Q

Are SSL VPNs secure enough for enterprise use?

In this Ask the Expert response, VPN expert Rainer Enders discusses how to determine whether SSL VPNs are a secure enough option for your enterprise.

Are SSL VPNs secure enough to use for my enterprise? How can I determine if I should use another type of VPN?

The answer to this question is a typical security-type answer: It depends. Security frameworks differ in cost and complexity, and as such, the level of security should be adapted to the assets they are supposed to protect. The best approach would be to conduct a security audit to assess the level of risk related to the way company assets are being accessed or exposed. For the assessment, it is important to include all peers that participate...

in extranet-type communication.

On the server side, some of the assessment questions to answer would be:

  • What systems are being accessed?
  • How is access granted?
  • Which assets are being accessed?
  • What level of depth into the network is required for that type of access?
  • What would happen if things go bad?
  • What would this mean for the business?

 On the client side, the relevant questions to answer would be:

  • What clients and client types will access the network?
  • How will the VPN be used in terms of locations and access methods?
  • What type and level of control do I want or need on the client side?

The client-side evaluation could potentially raise some red flags signaling that SSL VPN might not be the best choice due to the lack of client security, either from the browser or the client machine itself. A comprehensive assessment of all factors would highlight the potential weaknesses and reveals how relevant they may be to the network.

When choosing to use SSL VPNs, it is important not to overlook the level of client control which is one of the dangers of SSL VPN. It is suggested that security at the client end is a given, but even with endpoint protection, SSL VPNs are vulnerable from the client side. Client systems and browser applications should not be trusted blindly. Taking a proper management approach of the client and ensuring security and identity verification is vital to controlling who is coming inside the network.

There are two main scenarios that should make you think about using another type of VPN. First, if the security of your IT assets is a true concern and you will see a severely negative business impact if your data is exposed, lost or stolen. Second, if you want to exercise tighter client control to reduce your overall risk exposure or because of regulatory compliance reasons.

Email your VPN-related questions to editor@searchenterprisewan.com.

This was first published in December 2011

Dig deeper on VPN design

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchNetworking

SearchUnifiedCommunications

SearchTelecom

SearchSDN

Close