Home > Ask the Security Experts > Questions & Answers > The necessity of a VPN when providing remote connection via SSL
Ask The Security Expert: Questions & Answers
EMAIL THIS

The necessity of a VPN when providing remote connection via SSL

Stephen Mencik EXPERT RESPONSE FROM: Stephen Mencik

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 22 July 2004

We would like to deploy applications to home users through Citrix Secure Gateway or some sort of hardened SSL appliance (Neoteris, Whale Communication). Our information security group insists that we still install a VPN client on the home PCs. Our goal is to deploy no software, just allow those users access through a browser to some of our productivity applications such as e-mail, Office, etc. The reason that they insist on a VPN client is due to split tunneling. Is this really a security issue (low risk) with this type of configuration, or is there a high risk of compromising our internal network?

>

First, let's define split tunneling, at least as it is used in this context. Split tunneling means that the remote user can be connected to the internal corporate network and also be connected to the Internet at the same time. The tunnel is said to be "split," because there are two parts.

Typically, this is only a problem when you have a VPN installed, as there is no "tunnel" without the VPN. If all you are doing is providing a Web interface to various applications, SSL by itself is generally considered okay. However, there are other reasons why your security group would be concerned.

The issues that your security group are concerned about are: 1) The user's home PC configuration is not under the control of the corporate IT staff; 2) When connected to the Internet from home, the user is not behind the corporate firewall and any other security protection on the network; 3) Any security problems that occur on the home computer could possibly work their way to the corporate network.

As a result of these concerns, there are typically only two methods for remote access that most companies consider secure. The first is that remote users only access the corporate network using corporately-provided computers (typically laptops) that have been configured and locked down by the corporate staff. They access the corporate network via VPN, and that VPN cannot allow split tunneling. If they wish to access the Internet, they must connect to the corporate network via the VPN, and they have their connection go back out through the company firewall and/or gateway.

The second method is to restrict access as you have described. Use SSL-enabled Web pages with authentication of your remote users. Even if all you use is username and password, at least they are protected by the SSL encryption. However, using certificates for authentication while still using SSL would be better. The reason that the Web interface is okay is that there is not a persistent connection like there would be with a VPN or telnet. It is simply a series of client requests and server responses. The SSL protects the confidentiality of the requests, and it is up to the server to ensure there aren't any holes in the interface that would cause problems.

For more info on this topic, visit these SearchSecurity.com resources:
  • Ask the Expert: VPNs and split tunneling
  • On-demand webcast: New directions in VPNs
  • Infosec Know IT All Trivia: Secure Sockets Layer


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts