VPNs Made Easy

Physicians at Catholic Health System in Buffalo, N.Y., want access to medical information and images. Managers at Perry Manufacturing Co. in Mount Airy, N.C., need remote access to e-mail and applications running on an AS/400. At these businesses and elsewhere, users are becoming increasingly reliant on remote access to business applications and data.

Yet even in the era of the Internet, there has been no easy and secure way to provide remote access to the data and applications users need. Dial-up connections, terminal emulation tools, Internet portals and traditional virtual private networks (VPN) can do some of the job, but each has its limitations.

"We had an old dial-up product to reach the AS/400, but no e-mail," recalls Howard Ward, Perry's director of information systems. The company had Cisco's Easy VPN for e-mail but found it to be too slow, he adds.

Catholic Health wanted to give physicians remote access to patient information and medical test results. Its first attempt—sending medical information and images via fax—proved cumbersome. Then it deployed a VPN based on the IPsec protocol. That provided session encryption and authentication and enabled network-level access to resources, but it also proved problematic. "Some physicians still use our VPN, but there are real support issues. You need to configure software on each client. What we wanted was an application-level gateway of some sort," explains Douglas Torre, director of networking and technical services at the health care services provider in western New York.

Both he and Ward have turned to Secure Sockets Layer (SSL) VPN appliances, which provide that application-level gateway by allowing remote access over the Internet to Web-friendly applications.

No-Hassle VPNs

While IPsec VPNs provide broad, flexible network-level access, SSL VPNs let remote users access specific applications over an intranet or the Internet using a Web browser. In its purest form, the SSL VPN is clientless, relying only on a Web browser to run any application that can present an HTML interface. In other cases, users may need to download a browser plug-in, such as a Java or ActiveX component, in order to access a specific application.

Like its IPsec counterpart, the SSL VPN establishes a secure channel of communication. But it terminates the session outside the corporate firewall, usually to a server or appliance in the DMZ (the "demilitarized zone" between the secure corporate network and the public Internet). The user sessions then pass through to various internal systems using the appropriate interfaces and protocols.

In contrast, IPsec VPNs typically require the installation and management of complicated client software. These setups can be difficult and expensive to manage, especially if client machines aren't under the IT organization's control, says David Thompson, a senior research analyst at Stamford, Conn.-based Meta Group Inc. And when it comes to remote access, users are frequently beyond IT's reach, using their personal systems at home or public systems like those at Internet cafes or airports.

In addition to the need to configure the client software, says Torre, "there are security policy issues and access issues you have to keep dealing with." In comparison, Virtual Instant Extranet, an SSL VPN appliance from Neoteris Inc. in Mountain View, Calif., proved to be fast and simple. "We got Neoteris running in less than an hour. Users just go with their browser," Torre says.

Performance is another potential problem with conventional VPNs. "We were running our Cisco VPN on a big box, and it was still slow," says Ward. Efforts to tweak the VPN had no effect, and users still couldn't reach the AS/400. Ward installed FirePass from uRoam Corp. in Sunnyvale, Calif., and that appliance improved performance while delivering access to both e-mail and AS/400 applications. The AS/400 applications required a one-time client download of an ActiveX component.

IPsec VPNs establish a network-level connection and therefore need to punch through the firewall. That's a problem when remote sites won't open their firewalls, notes Malvin Mize, hosting and access team leader at Acxiom Corp., a vendor of information management services in Little Rock, Ark. Using the SSL VPN capability supported in Tarantella Inc.'s thin-client software, however, Acxiom's remote customers can sit at any Internet-connected device and, via their browsers, connect to the company's Tarantella Enterprise 3 server, which provides secure thin-client access to the back-end Windows applications Acxiom hosts. There's no need to open another port in the firewall at the customer site, since all traffic passes through HTTP Port 80, Mize says.

The Downside

"IPsec is the mainstream approach, but it's not suitable for every remote access situation," says Jim Slaby, an analyst at Giga Information Group Inc. in Cambridge, Mass. But although an IPsec VPN increasingly isn't necessary for many remote access needs, it still has a role in most organizations. "SSL solves all the remote access issues except one": providing access to client/server or other applications not accessible from a browser, Slaby says.

Unlike IPsec VPNs, SSL VPN appliances don't typically allow direct access to network file shares. One vendor, Seattle-based Aventail Corp., provides client software to access shared files on Windows servers. But that requires loading client software and doesn't support Network File System (NFS), which is commonly used on network-attached storage appliances.

With organizations increasingly Web-enabling their client/server and legacy applications, browser-only access is less limiting than it once was. But SSL VPN and application vendors have also come up with other work-arounds, such as adding client software or embedding proxy capabilities into appliances.

"Originally, the thinking around SSL VPN was to give every application a Web front end, but now you can just put in a gateway at the edge of the network," says Lisa Phifer, vice president of Core Competence Inc., a consulting firm in Philadelphia. The Web SSL session ends at the gateway, which then connects to whatever back-end application is requested. The gateway handles any necessary transformations or conversions and presents an application interface to the client.

On the back-end server side, Meta's Thompson identifies several possible gateways. They include Web proxies, which may dynamically rewrite Web addresses, masking internal addresses for security purposes; transactional proxies, which translate HTTP for use with File Transfer Protocol, SMTP and other applications; Socks-based proxy servers, which require client-side ActiveX controls or Java applets to enable access to client/server applications; screen scrapers, which reformat terminal-session displays for Windows or browser clients; and Windows thin-client systems, like Fort Lauderdale, Fla.-based Citrix Systems Inc.'s MetaFrame and its NFuse front-end software for Web browser access. Some functions may be embedded in SSL VPN appliances and associated client software, or a separate proxy server may be required.
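The rewriting Web proxy that Thompson describes can be illustrated with a small added example (not code from the article or from any vendor named in it): the gateway replaces links to allowlisted internal hosts with links that route back through its own public address, and maps incoming requests back only when the host is on that allowlist. The gateway address and internal host names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed example values: the gateway's public base URL and the internal
# hosts it is permitted to front. Hosts not on this allowlist are never
# rewritten and never proxied, so the gateway cannot become an open relay.
GATEWAY_BASE = "https://gateway.example.com/proxy"
ALLOWED_INTERNAL_HOSTS = {"intranet.corp.local", "mail.corp.local"}

# Matches href/src/action attributes; relative links are left alone here to
# keep the example focused on masking absolute internal host names.
_URL_ATTR = re.compile(r'(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_outbound_html(html: str) -> str:
    """Rewrite absolute links to allowlisted internal hosts so they point
    through the gateway; the browser never sees the internal host name."""
    def repl(m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_INTERNAL_HOSTS:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            url = f"{GATEWAY_BASE}/{parts.hostname}{path}"
        return f"{attr}={quote}{url}{quote}"
    return _URL_ATTR.sub(repl, html)


def resolve_inbound(gateway_path: str):
    """Map a request path received by the gateway back to (internal_host, path).
    Returns None when the embedded host is not allowlisted, so the gateway
    can refuse the request instead of forwarding it into the network."""
    prefix = urlsplit(GATEWAY_BASE).path.rstrip("/") + "/"   # "/proxy/"
    if not gateway_path.startswith(prefix):
        return None
    host, _, rest = gateway_path[len(prefix):].partition("/")
    if host not in ALLOWED_INTERNAL_HOSTS:
        return None
    return host, "/" + rest


if __name__ == "__main__":
    page = '<a href="http://intranet.corp.local/app/view?id=1">Records</a>'
    print(rewrite_outbound_html(page))
    print(resolve_inbound("/proxy/intranet.corp.local/app/view?id=1"))
    print(resolve_inbound("/proxy/evil.example.com/x"))
```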

Most users need access to a range of applications, so vendors have responded by putting different combinations of features into their products. Vendors also differ in the level of product manageability offered and in how easily their products can tie into an organization's existing directories for authentication and authorization.

With a proxy server, Java or ActiveX client components may be downloaded automatically the first time the user accesses the resource. This is how remote users typically access e-mail with Microsoft Exchange or Lotus Notes. On the back end, some sort of transactional proxy, such as Microsoft's Outlook Web Access server for Exchange Server, may be required. And companies that need to provide remote users with only e-mail access may find that newer products, such as the forthcoming Exchange Server 2003, include their own SSL VPN services.

By using thin-client intermediaries such as NFuse, users can access back-end Windows applications. Both Tarantella and Citrix also offer their own SSL-encrypted remote access options for their thin-client products. (Citrix also recently announced its own SSL VPN software offering, called Secure Access Manager.) But not all companies want the extra complexity and expense of adding a thin-client layer to their IT infrastructures just to allow remote access to client/server and Windows applications.

The SSL VPN market continues to expand as vendors rush into the space, but the future of many of them is questionable, analysts say. "The market will coalesce around a few," says Slaby, who expects large network-equipment and IPsec VPN vendors to sweep into the SSL VPN market.

Eventually, SSL VPN functionality may simply be incorporated into other network security products. "There will be consolidation of the infrastructure at some point," says Thompson, and users may see SSL VPN features merge into firewalls, portal gateways or other network-edge devices.

An SSL VPN appliance makes secure remote access easier, but it's not indispensable. "Much of the functionality of remote access can be achieved with the use of tools that many organizations already use in their customer-facing applications," Thompson says. By using security tools, portals, Web access control tools and SSL-enabled applications, some companies might avoid buying SSL VPNs altogether.

Radding is a freelance writer in Newton, Mass. You can reach him at alanradding@attbi.com.


Anatomy of an SSL VPN

SSL VPN appliances provide remote access to Web-enabled applications and resources without requiring VPN client software to be installed or firewalls to be modified. Clients use only a Web browser, and encrypted HTTPS traffic passes transparently through firewalls. Access to client/server applications requires a browser plug-in. Some vendors also provide access to file shares, but that requires agent software to be installed on the client.

SSL VPN Appliances

Client-free setup
Easier to configure and manage than traditional VPN products
Faster deployment

Work best with applications accessible through a Web browser
Puts another box in crowded security perimeter
SSL VPN access features are already built into some applications


Copyright © 2003 IDG Communications, Inc.