SSL VPN, or Secure Sockets Layer VPN, is a protocol that is already embedded in most IP stacks and sits at the base of the application layer. It can deliver remote network access via HTTPS from a web browser. It requires only minimal client configuration, so virtually any client with a network connection can use SSL VPN without the need for additional VPN client software or a complex configuration and setup.
The main drivers for SSL VPN are:
- Cost saving – Because SSL VPNs can be clientless, the cost of deploying clients is saved.
- Platform independent & mobile – Access can be granted from many types of machine (Linux, Windows, PDAs) and from many locations.
- IP mobility – Not bound to the source IP address, so connections can be maintained as clients move.
- Greater granular access control – Access can be controlled at a finer granularity, even down to the individual URL. SSL VPNs also lend themselves to more granular access control because each resource accessed must be explicitly defined.
- No NAT issues – SSL VPNs do not suffer from Hide Network Address Translation (Hide NAT) issues because they are not tied to the IP layer.
SSL VPN Categories
There are 3 different techniques in use, and most commercial SSL VPN products use a combination of them.
- Application layer proxies
- Protocol redirectors
- Remote control enhancers
Application layer proxies
This is the simplest form of SSL VPN because it relies on the SSL functionality already used by existing applications. These proxies support only e-mail and web-based traffic. Additional functions such as file transfer exist, but they tend to be limited.
Advantages of Application layer proxies: Clientless – they operate with nearly all operating systems and web browsers.
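One way an application layer proxy can enforce the per-resource, URL-granular, default-deny access control described above (each resource a user may reach is explicitly defined, everything else is refused), as an added example that is not the article's own code: a small Python policy check and the browser-facing handler that applies it before relaying anything to the internal web server. The ACL entries, user names, `X-VPN-User` header and backend hostname are constructed placeholders; a real gateway would take the user from its authenticated TLS session.

```python
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler
from urllib.parse import unquote, urlsplit

BACKEND = "intranet.example.internal"  # placeholder internal web server
# Constructed allow-list: every resource a user may reach is explicitly defined
# as (method, path). A path ending in "/" is a prefix; otherwise it must match
# exactly. Anything not listed is denied (default deny).
ACL = {
    "alice": {("GET", "/webmail/"), ("POST", "/webmail/send")},
    "bob": {("GET", "/intranet/docs/")},
}

def normalise(path):
    """Decode and collapse the path so '..' or encoded separators cannot slip past a prefix rule."""
    raw = unquote(urlsplit(path).path)  # drop query string, decode %2e%2e / %2F
    parts = []
    for seg in raw.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    norm = "/" + "/".join(parts)
    return norm + "/" if raw.endswith("/") and norm != "/" else norm

def is_allowed(user, method, path):
    """URL-granular check: True only if an ACL entry explicitly covers the request."""
    norm = normalise(path)
    return any(m == method.upper() and (norm == res or (res.endswith("/") and norm.startswith(res)))
               for m, res in ACL.get(user, ()))

class ProxyHandler(BaseHTTPRequestHandler):
    """Browser-facing side: identify the session, enforce the ACL, only then relay upstream."""
    def _relay(self):
        user = self.headers.get("X-VPN-User")  # placeholder for real session auth
        if user is None:
            return self.send_error(401)
        if not is_allowed(user, self.command, self.path):
            return self.send_error(403)  # the internal server is never contacted
        n = int(self.headers.get("Content-Length", 0))
        up = HTTPConnection(BACKEND, timeout=10)
        up.request(self.command, self.path, self.rfile.read(n) if n else None)
        resp = up.getresponse()
        self.send_response(resp.status)
        self.end_headers()
        self.wfile.write(resp.read())
    do_GET = do_POST = _relay
```

The handler is meant to be served from an `HTTPServer` whose socket is wrapped with an `ssl.SSLContext` holding the gateway certificate, so the browser only ever speaks HTTPS to the proxy.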
Protocol redirectors
These are more flexible than application layer proxies, but not truly clientless in their operation. They work by downloading a mini client from the gateway, which installs locally and redirects traffic.
Advantages of Protocol redirectors: They can support any application that works on fixed TCP or UDP ports and, in some implementations, applications that use dynamic ports (such as MS Outlook).
Remote control enhancers
This is the most flexible form of SSL-based VPN, but it also has the highest overhead. It works by enhancing a remote control protocol such as Windows Terminal Services or Citrix Metaframe with SSL VPN functionality and web browser support. This means any application can be added to the SSL VPN by adding it to the remote control desktop.
Remote control enhancers are usually combined with other SSL VPN technologies because applications that reside on the local desktop cannot be used directly.
Advantages of Remote control enhancers: They offer features such as the ability to read and update documents held centrally without ever having to download the entire document.