In our first post in this series, we discussed how the changing security landscape and the shift to remote working have dramatically altered the way we work. Securing the distributed workforce is by necessity top of mind for security professionals in 2022.
Though newer technologies like SD-WAN, ZTNA and SASE are beginning to be deployed, today the dominant method by far of providing secure remote access is still VPN. This is likely to be true for quite some time, due to proliferation of the technology currently and the cost of re-educating users – but the good news is that VPN can also serve as a foundation for newer technologies like SD-WAN.
It’s therefore crucial to understand the strengths and weaknesses of VPN solutions. In our previous post, we took a quick dive into Internet Protocol Security VPN (IPsec VPN), which operates at the network layer, with a brief overview of how it works, drawbacks, and the use cases that it’s best suited for. In this edition, we’ll take a closer look at Secure Sockets Layer VPN (SSL VPN).
The Basics of SSL VPN
‘SSL’ VPN is a bit of a misnomer since SSL has been deprecated since mid-2015. In reality, this type of VPN runs on SSL’s successor, TLS or Transport Layer Security, at the session layer (L5) of the OSI model. However, with everyone from manufacturers to analysts to admins continuing to refer to it as SSL VPN, it seems destined to keep its slightly misleading name.
SSL VPN was designed from the ground up to allow remote and mobile users to securely access network-hosted data and services. It’s comprised of two main components – a server and a client, the latter of which resides on the endpoint. The server accepts access requests from the client, performs authentication and authorization, and sets up a secure connection.
A number of features in SSL VPN technology set it apart from IPsec VPNs and make it the dominant method of supporting remote and distributed workforces. Resource lists, for example allow access to specific resources within the corporate network while preventing access to other areas. Sounds familiar? This emulates elements of zero-trust, as well as elements of micro-segmentation. This allows role-based access to only the data and services allowed for that user or group of users.
SSL VPN can also support multiple authentication methods for additional security. Multifactor authentication can be accomplished via SMS, physical tokens, email, or third-party services.
Another feature that sets SSL VPNs apart is the ability to verify and validate client devices prior to connection to the server. Host ID verification can inspect an endpoint for its MAC address, serial numbers and other criteria before allowing access. In addition, host security checks can detect the security status of the remote device, such as OS, patch, and browser versions as well as the existence and state of security software like antivirus, before granting entry.
Unlike IPsec VPNs, SSL VPNs don’t require a physical client at the remote site; instead, the clients are software-based and typically free of charge. Most SSL VPNs also support an agentless (or clientless) method via a browser.
Another difference of note is in performance. While IPsec VPN performance can be enhanced through Intel CPUs, hardware-based SSL VPNs, like those included in NGFWs from Hillstone and others, can include built-in accelerator boards. This capability can significantly improve the speed of new connections as well as the encryption/decryption throughput, resulting in a much better user experience and higher productivity.
SSL VPN Use Cases
SSL VPNs are primarily used to provide secure remote network access for telecommuters, mobile workers, and system administrators who monitor and manage servers in multiple departmental offices. This is especially important as the world has transitioned into the “branch of one” reality of the distributed workforce. The need for connectivity and security in tandem is at an unprecedented level.
SSL VPN can also be used as a substitute in cases where IPsec VPNs are unable to navigate NAT traversal for some reason, or where they run afoul of firewall rules.
And finally, SSL VPN is often a component of a business continuity plan, used to allow staff to work remotely during business disruptions. Throughout the COVID-19 pandemic, for example, SSL VPN has been widely used to support the new distributed workforce. With the importance of business continuity persistently increasing, SSL VPNs can be key in building a cyber-resilient security infrastructure.
Looking Ahead
Like IPsec VPN, SSL VPN has been in existence for quite some time, and given the new hybrid workforce engendered by the pandemic, both technologies are likely to stick around for quite some time. However, on the not-so-distant horizon lie several newer technologies that can interwork with and eventually supplant current VPN infrastructures.
Industry analyst firm Gartner has proposed a new concept, the Secure Access Service Edge (SASE), that in turn encompasses several other concepts and technologies like Zero-Trust Network Access (ZTNA), SD-WAN, Secure Web Gateways (SWGs) and others. SD-WAN and ZTNA can both be implemented alongside SSL or IPsec VPNs today to enhance security, for example.
In our next post, we’ll take a closer look at SASE, why it’s needed, and how to start the transition. To learn more about Hillstone’s solutions and how they can support the transition to SASE, contact your local Hillstone representative or authorized reseller today.