National Institute of Standards and Technology has released a guide to virtual private networks using Secure Sockets Layer technology, comparing and contrasting them with IPsec and other VPN solutions.
The National Institute of Standards and Technology has released a guide to virtual private networks that use Secure Sockets Layer technology, comparing and contrasting them with IPSec and other VPN solutions.
Special Publication 800-113, 'Guide to SSL VPNs,' includes recommendations for designing, implementing, configuring, securing, monitoring and maintaining VPNs.
NIST also released for comment a draft version of SP 800-124, 'Guidelines on Cell Phone and PDA Security.' It is an overview of common cell phone and personal digital assistant devices to help administrators make informed information technology security decisions about their use.
VPNs that secure connections for remote users via Web browsers and SSL encryption are popular because they are easy to use. The SSL protocol is included in all standard Web browsers, so the client usually does not require reconfiguration and users can access the VPN from a wide range of computers. Portal VPNs enable users to access resources via a Web site. Tunnel VPNs allow users to access applications and protocols that are not Web-based but require the browser to handle active content.
'Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security VPNs,' the NIST guide states. 'The two VPN technologies are complementary and address separate network architectures and business needs.'
Requirements and recommendations for deploying an SSL VPN include:
- Configuring it to allow only cryptographic algorithms and modules that comply with Federal Information Processing Standard 140-2.
- Evaluating several products against clearly defined requirements.
- Using a phased approach to planning and implementation.
- Recognizing the limitations of the technology.
- Implementing other measures to support and complement the VPN.
- Plan for and deploy appropriate security controls for cell phones, PDAs and other handheld devices.
- Ensure that devices are deployed, configured and managed to meet business objectives and security requirements.
- Manage and maintain the security of devices throughout their life cycle.
NEXT STORY: Linux scales Glacier's Everest