SSL VPN is an exciting new technology that allows remote access to applications and files from standard web browsers. Because they require no client-side software other than a web browser, SSL VPNs offer great convenience and promise to provide a much lower Total Cost of Ownership than IPSEC VPNs. Yet, at the same time, this novel technology presents new challenges in the realm of security. This article explains how to deploy an SSL VPN securely, exploring both the security issues and proposed solutions.
SSL VPN technology allows users to remotely access important enterprise applications, systems, and files from standard web browsers. Technically speaking, SSL VPNs are composed of specialized reverse-proxy servers [1] that have been enhanced to provide users with secure remote access to internal resources. The added functionality includes subsystems to handle authentication, user experience such as navigation between applications, security, and the translation of internal applications to Internet-accessible formats. SSL VPN technology promises to improve both employee productivity and convenience by freeing users from having to carry laptops when traveling, and allowing access from any Internet-enabled computer. The technology also offers tremendous cost savings when compared to classic IPSEC VPNs since it does not require purchasing or maintaining remote client machines. Users also benefit, as they gain the convenience of being able to access corporate resources from any computer that they wish to use. However, as is often the case with innovative technologies, SSL VPN presents some new challenges when it comes to security. SSL VPN security concerns fall into two categories: those created by allowing access into the internal network (server-side issues), and those stemming from the fact that SSL VPNs must allow access from all browsers, including those not under organizational control (browser-side issues).