Product Group Tests

SSL VPNs (2007)

by Justin Peltier October 01, 2007
products

GROUP SUMMARY:

Ease of use, free support and superior documentation make the well put-together BiGuard S10 SSL VPN our Best Buy.

The Array Networks SPX Series Universal Access Controller is an immensely feature-rich appliance, which is why it is our Recommended product this month.

Being almost immune to blocking has given these solutions the edge over their IPSec-based counterparts when it comes to providing secure access for remote workers. Justin Peltier reports

Connectivity is more important than ever. Most members of a mobile workforce must be able to access critical files, print services, company intranet applications, and even their workstation desktops outside of normal business hours. To maintain the level of secure remote access, many organisations are turning to virtual private networks (VPNs), which allow a remote user to connect to the office over the internet in a secure manner.

The VPN connection uses encrypted tunnels to protect the confidentiality of the information in the conversation, as well as making the connection appear to the user as if they are on the corporate local area network (LAN). Originally, IPSec-based VPNs were used to maintain remote access to the office. However, more and more networks are blocking the ports associated with IPSec-based VPNs, such as UDP port 500.

In some cases this is done for security. For example, a corporate LAN may choose to block the IPSec connection because the connection is encrypted and cannot be processed for malicious content such as surfing an inappropriate site or emailing company information to a competitor. Many ISPs block the IPSec-based VPN in order to charge a higher rate for a business- class account that allows traffic for IPSec-based VPNs to pass through the filter.

IPSec is a standard written to specify running on top of IP networks. The standard implements security features the internet protocol was never designed to have. The IP protocol was originally designed for interoperability without a thought for security.

IPSec uses components such as authentication headers, encrypted payloads and message authentication codes as a way to provide pseudo non-repudiation. It provides confidentiality and integrity, but the message authentication code only applies to the group of users and not an individual using the connection. This is because the message authentication code in IPSec uses the shared key to encrypt the message's digest. Since the key is shared, it cannot be used to authenticate an individual.

IPSec-based VPNs work fine as long as the port for internet key exchange (IKE) is open. Since this port is getting blocked more and more, organisations are turning to SSL-based VPNs instead. Since SSL is a standard protocol used by regular web surfers, it is difficult to block SSL access without blocking internet connectivity. That means SSL-based VPNs are more likely to be allowed through whatever type of network the remote user many be on.

SSL versus IPSec
Let's examine the steps of establishing an SSL connection. Like IPSec, SSL - or secure sockets layer - is a negotiated protocol. This means that both parties have to agree on how the protocol will be used in order for the communication to take place.

However, SSL relies on hybrid cryptography which means it uses both public and private key cryptography as part of the communication process. SSL begins when the client (usually a web browser) sends a client hello message to the SSL server. This message contains a list of cipher specifications - all the cryptographic algorithms and configurations the browser will support.

Once the SSL server receives this message, the server picks one of the ciphers and returns the specification to the client in a server hello message. When this is completed, the server sends over the server certificate for the client to inspect.

The client performs several checks against the certificate, for example comparing the signing certificate authority against the list of trusted authorities configured in the browser. The client also checks the URL of the certificate against the one with which the browser is communicating. These are not all the checks that are performed but they represent a good sample.

Once the certificate is checked the browser extracts the public key from the certificate, generates the private or session key, encrypts the session key with the server's public key, and then sends the session key over to the server. At this point, all communication changes from public key cryptography to private or secret key cryptography.

We tested the SSL VPNs by installing them into our test network and using a Windows XP client to connect to the SSL-based VPN. We attempted to use both the SSL portal as well as the layer-three SSL VPN clients to access the internal network.

- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/

SC Webcasts UK

Sign up to our newsletters

FOLLOW US