Browser Power
The city of Wooster’s traffic supervisor, utilities personnel and its support vendors used to find themselves coming in at 2 a.m. to flip a switch when something needed resetting. But that is no longer the case, thanks to deployment of a Secure Sockets Layer (SSL) VPN.
“Now, if our traffic controller is at his house and on an approved, registered device, he can access the system through our VPN instead of getting up, dressing and driving into the plant,” says Ty Collins, information systems manager for the city of Wooster, Ohio.
When Collins was evaluating solutions last year, he ruled out the more popular IPsec VPN because it required installation of specialized software on each client. Instead, he chose a VPN based on SSL. The technology enables access from anywhere because the secure handshake occurs over the SSL connection between the application and the browser. SSL grants access to the application only, not to the entire network as IPsec does.
With the remote access demands of today’s diverse and mobile workforce, SSL’s time has come, says Chris Silva, an analyst with Forrester Research in Cambridge, Mass. “Employees are demanding remote access from notebooks, notebooks are displacing desktops, and smaller mobile devices are also making their way into network resources as well,” he explains. “IPsec, with its client-based certificates and point-to-point connectivity, simply won’t be able to scale to these demands.”
According to Forrester, IPsec deployments currently outpace SSL by about 20 percent. But over the next five years, SSL is expected to become the dominant technology.
Here, There, Anywhere
“We have people going into homes to take reports who are used to getting their e-mail from the library. They could be coming in from court-appointed computers, other judicial computers, or a public kiosk,” says Jeff Grant, senior network designer for the Connecticut Judicial Branch in East Hartford. “Without the visibility provided by SSL, we don’t know where they’re coming from. With an SSL VPN appliance, we could detect their location and set access accordingly.”
Grant’s agency is looking at an SSL VPN to replace its Lightweight Directory Access Protocol–based remote e-mail access because he also wants to be able to check the integrity of his end-points before granting access to e-mail and, ultimately, database and other telework applications.
Many SSL gateway accelerators include or combine with Network Access Control–based end-point controls to check the integrity of end-points before granting access. This includes checking patch levels and security status and identifying the location or type of device before granting full access, granting limited access (including removing the session from memory in noncontrolled devices) or sending the user to a site for remediation.
“We can use NAC-based controls and registry keys to check MAC [Media Access Control] and IP addresses to determine whether it’s a judicial or nonjudicial device,” Grant adds. “If it’s a nonjudicial device, we could see that they used one of our [RSA] tokens to log in, but the system in use is not kept up to date, so the user is given very limited, view-only access.”
The organization is leaning toward Cisco Systems’ Adaptive Security Appliance existing architecture. Grant plans to phase in the SSL VPN as licensing agreements phase out for his 4,500 IPsec RSA tokens and he can replace them with SSL tokens.
Application-Specific Access
Licensing is another reason organizations are finding SSL VPN attractive, says Forrester’s Silva.
“Instead of having to deal with the cost of licensing for every one of those developers in India or home workers all over your state, you’re only paying license for the [SSL VPN] gateway,” he says. “As many people who support the [SSL] browser token can get into their resources without worry about licensing on each of those devices.”
Like Wooster and Connecticut’s judicial branch, most agencies are implementing SSL one application at a time, Silva continues. And, because mobility is a driving factor, most future applications will likely involve Wi-Fi, for which SSL VPN makers such as SonicWall are developing compression as well as optimization accelerators.
One such wireless SSL VPN arrangement enables public-safety officers in Dane County, Wis., to access criminal database records while in their squad cars over a secure connection.
“Officers can download photos of suspects, including tattoos and scars, to a degree they’ve never been able to before,” explains Dawn Szyryj, senior systems administrator at Dane County, whose offices are based in Madison. “This has allowed more arrests of criminals on the street because we’re getting the right information to the right people at the right time.”
The county uses a Java ActiveX download delivered to the mobile computers’ browsers through the Citrix Systems portal, which also automatically updates the ActiveX code every time a user connects.
In addition to its wireless squad-car application, Dane County has also deployed a Citrix-based SSL VPN portal that allows agents outside the county to access its criminal database. Szyryj credits this project for tearing down silos and improving efficiencies in interagency investigations.
Portals are another access layer that SSL VPNs are well suited for, according to David Nero, director of enterprise applications for the city of Boston.
Boston’s IT group is halfway through a 20,000-user deployment that uses the Juniper SSL Secure Access 6000 appliance to control access to Oracle’s PeopleSoft employee self-service applications. Through the portal, public works and other highly mobile city employees can track their pay, medical and other benefits information from anywhere, even a public computer.
“Not all of our city workers have access to a PC. Public works employees are busy filling potholes, and transportation people are fixing streetlight signals, and they deserve the same access to their HR data as anyone with a computer does,” Nero says. “We are trying to plan for future employee access needs by starting with this project.”
Echoing other agency IT leaders, Nero believes that, ultimately, every remotely accessed application could be integrated into an SSL VPN, most likely managed through a secure, self-service portal.
“People will continue to expect access to what they need from where they are. We have to accept that,” he adds. “We decided to start to solve it with this employee portal project.”
A Sampling of SSL VPNs
- Array Networks SPX2000 SSL VPN
- Cisco Systems Adaptive Security Appliance 5550
- Microsoft Intelligent Application Gateway 2007
- Nortel Networks Alteon 2424-SSL Application Switch
- SonicWall SSL-VPN 2000
- SonicWall SSL-VPN 4000
- WatchGuard Firebox SSL Core VPN Gateway
Proper Configuration Is Key
Once when Ty Collins, information systems manager for the city of Wooster, Ohio, was running Secure Sockets Layer VPN traffic through the city’s internal Barracuda Networks packet filtering firewall, he discovered the firewall was opening encrypted packets. “This was an eye opener — a real-life example of a man-in-the-middle attack,” Collins says.
A successful attack would be possible only if a device was present in-line of the communication path, which was the case in Wooster. The other way would be to compromise the SSL credentials and spoof a session. That makes proper VPN configuration and end-point protection critical when deploying VPNs. You can protect your system by keeping browsers patched and up to date and utilizing end-point management controls through Network Access Control and other controls tied into the VPN management system.