The answer to this question is a typical security-type answer: It depends. Security frameworks differ in cost and complexity, so the level of security should be matched to the assets it is supposed to protect. The best approach would be to conduct a security audit to assess the level of risk related to the way company assets are being accessed or exposed. For the assessment, it is important to include all peers that participate in extranet-type communication.
On the server side, some of the assessment questions to answer would be:
- What systems are being accessed?
- How is access granted?
- Which assets are being accessed?
- What level of depth into the network is required for that type of access?
- What would happen if things go bad?
- What would this mean for the business?
On the client side, the relevant questions to answer would be:
- What clients and client types will access the network?
- How will the VPN be used in terms of locations and access methods?
- What type and level of control do I want or need on the client side?
The client-side evaluation could potentially raise some red flags signaling that SSL VPN might not be the best choice due to the lack of client security, either in the browser or on the client machine itself. A comprehensive assessment of all factors would highlight the potential weaknesses and reveal how relevant they may be to the network.
When choosing to use SSL VPNs, it is important not to overlook the level of client control, which is one of the dangers of SSL VPN. It is sometimes suggested that security at the client end is a given, but even with endpoint protection, SSL VPNs are vulnerable from the client side. Client systems and browser applications should not be trusted blindly. Taking a proper management approach to the client and ensuring security and identity verification are vital to controlling who is coming inside the network.
There are two main scenarios that should make you think about using another type of VPN. First, the security of your IT assets is a true concern and you will see a severely negative business impact if your data is exposed, lost or stolen. Second, you want to exercise tighter client control, either to reduce your overall risk exposure or for regulatory compliance reasons.
This was first published in December 2011