Book Image

SSL VPN : Understanding, evaluating and planning secure, web-based remote access

Book Image

SSL VPN : Understanding, evaluating and planning secure, web-based remote access

Overview of this book

Virtual Private Networks (VPNs) provide remote workers with secure access to their company network via the internet by encrypting all data sent between the company network and the user?s machine (the client). Before SSL VPN this typically required the client machine to have special software installed, or at least be specially configured for the purpose. Clientless SSL VPNs avoid the need for client machines to be specially configured. Any computer with a Web browser can access SSL VPN systems. This has several benefits: Low admin costs, no remote configuration Users can safely access the company network from any machine, be that a public workstation, a palmtop or mobile phone By pass ISP restrictions on custom VPNs by using standard technologies SSL VPN is usually provided by a hardware appliance that forms part of the company network. These appliances act as gateways, providing internal services such as file shares, email servers, and applications in a web based format encrypted using SSL. Existing players and new entrants, such as Nokia, Netilla, Symantec, Whale Communications, and NetScreen technologies, are rushing our SSL VPN products to meet growing demand. This book provides a detailed technical and business introduction to SSL VPN. It explains how SSL VPN devices work along with their benefits and pitfalls. As well as covering SSL VPN technologies, the book also looks at how to authenticate and educate users ? a vital element in ensuring that the security of remote locations is not compromised. The book also looks at strategies for making legacy applications accessible via the SSL VPN.
Table of Contents (14 chapters)
SSL VPN
Credits
About the Authors
Introduction
A Review of TCP, IP, and Ports

VPNs


You now ask: "So what is a VPN?" The most basic definition of a VPN is "a secure connection between two or more locations over some type of a public network". A more detailed definition of a VPN is a private data network that makes use of the public communication infrastructure. A VPN can provide secure data transmission by tunneling data between two points—that is it uses encryption to ensure that no systems other than those at the endpoints can understand the communications. The following diagram shows a basic example:

Traveling sales people will connect to the Internet via a local provider. This provider can be AOL, EarthLink, a local community Internet Service Provider (also known as a POP—Point Of Presence). The diagram above shows the concept of the VPN. The VPN now hides, or encrypts, the data, thus keeping Hacker Bob out of your data.

Remember your challenge from the CIO—"secure access from 50 sites around the world into the corporate network and each site having about 10-12 computers?" We have the answer for you. Let's look at two examples:

  • Connecting one computer to the company corporate network

  • Connecting networks together (your answer)

One Computer to the Corporate Network

In the example, below, a traveling user is able to connect securely to the corporate network via the VPN. The user will connect to the VPN via a local Internet service provider, then that traffic will be routed to the corporate network. At this point the VPN traffic from the end user will terminate into a VPN receiving device or server.

As you can see, Hacker Bob cannot read and/or trap your data—he is stopped.

Note

In this example above Hacker Bob may still be able to trap a copy of each packet, but the encrypted data will not be readable.

Remote Office Network Connected to the Main Office

In the example below, a remote office will be able to connect to the computers and servers in another office via the Internet. An end user on the remote network will access one of the corporate network services. The traffic will route from the remote office to a VPN device, travel securely over the Internet, and into the VPN device on the corporate network. Once on the corporate network the end user will have the potential to access any of the corporate services or servers. As shown below, Hacker Bob is thwarted once again and cannot read your sensitive data:

Now your problem is solved; your company is able to provide access to its corporate office computers from anywhere in the world. And the final result—Hacker Bob will be looking elsewhere to launch his evil plan.