Breathing new life into SSL VPNs: Making the most of the security benefits
Network security has been in an accelerated arms race for over a decade, with IT managers constantly adding new technologies to secure various network resources in an attempt to stay ahead of the bad guys. While the newer technologies can certainly help improve the overall security profile and reduce risks, there are also additional security benefits to be gained by creatively leveraging products you probably already have in your network.
Take SSL VPNs, for example. Long a mainstay of the security arsenal, SSL VPNs are normally deployed to provide secure access for remote and mobile workers. This technology has become nearly ubiquitous, with the result that many IT managers regard SSL VPNs as just a commodity – and about as exciting as watching paint dry.
With a little outside-the-box thinking, an SSL VPN can augment your security strategies, reduce risk and even improve user experience. The following maps out a sampling of ideas to make sure you are getting the most out of your SSL VPN.
Proxy
Most enterprise-class SSL VPN appliances can proxy connections to application servers running behind them. In the case of BYOD, with unmanaged devices accessing network resources, this capability can help ensure the security of critical applications like Microsoft Exchange. Proxying eliminates the need to open firewall ports to the servers (usually ports 80 or 443), and doesn’t expose server ports to the public. Furthermore, most SSL VPN products allow the definition of multiple rule structures so user-owned mobile devices can be subjected to additional scrutiny before admission onto the corporate network.
Centralized IT portal
In a busy IT department, it’s not uncommon for staff to need access in order to manage network resources from a remote location (home office, branch office, etc.). Using an SSL VPN appliance, a separate secure portal can be set up specifically for authorized IT staff that includes links to Web-based applications (via proxy), and to proxy RDP connections that have been statically assigned in compliance with internal policy.
In addition, IT-specific network tools that require only infrequent remote access can be published on the IT portal for ease of use. Multifactor authentication and single sign-on can add an additional layer of security to meet internal security policies, and the SSL VPN’s monitoring capabilities can be used for event logging to meet internal requirements.
Secure sensitive information in the field
Financial institutions, social services organizations and others often need to interact with customers and clients outside of the office and after office hours. However, in order to work effectively, employees may need to access private account information, personal identification numbers, and other confidential information. A number of SSL VPN appliances offer add-on software or modules to allow secure access to a work PC from any location or device, and allow employees to view applications and customer data just as if they were in the office.
This approach maintains the security of confidential data by allowing remote devices to view applications and data without the sensitive information itself being transmitted across the public network or stored on the mobile laptop or smart device. In the event of loss or theft, sensitive customer or client data is thus not exposed.
Streamlining multifactor authentication
If your organization has multiple, dispersed offices, deploying two-factor or multifactor authentication can quickly become unmanageable if appliances need to be installed at each server that will be accessed remotely. By consolidating multifactor authentication at a single point – an SSL VPN appliance, of course – users can securely authenticate at just one location, and the connections will be proxied out to the appropriate back-end resource no matter where it physically resides in the network.
This approach offers at least two benefits: management of the authentication appliance or service is greatly simplified for the IT team and end-users find it much easier to use just one location and one process for access, regardless of their physical location. By reducing complexity for end users, acceptance and adoption usually follow as a natural progression.
It should be noted, too, that SSL VPN products usually support at least one authentication scheme beyond user passwords. A one-time password is a typical offering: the password is generated by the SSL VPN appliance and sent to the user’s mobile device for use in authentication.
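The delivered one-time password scheme above is only as strong as the properties the appliance enforces on the server side: the code must be unpredictable, expire quickly, be accepted once, tolerate only a handful of guesses, and be compared in constant time. The following is an added illustration of those properties in Python, not code from the article or from any SSL VPN vendor; the class name OtpService, the limits OTP_TTL_SECONDS and MAX_ATTEMPTS, and the injectable clock are assumptions chosen for the example.

```python
"""Server-side issuance and verification of a delivered one-time password.

Added example (not from the original article). The appliance generates the
code and delivers it out of band (SMS, push); this module models only the
server-side bookkeeping that makes such a code safe to accept.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 300     # assumed validity window (5 minutes)
MAX_ATTEMPTS = 5          # assumed guess budget before the code is discarded
_DIGITS = "0123456789"


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Tracks one outstanding code per user; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, username: str) -> str:
        # secrets (CSPRNG), never random.randint, so the code is unguessable.
        code = "".join(secrets.choice(_DIGITS) for _ in range(OTP_DIGITS))
        # Issuing a new code invalidates any earlier outstanding one.
        self._pending[username] = PendingOtp(code, self._clock() + OTP_TTL_SECONDS)
        return code  # handed to the delivery channel, never echoed to the client

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing outstanding for this user
        if self._clock() > entry.expires_at:
            del self._pending[username]       # expired codes are dropped, not retried
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]       # guess budget exhausted: force re-issue
            return False
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[username]       # single use: a replayed code fails
            return True
        return False

    def outstanding(self, username: str) -> bool:
        return username in self._pending


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("demo-user")             # constructed sample user
    print("delivered code:", code)
    print("first use accepted:", svc.verify("demo-user", code))
    print("replay accepted:", svc.verify("demo-user", code))
```

The injectable clock is what makes the expiry path testable without sleeping; in production the default time.time is used and the pending table would live in shared storage so that any appliance in a cluster can honour a code issued by another.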
Consistent branding
This may not fall under features that offer a direct benefit to IT staff, but often it’s desirable (or requested) to use a custom “skin” for corporate applications. Rather than spending thousands of dollars to have a custom-branded interface for each Web-based application (like Outlook, SharePoint and others), the SSL VPN appliance’s portals can be easily modified to reflect the corporate logo, color scheme, etc. This method provides a very user-friendly and easily recognizable access point for corporate applications.
While securing remote and mobile access to network resources will always be the primary mission for an SSL VPN product, modern solutions offer additional capabilities that can make life easier for the IT team, and help secure network resources more effectively.