SSL VPN

from Wikipedia, the free encyclopedia

SSL VPN (in English written without a hyphen) refers to systems that allow private data to be transported over public networks (see VPN) and that use TLS (old name: SSL) as the encryption protocol.

Applications

In principle, SSL as an encryption protocol for VPN is suitable for both site-to-site and end-to-site VPNs. In the 1990s, there were systems that used SSL as a security layer for site-to-site VPNs. With the development of IPsec and increasing networking across organizational boundaries, standardized, interoperable IPsec has established itself as an alternative.

The decisive advantage of SSL-VPN over IPsec is the provision of network and application access for mobile users, since the configuration of the clients is easier than with a solution using IPsec.

Types

All common SSL-VPN systems today use TCP port 443 (HTTPS) for data transmission. Compared to IPsec and other VPN technologies, this has the advantage that it is easily compatible with network address translation and often also enables access through company proxies and firewalls. In addition to the resulting usability in third-party organizations (usually not possible with IPsec VPN due to the usual firewall configurations), many SSL VPNs can also be used for many functions without prior installation of client software.

There are essentially three different types of SSL VPNs today:

  1. SSL VPN systems that only allow access to web applications with a web browser but cannot provide applications that require the transmission of network protocols. These SSL VPNs do not require any client installation. The “VPN” part of the name is controversial for these systems, but common in the market.
  2. SSL VPN systems that work similarly to other VPN technologies (IPsec, L2TP, PPTP) but use SSL for data transmission. With this variant, complete IP packets are encapsulated, which means that, from the user's point of view, the connection with the SSL VPN client behaves in exactly the same way as an IPsec tunnel would. The user can use local applications on their PC and access company servers through the SSL tunnel (e.g. for software distribution, DFS).
  3. SSL VPN systems that allow both web application access and network access to the private network. These systems often have components that enable individual communication relationships to be tunneled (e.g. Outlook access to Exchange servers) without having to establish an IP tunnel (example: "Socket Forwarder" in Microsoft IAG 2007).

Mixed forms are common. A uniform nomenclature for distinguishing the different types has not yet established itself in the market. However, the name is common for all VPN systems that use SSL/TLS as the encryption protocol and use TCP port 443 (HTTPS) for data transmission.

For most SSL VPNs, a session is started by logging into a website. Starting non-web applications is usually also done via this website (portal). However, this does not apply to SSL VPNs that differ from classic VPNs only in the transmission protocol; these usually use a client that has to be installed and that is launched to log on to the VPN.

Technology

To provide web applications in SSL-VPN systems that allow clientless access, the URL namespaces of the provided applications and servers are translated into a single URL namespace, so that these web applications can be accessed via a single host name. In particular, central authentication, authorization and content inspection for access can be implemented in this way.

SSL VPNs use different techniques to provide network-based client-server systems:

  • the provision of the application under its actual network address (as with IPsec), for example by a virtual network adapter or layered service provider (Windows)
  • the provision of the application under a loopback network address of the client. To redirect client applications, the DNS name is often pointed to this address by temporarily adapting the host table of the client system, or a name service provider (Windows) is registered.
  • the provision of a local SOCKS server (on a loopback network address) and transmission of the network information within the SSL tunnel

The client-side components are usually implemented as ActiveX or Java components.

Security

As with other VPN technologies, there are typical security risks with SSL VPNs. The main advantage of SSL-VPN over other VPN solutions in many systems is the ability to use any web browser as a client in any network.

Authentication

Existing user directories are usually used for authentication with SSL VPNs. Typical authentication services supported by SSL VPNs are LDAP directory services, RADIUS, TACACS+, two-factor authentication systems such as SecurID and the use of certificates. Individual SSL VPN solutions are able to use several authentication services at the same time during login. This can be of particular interest in connection with single sign-on for the provided applications, or for two-factor authentication (2FA) if one factor is the network password of the user and the second factor is a token code. Not all SSL VPN solutions have their own user administration.

Authorization

The use of group assignments of the user in an LDAP directory service, a 2FA service or RADIUS is common for authorization with SSL VPNs. Not all SSL VPN solutions have their own group management.

Client security

The use of any web browser (and thus any computer, in particular one not owned by the company) as a client also creates special security risks, such as

  • leaving confidential information in the cache of the web browser (access data, documents, ...)
  • uploading malware into provided web applications (e.g. webmail)
  • spying on access data (e.g. passwords)
  • the unauthorized use of sessions that have not been closed (e.g. via the "Back" button of the browser)
  • the transmission of attacks on the provided applications (e.g. when accessing from a worm-infected PC)
  • the execution of XSS attacks against provided web applications on the client, if the attacker succeeds in publishing specially prepared content in a provided web application (e.g. by sending a corresponding email message that is then opened via webmail). This is made possible by the weakening of the DNS-name-based scripting security model in browsers (in the case of SSL VPNs that translate the URL namespaces of the application servers into a single external host name)

Some SSL VPN systems address these problems through

  • client-side components that check the presence of a virus scanner or a personal firewall
  • client-side components that are intended to provide a virtualized, restricted and trustworthy desktop environment for working with the network connected via SSL-VPN
  • the integration of an intrusion prevention system
  • precautions to make XSS attacks more difficult, for example in the form of a separate content inspection engine, encryption of the URL translation, path restrictions for translated cookies, or the evaluation of the referrer header
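
The namespace translation described under Technology and the cookie path restriction listed above, as an added example (not part of the original article and not any product's code): it shows that two internal applications with distinct origins end up in one browser origin behind the gateway, and how confining a translated cookie's Path to the application's prefix limits which requests carry it. The `/proxy/<scheme>/<host>/` layout, the host names and the cookie are assumptions constructed for illustration.

```javascript
// Added illustration; the /proxy/<scheme>/<host>/ layout and all host names are
// hypothetical, not the URL scheme of any particular SSL VPN product.
const GATEWAY = 'https://vpn.example.com';

// Per-application path prefix under the gateway, also used to scope cookies.
function appPrefix(internalUrl) {
  const u = new URL(internalUrl);
  return `/proxy/${u.protocol.replace(':', '')}/${u.host}/`;
}

// Translate an internal URL into the gateway's single URL namespace.
function translateUrl(internalUrl) {
  const u = new URL(internalUrl);
  return GATEWAY + appPrefix(internalUrl) + u.pathname.slice(1) + u.search;
}

// Browsers isolate scripts by origin (scheme, host, port).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Rewrite a backend Set-Cookie so its Path is confined to that application's
// prefix instead of applying to the whole shared gateway host.
function translateCookie(setCookie, internalUrl) {
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const kept = attrs.filter(a => !/^(path|domain)=/i.test(a));
  const backendPath = (attrs.find(a => /^path=/i.test(a)) || 'Path=/').slice(5);
  const path = appPrefix(internalUrl) + backendPath.replace(/^\//, '');
  return [pair, `Path=${path}`, ...kept].join('; ');
}

// RFC 6265 path-match: does a cookie with cookiePath accompany requestPath?
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Constructed sample: two internal applications and one backend cookie.
const mail = 'https://mail.corp.example/owa/inbox';
const wiki = 'https://wiki.corp.example/page?id=7';
console.log('internal, same origin:', sameOrigin(mail, wiki));
console.log('via gateway, same origin:',
  sameOrigin(translateUrl(mail), translateUrl(wiki)));
const cookie = translateCookie('sid=abc123; Path=/; HttpOnly', mail);
console.log('translated cookie:', cookie);
console.log('sent to wiki path:',
  pathMatches(appPrefix(mail), new URL(translateUrl(wiki)).pathname));
```

Path scoping only limits which requests carry the cookie; from the browser's point of view both applications still share one origin.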

Server security

In addition to the client-side security risks, attacks such as malware can also be transmitted within the VPN. Some SSL VPN systems integrate content inspection capabilities on the SSL VPN gateway to examine the requests and content transmitted.

In SSL-VPN systems that also provide access to network-based (non-web) applications, the integration of packet filters within the VPN is also common. As a rule, however, in contrast to other typical VPN implementations, the packet filter rule set is also enforced on the client.
