IPsec VPNs for secure remote access

IPsec VPNs are still the most common technique for providing secure remote access from company-managed laptops, but they are impractical on home PCs and not possible on public PCs, where the user cannot install or configure a VPN client. To handle the remote access needs of teleworkers, day extenders, and mobile employees more effectively, many companies are now adopting SSL VPNs.

SSL VPNs are easier to deploy than IPsec because they use the web browser already present on most desktops, plus dynamically downloaded Java/ActiveX clients, rather than installed VPN client programs. They run over HTTPS (TCP port 443), which passes far more easily through perimeter firewalls and network address translation than IPsec's ESP and IKE. They let the VPN server dictate tunnel security parameters rather than requiring client-side configuration. They offer safer support for common remote user authentication methods such as passwords and tokens. And they can usually apply more granular access rules; for example, letting individual users reach selected applications or application objects (URLs, files, etc.) rather than connecting remote hosts to entire networks.

In some cases, an SSL VPN's granular access rules can also be safer than IPsec. If a home computer has been infected with a worm, that worm is far more likely to propagate into your company network over a full-IP tunnel than over an SSL-protected session to a particular application. If a public computer is infected with a remote access trojan, that trojan cannot route IP traffic over a clientless, application-layer SSL session into your company network (it can still abuse whatever that session itself is permitted to do, which is why the access rules matter). Many SSL VPN products can consider location and device; for example, providing email-only access when Joe connects from an untrusted public computer, while allowing broader access when Joe connects from his trusted company-managed laptop.

For data privacy and integrity, IPsec and SSL tunnels can use many of the same security measures, such as Diffie-Hellman key exchange, AES encryption, and SHA-1 hashed message authentication (HMAC). TLS 1.0 eliminates support for some of the less secure algorithms included in SSL 3.0, so it should be used whenever possible; since this was written, SSL 3.0 and TLS 1.0 have themselves been deprecated (RFC 7568 and RFC 8996), so a current deployment should require TLS 1.2 or later. Ultimately, security depends on how a VPN server is configured, so it is essential to match your VPN product, IPsec or SSL, to your desired security policy.
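As an added example (not code from the original article or from any VPN vendor), the following Python builds a client-side TLS context that enforces the policy just described, and audits the protocol and cipher suite that a session actually negotiated. The sample negotiation results passed to audit_negotiation are constructed, not captured from a real gateway; in practice you would pass the values returned by an ssl.SSLSocket's version() and cipher() methods.

```python
"""Hardened TLS context plus an offline audit of negotiated TLS parameters.

Added example, not from the original article. Assumes the SSL VPN gateway is
reached over ordinary HTTPS, so Python's standard ssl module applies.
"""
import ssl
from typing import List

# Primitives that must never appear in a negotiated suite name.
BROKEN_PRIMITIVES = ("RC4", "DES", "NULL", "EXPORT", "MD5")
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and non-PFS suites."""
    ctx = ssl.create_default_context()          # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ephemeral (EC)DH key exchange and AEAD ciphers only.
    # TLS 1.3 suites are configured separately by OpenSSL and are all AEAD with (EC)DHE.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def audit_negotiation(protocol: str, cipher_name: str) -> List[str]:
    """Return policy findings for a negotiated (protocol, cipher suite) pair.

    protocol is the string SSLSocket.version() returns (e.g. "TLSv1.2");
    cipher_name is the first element of SSLSocket.cipher(). An empty list
    means the session meets the policy.
    """
    findings: List[str] = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"protocol {protocol} is deprecated; require TLS 1.2 or later")
    if protocol == "TLSv1.3":
        return findings                          # every TLS 1.3 suite is AEAD with ephemeral keys
    if not (cipher_name.startswith("ECDHE") or cipher_name.startswith("DHE")):
        findings.append(f"{cipher_name} lacks forward secrecy (no ephemeral (EC)DH exchange)")
    if not ("GCM" in cipher_name or "CHACHA20" in cipher_name):
        findings.append(f"{cipher_name} is not an AEAD suite (CBC with HMAC)")
    for weak in BROKEN_PRIMITIVES:
        if weak in cipher_name:
            findings.append(f"{cipher_name} uses broken primitive {weak}")
    return findings


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when every suite the context can still negotiate passes the audit."""
    return all(not audit_negotiation(c["protocol"], c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed negotiation results, one acceptable and one legacy.
    for proto, suite in (("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"), ("TLSv1", "AES256-SHA")):
        print(proto, suite, audit_negotiation(proto, suite) or "OK")
    print("hardened context meets policy:", context_meets_policy(hardened_client_context()))
```

The same audit can be run against a gateway's server-side configuration: export the suites it offers and feed each one to audit_negotiation, which catches the SSL 3.0 and static-RSA leftovers that a default installation often still accepts.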

SSL VPNs do have certain security drawbacks. SSL VPN servers are inherently more susceptible to TCP-based DoS attacks, because every connection consumes TCP and TLS handshake state on the server, and they should be deployed behind a perimeter firewall that provides robust DoS protection. SSL VPN clients may "leak" non-tunneled traffic (split tunneling) or leave private data behind on public PCs unless additional measures are used. And allowing any degree of access from unknown, potentially compromised devices involves more risk than allowing access only from trusted devices.
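One practical way to check for the traffic leak mentioned above is to inspect the client's routing table while the VPN is up and ask where packets for the public Internet actually go. The Python below, an added example that is not part of the original article, parses Linux "ip route" output and does a longest-prefix-match lookup for a few probe destinations; if any of them would leave through a physical interface rather than the tunnel, the client is split-tunneling. The two routing tables embedded in it are constructed samples (the 0.0.0.0/1 plus 128.0.0.0/1 pair is the pattern a full-tunnel client commonly installs to override the default route), and the interface names are assumptions.

```python
"""Detect split tunneling from 'ip route' output (added example, not from the article)."""
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination network, egress device)

# Matches "default via 192.168.1.1 dev wlan0 ..." and "10.8.0.0/24 dev tun0 ...".
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


def parse_ip_route(text: str) -> List[Route]:
    """Turn 'ip route' lines into (network, device) pairs; unknown lines are skipped."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes


def egress_interface(routes: Sequence[Route], destination: str) -> Optional[str]:
    """Longest-prefix match: the device that would carry a packet to destination.
    Metrics are ignored; equal-length prefixes keep the first one listed."""
    addr = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify_tunnel(routes: Sequence[Route], vpn_dev: str,
                    probes: Sequence[str] = ("1.1.1.1", "8.8.8.8")) -> Tuple[str, List[str]]:
    """Return ("full", []) when every probe egresses via vpn_dev, else ("split", leaked_probes)."""
    leaked = [p for p in probes if egress_interface(routes, p) != vpn_dev]
    return ("full" if not leaked else "split"), leaked


# Constructed sample: full-tunnel client (two /1 routes override the default).
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample: split-tunnel client (only corporate 10/8 goes through tun0).
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        mode, leaked = classify_tunnel(parse_ip_route(table), "tun0")
        print(f"{label} sample -> {mode}, leaking probes: {leaked}")
```

Run it on a live client with the output of "ip route" (or, on Windows, adapt the regex to "route print") and treat any probe that egresses via the physical interface as a policy violation. Note that the full-tunnel sample still sends 192.168.1.x via wlan0: the local LAN exemption is expected, but it is exactly the path a worm on the same LAN uses, so the endpoint's own firewall still matters.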

To mitigate these risks, many SSL VPNs provide endpoint security measures, either built-in or through integration with third-party products. For example, the Citrix Access Gateway that you asked about can perform an endpoint security check when SSL VPN sessions are established, verifying anti-virus, personal firewall, and other endpoint resources before permitting remote access. It uses a Java-based VPN client that avoids split tunneling by default. It applies context-sensitive rules that can limit resource exposure in less trustworthy environments. For example, "kiosk mode" transmits all application output as images, never sending any text that could potentially be left behind on a public computer. You can also limit kiosk users to chosen screen-sharing applications like VNC or Windows Remote Desktop.
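The context-sensitive rules described here, and the location- and device-aware access discussed earlier (email only from a public PC, broader access from a managed laptop), amount to a small policy engine. The Python below is an added example written to illustrate that engine; it is not Citrix code and does not reproduce the Access Gateway's actual rule format. The device classes, posture attributes, resource URLs and hostnames are all constructed for the example. The point it makes in code is that authorization is applied per application object and defaults to deny, so a request that is not one of the named resources (say, a worm probing an internal file server) is refused even for a fully trusted user.

```python
"""Context-aware, default-deny access decisions for an SSL VPN gateway.

Added example, not code from the original article or from Citrix. Every
resource name and posture attribute below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Endpoint:
    """What the gateway's endpoint check learned about the connecting device."""
    device_trust: str       # "managed" (company-owned) or "unmanaged" (home/public)
    antivirus_ok: bool      # anti-virus present and signatures current
    firewall_ok: bool       # personal firewall enabled


@dataclass(frozen=True)
class Decision:
    mode: str                       # "full", "email", "kiosk" or "deny"
    resources: FrozenSet[str]       # application objects the session may reach


# Constructed application objects; the gateway proxies these rather than
# handing the client an IP route to the network behind them.
MAIL = "https://mail.example.internal/"
INTRANET = "https://intranet.example.internal/"
FILES = "https://files.example.internal/share/"
RDP = "rdp://ts.example.internal/"
VNC = "vnc://ops-console.example.internal/"

FULL_ACCESS = frozenset({MAIL, INTRANET, FILES, RDP, VNC})
EMAIL_ONLY = frozenset({MAIL})
KIOSK_APPS = frozenset({RDP, VNC})     # screen-sharing only: images cross the wire, not data


def decide(endpoint: Endpoint, group_resources: FrozenSet[str] = FULL_ACCESS) -> Decision:
    """Combine device trust with posture to pick a session mode and resource set."""
    posture_ok = endpoint.antivirus_ok and endpoint.firewall_ok
    if endpoint.device_trust == "managed":
        if posture_ok:
            return Decision("full", group_resources)
        # A managed laptop with AV or firewall off is degraded until remediated.
        return Decision("email", group_resources & EMAIL_ONLY)
    if endpoint.device_trust == "unmanaged":
        if posture_ok:
            return Decision("email", group_resources & EMAIL_ONLY)
        # Unknown device with no verifiable posture: kiosk mode, no text leaves the gateway.
        return Decision("kiosk", group_resources & KIOSK_APPS)
    return Decision("deny", frozenset())   # unrecognised trust class: default deny


def authorize(decision: Decision, requested: str) -> bool:
    """Per-request check: only exact, pre-approved application objects are allowed.
    Anything else, including raw host:port destinations, is refused."""
    return requested in decision.resources


if __name__ == "__main__":
    laptop = Endpoint("managed", antivirus_ok=True, firewall_ok=True)
    public_pc = Endpoint("unmanaged", antivirus_ok=False, firewall_ok=False)
    for name, ep in (("managed laptop", laptop), ("public PC", public_pc)):
        d = decide(ep)
        print(f"{name}: mode={d.mode}, mail={authorize(d, MAIL)}, "
              f"files={authorize(d, FILES)}, raw smb={authorize(d, '10.1.2.3:445')}")
```

Two design points are worth copying into a real rule set: the resource sets are intersected with the user's group entitlements rather than unioned, so context can only narrow access, and the fall-through branches return deny rather than a permissive default.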

With regard to using portable devices to further strengthen security, the most common VPN add-on is token or smart card authentication. The Citrix Access Gateway can be used with SafeWord PremierAccess or RSA SecurID hardware tokens that neutralize the vulnerabilities associated with plain-text passwords. By requiring users to demonstrate that they possess one of these physical tokens when logging in, access credentials cannot be inappropriately shared with others, and a key logger captures only a one-time passcode that has already been spent (note that malware on the same machine can still ride the authenticated session, which is why the endpoint checks above remain important). To deploy either option, you will need a matching authentication server somewhere inside your company network, to be consulted by the VPN gateway whenever users try to connect. Alternatively, you can authenticate users by certificates stored on USB smart cards.

Another add-on security device that may interest you is a portable operating environment, such as RedCannon Fireball KeyPoint. For example, KeyPoint for Citrix is a USB storage device that combines the Citrix Remote Access Suite with RedCannon's endpoint security solution. Remote users would carry a USB thumb drive containing the Citrix ICA client, a stealth browser, a spyware scanner, an RSA SoftID client, and a secure data vault. This thumb drive can be used in any Windows computer without installing drivers or software. This lets your users carry the same trusted operating environment with them as they move between home and public PCs. Bear in mind that this environment still runs on top of the host's Windows installation, so it reduces, rather than eliminates, exposure to a host that is already compromised.

For an excellent in-depth SSL VPN study, read my friend Joel Snyder's December 2005 NWW article, SSL VPNs Dissected. That article provides a head-to-head comparison of eleven SSL VPN products. Though Citrix isn't among them, you'll still find a wealth of valuable SSL VPN information in Joel's article.