What is SSL?
SSL stands for Secure Sockets Layer. The name is still used interchangeably with its successor, TLS (Transport Layer Security), which is what current clients and servers actually negotiate. SSL/TLS is a protocol for encrypting traffic between a client and a server system. It is built into pretty much every browser and is used when viewing sensitive information, such as on-line bank accounts or other SSL-enabled applications. SSL for viewing web pages is via HTTPS, which commonly uses TCP port 443 (though other ports can be used). SSL/TLS is also cross-platform, with most vendors supporting Windows, Linux and MacOS clients.
TLS/SSL offers more than just encryption of web pages. Sophisticated appliances, known collectively as SSL-VPN systems, can allow businesses to replace existing IPsec VPN systems: simplifying management, opening up systems to more than just employees, and enforcing end-point security checks before a connection is permitted.
Certificates
Before moving on to the SSL-VPN systems themselves, a short word on certificates. SSL sessions are set up using certificates. A certificate binds the server's name to its public key and is signed by an issuer; it provides the identity validation and key exchange functions required for the client and server to establish their encrypted session. Organisations either use internally generated certificates or, as we tend to recommend, buy certificates from the main Trusted Certificate Authorities (Root Authorities), such as Thawte or Verisign. The Root Authority "vouches" for the system offering the SSL session, and browsers ship with the Root Authorities they trust; a certificate from an internal authority is only trusted on systems where that authority has been installed. If a certificate is not correctly validated and matched to the server (the name does not match, the chain does not lead to a trusted authority, or the certificate has expired), users will see warnings or errors while connecting to the server. This causes confusion, and users who learn to click through such warnings will not notice a genuine attack.
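What "correctly validated and matched to the server" means in practice, as an added example that is not part of the original page. It models the dictionary that Python's ssl.SSLSocket.getpeercert() returns for a peer certificate and runs the three checks a browser or VPN client performs before trusting a server: the name matches (exact or single-label wildcard), the validity window covers the current time, and the issuer is a trusted authority. The certificates, the host names (vpn.example.com and friends), the "Example Root CA" issuer and the fixed check time are all constructed assumptions for the example; a real client additionally verifies the signature chain, which this dict-based model cannot do.

```python
"""Added example: certificate checks a client performs before trusting a server.

The certificate dicts below are CONSTRUCTED sample data in the shape returned
by ssl.SSLSocket.getpeercert(); they are not real certificates. Host names,
the issuer name and CHECK_TIME are assumptions made for this example.
"""
import ssl
import time

# Constructed sample: a certificate bought from a (hypothetical) public Root CA.
GOOD_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.remote.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
# The same certificate issued by an internal CA the client has never been told about.
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=((("organizationName", "Internal Test CA"),),))
# A certificate whose validity period has already ended.
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Dec 31 23:59:59 2020 GMT")

# Root authorities this client trusts (assumed; a browser ships with its own list).
TRUSTED_ISSUERS = {"Example Root CA"}
# Fixed "current time" so the example is reproducible (assumed).
CHECK_TIME = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _issuer_org(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def name_matches(pattern, hostname):
    """RFC 6125 style matching: exact, or '*' as the whole leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".remote.example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]
    return bool(left) and "." not in left     # wildcard covers exactly one label


def check_peer_cert(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return a list of problems; an empty list means the certificate is acceptable.

    Each problem corresponds to a warning the user would see in a browser."""
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(n, hostname) for n in _dns_names(cert)):
        problems.append("name mismatch: certificate is not for %s" % hostname)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on %s" % cert["notAfter"])
    issuer = _issuer_org(cert)
    if issuer not in trusted_issuers:
        problems.append("issuer %r is not a trusted authority" % issuer)
    return problems


def make_client_context():
    """Client TLS context configured the way a browser behaves by default:
    chain verified against the system trust store, hostname checked, and the
    obsolete SSLv3/TLS 1.0/1.1 protocol versions refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    cases = [("good", GOOD_CERT, "vpn.example.com"),
             ("wildcard", GOOD_CERT, "user1.remote.example.com"),
             ("wrong host", GOOD_CERT, "mail.example.com"),
             ("internal CA", SELF_SIGNED_CERT, "vpn.example.com"),
             ("expired", EXPIRED_CERT, "vpn.example.com")]
    for label, cert, host in cases:
        print("%-12s %s" % (label, check_peer_cert(cert, host, now=CHECK_TIME) or "OK"))
```

Running the script prints one line per case: the first two pass, and the other three report a name mismatch, an untrusted issuer and an expiry respectively, which are exactly the situations that produce the browser errors described above. The wildcard rule deliberately rejects `a.b.remote.example.com`, because a single `*` covers only one label.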
SSL-VPN Appliances
A number of vendors offer SSL-VPN systems in the marketplace. There is a GPL version, OpenVPN, and even Microsoft has an offering, showing that SSL-VPN has definitely come of age. Whichever vendor you choose, you have essentially three choices on how to deploy SSL-VPN:
- SSL-VPN software running on a general-purpose server platform (e.g. an Intel server running Windows 2003 Server)
- SSL-VPN integrated into a firewall by the firewall vendor, giving a hybrid IPsec/SSL-VPN approach
- A dedicated SSL-VPN appliance (with or without hardware SSL acceleration)
1st Advance's recommendation is the appliance route. Encryption and decryption take a lot of CPU to perform, so in our experience general-purpose servers do not offer the best performance. Hybrid firewalls have the drawback that the SSL CPU load may slow down the firewall's other activities, meaning slower access for all users, or the need for a much bigger system to accommodate it.
Juniper Networks
Juniper Networks, with the acquisition of Neoteris, holds the market-leading position for SSL-VPN systems. The key differentiators for Juniper are: web page re-writing (the appliance proxies the internal application to the browser, so the client is never given direct network access to it, which provides excellent security), host and other malware checking facilities, and Secure Meeting. A point to note is that when the VPN end-point is any browser on any system, you need to be sure you are not opening up your business to unnecessary risks; this is Juniper's sweet spot.
Sonicwall
Sonicwall SSL-VPN 200, 2000 and 4000 systems are very low cost, yet functional, systems that deliver SSL-VPN capabilities. The Sonicwall systems lack the re-writing and host checking functionality of the Juniper systems, but still provide a good solution for Sonicwall-equipped networks or for clients who need SSL-VPN but have very low (sub-£1000) budgets.
Further Information
Buyers Guide
IPSec vs SSL
End Point Defense
Re-Writing
Secure meeting
Network Connect
Juniper Brochure
Sonicwall Brochure
