SSL VPN eases remote access pains

In our ever-changing world, the globalization of business environments has meant that we have remote offices, employees, partners and customers geographically dispersed across the country and the world.

Leased lines between sites served our objectives of fast, secure and reliable communications.

Subsequently the Internet became the alternative data communications highway providing remote users much-needed access to our network.

Internet-connected businesses set up IPSec VPNs, tunnelling securely through the Internet to interconnect sites, which lowered running costs and improved productivity.

This serves well, apart from some shortfalls: firewall access rules and security policies are complex to set up and to control properly.

It also means client software has to be set up and maintained. Connections from remote external networks via the IPSec tunnel to our network could expose us through remote machines that have been compromised or infected with viruses.

For quite some time now Web sites providing e-commerce services and net banking have been using the de facto standard secure sockets layer (SSL) to secure transactions and to protect Web-based communications over the network at the application layer.

It’s time for the IPSec VPN to move over. We now have SSL VPN for secure remote and extranet access.

It does away with some of the previously mentioned shortfalls.

That is, with SSL VPN we get secure, clientless, easy-to-use and simple-to-deploy remote access.

SSL VPN is an ideal candidate to provide secure remote access at ever-proliferating Internet parlours, Web kiosks and Internet-based self service terminals, as well as for access at trade shows, hotel rooms, wireless hot spots and client sites. At these locations, setting up a traditional IPSec VPN is difficult or impossible, as network configuration is unknown and even if it is known, network address translation (NAT) and firewall settings have to be changed for the connection.

In the same space, SSL VPN technology will help us walk the tightrope between lowering total cost of ownership and increasing our remote users' productivity for critical Web-based and client server applications.

Moving down the road, we have SSL VPN gateway appliances which give remote users the ability to connect in a simple, fast and secure manner using just a browser and Java on the client machine.

SSL VPN access for a remote user can be set up on the fly by IT security officers with granular security: each remote user can be given access to a particular application or applications, as well as different levels of access to files.

As for remote users they are just a click away — that is, they point their browsers to the SSL VPN gateway portal page.

A secure SSL connection is set up to the SSL VPN gateway and, after authentication, users can access application servers and Web servers.

Acceptance of SSL VPN for remote access has accelerated as it is easy to set up, yet powerful and flexible. At this stage it is important to remember that secure remote access is a process, not a product.

SafeNet's SafeEnterprise SSL iGate family caters to the SSL VPN access market segment. The iGate Pro SSL VPN box has important features, such as hardware SSL acceleration and HTTP compression. Under port forwarding it supports Internet Explorer (IE) browsers, non-IE browsers, cache cleaning, an integrated two-factor device and administration.

Under logging, it supports activity logs and alerts. For session auto log off, it supports token removal, inactivity time out and global time out.

For client-side security checks, the iGate Pro has out-of-the-box support for version checks on anti-virus software and firewalls.

It checks dates and times, IP addresses, subnet, file digital signatures and authentication methods.

It also checks registry and file settings, and whether Win32 services and the Windows Automatic Update service are running.
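The client-side checks listed above are, in effect, a posture policy evaluated against a report from the endpoint before access is granted. The following is an added example of such a policy evaluator, not SafeNet's code, and it does not reproduce how the iGate Pro actually collects or formats these checks: the report layout, the policy values, the service name and the address ranges are all assumptions constructed for the example. It covers the version, firewall, service, subnet and time-of-day checks from the text; the file signature and registry checks are left out.

```python
"""Endpoint posture policy check modelling the client-side checks an SSL VPN
gateway can run before admitting a user (added example; not SafeNet's code).

The posture report is a dict the VPN client would submit; its layout and the
policy values are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class PosturePolicy:
    min_av_version: tuple = (7, 0)            # assumed minimum anti-virus engine version
    min_firewall_version: tuple = (2, 1)      # assumed minimum personal-firewall version
    required_services: tuple = ("wuauserv",)  # Windows Automatic Update service name
    allowed_networks: tuple = ("10.0.0.0/8", "203.0.113.0/24")  # constructed ranges
    access_window: tuple = (time(7, 0), time(20, 0))  # permitted local login hours


def parse_version(text: str) -> tuple:
    """'7.2.1' -> (7, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_posture(report: dict, policy: PosturePolicy, now: datetime) -> list:
    """Return the list of failed checks; an empty list means the client may connect."""
    failures = []

    # Anti-virus and firewall: must be installed, enabled and at or above the minimum version.
    for product, minimum in (("antivirus", policy.min_av_version),
                             ("firewall", policy.min_firewall_version)):
        info = report.get(product, {})
        if not info.get("installed"):
            failures.append(f"{product} not installed")
        elif not info.get("enabled", True):
            failures.append(f"{product} installed but disabled")
        elif parse_version(info.get("version", "0")) < minimum:
            failures.append(f"{product} version {info['version']} below minimum")

    # Required Windows services must be running on the client.
    running = set(report.get("running_services", ()))
    for service in policy.required_services:
        if service not in running:
            failures.append(f"required service {service} not running")

    # Source address must fall inside one of the permitted subnets.
    client_ip = ip_address(report["client_ip"])
    if not any(client_ip in ip_network(net) for net in policy.allowed_networks):
        failures.append(f"client address {client_ip} outside allowed subnets")

    # Date/time check: connections only within the configured window.
    start, end = policy.access_window
    if not start <= now.time() <= end:
        failures.append("connection attempt outside permitted hours")

    return failures


# Constructed posture reports: one compliant client and one that should be refused.
COMPLIANT = {
    "antivirus": {"installed": True, "enabled": True, "version": "7.2.1"},
    "firewall": {"installed": True, "enabled": True, "version": "2.1.0"},
    "running_services": ["wuauserv", "EventLog"],
    "client_ip": "203.0.113.25",
}
NON_COMPLIANT = {
    "antivirus": {"installed": True, "enabled": True, "version": "6.9.0"},
    "firewall": {"installed": True, "enabled": False, "version": "2.1.0"},
    "running_services": ["EventLog"],
    "client_ip": "198.51.100.7",
}
OFFICE_HOURS = datetime(2024, 3, 12, 9, 30)   # constructed timestamps
AFTER_HOURS = datetime(2024, 3, 12, 23, 0)

if __name__ == "__main__":
    policy = PosturePolicy()
    print("compliant:", evaluate_posture(COMPLIANT, policy, OFFICE_HOURS))
    print("non-compliant:", evaluate_posture(NON_COMPLIANT, policy, OFFICE_HOURS))
```

The evaluator deliberately reports every failed check rather than stopping at the first one, so the help desk can tell a remote user exactly what to fix; a gateway would refuse the session whenever the returned list is non-empty.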

For authentication you have a choice of local, LDAP and RADIUS. Two-factor token authentication using an iKey USB token or RSA SecurID is also available. This gives companies the flexibility of using different methods of authentication, depending on their policies.

Clients can choose a combination of these methods depending on the users, roles and applications being secured. As an application proxy, it reduces Web server exploitation risks.

Passwords can also be set to expire after specific time intervals to improve security.

Access is indeed secure through iGate Pro as it proxies your resources and mitigates problems such as password hacking and exploitation of vulnerabilities.

Remote access deployment and management with the iGate Pro is fast and easy thanks to the two very useful Web administration and access control manager (ACM) tools bundled with iGate. No client installation is needed.

The Web-based user interface is for managing the appliance using HTTPS and helps create the initial network configuration in an intuitive manner.

The Windows-based ACM makes the job of the IT security officer easy for user, application and resource management.

All ports are closed except the standard port for Web traffic. Private IP addresses are hidden and encrypted, and common exploitation of Web server vulnerabilities is reduced because users must first authenticate themselves with the appliance before being passed to the back-end application servers.

With iKey USB tokens for remote users, you can feel assured, as this is much more secure than a password-only scheme.

iGate Pro will automatically remove any files that were used during the session, so sensitive information does not remain on the machine. Cache cleaning takes place if a session has timed out, or if users log out or remove the iKey.
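The session behaviour described in the last few paragraphs (back-end servers reachable only after authenticating with the appliance; sessions ended by inactivity time out, global time out, logout or token removal; cached material cleaned on every session end) can be modelled compactly. The following is an added example of that session logic, not iGate Pro's code; the timeout values, the `demo_backend` stand-in and the `walkthrough` scenario are assumptions constructed for the example, and time is passed in as plain seconds so the logic can be exercised offline.

```python
"""Session handling for an authenticating application proxy, modelling the
behaviour an SSL VPN gateway applies in front of internal servers
(added example; not iGate Pro code).

Nothing reaches the back-end without a live session, and a session ends on
inactivity, global time out, logout or token removal, at which point the
material cached for it is wiped."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    cached_files: list = field(default_factory=list)  # files fetched this session


class Gateway:
    def __init__(self, backend, inactivity_timeout=900, global_timeout=8 * 3600):
        self.backend = backend              # callable(user, path) -> body; stub below
        self.inactivity_timeout = inactivity_timeout
        self.global_timeout = global_timeout
        self.sessions = {}
        self.audit = []                     # (user, reason, files wiped) per session end

    def login(self, user: str, two_factor_ok: bool, now: float):
        """Create a session only after authentication succeeded; return its id."""
        if not two_factor_ok:
            return None
        sid = secrets.token_urlsafe(32)     # unguessable session identifier
        self.sessions[sid] = Session(user, now, now)
        return sid

    def end_session(self, sid: str, reason: str) -> None:
        """Drop the session and clean its cache so nothing stays on the client."""
        session = self.sessions.pop(sid, None)
        if session is None:
            return
        self.audit.append((session.user, reason, len(session.cached_files)))
        session.cached_files.clear()

    def request(self, sid: str, path: str, now: float):
        """Proxy one request; the back-end is only called for a live session."""
        session = self.sessions.get(sid)
        if session is None:
            return 401, "authenticate at the portal first"
        if now - session.last_seen > self.inactivity_timeout:
            self.end_session(sid, "inactivity time out")
            return 401, "session expired"
        if now - session.created > self.global_timeout:
            self.end_session(sid, "global time out")
            return 401, "session expired"
        session.last_seen = now
        body = self.backend(session.user, path)
        session.cached_files.append(path)
        return 200, body

    def token_removed(self, sid: str) -> None:
        """Pulling the USB token closes the tunnel immediately."""
        self.end_session(sid, "token removed")

    def logout(self, sid: str) -> None:
        self.end_session(sid, "user logout")


def demo_backend(user: str, path: str) -> str:
    """Constructed stand-in for an internal Web server behind the gateway."""
    return f"{path} served to {user}"


def walkthrough() -> dict:
    """Exercise the gateway with a constructed scenario and return the outcomes."""
    gw = Gateway(demo_backend, inactivity_timeout=600)
    results = {}
    results["no_session"] = gw.request("bogus-id", "/intranet/", now=0)[0]
    results["bad_login"] = gw.login("alice", two_factor_ok=False, now=0)
    sid = gw.login("alice", two_factor_ok=True, now=0)
    results["first_request"] = gw.request(sid, "/intranet/report.pdf", now=10)
    results["after_idle"] = gw.request(sid, "/intranet/", now=10 + 601)[0]
    sid = gw.login("alice", two_factor_ok=True, now=1000)
    gw.request(sid, "/mail/", now=1001)
    gw.token_removed(sid)                   # user pulls the iKey mid-session
    results["after_token_removed"] = gw.request(sid, "/mail/", now=1002)[0]
    results["audit"] = gw.audit
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, "->", value)
```

The two timeouts are checked independently: a user who keeps clicking never trips the inactivity timer but is still cut off at the global limit, and each session end is written to the audit list with the reason and the number of cached files wiped, which is the kind of record an activity log and alerting feature would carry.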

For secure access to non-Web applications, iGate Pro provides an application connector called VPX. It is very easy to use and set up: users just go to the portal and click on the application link to be authenticated with the HQ application servers. They then use the normal client they were using in the office.

They can use local e-mail clients and client server applications right from their remote offices securely.

From a security point of view, the iGate Pro's CPF (client policy feature) scores high marks.

Operational Testing

Before you test drive the iGate Pro, keep handy details such as site default gateway, Web server FQDN, Web server IP, port and client port of the HTTP-based resources you are going to protect.

Position the iGate Pro behind the firewall on the private or DMZ segment. Point your browser to the IP of the iGate Pro, authenticate, click on the Net Wizard tab, then select one-arm mode and the other settings.

Now proceed to the Site Wizard where you can select either the direct site mode (to access the site directly or via a portal page) or the indirect site mode (to access the site only via a portal page).

Also select other settings such as the URL to access the server, Web server IP, port 80, virtual IP address and client port 443.

Next, click on the Advanced tab, which gives a host of control and monitoring options, as well as the ability to set up the VPX connector. The VPX connector allows the client on the remote PC to connect to the application server through iGate Pro. The start-up guide proved very useful in our test deployment.

Now we move to the ACM — a central deployment and management tool that helps configure protected resources and users who need access to the resources.

You can define external authentication sources or internal authentication and configure users, groups, access rights and links to the landing page using the ACM.

You can add sites and applications that have to be secured from unauthorized access to the access control list (ACL).

With the ACM, you can import users from the Windows domain or from an external directory.

The dashboards for both tools impressed us; they are well laid out and easy to navigate.

Even a novice can get secure remote access going with the handy quick start guide.

With a few mouse clicks, we could enforce access rights in a granular manner — you can change, revoke or add application access for users.

All traffic is secured through the iGate Pro.

For the remote access test we used a client PC equipped with just the common browser and Java.

Coming from the Internet, we pointed the browser at the portal site. For authentication, we had set up a password and the iKey USB token. We inserted the USB token and entered the required PIN. The displayed page showed Web applications and non-Web applications.

The landing page has links to group resource sites and non-Web applications.

While working we needed to leave the PC unattended so we removed the iKey midway and the SSL tunnel closed automatically — a very useful security function.

The iGate Pro responded well to the tests we put it through in areas such as secure communications, authentication, authorization, secure application proxy, client-side security, end user support and management.

List prices start at US$22,995.


Check with your SSL VPN gateway vendor which client server applications are supported.

Test it first-hand on your network with your own applications.


SSL VPN enhances our business capabilities, and SafeNet's SafeEnterprise iGate Pro SSL VPN provides the right combination of security along with manageability and ease of use.

It enables secure access to Web-based and non-Web-based applications, and is indeed a "click and access" product.

iGate Pro is definitely a product to look at if you are considering secure remote access for telecommuters over the ubiquitous Internet.
