Secure Sockets Layer (SSL) virtual private network (VPN) products, better known as SSL VPNs, protect the confidentiality and integrity of communications between systems. Although SSL VPN can theoretically be used between any two endpoints -- such as a gateway-to-gateway VPN architecture -- today's SSL VPN products are most often used as a remote access VPN architecture. This means there is a single SSL VPN gateway (server) for an organization and many SSL VPN clients -- desktops, laptops, smartphones, tablets and the like -- that access the corporate network through that gateway.
Using other VPN products, such as Internet Protocol Security (IPsec) VPNs acting in a gateway-to-gateway VPN architecture (for example, connecting a branch office to the headquarters network), does not preclude the use of SSL VPNs. In fact, many organizations leverage both IPsec and SSL VPNs for different, but related, purposes.
An organization can even choose to use both IPsec and SSL VPNs for remote access, such as supporting enterprise-issued desktops and laptops with a traditional IPsec VPN, while providing an SSL VPN to organization-issued smartphones and tablets, as well as all bring your own device (BYOD) systems. This strikes a good balance for many organizations -- allowing greater control and access through the IPsec VPN for the most tightly secured devices, while still allowing less secure devices to use the SSL VPN.
This helps to reduce risk by separating classes of devices from each other. Meanwhile, because nearly every organization has some remote access users -- including contractors, business partners and vendors, not to mention employees -- nearly everyone can benefit from using an SSL VPN to protect the communications involved in remote access.
Using an SSL VPN does not necessarily mean standing up a dedicated SSL VPN appliance; SSL VPN capabilities are often supported by next-generation firewall (NGFW) and unified threat management (UTM) products, sometimes in an add-on module, sometimes natively. So an organization that already has an NGFW or a UTM installed may be able to leverage it to support SSL VPN. (This is well worth checking out when starting the SSL VPN buying process.)
The key to determining whether an SSL VPN capability would be beneficial for an organization is to understand its remote access infrastructure and security requirements. An SSL VPN provides additional security features besides just encrypting network traffic, which could alternatively be accomplished by adding SSL to individual Web-based applications. Any one of the following SSL VPN security features may be sufficient to justify acquiring SSL VPN products for an organization.
Additional layer of authentication
Accessing organizational resources through remote access -- particularly through devices that aren't controlled by the organization (e.g., BYOD devices, partner devices) -- generally increases the risk for an organization when compared to accessing the same resources from an internal organization network. This is because the devices are outside the physical control of the organization, and their network traffic is being carried over external, unsecured networks, such as the Internet and Wi-Fi hotspots in cafes and hotels.
To help mitigate these increased risks, many organizations require remote access users to be authenticated multiple times through different means via multifactor authentication (MFA). SSL VPNs support the use of enterprise authentication services for remote access, such as a RADIUS server that is linked to cryptographic tokens provided to users in MFA systems. Requiring this additional form of authentication, particularly one that has a physical hardware component, makes it highly unlikely that an attacker who steals a user's password can use it to gain remote access to organizational resources.
Another benefit of using the SSL VPN to authenticate users is that it enables access to low-risk organizational resources that don’t specifically require authentication. A classic example is an intranet, which is available to all internal users without any direct authentication. By using an SSL VPN, an organization can make the intranet accessible to remote users by first authenticating them as legitimate remote users.
Security health checks
SSL VPN products typically offer the ability to do security health checks on each device before granting remote access to organizational resources. These health checks can involve a wide variety of security characteristics. Some, such as checking the device for a preinstalled digital certificate, can -- for example -- be used to identify which device (and whose device) is requesting remote access. Devices with an expired or revoked certificate, or no certificate at all, can be denied remote access strictly on that basis, because this indicates the device hasn't been properly provisioned by the organization for remote access.
Another example of a security health check is ensuring a desktop or laptop has antivirus software installed and running, and that the software is up to date with patches and signatures. A failure to meet the organization’s policies for this results in a notification to the user that their device does not meet the antivirus policy and -- as a result -- they are denied remote access to services. Yet another common health check is verifying that smartphones and tablets have not been jailbroken or rooted, which causes security protections to be circumvented and can indicate the presence of malware or other malicious content.
Centralized access control
Another beneficial feature of SSL VPN products is that they provide centralized access control for a variety of organizational resources. If SSL was applied to resources without a centralized SSL VPN in place, each SSL deployment, authentication to each resource and access control over each resource (i.e., which users are allowed to perform which actions with the resource) would have to be done separately. This would cause significant overhead and duplication of efforts.
By implementing an SSL VPN product, operations are considerably streamlined because of the centralized access control it provides. For example, users can be placed into groups (which can be imported or linked from existing enterprise authentication products), and these groups then be used to grant differing levels of access to individual groups. So a standard user may have access to the intranet, email, calendaring and a few other basic enterprise resources, while a human resources associate may have access to human resources-specific systems, as well as all the general resources available to standard users.
Revoking remote access to these numerous resources is as simple as deactivating the user's remote access credentials in one spot.
Centralized access control also implies centralized auditing and monitoring. This can be particularly important if the SSL VPN grants access to sensitive resources, such as databases containing personally identifiable information, financial records or other information. Organizations may be required by law, regulation or policy to monitor and audit all access to such resources, and this of course would include remote access. Having an SSL VPN acting as an intermediary between remote users and the sensitive data provides a point of accountability.
Benefits of SSL VPN products
SSL VPN products are able to protect the confidentiality and integrity of network communications for remote access users, but they are able to do much more than that. Supported on desktops, laptops, smartphones and tablets, SSL VPNs typically provide an additional layer of authentication, enabling multifactor authentication for remote access users. This helps reduce the risks inherent in remote access by making it difficult for an attacker to steal a password (such as through social engineering) and gain unauthorized remote access.
Other beneficial security features offered by SSL VPNs include performing security health checks on remote access devices before permitting access, and providing centralized access control to streamline remote access operations.
SSL VPNs are available for virtually every organization, from the smallest to the largest. However, it should be noted that SSL VPN capabilities are increasingly being built into NGFWs and UTMs, either as native features or as available add-ons to enhance their capabilities. So acquiring an SSL VPN could involve buying a dedicated appliance, or it may involve purchasing an SSL VPN add-on for an existing network security infrastructure component. Either way, SSL VPNs provide invaluable security capabilities to safeguard remote access to enterprise resources.