Choosing The Right SSL VPN Solution
Other Array authors have written in the past about the value of SSL VPNs in supporting BYOD, and about the technology’s overall value as a key component of the network security infrastructure. SSL VPN – a.k.a. TLS VPN, secure access gateway, etc. – is a pretty mature technology; however, if you are planning a new deployment or a technology refresh, there are several overarching themes that should be considered.
The primary benefit of SSL VPNs lies in the encryption of data traffic between points, of course, but encryption is only part of the story. Because of their position at the network edge, in order to be truly secure SSL VPNs usually employ a combination of protection mechanisms. Array’s AG Series SSL VPN gateways, for example, use a proprietary OS and SSL stack that is not based on OpenSSL (which has had multiple high-severity vulnerabilities throughout its lifespan).
Firewalling can also be a problem, since inbound SSL-encrypted traffic cannot be inspected by traditional firewalls. Thus it’s important that the SSL VPN product itself include firewall capabilities, including DoS/DDoS protection for Layers 3 – 7. Protection for the corporate network itself is typically provided by a network gapping technique. Array’s products use a full reverse proxy to create this gap between the non-secured and secured networks. Application-level filtering can provide an additional fine-grained level of control by enforcing access control policies based upon protocol content.
AAA is the foundational step in establishing the identity of a user, and the SSL VPN appliance should be able to integrate with the organization’s existing authentication interface (typically RADIUS or LDAP). If a non-standard authentication interface is used (such as a legacy system, database, etc.), then it’s important that the SSL VPN appliance allow customization to integrate with these types of interfaces. Highly granular and role-based authorization is also essential in keeping network assets safe, and administrators should be able to limit access to data and applications based on user role as well as other parameters. For flexibility, it should be possible for policies to be stored locally or on an external server, and for administrators to correlate external and internal policies.
Especially in the world of BYOD, there is risk in unsecured devices gaining access to secured network locations. For this reason, host checking is essential – and the administrator should have the ability to set different parameters in order to determine the level of risk posed by a given device, and to allow/disallow access to various assets based on that risk assessment. In addition, because mobile devices are frequently lost or stolen, there should be a mechanism available to ‘wipe’ the device of any sensitive corporate information after a session’s end.
Access by mobile devices can present special challenges, and the SSL VPN appliance should support the two major mobile OSs (Android, iOS) and offer multiple access methods (Web-based, mobile app) for flexibility. In addition, Array’s SSL VPN appliances allow existing Windows and desktop applications to be seamlessly presented via the mobile app, while sensitive data remains on the enterprise network.
Almost all SSL VPN vendors publish performance metrics; however, when evaluating solutions it’s important to compare apples to apples. Drill down into the numbers: for example, for the maximum number of SSL operations per second, do the vendor’s specifications include handshakes, bulk encryption, or both? Are performance test graphs under simulated load available that can help you validate the claims? And do the performance parameters complement each other, i.e., is the volume of SSL operations per second adequate to support the number of concurrent user sessions that is claimed?
Users can quickly become frustrated when they are required to use multiple interfaces and methods to access the resources they need to be productive, so the SSL VPN solution should offer the ability to customize the login and other pages to suit the needs of employees, partners, departments, etc., and it should be intuitive with minimal user interaction required.
In addition, Array’s AG Series offers DesktopDirect™, a remote desktop access solution that allows workers to remotely connect to office PCs from any device and access their familiar desktop applications and data. This solution eliminates the need for additional laptops, software or training, and the user experience is virtually identical to that of the office environment. Data never leaves the network, so security can be assured.
Another area to consider is segmentation, i.e., some organizations will need to ‘wall off’ separate access portals to eliminate the possibility of an employee accessing information for which they are not authorized. One good example of this is a finance or HR department, which has highly confidential data and resources that should be completely separate from other departments. Some SSL VPNs, like Array’s AG Series, offer up to 256 virtual secure access portals to allow segmentation to control access to resources.
Obviously your company’s individual needs will dictate your own short list of technical requirements, but this post – though by necessity brief – should give you a good starting point. For more information on Array’s AG Series SSL VPN appliances, visit our Web site or contact your Array representative today.