SSL VPN : Understanding, evaluating and planning secure, web-based remote access

Chapter 1. Introduction to SSL VPN

History provides us with a map of how technology effectuates changes in the way we live and work. This technological transformation started with simple tools that then expanded to the internal combustion engine and now to the technology of computers and networks. One important example of this is transportation. Through a system of physical networks—roads, trains, airplanes, and so on—people can now work and live outside the congestion of large cities. Large parts of the population moved to 'suburb communities', and started the famous daily commute. In spite of high petrol prices, people stayed in their suburbs. Today, with the advent of the Internet, people can work almost anywhere. One of the technologies that make this ubiquitous access possible is SSL VPN. This chapter starts you on the knowledge roads that will educate you about this technology. Nevertheless, before we get into too much detail, let's first understand how this technology will help you.

Many people work for what is now known as a 'virtual' organization. Workers in a virtual organization will not necessarily need an office, cube, or a parking space. More and more companies are letting staffers work remotely. The term used to describe this type of worker is 'teleworker'. As per the ITAC (International Telework Association and Council), the number of U.S. employees who work remotely has grown every year since 1999. The ITAC commissioned a study conducted by Dieringer Research Group (statistically based on teleworkers working at least one day per month), which shows teleworking has grown by nearly forty percent since 2001. What makes teleworking possible is the ability to connect your computer to the Internet from anywhere, anytime. This process of connecting remotely to the Internet is easy, and now with wireless, access is ubiquitous. Teleworking and remote computing are more than just working from poolside at your ranch house. They include:

  • Drinking coffee while working on a laptop at the local coffee shop (wireless 802.11)

  • Reading your online mail while on a train to a customer

  • On a customer site, using their network to connect to your corporate network

  • Sitting on a flight to Frankfurt—updating your résumé, and posting it to an Internet-based job site

  • Accessing accounting data via the Internet café on 42nd street in New York

  • Playing online games sitting on your deck in the backyard (with your dog)

  • Working from your house with the white picket fence in the suburbs

Note

Wireless Network

A wireless LAN is just that—wireless. Computers and routers will connect to each other via a set protocol and via a Radio Frequency circuit. Much like TV or your cell phone, your home network can connect computers together without wires. The name of the wireless networking protocol is IEEE 802.11. This standard was developed to maximize interoperability between differing brands of wireless LANs (WLANs). The 802.11 technologies can work with standard Ethernet via a bridge or Access Point (AP). Wireless Ethernet uses a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) scheme, whereas standard Ethernet uses a Carrier Sense Multiple Access with Collision Detection (CSMA/CD) scheme. One of the biggest advantages of the 802.11 standard is the ability for products from different vendors to interoperate with each other. This means that as a user, you can purchase a wireless LAN card from one vendor and a wireless LAN card from another vendor and they can communicate with each other, independent of the brand name of the card.

Now you can be online almost anywhere and anytime. Wireless access is available almost everywhere in North America, Asia, and Europe, and soon you will be able to Google from anywhere in the world. So as you can see, all is happy and secure in the world of ubiquitous Internet access. OK, let us stop and review that last statement. We used the words 'anytime' and 'anywhere'; so far, so good. The word 'secure', however, is not always true. In fact, with today's Internet, the traffic is rarely secure. The days of the 9600-baud modem are gone, along with the naive attitude that "all is secure". Access to the Internet is no longer safe.

The Internet is the communication backbone for more than just e-commerce; today you can access the Internet for almost everything:

  • Playing online games, posting your résumé, and looking for new loves

  • Supporting your business:

    • B2B (Business to Business)

    • B2C (Business to Consumer)

    • B2E (Business to Employee)

  • Messaging and emailing (with all of that spam…)

The Internet

In order to understand the security issues of the Internet, you first need to understand what the Internet really is. The Internet is not just one network. The Internet includes thousands of individual networks. The communication core of these networks is two protocols known as Transmission Control Protocol and Internet Protocol (TCP/IP). These historic protocols provide connectivity between equipment from many vendors over a variety of networking technologies. The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host protocol in a packet-switched computer communication network. The Internet Protocol (IP) is specifically limited in scope to provide the functions necessary to deliver an envelope of data from one computer system to another. Each computer or device on a network will have some type of address that identifies where it is on the network.

Much like computers, the Internet is a new concept for the world of communication. In 1973 Vinton Cerf, a UCLA (University of California, Los Angeles) graduate student who is also known as the Father of the Internet, and Robert Kahn, an MIT (Massachusetts Institute of Technology) math professor, developed a set of software protocols to enable different types of computers to exchange data. The software they developed is now known as TCP/IP. The base part of the protocol is called IP or Internet Protocol. While the IP part of the protocol transports the packets of data between the various computer systems on the Internet, the TCP part ports data to the applications. TCP is the mechanism that allows the WWW (World Wide Web) to communicate. (All of this will be discussed in detail later in this book.) Programs are built on top of this medium, which allows communication between server and client. A network can be connected with cables and/or wireless adapters. Basically the computer is connected via a Network Interface Card (NIC). The NIC's job is to place data into the network. All network data is crafted into packets and each packet has the information needed to find its target computer and knows where it came from.

Reference Models


The process of creating data packets is based on two connection models—the OSI and DARPA reference models. The Open Systems Interconnection (OSI) model is a standard reference model for how network data is transmitted between any two points in a computer network. TCP/IP in its most basic form supports the Defense Advanced Research Projects Agency (DARPA) model of internetworking and its network-defined layers. Much like the DARPA model, the OSI was designed to connect dissimilar computer network systems. The OSI reference model defines seven layers of functions that take place at each end of a network communication:

OSI Reference Model

  • Application (7): This is the layer at which programs are identified; user authentication and privacy are implemented here.

  • Presentation (6): This is a layer—usually part of an operating system—that converts incoming and outgoing data from one presentation format to another.

  • Session (5): This layer sets up, coordinates, and ends conversations, exchanges, and dialogs between the applications at each end of the dialog.

  • Transport (4): This layer manages the end-to-end control and error checking.

  • Network (3): This layer handles the routing and forwarding of the data.

  • Data link (2): This layer provides error control and synchronization for the physical level.

  • Physical (1): This layer transmits the bit stream through the network at the electrical and mechanical level.

TCP/IP also has a much simpler protocol model called the DARPA model:

DARPA Model

  • Process (4): This is the layer where higher-level processes such as FTP, SMTP, and HTTP are defined and executed.

  • Host to Host (3): This is where TCP lives. This is the mechanism that actually ports the data to the correct application. TCP ports are defined here.

  • Internet (2): IP addresses are used to direct packets to the correct destination. Routing protocols live here along with Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP).

  • Network Interface (1): This is the physical connection to the network: Ethernet, token ring, and so on. The packets are placed onto the network at this point.

Introducing Hacker Bob


Network architecture is discussed in detail in Appendix A. It is important for you to understand network architecture, since hackers understand it! Hacking into computers can include TCP port scanning, fake emails, trojans, and IP address spoofing. The essence of TCP port surfing is to pick out a target computer and explore it to see what ports are open and what a hacker can do with them. If you understand ports then you can understand what hackers can do to you and your systems. With this knowledge you can understand how to effectively keep your computers and networks secure.

Next is our introduction to Hacker Bob.

The above figure shows how Hacker Bob uses his evil hacker tools (and experience) to monitor your network.

Remember those packets and TCP ports? Hacker Bob can monitor the Internet and copy packets into his evil network. Once he has the copied packets, then he can analyze them and extract your sensitive data as explained below:

Trapping Your Data

Once Hacker Bob has your data then he can use a simple tool to review and analyze it. The following example shows how Hacker Bob could analyze your IP packet:

  1. The user launched a browser and entered the following site: http://www.HR_Data_the_company.xyz.

  2. Hacker Bob was monitoring the Internet with a network packet capture utility.

  3. Bob was able to use a filter to view just port 80 packets (HTTP only).

  4. Bob then viewed the IP packet payload.

In this example below, the data section is 1460 bytes. This payload is transferred in ASCII text using HTML. As a result, it is easy for Hacker Bob to read the data:

[Figure: the captured packet payload, shown as raw HTML markup; the readable text in the payload is "This data is a Secret"]

Now in the hacker's words "That data is mine."

Basic HTTP Authentication

To make things worse, at some point, during your normal Internet browsing activities, you have likely received one of these types of pop-up windows from your browser:

Typically the username is some name that an administrator (or software utility) has assigned to you or you have assigned yourself. The Web is full of places that require a username. The username is a mechanism that identifies who you are in relation to the program or data you are trying to access. The password is the key that proves that you have the authority to use that username. This is a simple and effective mechanism to access controlled data. In Basic HTTP Authentication, the password passed over the network is neither encrypted nor plain text, but is 'uuencoded'. Anyone watching packet traffic on the network will see the password encoded in a simple format that is easily decoded by anyone who happens to catch the right network packet. Therefore, our friend Hacker Bob could just extract the right packet and he has your username and password. All Hacker Bob had to do was to read RFC2617 (http://www.ietf.org/rfc/rfc2617.txt) for all the information he needed.
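The following audit script is an added example, not code from the book: it scans constructed port-80 payloads (the kind of capture described in the steps above) and reports which ones are readable cleartext HTTP and whether they carry a decodable Basic Authorization header. RFC 2617, cited above, specifies the credentials as base64("user:password"), which is what the decoder reverses; the sample requests, host name and credentials are all constructed.

```python
"""Audit captured TCP payloads for what an on-path observer can read.
Added example (not from the book). Sample payloads are constructed."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed samples: two cleartext HTTP messages and one TLS record fragment.
SAMPLE_PAYLOADS = [
    (
        b"GET /reports/salary.html HTTP/1.1\r\n"
        b"Host: www.HR_Data_the_company.xyz\r\n"
        b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"   # base64("alice:s3cr3t")
        b"\r\n"
    ),
    (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\n"
        b"<html><body><b>This data is a Secret</b></body></html>"
    ),
    # First bytes of a TLS ClientHello (record type 0x16): not readable text.
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16,
]


def parse_http(payload: bytes) -> Optional[Dict[str, object]]:
    """Return {'start', 'headers', 'body'} if the payload is a cleartext HTTP
    message, else None (binary protocols such as TLS fail the ASCII test)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    start = lines[0]
    # Request line ends with "HTTP/x.y"; status line begins with it.
    if not (start.startswith("HTTP/") or start.split(" ")[-1].startswith("HTTP/")):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": start, "headers": headers, "body": body}


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <token>' value per RFC 2617.
    Returns (user, password) or None if the scheme/token is not Basic/base64."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        user, _, password = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return user, password


def audit(payloads: List[bytes]) -> List[Dict[str, object]]:
    """One finding per payload that is readable as cleartext HTTP, with any
    Basic credentials recovered. Encrypted payloads produce no finding."""
    findings = []
    for index, payload in enumerate(payloads):
        msg = parse_http(payload)
        if msg is None:
            continue
        auth = msg["headers"].get("authorization")
        findings.append({
            "index": index,
            "start": msg["start"],
            "credentials": decode_basic(auth) if auth else None,
            "readable_body": msg["body"].decode("ascii", "replace"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAYLOADS):
        print(finding)
```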

Keeping Hacker Bob Out of Your Data

Here is the scenario: you are the network manager of a large worldwide enterprise company. You know that you must provide secure access from about 50 sites from around the world to your corporate network at your headquarters in Dallas. In addition, each site will have a local network with about 10-12 computers each. Making your task a bit harder, the CIO of your company has mandated that you must save money and, at the same time, quickly get the network service up and running. How can you do this? One answer to this problem would be to set up direct connect circuits to each site, also known as a private network. However, this can be a really expensive solution. So, the solution to this quagmire is obvious—you can create a Virtual Private Network (VPN).

VPNs


You now ask: "So what is a VPN?" The most basic definition of a VPN is "a secure connection between two or more locations over some type of a public network". A more detailed definition of a VPN is a private data network that makes use of the public communication infrastructure. A VPN can provide secure data transmission by tunneling data between two points—that is it uses encryption to ensure that no systems other than those at the endpoints can understand the communications. The following diagram shows a basic example:

Traveling sales people will connect to the Internet via a local provider. This provider can be AOL, EarthLink, or a local community Internet Service Provider (also known as a POP—Point Of Presence). The diagram above shows the concept of the VPN. The VPN now hides, or encrypts, the data, thus keeping Hacker Bob out of your data.

Remember your challenge from the CIO—"secure access from 50 sites around the world into the corporate network and each site having about 10-12 computers?" We have the answer for you. Let's look at two examples:

  • Connecting one computer to the company corporate network

  • Connecting networks together (your answer)

One Computer to the Corporate Network

In the example below, a traveling user is able to connect securely to the corporate network via the VPN. The user will connect to the VPN via a local Internet service provider, then that traffic will be routed to the corporate network. At this point the VPN traffic from the end user will terminate into a VPN receiving device or server.

As you can see, Hacker Bob cannot read and/or trap your data—he is stopped.

Note

In this example above Hacker Bob may still be able to trap a copy of each packet, but the encrypted data will not be readable.

Remote Office Network Connected to the Main Office

In the example below, a remote office will be able to connect to the computers and servers in another office via the Internet. An end user on the remote network will access one of the corporate network services. The traffic will route from the remote office to a VPN device, travel securely over the Internet, and into the VPN device on the corporate network. Once on the corporate network the end user will have the potential to access any of the corporate services or servers. As shown below, Hacker Bob is thwarted once again and cannot read your sensitive data:

Now your problem is solved; your company is able to provide access to its corporate office computers from anywhere in the world. And the final result—Hacker Bob will be looking elsewhere to launch his evil plan.

VPN Examples


Let's look at some of the different protocols for creating secure VPNs over the Internet:

  • L2TP: Layer-2 Tunneling Protocol

  • IPsec: IP Security Protocol

L2TP or Layer-2 Tunneling Protocol is a combination of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and the Cisco Layer-2 Forwarding (L2F). L2TP is a network protocol and it can send encapsulated packets over networks like IP, X.25, Frame Relay, Multiprotocol Label Switching (MPLS), or Asynchronous Transfer Mode (ATM).

IPsec will encrypt all outgoing data and decrypt all incoming data so that you can use a public network, like the Internet, as a transportation media. IPsec VPNs normally utilize protocols at Layer 3 of the OSI Model. This is effectuated by using two different techniques:

  • Authentication Header (AH)

  • Encapsulating Security Payload (ESP)

The Authentication Header provides two-way device authentication, which can be implemented in hardware or software, and in many cases provides user authentication via a standard set of credentials—user ID and password. You may also see implementations using a token, or an X.509 user certificate.

The Encapsulating Security Payload protocol provides the data encryption. Most implementations support algorithms such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), or AES (Advanced Encryption Standard). In its most basic configuration, IPsec will implement a handshake that requires each end point to exchange keys and then agree on security policies.

IPsec

IPsec can support two encryption modes:

  • Transport: encrypts the data portion of each packet, but leaves the header unencrypted. The original routing information in the packet is not protected from being viewed by unauthorized parties.

  • Tunnel: encrypts both the header and the data. The original routing data is encrypted, and an additional set of routing information is added to the packet to be used for routing between the two endpoints.

IPsec supports a protocol known as the Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley). This protocol allows the receiver to obtain a public key and authenticate the sender using digital certificates. The basic process of a key-based cryptography system provides a method of exchanging one key of a key pair. Once the keys are exchanged, the traffic can be encrypted. IPsec is described in many RFCs, including 2401, 2406, 2407, 2408, and 2409. Also see RFC 3193 for securing L2TP using IPsec.
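To make the transport-versus-tunnel distinction above concrete, here is an added example (not the book's code) that builds an ESP packet in each mode and reports what an observer on the path can read from the outer header. The cipher is a stand-in HMAC-SHA256 keystream so the script runs with the standard library only, and the ESP trailer and integrity check are omitted; addresses, SPIs and the key are constructed.

```python
"""IPsec ESP transport vs tunnel mode: what the outer header reveals.
Added example, not from the book. Placeholder cipher; real ESP negotiates
DES/3DES/AES and adds a trailer (padding, Next Header) and an ICV."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

ESP_PROTO = 50  # IANA protocol number carried in the outer IP header for ESP


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since nothing routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _ip_bytes(src), _ip_bytes(dst))


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int]:
    """(src, dst, protocol) from the outer header: readable without any key."""
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9]


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Placeholder cipher: XOR with an HMAC-SHA256 counter keystream keyed by
    (SPI, sequence number). Symmetric, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, struct.pack("!IIQ", spi, seq, counter),
                               hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_transport(key: bytes, spi: int, seq: int, orig_pkt: bytes) -> bytes:
    """Transport mode: the original IP header stays in the clear (protocol
    field rewritten to ESP); only what follows it is encrypted."""
    ip_hdr, inner = orig_pkt[:20], orig_pkt[20:]
    esp_hdr = struct.pack("!II", spi, seq)
    enc = keystream_xor(key, spi, seq, inner)
    src, dst, _ = parse_ipv4(ip_hdr)
    return ipv4_header(src, dst, ESP_PROTO, len(esp_hdr) + len(enc)) + esp_hdr + enc


def esp_tunnel(key: bytes, spi: int, seq: int, orig_pkt: bytes,
               gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the entire original packet, header included, is encrypted
    and a new outer header addressed between the two gateways is prepended."""
    esp_hdr = struct.pack("!II", spi, seq)
    enc = keystream_xor(key, spi, seq, orig_pkt)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp_hdr) + len(enc)) + esp_hdr + enc


def esp_decapsulate(key: bytes, pkt: bytes) -> bytes:
    """Receiving endpoint: strip outer IP + ESP headers, recover the inner bytes."""
    spi, seq = struct.unpack("!II", pkt[20:28])
    return keystream_xor(key, spi, seq, pkt[28:])


def observer_view(pkt: bytes) -> Dict[str, object]:
    """What an eavesdropper learns from the outer header alone."""
    src, dst, proto = parse_ipv4(pkt)
    return {"src": src, "dst": dst, "esp": proto == ESP_PROTO}


def build_sample_packet() -> bytes:
    """Constructed inner packet: host 192.168.10.22 to 10.10.10.10, TCP (6)."""
    payload = b"This data is a Secret"
    return ipv4_header("192.168.10.22", "10.10.10.10", 6, len(payload)) + payload


if __name__ == "__main__":
    key = b"constructed-demo-key"
    orig = build_sample_packet()
    print("transport:", observer_view(esp_transport(key, 0x1001, 1, orig)))
    print("tunnel:   ", observer_view(
        esp_tunnel(key, 0x1002, 1, orig, "203.0.113.1", "198.51.100.1")))
```

In transport mode the observer still learns that 192.168.10.22 is talking to 10.10.10.10; in tunnel mode only the two gateway addresses are visible.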

The downside to a client-based VPN (such as those using IPsec or L2TP) is that you need to configure and/or install some type of software. Yes, there is code that is built into Windows for a VPN, but you still need to configure the client. In some cases you may even need to install a client certificate. In addition, personal firewalls, anti-virus software, and other security technologies may be necessary. The basic configuration for an IPsec VPN is a central site hub device and a remote client computer. Once the connection has been established then a tunnel is created over the network (private or public). This encrypted tunnel will secure the communication between the end points, and once again our best buddy Hacker Bob is not able to read our communications.

Note

Secure VPNs

VPNC (Virtual Private Network Consortium) supports three protocols for secure VPNs (L2TP, IPsec, and SSL/TLS) and another two protocols for trusted VPNs (MPLS and transport of layer 2 frames over MPLS). For securing L2TP using IPsec, see RFC 3193 (http://www.vpnc.org/rfc3193).

SSL VPN

Another option that is available to secure traffic on the Internet is Secure Socket Layer (SSL). SSL is a protocol that provides encryption for network-based traffic. SSL is a network protocol with responsibility for the management of a secure, encrypted, communication channel between a server and a client. SSL is implemented in the major Web browsers such as Internet Explorer, Netscape, and Firefox. One of the most basic functions of SSL is message privacy. SSL can encrypt a session between a client and a server so that applications can exchange and authenticate user names and passwords without exposing them to eavesdroppers. SSL will block Hacker Bob's attempts to read our data by scrambling it.

One of the most powerful features of SSL is the ability for the client and server to prove their identities by exchanging certificates. All traffic between the SSL server and SSL client is encrypted using a shared key and a negotiated encryption algorithm. This is all effectuated during the SSL handshake, which occurs at session initialization. Another feature of SSL protocol is that SSL will ensure that messages between the sender system and receiving system have not been tampered with during the transmission. The result is that SSL provides a secure channel between a client and a server. SSL was basically designed to make the security process transparent to the end user. Normally a user would follow a URL to a page that connects to an SSL-enabled server (see RFC1738—http://ds.internic.net/rfc/rfc1738.txt). The SSL-enabled server would accept connect requests on TCP port 443 (which is the default port for SSL). When it connects to port 443 the handshake process will establish the SSL session.

Several years ago there was a creative advertisement showing one person walking down the street eating chocolate and another person walking down the street eating peanut butter: they run into each other and now we have a product that comprises chocolate and peanut butter together. This is exactly what happened with the SSL VPN.

This combination of SSL and VPN provides us with the following benefits:

  • This combination of SSL encryption and proxy technologies can provide very simple access to Web and corporate applications.

  • The marriage of technologies can provide client and server authentication with data encryption between each party.

  • Overall, it can be easier to set up an SSL VPN than to set up and manage an IPsec VPN.

More benefits of SSL VPN technology will be discussed in the next chapter.

In some respects, the SSL VPN implementation will be similar to that of IPsec. SSL VPNs will also require some type of a hub device. Also the client will require some type of communication software, namely an SSL-enabled web browser. As most computers have an SSL-enabled browser that includes root SSL certificates from certified public Certificate Authorities (CA), by default SSL VPN access is available from the client. Additional client software can be downloaded automatically during SSL VPN sessions (typically this software is in the form of an applet plug-in). The central hub device and the software client will encrypt the data over an IP network. This process of encryption will make the data unreadable to Hacker Bob.

Note

A full discussion of public and private CA can be found in The Internet Security Guidebook: From Planning to Deployment available at: http://www.amazon.com/exec/obidos/tg/detail/-/0122374711/102-0386261-4698507?v=glance.

IPsec Vs. SSL VPN


Most IPsec VPNs will use custom software at each of the end points—the hub device and client. If you think about this for a bit then you will see that this process provides a high level of security. Each end point requires some type of setup steps, potentially adding more human intervention into the process.

The SSL VPN normally will not require any special client software. The overall security is the same as that of the IPsec solution. As far as setup goes, if the browser is up-to-date then the process is automatic.

Both IPsec and SSL VPNs can provide enterprise-level secure remote access. Both these technologies support a range of user authentication methods, including X.509 certificates. IPsec overall is more vulnerable to attack, unless certificates are used. SSL Web servers always authenticate with digital certificates, even in the one-way authentication that native SSL uses. SSL will determine if the target server is certified by any of the CAs. SSL provides better flexibility in cases where trust is limited or where it is difficult (or unwise) to install user certificates (for example, on public computers).

Trusted Networks


A Trusted Network of a company is a network that the company uses to conduct its internal business. In many cases, the Trusted Network is by default defined in the organization as 'Secure'. The Trusted Network typically supports the backend systems, internal-only intranet web pages, data processing, messaging, and in some cases, internal instant messaging. In many companies the Trusted Network is allowed to interact between systems directly, without encryption. The problem with the definition above is that many assumptions are being made at these companies. A Trusted Network is not always a secure network. In fact, in many cases the Trusted Network cannot be trusted. The reason is that an internal network comprises many different networks. These include new acquisitions, old acquisitions, international access points, and even several access points to the outside world. A common practice is to define the Trusted Network as the network that internal employees use when at the office or via a secure controlled dial-in mechanism. A single access point is established to the outside world via a mechanism called the Demilitarized Zone (DMZ).

The DMZ


The DMZ is an isolated network placed as a buffer area between a company's Trusted Network and the Non-trusted Network. The Internet is always defined as untrusted. By design, the DMZ prevents outside users from gaining direct access to the Trusted Network. The following figure shows a generic DMZ:

Most DMZs are configured via a set of rules that are controlled by the Policies and then implemented via the Procedures for your organization. One of the most common rules is that a single port number (like 80) cannot traverse the DMZ. So if you are attempting to access an application on a DMZ via HTTP on port 80, then that port cannot terminate into the trusted network via the DMZ. This is what the DMZ does; it keeps untrusted traffic from entering the Trusted Network. It is the job of the DMZ to filter the traffic and limit access to the Trusted Network via filtering and authentication, and even to completely block traffic if needed. Here are a few examples of what the DMZ can do:

  • Block port scans of your Trusted Network

  • Block access to the Trusted Network via a single TCP port

  • Block Denial of Service Attacks (DoS) from your trusted network

  • Scan email messages for virus, content, and size

  • Block passive eavesdropping/packet sniffing

SSL VPN Scenarios

So, how does SSL VPN fit into corporate network infrastructure? Below are a couple of examples of SSL VPN access.

  • SSL VPN access to selected devices via the use of an SSL VPN hub (access from the Internet)

  • SSL VPN access to a special network that uses an SSL VPN hub sitting between the trusted network and the special network

SSL VPN—Hubs

One of the key security elements of a DMZ is the ability to terminate the IP connection at various points in the DMZ and the trusted network. The example below shows a client connection on the Internet (untrusted) to an SSL VPN hub on a trusted network.

The traffic is routed into the DMZ, and then is terminated at the router. The IP address is now translated to a DMZ IP address, for example 10.10.10.10. The DMZ can then provide some authentication and allow the traffic to route to the trusted side of the DMZ. At this point the IP address can be translated to another IP address, like 192.168.10.12. The packets are then routed to the SSL VPN device (hub).

The SSL VPN will execute additional checks on the traffic. If all tests are passed then, based on a set of rules and authentication, the traffic could be routed to the HTTP messaging server. In this example you could have a CxO (CEO, CIO, CTO, etc.) on vacation, checking out the Lion King playing on 42nd street. Before sitting down, the CxO walks into the Internet Café next door and checks his or her email. Now the CxO can feel secure that Hacker Bob will not be able to read those important corporate emails.
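As an added illustration (not the book's own code) of the DMZ rules listed earlier and of the two-leg path through the SSL VPN hub just described, this script evaluates constructed flows against a constructed zone policy. The zones, ports and the 10.10.10.10 / 192.168.10.12 addresses follow the chapter's figure; the rule set, the "authenticated" flag and the messaging-server port are assumptions.

```python
"""Zone policy check for the DMZ / SSL VPN hub topology in the chapter.
Added example, not from the book. Policy and flows are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str              # "internet", "dmz" or "trusted"
    dst_zone: str
    dst_port: int
    authenticated: bool = False  # set once the SSL VPN hub has authenticated the user


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: Tuple[int, ...]     # empty tuple matches any port
    action: str                # "allow" or "deny"
    needs_auth: bool = False
    note: str = ""


# Constructed policy reflecting the chapter's rules: Internet traffic
# terminates in the DMZ (a single port never traverses it end to end), and
# the only way onto the trusted side is via the SSL VPN hub after
# authentication. First match wins; anything unmatched is denied.
POLICY = [
    Rule("internet", "dmz", (443,), "allow", note="SSL VPN termination"),
    Rule("internet", "dmz", (80,), "allow", note="public web terminates in DMZ"),
    Rule("internet", "trusted", (), "deny", note="no direct path across the DMZ"),
    Rule("dmz", "trusted", (443,), "allow", needs_auth=True, note="hub to messaging server"),
    Rule("dmz", "trusted", (), "deny", note="DMZ host may not reach trusted side"),
    Rule("trusted", "dmz", (), "allow"),
    Rule("trusted", "internet", (), "allow"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for a flow under first-match, default-deny rules."""
    for rule in policy:
        if rule.src_zone != flow.src_zone or rule.dst_zone != flow.dst_zone:
            continue
        if rule.ports and flow.dst_port not in rule.ports:
            continue
        if rule.needs_auth and not flow.authenticated:
            return "deny", "authentication required at SSL VPN hub"
        return rule.action, rule.note
    return "deny", "default deny"


def trace_ssl_vpn_access(authenticated: bool) -> List[str]:
    """Walk the two legs of the figure (Internet -> DMZ address 10.10.10.10,
    then DMZ -> trusted address 192.168.10.12) and record each decision."""
    legs = [
        ("internet -> dmz", Flow("internet", "dmz", 443), "10.10.10.10"),
        ("dmz -> trusted", Flow("dmz", "trusted", 443, authenticated), "192.168.10.12"),
    ]
    trail = []
    for name, flow, addr in legs:
        action, why = evaluate(flow)
        trail.append(f"{name} ({addr}): {action}: {why}")
        if action == "deny":
            break
    return trail


if __name__ == "__main__":
    for line in trace_ssl_vpn_access(authenticated=False):
        print(line)
    for line in trace_ssl_vpn_access(authenticated=True):
        print(line)
```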

Network architectures used to support SSL VPN access from the Internet will be discussed in detail in Chapter 4.

SSL VPN—Private Network

Many large enterprise companies will have private networks. These private networks can span not only just their home country, but can also span the globe. In many cases, these private networks will interconnect via several Internet Service Providers (ISPs). Also some companies will not only have a private network at their local office, but will also have a Point of Presence (POP) to the Internet. This can add additional challenges to keeping the private network secure; each POP is an opportunity for Hacker Bob to enter the network. Additionally, not all corporate employees and contractors are necessarily honest; some may also pose a threat to internal resources. As a result, large companies often regard their trusted private network as untrusted. The risk is that there can be unauthorized access into the private network at several points—not only from the POPs, but also from the ISP. The example below shows where SSL and/or SSL VPNs can be used to provide secure access where the network is NOT trusted:

In the above example, the end user sits on the corporate 'trusted' network and wants to reach a web page, messaging, or a file server. Traffic originates at the end user's computer, which has a private address such as 192.168.10.22, and crosses the private network to the SSL VPN hub. The SSL session is terminated at the hub, and only there is the data decrypted and passed on to each service. Anyone observing the private network or the ISP links in between, bad old Hacker Bob included, sees only ciphertext, so a worldwide organization can be confident that its data transfers are not readable in transit.
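Both placements described in this chapter, the Internet-facing DMZ path and the internal network where the hub is the only way to reach a service, amount to a written-down policy: at every hop only SSL traffic to the next address is forwarded, and only the hub may talk to the back-end servers. The following is an added example, not code from the book or from any vendor; it models each hop as a default-deny rule list with optional destination NAT and pushes constructed packets through. The public address 203.0.113.10, the mail server 192.168.10.50 and the SMTP port 25 are assumptions; 10.10.10.10 and 192.168.10.12 are the addresses used in the text.

```python
"""Policy model for the SSL VPN placements in Chapter 1 (added example).

Every hop is a list of rules evaluated first-match; no match means drop.
A rule may rewrite the destination address (DNAT), which is what the
router and the DMZ firewall do on the way to the hub.
All addresses, ports and packets below are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

HTTPS = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str                  # CIDR the source address must fall in
    dst: str                      # exact destination address to match
    dport: int                    # TCP destination port to match
    dnat_to: Optional[str] = None  # new destination when the rule matches

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and p.dst == self.dst and p.dport == self.dport)


def apply_hop(p: Packet, rules: List[Rule]) -> Optional[Packet]:
    """First matching rule wins. No match = default deny (returns None).
    A DNAT rule returns a copy of the packet with the destination rewritten."""
    for r in rules:
        if r.matches(p):
            return replace(p, dst=r.dnat_to) if r.dnat_to else p
    return None


# Assumed public address on the outer router; DMZ and hub addresses from the text;
# assumed internal mail server reached by the hub after it terminates the SSL session.
PUBLIC_VIP, DMZ_VIP, HUB, MAIL = "203.0.113.10", "10.10.10.10", "192.168.10.12", "192.168.10.50"

# Hop 1: outer router. Only SSL to the published address is accepted, then DNAT into the DMZ.
OUTER_ROUTER = [Rule("0.0.0.0/0", PUBLIC_VIP, HTTPS, dnat_to=DMZ_VIP)]

# Hop 2: DMZ firewall to the trusted side. Only the DMZ address, only SSL, only to the hub.
DMZ_FIREWALL = [Rule("0.0.0.0/0", DMZ_VIP, HTTPS, dnat_to=HUB)]

# Hop 3: internal segment, treated as untrusted. Clients (internal or arriving via the
# DMZ) may reach the hub on 443; only the hub may reach the mail server (SMTP assumed).
INTERNAL = [
    Rule(HUB + "/32", MAIL, 25),
    Rule("0.0.0.0/0", HUB, HTTPS),
]


def traverse(p: Packet, hops: List[List[Rule]]) -> Tuple[bool, List[str]]:
    """Push a packet through the hops in order. Returns (delivered, trail),
    where trail lists the destination address after each hop; a hop that
    does not translate repeats the previous address."""
    trail = [p.dst]
    for rules in hops:
        nxt = apply_hop(p, rules)
        if nxt is None:
            return False, trail
        p = nxt
        trail.append(p.dst)
    return True, trail


if __name__ == "__main__":
    full_path = [OUTER_ROUTER, DMZ_FIREWALL, INTERNAL]
    # The CxO in the Internet cafe: SSL to the public address reaches the hub.
    print(traverse(Packet("198.51.100.7", PUBLIC_VIP, HTTPS), full_path))
    # Hacker Bob trying SSH at the public address, or SMTP straight at the mail server.
    print(traverse(Packet("198.51.100.7", PUBLIC_VIP, 22), full_path))
    print(traverse(Packet("198.51.100.7", MAIL, 25), full_path))
    # Internal user: direct access to the mail server is refused, access via the hub is not.
    print(traverse(Packet("192.168.10.22", MAIL, 25), [INTERNAL]))
    print(traverse(Packet("192.168.10.22", HUB, HTTPS), [INTERNAL]))
```

The negative cases are the point of the model: a rule set in which the Internet-facing packet to the mail server, or the internal user's direct SMTP connection, comes back as delivered is a rule set in which Hacker Bob no longer needs to go through the hub.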

Summary

This chapter served as an introduction to the world of SSL VPN. We discussed TCP/IP networking, the Internet, how VPNs keep communications secure over insecure networks, and looked at different VPN technologies.

The remainder of this book discusses the details of SSL VPN: what it is, how it works, how to secure it, why it makes sense from a business standpoint, and more.


Key benefits

  • Understand how SSL VPN technology works
  • Evaluate how SSL VPN could fit into your organisation's security strategy
  • Practical advice on educating users, integrating legacy systems, and eliminating security loopholes
  • Written by experienced SSL VPN and data security professionals

Description

Virtual Private Networks (VPNs) provide remote workers with secure access to their company network via the Internet by encrypting all data sent between the company network and the user's machine (the client). Before SSL VPN this typically required the client machine to have special software installed, or at least to be specially configured for the purpose. Clientless SSL VPNs avoid the need for client machines to be specially configured: any computer with a web browser can access SSL VPN systems. This has several benefits:

  • Low admin costs, no remote configuration
  • Users can safely access the company network from any machine, be that a public workstation, a palmtop or a mobile phone
  • Bypass ISP restrictions on custom VPNs by using standard technologies

SSL VPN is usually provided by a hardware appliance that forms part of the company network. These appliances act as gateways, providing internal services such as file shares, email servers, and applications in a web-based format encrypted using SSL. Existing players and new entrants, such as Nokia, Netilla, Symantec, Whale Communications, and NetScreen Technologies, are rushing out SSL VPN products to meet growing demand. This book provides a detailed technical and business introduction to SSL VPN. It explains how SSL VPN devices work along with their benefits and pitfalls. As well as covering SSL VPN technologies, the book also looks at how to authenticate and educate users, a vital element in ensuring that the security of remote locations is not compromised. The book also looks at strategies for making legacy applications accessible via the SSL VPN.

Who is this book for?

This book is aimed at IT network professionals and managers who are currently evaluating SSL VPN technologies. It requires a broad understanding of networking concepts, but does not require specific and detailed technical knowledge of protocols or vendor implementations.

What you will learn

  • How SSL VPN technology works, and how it fits into existing network architectures
  • Evaluating SSL VPN for your organization
  • Understand what to look out for when talking to vendors
  • How to plan an SSL VPN implementation for your business
  • Educate staff to maintain SSL VPN security
  • Strategies for providing access to internal legacy applications via SSL VPN
  • A heads-up on likely trends and possibilities for the future of SSL VPN

Product Details

Publication date : Mar 09, 2005
Length: 212 pages
Edition : 1st
Language : English
ISBN-13 : 9781904811077


Table of Contents

8 Chapters
1. Introduction to SSL VPN
2. SSL VPN: The Business Case
3. How SSL VPNs Work
4. SSL VPN Security
5. Planning for an SSL VPN
6. Educating the User
7. Legacy Data Access
8. The Future of SSL VPN Technology

Customer reviews

Rating distribution: 3.8 out of 5 (4 ratings)
5 star 50%
4 star 25%
3 star 0%
2 star 0%
1 star 25%

C.Rini, Mar 05, 2016 (5 stars, Amazon verified review)
Easy to understand. Good reference to have in your library.

Jeanne Boyarsky, Jun 01, 2005 (5 stars, Amazon verified review)
"SSL VPN - Understanding, evaluating and planning secure, web-based remote access" - the only thing wordy about this book is its title. The rest of the book delivers information clearly and concisely through text, diagrams and examples. "Hacker Bob" animates key passages to keep things from getting dry. As expected, the audience for this book is techies. Basic network concepts are explained, so anyone with a technical background will understand. Any network fundamentals quickly lead to SSL VPN applications. The authors are good about explaining "why" and providing the pros/cons of a decision. Key criteria are also provided for both technical and business decisions. I found one of the most valuable parts to be about bad architectures. The authors illustrate several common architectures and point out weaknesses. The focus on diagrams and flow was quite useful.

Amazn Customer 1028, Nov 15, 2017 (4 stars, Amazon verified review)
Not up to date, but still a good primer on SSL VPN.

Peppergirl, Mar 06, 2012 (1 star, Amazon verified review)
This book was a huge disappointment. I know a number of computer languages and have worked with servers and the web, so I wasn't afraid of tackling something new. Unfortunately, getting this book was like getting a consultation. It tells you all about it, what you need, and why it works, but something critical is left out: WHAT to do, HOW to do it. I put it down still having no clue how to implement it. When I move to a new office, I will leave it behind to gather dust.