By Joel Snyder
Network World, 01/12/04
The Secure Sockets Layer VPN market brings together many technologies to accomplish the goal of secure remote access. Understanding the strengths and limitations of SSL VPNs means knowing the meaning of four critical terms: proxying, application translation, port forwarding and network extension.
SSL VPN devices all start with at least one function: proxying Web pages. For the SSL VPN system that means connecting to a Web server, downloading a Web page and shipping it back over an SSL connection to the end user's browser. The devil is in the details: every link, form action, image and script reference in that page has to be rewritten so that the browser's next request comes back to the SSL VPN device rather than going straight to the internal server, and pages that build URLs dynamically in JavaScript are where proxying most often breaks. The basic idea, though, is pretty easy to understand.
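The rewriting step is the part that is easy to get wrong, so here is what it looks like in practice. The Python below is an added illustration, not code from the article or from any SSL VPN product: it assumes a gateway named vpn.example.com that exposes proxied pages under a /web/<host>/ path and an allowlist of two internal hosts, all of which are made up for the example. It resolves relative links against the origin server, rewrites only links that point at allowlisted hosts, and refuses inbound requests for any other host, so the proxy cannot be turned into a general-purpose tunnel to the inside.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumed gateway name and allowlist of internal hosts it is willing to proxy.
GATEWAY = "https://vpn.example.com"
INTERNAL_HOSTS = {"intranet.example.com", "hr.example.com"}

# Attributes whose values carry URLs. A real rewriter must also handle CSS url(),
# <meta refresh>, Location and Set-Cookie headers, and URLs built in JavaScript.
_URL_ATTR = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def to_gateway_url(internal_url):
    """Map an absolute internal URL to the form the browser must use via the gateway:
    https://intranet.example.com/a?x=1 -> https://vpn.example.com/web/intranet.example.com/a?x=1
    Returns None for hosts outside the allowlist (left for the browser to reach directly)."""
    p = urlsplit(internal_url)
    if p.scheme not in ("http", "https") or p.hostname not in INTERNAL_HOSTS:
        return None
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return f"{GATEWAY}/web/{p.hostname}{target}"


def rewrite_html(page_html, page_url):
    """Rewrite every link in a page fetched from page_url so that links to internal
    hosts loop back through the gateway. Relative links are resolved against the
    origin server first; otherwise they would point at the gateway's own web root."""
    def repl(m):
        attr, q, value = m.groups()
        gw = to_gateway_url(urljoin(page_url, value))
        return f"{attr}={q}{gw or value}{q}"
    return _URL_ATTR.sub(repl, page_html)


def resolve_gateway_request(request_path):
    """Inbound side: turn /web/<host>/<path> back into the internal URL to fetch.
    Hosts not on the allowlist return None; without this check any authenticated
    user could reach arbitrary inside hosts through the gateway."""
    m = re.fullmatch(r"/web/([^/]+)(/.*)?", request_path)
    if not m or m.group(1) not in INTERNAL_HOSTS:
        return None
    return f"https://{m.group(1)}{m.group(2) or '/'}"


# Constructed sample page, as the gateway would receive it from the intranet server.
SAMPLE_PAGE_URL = "https://intranet.example.com/apps/index.html"
SAMPLE_HTML = ('<a href="/hr/payroll">Payroll</a> <img src="logo.png"> '
               '<a href="https://hr.example.com/forms">Forms</a> '
               '<a href="https://www.example.org/">Public site</a>')

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML, SAMPLE_PAGE_URL))
    print(resolve_gateway_request("/web/intranet.example.com/hr/payroll"))
    print(resolve_gateway_request("/web/evil.example.net/"))  # None: not allowlisted
```

The regular expression covers only the three common URL attributes. A production rewriter also has to catch URLs in style sheets, in HTTP Location and Set-Cookie headers, and in JavaScript that assembles them at run time, which is exactly why complex Web applications break behind SSL VPN proxies.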
Things get complicated when you start talking about anything other than a Web page. The next step up in complexity involves application translation. A good example is how SSL VPN devices treat file servers. On the inside, the SSL VPN device speaks the file server's native protocol, such as Microsoft's CIFS or FTP; on the outside, it translates that protocol into HTTP and HTML, so the end user sees the file server as if it were a Web page and needs nothing but a browser. The application has, in effect, been "Webified."
Application translation works for some things, but not for others. Some applications, such as Microsoft Outlook or instant-messaging tools, have a particular look and feel that is lost in translation to a Web-based interface. This brings us to port forwarding, a technique that works for well-defined applications. Port forwarding requires a very small application that runs on the end user's system, often a Java or ActiveX tool. The port forwarder listens for connections on the user's own machine, on a local port configured for each application. When a connection arrives on that port, its data is tunneled inside an SSL connection to the SSL VPN device, which unpacks it and forwards it to the real application server. To use the port forwarder, the end user simply points the application he wants to run at his own system (localhost) rather than at the real application server.
Port forwarding is a very effective technique, but it also has some severe limitations. For port forwarding to work, an application has to be well-behaved and predictable in its network connectivity: it must talk to a fixed, known set of servers and ports. Protocols that negotiate additional ports on the fly or carry server addresses inside the data stream, such as active-mode FTP or applications built on dynamically assigned RPC endpoints, are poor candidates. Although there are port-forwarding tools written in Java that work across platforms, our experience was that port forwarders tend to be platform-specific.
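To make the mechanism concrete, the Python below is an added example, not code from the article or from any vendor's port forwarder, of the three parties in the description above: the forwarder on the user's machine, the SSL VPN device, and the real application server. It runs entirely over loopback and, to stay self-contained, leaves out the TLS wrapper that a real product puts around the forwarder-to-gateway leg; the TUNNEL/OK/DENY header lines and the application names are invented for the example. Two details are the security-relevant ones: the forwarder listens only on 127.0.0.1, so other machines on the user's LAN cannot use the tunnel, and the client asks for an application by name, so the destination host and port come from the gateway's policy rather than from the client.

```python
import contextlib
import socket
import threading

# Gateway policy: application names a client may tunnel, and where each one really
# lives on the inside. The client never names a destination. (Constructed for this
# example; the ports are filled in at run time by demo().)
POLICY = {}

def _serve(bind, handler):
    """Listen on bind, hand each accepted connection to handler in a thread; return the port."""
    srv = socket.socket()
    srv.bind(bind)
    srv.listen(8)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def _readline(sock):
    """Read one newline-terminated header line a byte at a time (no over-read)."""
    buf = b""
    while not buf.endswith(b"\n"):
        c = sock.recv(1)
        if not c:
            break
        buf += c
    return buf.decode(errors="replace").strip()

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    """Splice two sockets in both directions until both halves finish."""
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    a.close()
    b.close()

def app_server(conn):
    """Stand-in for the real internal server: read to EOF, reply upper-cased."""
    with conn:
        data = b""
        while chunk := conn.recv(4096):
            data += chunk
        conn.sendall(data.upper())

def gateway(conn):
    """Gateway side. In a product this leg is the SSL session (TLS omitted here so
    the example runs offline). Only applications named in POLICY get spliced."""
    parts = _readline(conn).split()
    if len(parts) != 2 or parts[0] != "TUNNEL" or parts[1] not in POLICY:
        conn.sendall(b"DENY\n")
        conn.close()
        return
    upstream = socket.create_connection(POLICY[parts[1]])
    conn.sendall(b"OK\n")
    _relay(conn, upstream)

def make_forwarder(app, gateway_addr):
    """Client-side forwarder for one application. Binds to loopback only, so other
    hosts on the LAN cannot ride the tunnel, and asks the gateway for app by name."""
    def handle(client):
        gw = socket.create_connection(gateway_addr)
        gw.sendall(f"TUNNEL {app}\n".encode())
        if _readline(gw) != "OK":
            client.close()
            gw.close()
            return
        _relay(client, gw)
    return _serve(("127.0.0.1", 0), handle)

def talk(port, payload):
    """What the user's application does: connect to localhost instead of the server."""
    out = b""
    with contextlib.suppress(OSError), socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while chunk := s.recv(4096):
            out += chunk
    return out

def demo():
    """Wire up server, gateway and two forwarders; return (allowed, refused) replies."""
    POLICY["mail"] = ("127.0.0.1", _serve(("127.0.0.1", 0), app_server))
    gw = ("127.0.0.1", _serve(("127.0.0.1", 0), gateway))
    allowed = make_forwarder("mail", gw)
    refused = make_forwarder("telnet", gw)  # not in POLICY: the gateway must refuse it
    return talk(allowed, b"hello"), talk(refused, b"hello")

if __name__ == "__main__":
    print(demo())
```

demo() returns the reply that reached the user's application through each forwarder. The first forwarder carries "hello" to the inside server and brings back its answer; the second asks for an application the policy does not list, and the gateway refuses it before a single byte is relayed. A forwarder that bound to 0.0.0.0, or that let the client name an arbitrary host and port, would turn the user's PC into an open relay into the corporate network, which is the failure mode to look for when evaluating a vendor's port-forwarding client.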
The fourth technology some vendors are including in their products is network extension. SSL VPN network extension gives the end user's system an IP-level presence on the corporate network, much as a traditional IPsec client does. Because the SSL VPN device now sees only packets rather than application requests, access controls can be based only on network-layer information, such as destination IP address and port number, and not on the application-level detail (URLs, file paths, commands) that proxying and application translation can see.
Network extension also moves completely away from operating-system independence: it installs a virtual network adapter or network driver on the client, which requires administrative access to the local system. SSL VPN network extension carries the traffic on top of the SSL protocol rather than IPsec, trading off the higher security of IP Security for simplicity of management and greater robustness in the face of different network topologies, such as firewalls and network address translation, which pass an outbound TCP connection to port 443 far more reliably than they pass IKE and ESP.