The best SSL VPN products for you: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Secure Sockets Layer (SSL) virtual private network (VPN) products, or SSL VPNs for short, are used to encrypt network communications. Generally, this involves protecting the confidentiality and integrity of communications between an individual device (servers, desktops, laptops and mobile devices) and a VPN gateway. Some of today's SSL VPN products, meanwhile, specifically target secure remote access for client devices only, not servers, gateways or other infrastructure devices.
The primary reason to use an SSL VPN product is to prevent unauthorized parties from eavesdropping on network communications and extracting sensitive data. Eavesdropping is a concern mainly when the client devices are on external networks, and their network traffic is going over the Internet, unsecured wireless access points and other networks that don't provide adequate security.
Another reason to use an SSL VPN product is to prevent manipulation of communications, such as alteration of data. An attacker who can intercept communications -- for example, during a man-in-the-middle attack -- can alter those communications if they're not protected, and this alteration is likely to go undetected.
SSL VPN products have been around for a long time, but dedicated SSL VPN products are not as common as they used to be. Many vendors have stopped selling dedicated SSL VPN devices, and instead incorporate SSL VPN capabilities into next-generation firewalls (NGFS), unified threat management (UTM) systems and other network security devices. However, there are still several robust, dedicated SSL VPN products available.
The architecture of SSL VPN products
All SSL VPN products have the same basic architecture: a centralized server or gateway and multiple client devices connecting to that server or gateway. However, there are significant variations within this architecture. For example, while most products in this space are based on dedicated SSL VPN appliances, one major vendor provides its SSL VPN capability on a dedicated router, while another offers a virtual machine-based version of its SSL VPN server (the mentioned vendors will be discussed in a future installment in this series). Regardless of the exact implementation, however, each SSL VPN product is centered on some sort of server or gateway device.
There are also significant differences between products when it comes to SSL VPN client software. Some vendors promote their products as being "clientless," meaning there is no native client application -- the user simply runs a Web browser to access the SSL VPN. Other vendors also rely on the Web browser as the primary client interface, but they have a client run within the browser, such as a Java application. Some SSL VPN products, particularly those for mobile devices, tend to have dedicated client applications that must be installed and configured on the device, instead of relying on a Web browser.
Generally, having a dedicated application or Web-based client allows an SSL VPN to grant access to a wider range of resources, such as file shares -- because of additional features that the application or client provides that a Web browser alone cannot.
Typical environments suitable for SSL VPN protection
As already mentioned, SSL VPN protection is most needed when client devices are using external networks. This includes teleworkers and other remote workers who lack enterprise network security protections because they are using networks, including Wi-Fi and cellular networks, not controlled by the organization. Because SSL VPN products don't require reconfiguration of client devices and often don't require a separate installation of client software (because the client is delivered through the Web browser), they are suitable for using on bring your own device (BYOD) desktops, laptops, smartphones and tablets, as well as organization-controlled devices.
SSL VPN protection is also valuable for business partners, contractors and other non-employees who need to access an organization's resources from external locations. In those cases, the organization would offer the same product used for organization-issued devices to these parties, such as making Web-based SSL VPN clients available, and issuing SSL VPN authentication credentials to them.
The costs of adopting and deploying SSL VPNs
The costs of adopting and deploying an SSL VPN product are generally straightforward. There is a charge for the SSL VPN server or gateway, and this generally includes a license for a certain number of users. Exceeding the number of users may involve purchasing an additional license to add a block of users, or it may necessitate replacing the server or gateway with a "bigger" version that can accommodate additional users. This emphasizes the importance of planning for future needs when acquiring SSL VPN products.
Organizations should also be aware that their SSL VPN users will need to be authenticated. Existing enterprise authentication services can be used, but multifactor authentication is generally encouraged for secure remote access. So this could necessitate standing up a RADIUS server or other enterprise authentication system for remote access.
Users will also need support. Although most of the SSL VPN usage should be fairly transparent to end users, they may need support when it comes to choosing a Web browser, ensuring that it's up to date, navigating dialog boxes involving the download and execution of a browser-based client and -- of course -- the installation and maintenance of a dedicated client application, if applicable.
Some SSL VPN products also provide a client device security health check, meaning that if the client device does not meet the organization's security requirements, that device will not be allowed to use the SSL VPN. In such situations, support will obviously be needed and users will be inconvenienced, but security risk will be lessened.
SSL VPN products for protecting sensitive data
SSL VPN products protect network communications sent over untrusted networks from eavesdropping and manipulation, therefore protecting sensitive data from being accessed by unauthorized parties.
They are largely browser-based on the client side, with a dedicated app common for smartphones and tablets; extensive reconfigurations and other client changes are generally not needed. A dedicated server or gateway, physical or virtual, is the foundation of an SSL VPN product.
Learn more about SSL VPNs and their effectiveness in this tutorial
Find out about using SSL VPN with e-mail clients in this Q&A