SSL VPNs sometimes get a bad rap for leaving VPNs more exposed to cross-site scripting or buffer overflow attacks. But they still typically beat IPSec-based VPNs on convenience (no client software required) and on expandability.
Take James Richardson International, which is about to roll out the second phase of its Secure Sockets Layer VPN. JRI, which handles and processes grain and manufactures canola-based products, hopes to put more mobile devices to work for remote access by its distributed sales force in the U.S. and Canada. It's currently beta-testing Aventail Corp.'s ST2 SSL VPN appliances alongside its existing model 1500 appliances.
The VPN currently supports 1,000 remote users at JRI and 100 of its business partners, which range from transportation companies to grain elevators. JRI is awaiting Aventail's final version of the ST2 SSL VPN platform, which ships this month, before going operational with the second generation of its VPN. JRI chose an SSL VPN because it requires no client software and doesn't run into the firewall restrictions that IPSec does. "If you can find a computer, you can connect to JRI," says Paul Beaudry, director of tech services for JRI. "But it's not for the average home user. It's for notebook users running local apps who need a network pipe."
One of the key new security features JRI will deploy is device watermarking, which is meant to ensure that only mobile devices JRI has approved can reach the VPN, according to Beaudry. Each mobile device gets its own digital certificate, so if a JRI sales rep loses his Trio, that device's certificate is blocked from the network while he can still log on from his notebook computer, which carries a separate cert. "In the past, we didn't leverage mobile devices on the VPN," Beaudry says. "Now with these additional controls, we're more comfortable with providing mobile devices [access]."
The new version of the VPN also will let JRI extend secure access to its business partners through its so-called "null authentication support," which leans on device-level authentication with certificates instead of a user login. "This bypasses authentication," he says. A trucking partner's application, for example, would automatically open a tunnel via its browser to a JRI app to share its shipping data. "It has an automated process to move data to us but bypasses a human logging onto a portal page." That will help JRI expand the VPN's use to its business partners, he notes.
This feature is still a "work in progress" for Aventail, he says, and it would require issuing certs to its business partners and instituting some other access control functions. JRI is running two Aventail EX-1600s in test mode alongside its 1500s. The EX-1600 is priced at $9,995.
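The device-certificate scheme described in the last few paragraphs (every device carries its own cert, a lost device's cert is blocked while the user's other devices keep working, and a partner system is admitted on its certificate alone with no portal login) is, in protocol terms, TLS client-certificate authentication plus a revocation check at the gateway. The Go program below is an added illustration of that scheme, not Aventail's or JRI's code: it builds a throwaway in-memory CA, issues separate certificates to one sales rep's notebook and handheld, marks the handheld's serial number as lost, and shows that the notebook still completes a mutually authenticated TLS session while the handheld is refused. The CA name, the hostname vpn.example.invalid, the user and device names and the serial-number block list are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// devicePKI is a constructed in-memory device CA plus a block list of lost devices (illustration only, not Aventail's or JRI's code).
type devicePKI struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	pool    *x509.CertPool
	blocked map[string]bool // serial numbers of lost devices; written before any session is served
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newDevicePKI self-signs the CA that every device and server certificate chains to.
func newDevicePKI() *devicePKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Device CA (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &devicePKI{caCert: cert, caKey: key, pool: pool, blocked: map[string]bool{}}
}

// issue signs one leaf: a device cert names the user (CN) and device (OU); the VPN server cert also carries its DNS name.
func (p *devicePKI) issue(serial int64, cn, ou string, eku x509.ExtKeyUsage, dns ...string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}, DNSNames: dns,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, p.caCert, &key.PublicKey, p.caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig demands a client cert chained to the device CA, then refuses any verified leaf on the block list.
func (p *devicePKI) serverConfig(srv tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0] // the TLS stack has already chained this leaf to ClientCAs
			if p.blocked[leaf.SerialNumber.String()] {
				return fmt.Errorf("device %v of %s is blocked", leaf.Subject.OrganizationalUnit, leaf.Subject.CommonName)
			}
			return nil
		},
	}
}

// tryConnect runs one TLS session over loopback TCP; nil means the device was admitted.
func tryConnect(p *devicePKI, srvCfg *tls.Config, device tls.Certificate) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok")) // Write runs the server-side handshake; it fails if the client cert is refused
			c.Close()
		}
	}()
	conn := tls.Client(must(net.Dial("tcp", ln.Addr().String())), &tls.Config{Certificates: []tls.Certificate{device}, RootCAs: p.pool, ServerName: "vpn.example.invalid"})
	defer conn.Close()
	// Read runs the client handshake first; under TLS 1.3 a refusal arrives as an alert on this first read, not during the handshake.
	_, err := conn.Read(make([]byte, 2))
	return err
}

// demo issues certs for one rep's notebook and handheld, reports the handheld lost, and returns whether each can still open a session.
func demo() (notebookOK, handheldOK bool) {
	pki := newDevicePKI()
	srv := pki.issue(100, "vpn.example.invalid", "vpn", x509.ExtKeyUsageServerAuth, "vpn.example.invalid")
	notebook := pki.issue(2, "sales-rep", "notebook", x509.ExtKeyUsageClientAuth)
	handheld := pki.issue(3, "sales-rep", "handheld", x509.ExtKeyUsageClientAuth)
	pki.blocked[big.NewInt(3).String()] = true // the handheld is reported lost; the notebook cert is untouched
	return tryConnect(pki, pki.serverConfig(srv), notebook) == nil, tryConnect(pki, pki.serverConfig(srv), handheld) == nil
}

func main() { fmt.Println(demo()) }
```

The revocation check runs after the TLS stack has already validated the chain, which is the order a gateway wants: an attacker cannot reach the block-list lookup with a certificate the device CA never issued. In a deployment the in-memory map would be a CRL or OCSP responder fed by the lost-device process, and the verified leaf's subject would then be mapped to an authorization policy (the per-application granularity Beaudry describes) rather than simply admitted or refused.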
But what about security problems with SSL? Beaudry says he's comfortable with SSL security, although there's always the threat of a hacker grabbing session keys from one of his users. "But once that session has ended, there's a new session and new hashes," so the attacker would have to start all over.
"My biggest risk is a user losing his or her notebook itself and all the files on it, versus someone [unauthorized] connecting to the company with a notebook. Our business isn't retail, so we're not dealing with credit cards and Social Security numbers. We're business-to-business, so it's a balance for our security and access."
And users only get access to the apps to which they are authorized. "The beautiful thing about the SSL VPN is it's so granular," he says. "Managers can see all the screens for their locations, and users just [see] the ones for the work they do."
Beaudry says he never seriously considered IPSec because of the client software and the fact that users couldn't just jump on the VPN from the road. JRI's network consists of Cisco PIX firewalls with Triple DES-encrypted tunnels and 10- to 100-Mbit/s pipes at its data center.
Kelly Jackson Higgins, Senior Editor, Dark Reading