
SSL VPN: Is it the Solution for your SMB?

Tags: VPNs, Network security, SSL/TLS, TELECOMMUNICATIONS, NETWORKING, SECURITY, small and medium business, Deb Shinder, VPN, SSL, SSL VPN, SMB Strategies Newsletter


Takeaway: There are more options than ever when it comes to deploying a VPN solution on your SMB network, and SSL offers a number of advantages – especially now that Microsoft is building an SSL tunneling protocol into the next generation of Windows.

Virtual private networking (VPN) provides a secure way for telecommuters, traveling executives and employees who take work home to connect to the company's local area network and access the resources they need. There are a number of different VPN options available, some of which are built into popular operating systems and some of which require the purchase of additional software and/or hardware. As with most technologies, enterprises have had more flexibility in choosing the right VPN solution due to larger budgets and in-house IT staff with the expertise to choose, deploy and manage different VPN types.

Current VPN options for SMBs

The most popular VPN options for small businesses include:

  • Point to Point Tunneling Protocol (PPTP) VPN: PPTP services are built into Windows server software from Windows NT through Longhorn Server, so you can set up a PPTP server without buying extra software, and the PPTP client is built into all recent versions of Windows. It is the easiest of these options to deploy, but also the weakest: its MS-CHAP v2 authentication and the MPPE encryption keys derived from it are only as strong as the user's password, and the protocol has well-documented cryptographic weaknesses, so it should be the last choice on this list.
  • Layer 2 Tunneling Protocol with IPsec encryption: L2TP/IPsec VPN services are built into Windows 2000 Server and above, and the L2TP client is included in Windows 2000 Professional and later client operating systems.
  • IPsec-based third party VPN solutions: IPsec-based VPN appliances and integrated firewall/VPN products are available from a number of hardware vendors such as Cisco, SonicWall, Juniper Networks, Symantec, and many others.
  • SSL-based VPN solutions: Secure Sockets Layer (SSL) based VPN appliances and software products are available from many sources. With the upcoming release of Microsoft's next generation server operating system (code named Longhorn Server), a new VPN protocol, Secure Socket Tunneling Protocol (SSTP), will be included, and SSTP support will be part of Vista Service Pack 1. This will provide another cost-effective VPN option for the SMB market.

Advantages and disadvantages of SSL VPN for the SMB market

SSL (and its successor, Transport Layer Security, or TLS) is a relatively simple technology: public key cryptography (public/private key pairs, normally carried in X.509 certificates) authenticates the server and establishes a session key, and that symmetric key then encrypts the data in transit. Deployment and management are less complex than for IPsec VPNs, largely because an SSL VPN needs little more than a trusted server certificate, whereas IPsec involves a separate key exchange (IKE), per-host policies and NAT traversal to get right. This is especially important to small and midsize businesses because they often do not have large IT staffs, or IT personnel with the specialized expertise needed to troubleshoot IPsec VPN problems.

SSL VPNs are often touted as "clientless" but that’s not exactly correct; it’s more accurate to say that an SSL client is already installed on most computers: the web browser. Thus SSL VPNs can be established from machines on which the user isn’t able to install client software (for example, machines in public kiosks or libraries). This makes it easier for the user and allows more flexibility in where he/she can make a remote connection to the LAN.

A problem that often occurs when users want to make VPN connections from hotels and similar locations is that the network or firewall administrator blocks the ports and protocols the VPN needs (TCP port 1723 and GRE for PPTP; UDP 500/4500 and ESP for L2TP/IPsec). However, almost every network allows outbound HTTP over SSL (HTTPS) on TCP port 443, and an SSL VPN looks to the firewall like ordinary HTTPS traffic, so it will work in situations where the other VPN protocols don’t.

On the other hand, users may not get the same level of access with an SSL VPN as with more traditional VPN technologies. The browser-only ("clientless") mode typically exposes web applications and a limited set of proxied services such as file shares or e-mail; full network-layer access, where any application can reach any internal host as it can over PPTP or IPsec, generally requires the vendor's tunneling agent, which is downloaded on demand and may not be allowed to run on a locked-down public machine.

Security concerns

The purpose of the VPN is to provide a secure channel through which remote users can access the private network. There are certain risks with allowing any type of remote access, including VPN. For example, user passwords can be "cracked," allowing unauthorized persons to access the network through the VPN server. This risk can be reduced by requiring strong passwords and minimized further through the use of two-factor authentication such as smart cards.

Another risk of all types of VPN connections is split tunneling. This occurs when the remote computer is connected to the company LAN through the tunnel and to the rest of the Internet directly at the same time. If the remote system is compromised through its Internet connection, the attacker can use the established VPN tunnel to reach the corporate network, bypassing the perimeter firewall entirely. VPN clients can be configured to prevent split tunneling by routing all traffic through the tunnel (in the Windows client this is the "Use default gateway on remote network" setting); the side effect is that the remote user's ordinary web browsing then passes through, and is filtered by, the corporate gateway, which is usually what you want.
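Whether a connected client is split-tunneling is visible in its routing table: Windows uses the 0.0.0.0/0.0.0.0 entry with the lowest metric as the default route, so if that entry belongs to the physical adapter rather than the VPN adapter, Internet traffic bypasses the tunnel. The following is an added example, not code from the original article; it parses the IPv4 section of Windows "route print" output and reports whether the winning default route is on the VPN adapter. The route tables are constructed samples (the addresses 192.168.1.50 and 10.8.0.5 are assumed), not captures from a real machine.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of the IPv4 section of Windows "route print" output
# (not captured from a real machine). The physical adapter is 192.168.1.50;
# the VPN adapter is 10.8.0.5. The VPN client added only the corporate
# 10.0.0.0/8 route, so the only default route still points at the hotel or
# home router: Internet traffic bypasses the tunnel (split tunneling).
SPLIT_TUNNEL_ROUTES = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0         10.8.0.1        10.8.0.5     26
         10.8.0.0    255.255.255.0         On-link         10.8.0.5    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
===========================================================================
"""

# The same machine after the connection was set to use the remote network's
# default gateway: a second default route on the VPN adapter with a lower
# metric now wins, so everything goes through the tunnel.
FULL_TUNNEL_ROUTES = SPLIT_TUNNEL_ROUTES.replace(
    "Metric\n",
    "Metric\n"
    "          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.5      1\n",
    1,
)

# A route entry: destination, netmask, gateway (an address or "On-link"),
# interface address, metric. Header and separator lines do not match.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

Route = Tuple[ipaddress.IPv4Network, str, str, int]


def parse_routes(route_print: str) -> List[Route]:
    """Extract (network, gateway, interface, metric) tuples from route print text."""
    routes: List[Route] = []
    for line in route_print.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        # ipaddress accepts a dotted-quad netmask, including 0.0.0.0 for /0
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def best_default_route(routes: List[Route]) -> Optional[Tuple[str, int]]:
    """Interface address and metric of the default route Windows will use.

    Several 0.0.0.0/0 entries may coexist (one per adapter); the lowest
    metric wins.
    """
    defaults = [(iface, metric) for net, _gw, iface, metric in routes
                if net.prefixlen == 0]
    return min(defaults, key=lambda r: r[1]) if defaults else None


def is_split_tunnel(route_print: str, vpn_interface_ip: str) -> bool:
    """True when Internet-bound traffic leaves via an adapter other than the VPN.

    A host with no default route at all has no Internet path to split, so
    that case is reported as not split.
    """
    best = best_default_route(parse_routes(route_print))
    return best is not None and best[0] != vpn_interface_ip


if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(label, "tunnel sample -> split tunneling:",
              is_split_tunnel(table, "10.8.0.5"))
```

On a real client, feed the output of `route print` (or `route print -4`) to `is_split_tunnel` together with the VPN adapter's address; the same logic works for a client on which the VPN added a default route but with a higher metric than the physical adapter, which is still a split tunnel in practice.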

Because SSL VPNs can be established from public computers, they can pose an additional risk to the corporate network: those machines may not have the proper security fixes and updates, may not run up-to-date antivirus software and/or may not be using host-based firewalls, and a kiosk or library PC may already carry a keystroke logger that captures the user’s credentials. Public machines also may not support two-factor authentication, because they don’t have smart card readers attached or their USB ports are disabled.

Good SSL VPN implementations will allow you to check the "health status" of remote computers that attempt to connect to your network via VPN. These technologies allow you to set criteria (such as requirements for antivirus, firewall and service packs/updates) that can be checked, and remote computers that don’t meet those standards can be blocked from establishing a VPN connection to your network.

Looking forward to SSTP

Microsoft’s new SSTP VPN for Longhorn Server and Vista will help to solve the problems many VPN users have with PPTP and L2TP/IPsec connections being blocked by firewalls, proxy servers and Network Address Translation (NAT) devices, especially on networks where the users have no control over configuration of these devices.

Like Microsoft’s other VPN protocols, SSTP will be configured through Routing and Remote Access Services (RRAS) on the server. SSTP carries PPP frames inside an HTTPS session, so its traffic uses TCP port 443 and the RRAS server needs an SSL certificate that the clients trust; the client validates that certificate before any user credentials are sent. SSTP tunneling over IPv6 will also be supported; Vista and Longhorn have IPv6 installed and enabled by default. Multi-factor authentication, in the form of smart cards or SecurID tokens, is supported, as are RRAS remote access policies. The Connection Manager Administration Kit (CMAK) will be able to create profiles for SSTP VPN connections as well.
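The practical question raised in the hotel-network discussion above, and answered by SSTP's use of TCP port 443, is "which of my VPN types will get out of this network?" The following is an added example, not code from the original article or from Microsoft: it probes the TCP ports each VPN type needs from the client's current location and reports which types are viable. The VPN server name vpn.example.com is a placeholder. A TCP connect cannot exercise GRE, ESP or the IKE/NAT-T UDP ports, so PPTP and L2TP/IPsec can only ever come back "unknown" rather than "ok"; the report says so rather than guessing.

```python
import socket
from typing import Callable, Dict, List, Tuple

# What a guest network must let out for each VPN type discussed above.
# Only the TCP pieces can be tested with a plain connect; the rest is
# listed so the report states what it could not verify.
VPN_REQUIREMENTS: Dict[str, Dict[str, list]] = {
    "PPTP": {"tcp": [1723], "untestable": ["GRE (IP protocol 47)"]},
    "L2TP/IPsec": {
        "tcp": [],
        "untestable": ["UDP 500 (IKE)", "UDP 4500 (NAT-T)", "ESP (IP protocol 50)"],
    },
    "SSL VPN / SSTP": {"tcp": [443], "untestable": []},
}

ProbeFn = Callable[[str, int], bool]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP connection; refused, filtered and timed-out all count as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_vpn_options(vpn_host: str, probe: ProbeFn = tcp_reachable) -> Dict[str, Tuple[str, List[str]]]:
    """Classify each VPN type as "ok", "blocked" or "unknown" from this network.

    "blocked": a required TCP port did not connect.
    "unknown": the TCP part (if any) got through, but the protocol also
               needs something a TCP connect cannot exercise.
    "ok":      everything the protocol needs was verified.
    The probe function is a parameter so the logic can be exercised without
    network access.
    """
    report: Dict[str, Tuple[str, List[str]]] = {}
    for name, req in VPN_REQUIREMENTS.items():
        blocked = [p for p in req["tcp"] if not probe(vpn_host, p)]
        notes = [f"TCP {p} to {vpn_host} unreachable" for p in blocked]
        notes += [f"not tested: {item}" for item in req["untestable"]]
        if blocked:
            status = "blocked"
        elif req["untestable"]:
            status = "unknown"
        else:
            status = "ok"
        report[name] = (status, notes)
    return report


if __name__ == "__main__":
    # vpn.example.com is a placeholder for your own VPN server's public name.
    for name, (status, notes) in assess_vpn_options("vpn.example.com").items():
        print(f"{name:15s} {status:8s} {'; '.join(notes)}")
```

Run it from the hotel or conference network before deciding which client to use; a "blocked" result for TCP 1723 with 443 open is exactly the situation in which an SSL VPN or SSTP is the only option that will connect.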

Summary

Previously, SSL VPN solutions tended to be expensive and thus were used mostly by enterprise-level organizations. However, low-cost SSL VPN appliances and software are now available, and Microsoft is building an SSL tunneling protocol into the next versions of its Windows server and client operating systems, so this option is becoming a feasible choice for small and midsize businesses.

