Secure Sockets Layer (SSL) virtual private network (VPN) products, or SSL VPNs, are used to protect network communications from eavesdropping and manipulation. Most SSL VPNs are deployed to support remote access for desktops, laptops, smartphones and tablets. This includes devices issued by the organization or owned by end users via bring your own device (BYOD) policies and controlled by third parties, such as contractors, vendors and business partners.
SSL VPN capabilities are available as standalone appliances and virtual appliances, but increasingly they're being bundled with other security products, including next-generation firewalls and unified threat management. However, whether bundled or standalone, these SSL VPN capabilities are generally quite similar. It's in the details of how these capabilities are implemented that SSL VPN products can be distinguished from each other.
To identify these differences, it's important for an organization to establish criteria for evaluating SSL VPNs to find the right product for its needs. Below are several important criteria to consider as part of any SSL VPN evaluation.
Criteria #1: VPN client software options
For most organizations, the most important decisions they need to make regarding their SSL VPN product are what resources -- websites, applications, file shares, among others -- need to be accessed from SSL VPN client devices and what security requirements need to be enforced on those client devices. This, in turn, will drive the evaluation of SSL VPN client software.
Generally speaking, there are four approaches to SSL VPN client software:
- Clientless. This is where the client device's Web browser is used for SSL VPN connectivity without any software installation. Clientless usually offers the least degree of access to organizational resources, typically only Web-based applications and websites.
- Browser plug-in. This is a Java applet, ActiveX control or other code run within the context of the client device's Web browser. A browser plug-in often enables access to file shares, non-Web-based applications and other resources that are not available in the clientless model. Browser plug-ins are only available for desktops and laptops, not smartphones and tablets.
- Standalone executable for desktops and laptops. This is a dedicated client installed within the operating system (OS), not a Web browser. It enables access to the same resources as a browser plug-in, while potentially providing a stronger level of security through more rigorous system health checks, organization-enforced configuration settings and so on. Also, because it has no browser dependency, it can be used regardless of the Web browser brands and versions installed on the client device.
- Mobile application for smartphones and tablets. This is the functional equivalent of the standalone executable, but it is only available for mobile devices.
Each organization needs to consider its requirements for resource access and security, as well as the characteristics of its client devices (laptops and desktops versus smartphones and tablets -- particular browser brands and versions and so on) Only with all of this information considered together can an organization determine which SSL VPN client software approach or approaches are viable, and then investigate those SSL VPN products that offer such clients. Some products offer clientless and client-based options, while other products have only one client software approach.
Criteria #2: VPN client OS support
If an organization selects a "heavy" client-based approach to SSL VPNs, involving the installation of a standalone executable for desktops and laptops or a mobile app for smartphones and tablets, it must carefully evaluate what OSes the client software is supported on. It is dangerous to assume that the SSL VPN product will support the organization's client OSes. This is true for desktops/laptops and smartphones/tablets.
For example, consider an organization that has a variety of Windows and Mac OS X desktops and laptops, as well as Google Android and Apple iOS smartphones and tablets. It may be difficult to find a single SSL VPN product that offers both standalone executables for Windows and Mac OS X, as well as mobile apps for Android and iOS.
Then take into account the organization's BYOD users and their devices. They may be running additional OSes, such as Unix and Linux on desktops and laptops, and Windows and BlackBerry OSes on smartphones and tablets.
So it may be necessary to deploy "heavy" clients to some devices and use browser-based plug-ins or clientless solutions for other devices. Be aware, however, that smartphones and tablets are likely to need dedicated apps to achieve SSL VPN functionality, so the SSL VPN's support for OSes may be more important than its support for desktop/laptop OSes.
Criteria #3: Support for simultaneous users
Commercial SSL VPN products are licensed in terms of simultaneous users. Most vendors offer several models -- with the smallest handling 10 or 15 simultaneous users, service provider implementations handling 10,000 simultaneous users and a variety of intermediate products handling hundreds or thousands of simultaneous users. Some vendors even offer a "virtual appliance" that offers unlimited scalability in terms of usage because of its cloud-based nature.
What makes this criterion unexpectedly tricky is sizing up SSL VPN products to handle maximum needs. A common example is planning for disaster recovery. Should a natural disaster or other situation prevent employees from reaching the office, will these employees all be teleworking through the SSL VPN at the same time? Usage of the SSL VPN may suddenly increase for a short time (perhaps hours, perhaps days) and then drop back to its old levels. Obviously it's important to size appliances appropriately, such as to handle typical increases due to seasonal conditions, but what about planning for extraordinary conditions?
Fortunately, some SSL VPN product vendors offer surge licensing. This refers to acquiring a temporary license for additional simultaneous users. This type of license can be purchased and applied nearly instantaneously, making it ideal for handling unexpected surges due to disaster conditions. Be warned, however, that an appliance can only handle so many users, so performance may suffer significantly as the number of users is increased.
Still, during an emergency, slow access may be better than no access.
Criteria #4: Network access control
Support for network access control features has become fairly standard for SSL VPN products. Network access control refers to verifying that a client device adheres to certain organizational security policies, such as ensuring a desktop or laptop has current antivirus software installed and running, or verifying a mobile device has not been jailbroken or rooted. What may differ among SSL VPNs is the types of OSes that the network access control features support and the degree to which each product verifies security policies.
An example is the authentication of client-side digital certificates. Many organizations choose to provision their devices with digital certificates that can then be used to authenticate that the device is controlled by the organization. Network access control features may be able to perform certificate verification to confirm the legitimacy of the device before granting it access to the organization’s internal resources.
Organizations are encouraged to test network access control features through evaluation units before acquiring an enterprise SSL VPN to determine how thoroughly each SSL VPN product can check for and enforce enterprise security policies.
Do your homework and evaluate
SSL VPN products have matured over the past several years, and they all tend to offer similar functionality. However, the details of this functionality separate one product from another for a particular organization.
Each organization has its own needs and requirements when it comes to SSL VPN products, so there cannot be a single evaluation that every organization relies on. The criteria outlined in this article -- client software options, OSes supported, simultaneous user support and the degree of network access control -- are starting points for conducting proper SSL VPN product evaluations.
Find out how the PCI DSS 3.1 update may affect SSL VPN use for retailers
Learn how to prevent VPN security issues in the cloud