The article covers

• SSL-VPN- secure socket layer virtual private network
• SSL Techniques
• Setup of SSL VPN

SSL VPN – Secure Socket Layer Virtual Private Network

SSL was introduced in 1994 and is a de facto standard for e-commerce transaction security. It uses two keys to encrypt data – a public key and a private key. The private secret key is known only to the receiver. A SSL certificate on the secure server is used to encrypt data and identify the IP address of the site. The encryption used by SSL is developed by RSA (Rivest-Shamir-Adleman). It consists of 128 bits. The increase in the time required to crack or break the encryption code makes it more secure.

IETF-(Internet Engineering Task Force) is involved in the development and management duties for SSL. For VPN, SSL/TLS (Transport Layer Security) is the most widely deployed protocol. It was tightly coupled with specific applications and so confusion still exists as to whether it is really VPN. Two hosts can communicate using a single application or protocol. HTTPS in the web browser is the most popular.

Netscape and Internet explorer use this protocol to obtain confidential user information (credit card information) for web commerce. SSL tunneling is a way of implement SSL encryption on VPN’s. You do not need any special VPN client software to run SSL VPN and are therefore called clientless VPN’s. SSL VPN works in the session’s layer of the OSI model and uses digital certificates for server authentication. Multiple protocols have never been implemented using SSL.

SSL Techniques

SSL has existed since the early 90’s and SSL gateways have been providing a corporate application to application access. This does not measure up to the definition of a VPN. The methods implemented by SSL so far have been,

Proxy

ALG – (Application Layer Gateway) is the name given to devices that adopt proxying.
They are also called Web proxy. In this process ‘proxy’ is an intermediary that pretends to the end-points of communication between the same applications on two different machines. It accepts a clients request and rewrites it and sends it to the server. It similarly handles return communication as well. This method is a bit slow and works well for web based protocols. Combined with authentication it is more secure and intranet-to-remote connections can be made. Every protocol requires a new proxy and site-to-site connectivity for arbitrary traffic cannot be established with this.

Application Translation

This requires a special translator for any internal protocol. The internal protocol is translated into the clients Web Browser’s protocol (HTML or HTTP). The trouble is in developing a translator for every additional protocol. Many services cannot be handled by the translator as it is specific to protocol. The advantages of Application translation are that FTP and other file sharing applications can adapt to it.

Port Forwarding

This is also regarded as tunneling. This is basically done by Firewalls and considered by many as another type of VPN operation. In port forwarding incoming traffic on the port of a given machine (usually the gateway) is redirected to the port of a different machine. This is done by allowing an external user on an external address using a NAT (Network Address Translation) enabled router to reach a port on a Private IP address (inside the LAN). This requires fixing the port address and their functions on these respective machines. It requires the installation of software on the client machine. The problem that may occur with this protocol is related to ports since many protocols do not used fixed ports. Also site-to-site connectivity for arbitrary traffic cannot be provided.

Network Extension

This is the only method that is comparable to the definition of a VPN. For both port forwarding and network extension the client requires more administrative access to the server machine. This SSL implementation make the client look like a virtual node on the corporate network and provide functionality for all protocols. This provides functionality for multi-connection application protocols as well.

Hybrids

Many applications are listed and marketed as SSL VPN’s. All of these are not truly VPN’s and some are not entirely SSL based. Some SSL’s provide access to web based application using SSL but later use IPSec as access for network extension. Comtinue to: Setup of SSL VPN