer and VPN concentrator or firewall providing the service.
An early version of Cisco Web VPN client, being downloaded and preparing its installation
The great part about Web SSL VPN is that it will automatically download if needed on to your computer and install itself. Once your session is over, it can be configured (by the administrator setting up the VPN service) to automatically delete itself from the computer, leaving no trace of the VPN client!
This means that using Web SSL VPN, you can safely log on to your corporate network from another computer, without requiring special certificates installed or group passwords at the user end. All you need to know is your own credentials and the URL to your Web SSL VPN concentrator.
After installation, your connection is established with the corporate Firewall
Another big advantage of Web SSL VPN is that it supports ‘split tunnelling' natively. Split tunnelling is a technique where when connected to a VPN network, only traffic destined for that network is encrypted and passed over the tunnel. All other traffic (e.g Internet browsing) bypasses the tunnel and is sent directly to the Internet as any normal connection. Split tunnelling is a wonderful feature that allows users to do necessary work through the VPN, but also maintain a direct Internet connection. Of course, this feature is easily disabled, again, by the administrator of your VPN concentrator.
Note: WebVPN for Cisco IOS routers is fully covered in our article: Configuring WebSSL VPN AnyConnect on Cisco IOS Routers.
Is Web based VPN Considered Safe?
Fortunately Web based VPN connections do not suffer from the same vulnerabilities as websites and webservers. The technology might use the same protocols (HTTP & HTTPS), however the Web SSL VPN implementation is completely different for most vendors. The non-web server based solution of Web SSL VPN offers a much more secure approach and is generally considered safe. The main difference here is that you've got a dedicated appliance offering a web service, and not a dedicated machine with a buggy operating system and web server full of exploits.
Web SSL VPN is considered to be very secure and capable of encrypting your user sessions so that no data is compromised over the VPN.
Client-Side Security of Web SSL VPN
The latest Web SSL VPN solutions offered have certainly improved in both performance and security requirements for the end user. They are now capable of checking a number of parameters on the host's side to decide whether or not to install. Administrators are able to create their own policies that would allow the Web SSL VPN client to install on a host's PC only if the host has a firewall installed and operating on its system, or if it has a valid up to date antivirus. If any of these requirements are not met, the Web SSL VPN client can fail to install.
VPN Application Support for Web SSL VPN
Early Web SSL VPNs, or First-Generation Web SSL VPNs, supported fewer features and protocols and provided secure access mainly to Intranet web-based application services. Their limited functionality and immaturity did not allow many companies to see them as an alternative to the well-known vpn client program.
As things started to progress and the Second-Generation of Web SSL VPNs came out, there was full support for all IP-based applications. Intranet Web services, File services, ERP services and pretty much anything you can think of is now capable of running through a second generation Web SSL VPN. This is also called a True SSL VPN solution as it completely replaces the IPSec based VPN client used until now.
Today, all Web SSL VPNs offer tunnelling of all IP Services, thereby falling into the second category .
Business Value of Web SSL VPN
While this fairly new technology is great, is there any real value in it for business? The answer is clearly ‘Yes'. Here are a few pointers that will help clarify:
• Easy to setup with a lot less administrative overhead and technical support required due to the ease of use.
• Costs less than traditional IPSec VPNs. They do not require propriety vpn client software to be purchased or licensed (in most cases).
• SSL makes use of Port 443. This almost guarantees it will work though any firewall that provides standard Internet access, without the need for any special configuration. No more troubled users trying to connect to the corporate network due to a restrictive Internet connection.
• Compatible with all operating system and web browsers.
• Full IP application support – replacing IPSec vpn client programs completely
• Ability to create security policies and allow access only when these policies are met e.g. Firewall, up to date antivirus and more.
• Available on servers, firewalls and even routers! You don't necessarily need a dedicated machine only for your VPN users as it is supported even on small devices such as Cisco 870 series routers!
WebVPN for Cisco IOS routers is fully covered in our article: Configuring WebSSL VPN AnyConnect on Cisco IOS Routers.
We saw what the Web SSL VPN hype is all about and it's good. As time passes, more vendors will start offering these solutions in their products. The message is 'use them'– don't be afraid to adopt these solutions as they will help you solve a great deal more problems and help get the job done better, faster and safer.
Invest in Web SSL VPN – it's the future of remote VPN access.