IPsec VPNs for secure remote access

IPsec VPNs may be the most common method for providing secure remote access from company-managed laptops, but they are impractical on home PCs and impossible on public PCs. To address the remote access needs of teleworkers, day extenders, and mobile workers more effectively, many companies are now adopting SSL VPNs.

SSL VPNs are easier to deploy than IPsec because they use the web browser already present on most desktops and dynamic Java/ActiveX clients instead of installed VPN client programs. They use protocols that pass more easily through perimeter firewalls and network address translation. They let the VPN server dictate tunnel security parameters instead of requiring client-side configuration. They offer more secure support for common remote user authentication methods like passwords and tokens. And they can usually apply more granular access rules -- for example, letting individual users reach selected applications or application objects (URLs, files, etc.) instead of connecting remote hosts to entire networks.

In some cases, an SSL VPN's granular access rules may be MORE secure than IPsec. If a home PC has been infected with a worm, that worm is more likely to propagate into your company network over a full-IP tunnel than over an SSL-protected session to a specific application. If a public PC is infected with a remote access trojan, that trojan cannot route IP traffic over an SSL session into your company network. Many SSL VPN products can factor in location and device -- for example, providing email-only access when Joe connects from an untrusted public PC, while permitting broader access when Joe connects from his trusted company-managed laptop.

For data privacy and integrity, IPsec and SSL tunnels can use many of the same security measures, like DH key exchange, AES encryption, and SHA-1 hashed message authentication. TLS 1.0 eliminates support for some of the less secure algorithms included in SSL 3.0, so it should be used whenever possible. Ultimately, security depends on how a VPN server is configured, so it is essential to match your VPN product -- IPsec or SSL -- with your desired security policy.

SSL VPNs do have certain security drawbacks. SSL VPN servers are inherently more vulnerable to TCP-based DoS attacks, and should be deployed behind a perimeter firewall that offers strong DoS protection. SSL VPN clients may "leak" non-tunneled traffic or leave private data behind on public PCs unless further measures are used. And permitting any degree of access from unknown, potentially compromised devices involves more risk than permitting access only by trusted devices.

To mitigate these risks, many SSL VPNs provide endpoint security features, either built-in or through integration with third-party products. For example, the Citrix Access Gateway that you asked about can perform an endpoint security check when SSL VPN sessions are established, verifying anti-virus, personal firewall, and other endpoint resources before allowing remote access. It uses a Java-based VPN client that avoids split tunneling by default. It applies context-sensitive rules that can limit resource exposure in less trustworthy environments. For example, "kiosk mode" transmits all application information as images, never sending any text that could potentially be left on a public PC. You can also limit kiosk users to selected screen-sharing applications like VNC or Windows Remote Desktop.
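The context-sensitive rules described above (per-user application entitlements narrowed by device trust and endpoint posture, with kiosk mode for untrusted PCs) can be sketched as a small policy evaluator. This is an added illustration, not Citrix Access Gateway code; the user names, resource names and rule thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed example of context-sensitive SSL VPN access rules. The users,
# resource names and thresholds below are assumptions, not any product's policy.

@dataclass(frozen=True)
class Endpoint:
    managed: bool        # company-managed laptop vs. home/public PC
    antivirus_ok: bool   # result of the endpoint security check
    firewall_ok: bool

@dataclass(frozen=True)
class Decision:
    resources: frozenset
    kiosk_mode: bool     # screen images only; no text reaches the PC
    reason: str

# Per-user entitlements: the most a user can ever reach, whatever the device.
ENTITLEMENTS = {
    "joe": frozenset({"email", "intranet", "crm", "rdp"}),
    "ann": frozenset({"email", "fileshare"}),
}
EMAIL_ONLY = frozenset({"email"})
SCREEN_SHARING = frozenset({"vnc", "rdp"})

def decide_access(user: str, ep: Endpoint) -> Decision:
    """Evaluate rules top to bottom; the final rule is an explicit deny."""
    entitled = ENTITLEMENTS.get(user)
    if entitled is None:
        return Decision(frozenset(), False, "unknown user")
    posture_ok = ep.antivirus_ok and ep.firewall_ok
    if ep.managed and posture_ok:
        # Trusted device in policy: the user's full entitlement applies.
        return Decision(entitled, False, "trusted device, posture verified")
    if ep.managed:
        # Managed but out of policy: shrink to email until AV/firewall are fixed.
        return Decision(entitled & EMAIL_ONLY, False, "trusted device, posture failed")
    if posture_ok:
        # Untrusted but clean PC: email plus screen sharing, rendered as images.
        return Decision(entitled & (EMAIL_ONLY | SCREEN_SHARING), True,
                        "untrusted device, kiosk mode")
    return Decision(frozenset(), True, "untrusted device, posture failed")
```

Note that the intersection with the user's entitlement means a user who never had remote desktop rights does not gain them in kiosk mode.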

With regard to using portable devices to further strengthen security, the most common VPN add-on is token or smart card authentication. The Citrix Access Gateway can be used with SafeWord PremierAccess or RSA SecurID hardware tokens that neutralize vulnerabilities associated with plain-text passwords. By requiring users to demonstrate that they possess one of these physical tokens when logging in, access credentials can't be inappropriately shared with others or stolen by key loggers. To deploy either option, you'll need a matching authentication server somewhere inside your corporate network, to be consulted by the VPN gateway whenever users try to connect. Alternatively, you could authenticate users by certificates, stored on USB smart cards.

Another add-on security device that might interest you is a portable operating environment, like RedCannon Fireball KeyPoint. For example, KeyPoint for Citrix is a USB storage device that combines the Citrix Remote Access Suite with RedCannon's endpoint security solution. Remote users would carry a USB thumb drive containing the Citrix ICA Client, a stealth browser, a spyware scanner, an RSA SoftID client, and a secure data vault. This thumb drive can be used in any Windows PC without installing drivers or software. This lets your users carry the same trusted operating environment with them as they move between home and public PCs.

For an excellent in-depth SSL VPN study, read my friend Joel Snyder's December 2005 NWW article, SSL VPNs Dissected. That article provides a head-to-head comparison of 11 SSL VPN products. Although Citrix is not among them, you will still find a wealth of valuable SSL VPN information in Joel's article.
