Secure that line!
Secure Sockets Layer VPNs deliver clear connections from the road
Sidebar | SSL VPN: The key to local security, too?
Sidebar | How does SSL work, anyway?
- By Greg Crowe
- Jul 23, 2007
Virtual private networks have been around for more than a decade as cost-effective ways to let employees telecommute from home or work from the road or from remote offices. And VPNs have evolved.
A VPN establishes a logical network connection between two points by tunneling: packets built with a specific VPN protocol are encapsulated inside a carrier protocol, usually IP, and transported across the Internet. At the far end of the connection they are de-encapsulated. Because the VPN protocol encrypts and authenticates the inner packets, the other traffic sharing the network can neither read them nor alter them without the change being detected.
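The tunneling and encapsulation just described, as an added example that is not code from the article or from any vendor in it: the inner packet is wrapped in an ESP-style carrier (tunnel identifier plus sequence number, encrypted body, integrity tag), and the far end verifies the tag and rejects replays before it decrypts. The keys, the inner packet and the HMAC-based stream cipher (standing in for AES so the script needs only the Python standard library) are constructed assumptions, not anything the article or a product specifies.

```python
"""Toy VPN tunnel: an inner packet is wrapped in an encrypted, authenticated
carrier packet, then unwrapped and checked at the far end.

Added example, not code from the article or any vendor. Keys are constructed
constants; a real VPN negotiates them. The cipher is an HMAC-SHA256
counter-mode keystream standing in for AES so that only the standard
library is needed."""
import hashlib
import hmac
import struct

ENC_KEY = b"constructed-encryption-key-32by!"  # constructed, not a real key
MAC_KEY = b"constructed-integrity-key-32byt!"  # constructed, not a real key
ICV_LEN = 16                 # bytes of HMAC tag carried on each carrier packet
HDR = struct.Struct(">II")   # ESP-style header: SPI (tunnel id) + sequence number


def keystream(nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from the encryption key and a per-packet nonce."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(ENC_KEY, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(spi: int, seq: int, inner: bytes) -> bytes:
    """Wrap an inner packet: header || encrypted inner || integrity check value."""
    header = HDR.pack(spi, seq)
    # SPI + sequence number serve as the nonce, so a sequence number must never
    # be reused under one key; real tunnels rekey before the counter wraps.
    body = xor_bytes(inner, keystream(header, len(inner)))
    icv = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


class TunnelEndpoint:
    """Receiving side: verify the tag, check for replay, then decrypt, in that order."""

    def __init__(self):
        self.highest_seq = {}  # last accepted sequence number per SPI

    def decapsulate(self, outer: bytes):
        if len(outer) < HDR.size + ICV_LEN:
            return None
        header, body, icv = outer[:HDR.size], outer[HDR.size:-ICV_LEN], outer[-ICV_LEN:]
        expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None  # forged or modified in transit: drop before decrypting
        spi, seq = HDR.unpack(header)
        if seq <= self.highest_seq.get(spi, 0):
            return None  # replay (real ESP keeps a sliding window to tolerate reordering)
        self.highest_seq[spi] = seq
        return xor_bytes(body, keystream(header, len(body)))


if __name__ == "__main__":
    inner = b"\x45\x00\x00\x28" + b"GET /portal HTTP/1.1"  # constructed inner packet
    peer = TunnelEndpoint()
    carrier = encapsulate(0x1001, 1, inner)
    print(peer.decapsulate(carrier) == inner)   # True
    print(peer.decapsulate(carrier))            # None: the same packet replayed
```

The order inside decapsulate is the point worth copying: authenticate first, then check the sequence number, then decrypt. A receiver that decrypts before verifying the tag hands an attacker an oracle on the cipher, and one that never checks sequence numbers will happily accept a captured carrier packet played back later.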
That's quite an improvement compared with the old ways. One older method was to have dedicated, leased lines between the clients and networks, which formed early wide-area networks and could be costly because you were paying to have a constantly open private line. The other involved a modem connection to an application server, which was feasible for people only in the local dialing area unless you paid for a toll-free line. In any case, the connection was restricted to dial-up speeds.
Another method of connecting clients to a central network is a traditional VPN, one that uses IPsec or a similar protocol. This method requires a client program installed on each remote computer, which locates the VPN gateway on the central network and establishes the tunnel to it.
The requirement for client software has its pros and cons. It can provide extra security, but software licenses can be expensive, and configuring the client to make the proper connection requires user expertise or the presence of a network administrator at each remote location.
Now the best way to connect to a network securely is with a Secure Sockets Layer VPN appliance. It eliminates the need for dedicated client software, along with the expense and headaches of maintaining multiple licenses. All recent Web browsers have SSL built in, so nearly every computer already has the client in place. The downside of using a Web browser as the client is that, in this clientless mode, users reach only the Web-based applications the appliance publishes, not the entire network. But that also means administrators can regulate access more precisely, because the access policy lives in one place, on the appliance, rather than being split between a gateway and a client configuration on every remote machine.
We received SSL VPN appliances from Array Networks, Juniper Networks and SonicWALL. They ranged from inexpensive, low-bandwidth, workgroup devices to powerful multienterprise managed appliances. We set up each of them in turn on our test bed network and ran them through normal configuration and maintenance routines, such as incorporating new SSL certificates.
Because of the differences in what the devices could do and the lack of testing standards, we decided not to perform any heavy endurance tests, though we did hook them up to a test network and pushed some traffic through to verify that they could work with their listed number of users. Mostly, we concentrated on the ease of setup and maintenance, and any extra features the devices had. Of course, price did factor into our grading, but only when considering an appliance's other offerings.
Array SPX3000 FIPS
Under the hood: The SPX3000 FIPS' interface lets users set up virtual sites quickly and gives vital stats on the VPN's performance.
Ease of setup: B
Ease of use:
Pros: Powerful throughput.
Cons: Setup and configuration are difficult.
The SPX3000 FIPS from Array Networks is capable of regulating an impressive volume of concurrent users and bandwidth. Its additional features make this product an adaptable enterprise-level appliance.
The 1U rack-mountable appliance has the obligatory internal and external RJ-45 Ethernet ports and a serial console port. In addition, it comes with a Hardware Security Module (HSM) validated under Federal Information Processing Standard 140-2 at Levels 2 and 3, housed in a secure enclosure inside the SPX3000 as an added protection. The module keeps the private keys in hardware and performs the public-key operations of the SSL handshake, leaving the SPX's main processor free for other tasks. That offload is the main reason the appliance can sustain as many connections as it does.
Unlike some VPNs, SPX models run ArrayOS, a proprietary operating system built specifically for this class of appliance with security as a primary design goal. Array's argument is that a purpose-built OS with a much smaller attack surface is harder to compromise than a general-purpose commercial operating system.
The SPX3000 supports as many as 256 virtual portals, which an administrator can use to separate different groups or offices in virtual spaces that have a look and feel all their own. This also gives you an additional method of regulating user access.
Setting up the SPX3000 FIPS was more complicated than setting up the average appliance, and only partly because of the added security module. After connecting to the console port over serial, you must log in, enter enable mode, which requires a second password, enter configuration mode, and then type the settings one by one as commands. To get the Web-based administration interface running, we also had to log in to the HSM to confirm it was operational. Requiring a console session and a separate HSM logon is more secure than a setup wizard reached over the LAN, but it is also a great deal more tedious.
The Web user interface was not very intuitive for some tasks. However, a quick-task pane collects several of the most common administrator jobs. A certificate signing request is generated as part of creating a virtual site; once the certificate authority returned the certificate, installing it was relatively easy.
The SPX3000 FIPS shines in bandwidth capacity. Array claims it can handle as many as 2,500 concurrent users and 300 megabits/sec of throughput. Based on our tests, that estimate appears to be accurate. Of course, keep in mind that, as with most of these appliances, you have to purchase a license for each concurrent user.
Array has set the price for the SPX3000 FIPS at $26,995 for 50 concurrent user licenses, which seems reasonable for such a powerful FIPS-compliant appliance, especially considering the addition of HSM. If you don't need this level of power, Array also offers non-FIPS-compliant models starting at $2,995.
The SPX3000 FIPS from Array Networks would do well in any large-scale environment with numerous remote users who create a great deal of traffic.
Array Networks, (866) 692-7729, www.arraynetworks.com.
SonicWALL SSL-VPN 2000
To the point: SonicWALL's administrator interface is no-frills but will still let users perform the jobs they need to do.
Ease of setup: A
Ease of use:
Pros: Easy to set up and use.
Cons: Low user threshold.
The SonicWALL SSL-VPN 2000 is designed for small to midsize enterprises. It is easy to set up, easy to use and light on the budget.
The chassis of the SSL-VPN 2000 takes up 1U of rack space, which is as small as rack-mountable equipment gets. It is about two-thirds as deep as other units in this review, allowing for easier mounting. It has four RJ-45 10/100/1000 Ethernet ports for a variety of interconnectivity options, depending upon how your network is set up.
The power supply has a hard switch in the back instead of the expected smart-switch button in the front. That would make restarting the appliance more difficult, especially if the rack is completely full.
The device's setup was the easiest of the appliances we tested. Connecting to the serial console port was not necessary. A computer configured for the same subnet was attached with a LAN cable, and the graphical user interface came up in the browser. That is arguably less secure than going through the serial port, since anyone else on that subnet can reach the appliance's factory-default address and logon the same way; do the initial configuration on an isolated segment and change the administrator password before the management port touches a production network. Both methods at least require a direct connection to the device.
The installation manual was easy to follow with clear diagrams of various network configurations the appliance supports. Common administrator tasks are outlined clearly in a step-by-step format.
The administrator interface is pretty good, with related windows grouped in a logical fashion, so most tasks are easy to find. Importing a certificate is more involved than we would have liked: the certificate issued by the certificate authority and the matching private key (which was generated locally along with the certificate request; a CA never supplies the private key) must first be packed into a Zip file before the admin console can do anything with them. This is not a difficult step, but it is an extra step nonetheless.
The number of concurrent users for the SSL-VPN 2000 is unrestricted and theoretically unlimited. However, for optimal performance, SonicWALL recommends a maximum of 50 concurrent users.
Although a browser-only SSL VPN session cannot mount network file shares in the traditional sense, you can reach them through a server-side Web application. The SSL-VPN 2000 gives users a Java applet for browsing shared files on the network. We found this to be a great convenience for users.
The SSL-VPN 2000 works well enough by itself behind a third-party firewall, but it is designed to function with a SonicWALL gateway security appliance.
The SSL-VPN 2000 has a retail price of $2,295, which we found to be a terrific bargain, especially considering the unlimited user licenses. Admittedly, it doesn't have the bandwidth capacity that a more powerful, more sweeping VPN would have, but it can hold its own in a midlevel enterprise environment.
SonicWALL, (888) 557-6642, www.sonicwall.com.
Juniper SA6000SP
Ready reminder: Juniper Networks' Guidance Panel has task lists to make sure that administrators don't forget even the most basic configuration or maintenance step.
Ease of setup: B+
Ease of use:
Pros: Fairly easy to use.
Cons: 2U of rack space.
The SA6000SP from Juniper Networks is a powerhouse that is surprisingly easy to use given its complexity. It can take charge of a multienterprise-level environment, yet it is reasonably quick to set up.
This device takes up 2U of rack space, more than any other in this review.
However, the increased size is primarily because of two redundant power supplies, which are hot-swappable in case one of them fails. The unit we tested had only one, but there was space for another. Juniper took advantage of the increased appliance size and made the two cooling fans as big as they could. These are also hot-swappable, which makes replacement easy.
In addition to the expected pair of RJ-45 10/100/1000 Ethernet ports, the SA6000SP has two small form-factor pluggable (SFP) ports that take Gigabit Ethernet transceiver modules, typically fiber. Even if your network does not yet use such links, you won't need to replace the appliance if you upgrade later. The appliance meets FIPS 140-2 Level 3 requirements.
Setting up the SA6000SP is no more difficult than we've come to expect from any security device. We connected a null modem cable from the console port to a computer's serial port, opened a terminal emulator, set the COM port parameters, and off we went. We took the appliance through the basic settings, changing them one by one until it could be reached over the network with a Web browser.
We found the Admin WebUI to be easy to use if you have basic knowledge of SSL VPN settings. There is a guidance pane to the right that lists the settings that still need to be done and has links to the corresponding pages. There are additional guidance panes that list tasks an administrator might want to perform. Although the menu system on the left is easy enough to navigate, the guidance task lists entirely bypass it for the most basic tasks.
The standard licensing that came with the device we tested allowed for 25 concurrent users, although you could buy licensing for more users separately.
The SA6000SP ships with a list of more than 80 trusted certificate authorities, so back-end Web servers whose certificates chain to one of them are trusted automatically when the appliance proxies to them, which saves the work of vetting each server individually. Importing a device certificate, so that users' browsers will trust the VPN itself, was about as simple as it gets: once the certificate authority returns the signed certificate, you browse for the certificate file and the matching private-key file (the key stays with whoever generated the request; the CA never sends it), click Import and you're done. Juniper added no unnecessary steps to an already step-laden process.
Juniper sells the SA6000SP with 25 concurrent user licenses for $24,985, which is about what you'd expect for a FIPS-compliant SSL VPN of this capacity. And the hot-swappable components are a money-saving feature. Of course, Juniper has smaller models for less if that's what you need.
The SA6000SP would perform well in the largest-scale environments. It might be overkill in a smaller arena, but it would be hard to beat in a service provider or a multienterprise-level situation.
Juniper Networks, (866) 298-6428, www.juniper.net.
SSL VPN: The key to local security, too?
Secure Sockets Layer virtual private networks are rapidly becoming the most universally used method for remote access to a network. Encapsulated, encrypted packets via the Internet are the most effective means for an external client to communicate securely with a network. But what about the local user?
The established method for local users involves logging in to a computer on the subnet and comparing the user name/password combination to a list of users. The method is universal, and it has done pretty well by us all so far. But increased use of wireless networking ' and the persistence and skill of potential hackers ' has made it necessary to start rethinking this strategy.
Network Access Control (NAC) is a security solution that controls which network resources and applications authenticated users can access based on their identity, the computer they are using and how that computer connects to the network. This level of access can even change during a connection, depending on the behavior of the connecting computer.
All you administrators are probably thinking this sounds too good to be true. Well, in a sense, it is ' for now. Many companies offer solutions under the NAC label with widely varied capabilities, so it is easy to get an NAC product that is not optimal for your needs.
An SSL VPN is essentially an NAC solution for remote users, and many experts recognize it as such. Although the network does not regulate the connecting computer's behavior, administrators can restrict access to network applications or resources using the VPN permission settings. That's why many believe the technologies and processes used by an SSL VPN can easily be turned into an NAC for all users, whether in the office or on the road. That would put organizations that currently employ an SSL VPN one step ahead on the road to NAC.
The future is difficult to divine, of course, but transition from SSL VPNs to total NAC seems to be a logical step. Perhaps as early as next year, we will be looking at SSL VPN-type devices to protect local networks instead of just remote connections. Officials at more than one company in this review suspect that this could be the future, so we thought it would be worth mentioning. You wouldn't want to be left out in the cold when the winds of change start blowing, and a secure network means a local NAC appliance.
How does SSL work, anyway?
Since its introduction about a decade ago, the Secure Sockets Layer protocol has changed the way we do business via the Internet, or, more accurately, it has enabled Internet business to be done at all. Nearly every credit card purchase or secure log-in uses SSL to keep transactions safe from eavesdropping, tampering and forgery.
Although the details can vary depending on the version, SSL uses four basic steps to create a secure connection via the Web.
First, the client opens the handshake with a hello message carrying a random value, and the server answers with its own random value and its digital certificate, which holds the server's public key. The client then generates a random secret, the premaster secret, encrypts it with the server's public key and sends it; only the holder of the matching private key can decrypt it. Both sides derive the session keys from that secret and the two random values. Finally, each side sends a "finished" message, a keyed hash of the entire handshake computed with the new session keys. The server can produce a correct one only if it decrypted the premaster secret, so this is what proves it holds the private key that belongs to the certificate. Once the finished messages verify, the secured connection begins. (This is the RSA key exchange; cipher suites based on Diffie-Hellman agree on the secret differently, but the certificate still establishes the server's identity.)
The crucial element in this process is the digital certificate the server sends as its identification. The certificate binds the server name (servername.domain.com is the typical format) to the server's public key, carries a validity period, and is signed by the issuing certificate authority. The browser checks that the signature chains to an authority it trusts, that the certificate has not expired and that the name matches the host in the URL you are browsing. If any of these checks fails, the browser warns you, allowing you to back out of a potentially insecure connection or continue at your own risk.
A certificate that browsers will accept without a warning has to come from a certificate authority those browsers already trust; you can sign your own, but every user will then see a warning, which trains them to click through the very warning that matters. It is the authority's responsibility to verify the identity of each applicant and the applicant's right to a certificate for the domain in question. Through databases such as the Data Universal Numbering System, maintained by Dun and Bradstreet, the authority can verify the existence and location of the applicant's company. It also determines who owns the domain and checks that this matches the company information. The authority must take every step to ensure that it issues certificates only to the people they claim to be. Note what the authority actually signs: the public key and name you submit in a certificate signing request. The private key is generated and kept on your appliance and never goes to the CA.
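The handshake and certificate checks described in the preceding paragraphs, as an added example that is not code from the article, from Entrust or from any vendor in the roundup: a toy certificate authority signs the server's name and public key, the browser checks the signature and the name against the URL, and the RSA-encrypted premaster secret plus the server's "finished" message prove the server holds the private key. The RSA here is textbook (no padding) over tiny Mersenne-prime moduli, an assumption made so the script runs on the Python standard library alone; the server name vpn.example.gov, the keys and the message labels are constructed.

```python
"""Toy model of the SSL/TLS handshake with RSA key exchange: certificate check,
encrypted premaster secret, key derivation, and the "finished" check that proves
the server holds the private key.

Added example, not code from the article or any vendor. RSA is textbook
(no padding) over small Mersenne-prime moduli; real deployments use 2048-bit
keys with proper padding. All names and keys are constructed."""
import hashlib
import hmac
import os

E = 65537
# Known Mersenne primes used as constructed toy moduli (never do this for real keys).
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1


def make_key(p: int, q: int) -> dict:
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def digest128(*parts: bytes) -> int:
    """SHA-256 truncated to 128 bits so the value fits under every toy modulus."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:16], "big")


def ca_issue(ca_key: dict, subject: str, subject_n: int) -> dict:
    """The CA signs only the name and the public key; it never sees a private key."""
    sig = pow(digest128(subject.encode(), str(subject_n).encode()), ca_key["d"], ca_key["n"])
    return {"subject": subject, "n": subject_n, "e": E, "sig": sig}


def browser_accepts(cert: dict, trusted_ca_n: int, url_host: str) -> bool:
    """What the browser checks before trusting the identification it was sent."""
    expected = digest128(cert["subject"].encode(), str(cert["n"]).encode())
    chains_to_trusted_ca = pow(cert["sig"], E, trusted_ca_n) == expected
    return chains_to_trusted_ca and cert["subject"] == url_host


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Key-derivation / MAC primitive for the toy (HMAC-SHA256)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def handshake(server_key: dict, cert: dict, trusted_ca_n: int, url_host: str):
    """Run both sides; return the client's session key, or None if the client
    would refuse the connection."""
    # 1. Hellos: both sides contribute fresh randomness; the server sends its certificate.
    client_rand, server_rand = os.urandom(32), os.urandom(32)
    if not browser_accepts(cert, trusted_ca_n, url_host):
        return None  # certificate warning: untrusted issuer or name mismatch
    # 2. The client encrypts a random premaster secret to the certificate's public key.
    premaster = int.from_bytes(os.urandom(15), "big")   # 120 bits, below the toy modulus
    encrypted = pow(premaster, cert["e"], cert["n"])
    # 3. The server recovers it with whatever private key it actually holds.
    recovered = pow(encrypted, server_key["d"], server_key["n"])
    # 4. Each side derives the session key from the secret and both randoms.
    seed = client_rand + server_rand
    client_session = prf(premaster.to_bytes(32, "big"), b"master secret", seed)
    server_session = prf(recovered.to_bytes(32, "big"), b"master secret", seed)
    # 5. The server's "finished" is a MAC over the transcript under its session key;
    #    it verifies only if the server really decrypted the premaster secret.
    transcript = seed + encrypted.to_bytes(32, "big")
    server_finished = prf(server_session, b"server finished", transcript)
    if not hmac.compare_digest(server_finished, prf(client_session, b"server finished", transcript)):
        return None  # impostor: right certificate, wrong private key
    return client_session


if __name__ == "__main__":
    ca = make_key(M107, M127)
    server = make_key(M61, M89)
    cert = ca_issue(ca, "vpn.example.gov", server["n"])
    print(handshake(server, cert, ca["n"], "vpn.example.gov") is not None)  # True
    impostor = make_key(M89, M127)   # holds the real certificate but not the real key
    print(handshake(impostor, cert, ca["n"], "vpn.example.gov"))            # None
```

Two of the failure modes matter for a VPN administrator. The impostor case shows why copying a public certificate buys an attacker nothing: the "finished" MAC under the wrong session key does not verify, so possession of the private key is what is really being tested. The name-mismatch case is the warning users see when an appliance is reached by an address other than the one on its certificate, which is why the device certificate should be requested for the exact host name users will type.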
SSL 3.0 is the last version to carry the SSL name; it was superseded by Transport Layer Security 1.0 in 1999, and TLS 1.1 followed in 2006. The protocols are close relatives, and the name SSL is used loosely for all of them: VPN appliance manufacturers and certificate authorities say SSL whether the connection actually negotiates SSL 3.0 or TLS.
For our testing in this roundup, we became verified users of and used certificates provided by Entrust (www.entrust.com).