The new crop of secure sockets layer virtual private networking (SSL VPN) products are touted as low-cost methods of accessing the corporate network from outside the company without leaving sensitive information on the remote desktop.
But one analyst warns the products have their limitations, including limited access from machines that are not trusted by the server.
One Canadian firm, Mold Masters, adopted Aventail Corp.’s SSL VPN product because it does not require a client software installation.
“What we were looking for was something that can allow our remote users a connection with zero footprints from customer sites or from the public Internet,” says Val Smith, IT manager for Mold Masters.
This flexibility will let users, theoretically at least, access a company’s Web, client-server and legacy applications from any computer with Internet access.
“That is one of the gains from SSL VPN: you can get access from a shared device,” says Hari Krishnan, product manager for F5 Networks Inc. in Seattle. “With SSL VPN, you can selectively open up specific applications, and you don’t need to have client software installed as a managed device, so partners and suppliers can have access a lot more easily.”
In spite of the initial investment required, vendors such as Seattle-based Aventail also claim SSL VPNs can save users money over the long term.
“Something that I hear over and over again from our customers is that they cut the number of calls to support desks for help with remote access sometimes by 80 to 90 per cent,” says Margaret Dawson, spokesperson for Aventail.
While SSL VPNs may be set up to offer the same network connection as one with deployed client software, the reality is that users may be unable to access the same number of applications.
“It is easy to get caught up and think that every one of the SSL VPN solutions will give you access to every one of the applications you are used to accessing,” says Mark Bouchard, an analyst with Meta Group Inc. of Stamford, Conn. “So one of the things you need to look at closely for any given product is what scope of applications can it allow me to get to.”
Apart from the user’s own access privileges, the reach of any SSL VPN can be limited by the security features on the computer from which the user accesses the network. Few problems would arise if a user tries to access the network from a company-issued laptop, or from behind another company’s firewall.
But access from uncontrolled shared devices, such as airport kiosks, may place restrictions on the end-user.
“It is important to make sure that when you are providing access to users the network itself is protected from worms or viruses,” says Krishnan. “Not only from external intruders but also companies’ own employees who may inadvertently have a virus-infected laptop.”
But VPNs can provide a very detailed level of security, Krishnan says.
“You can also access and audit the user activity at the application level so you got a detailed audit trail.”
Bouchard says some users may find their access is limited because the administrator has set up a system to ensure the remote client has anti-virus and firewall software installed.
However, some vendors say their products can overcome the security limitations imposed by administrators.
“What I would do is I would use the Aventail Secure Desktop which is a secure sandbox area,” says Chris Hendricks, Aventail’s product marketing engineer. “It is an encrypted virtual desktop where everything essentially gets stuck into an encrypted ball, and when you are done it gets cleaned up.”
Mold Masters’ Smith said this is one reason his company chose Aventail.
“We were convinced that it did not leave a footprint,” Smith said.
SSL VPNs present few interoperability problems for the client, but users may encounter snags if they go beyond Web applications.
“With many of these products, if you go beyond accessing Web applications, they actually require an ActiveX or Java plug-in to be downloaded,” says Bouchard.
Krishnan of F5 says large companies need to account for the fact that they frequently change existing applications and add new software.
It doesn’t take long to train users, because the user interface is normally the same as the previous VPN.
“Because it is usually Web-based, and it is usually portal based, they just go to the Web site, they point to it, and sign in,” says Hendricks.