What is Web SSL VPN?
Web SSL VPN, as the name implies, is a Web-based VPN client. While this might not sound much to many people, it's actually a revolution in VPN technology. By moving from a program-based VPN client (as was discussed in the previous tip of this series, A history of VPN: Disadvantages of early virtual private networks) to a Web-based VPN client, the operating system (OS) is no longer a problem. You can download, install and run your Web-based VPN client on any operating system without experiencing the same problems as earlier VPNs. See this tip on IPsec vs. SSL VPNs here for more information.
Web SSL VPNs work by communicating over the standard HTTPS (SSL) protocol, allowing traffic to pass through almost any proxy or firewall that might be limiting your access. Once connected, a small Java-based client is downloaded to the computer's Web browser, which creates a virtual connection between your computer and VPN concentrator or firewall providing the service.
The great part about Web SSL VPN is that it will automatically download onto your user's computer and install itself when needed. Once the end user session is over, it can be configured (by the administrator setting up the VPN service) to automatically delete itself from the computer, leaving no trace of the VPN client. This means that by using Web SSL VPN, clients can safely log on to their corporate network from another computer, without requiring special certificates installed or group passwords at the user end. All they need to know is their own credentials and the URL to your Web SSL VPN concentrator.
Another big Web SSL VPN advantage is that it supports split tunnelling natively. Split tunnelling is a technique where, when connected to a VPN network, only traffic destined to that network is encrypted and passed over the tunnel.
All other traffic (i.e., Internet browsing) bypasses the tunnel and is sent directly to the Internet like any normal connection. Split tunnelling is a wonderful feature that allows users to do necessary work through the VPN but also maintain a direct Internet connection. Of course, as the network administrator of the VPN concentrator, you can easily disable this feature.
Can Web SSL VPNs protect against hackers and Web attacks?
Fortunately, Web-based VPN connections do not suffer from the same vulnerabilities that affect websites and Web servers. The technology might use the same protocols (HTTP and HTTPS), but the Web SSL VPN implementation is completely different for most vendors. The non-Web-server-based solution of Web SSL VPN offers a much more secure approach and is generally considered safe. The main difference here is that you've got a dedicated appliance offering a Web service and not a dedicated machine with a buggy operating system and a Web server full of exploits.
Web SSL VPNs are considered to be very secure and capable of encrypting your user sessions so that no data is compromised over the VPN. View this clientless SSL VPN vulnerability tip for more information.
Client-side security of Web SSL VPN
The latest Web SSL VPN solutions offered have certainly improved in both performance and security requirements for the end user. They are now capable of checking a number of parameters on the host's side to decide whether or not they should be installed. Administrators can create their own policies that would allow the Web SSL VPN client to install on a host's PC only if the host has a firewall installed and operating on its system, or if the host has a valid up-to-date antivirus. If any of these requirements are not met, the Web SSL VPN client can fail to install. Learn about client-side security considerations for SSL VPNs, in this tip.
VPN application support for Web SSL VPN
Early Web SSL VPNs, or first-generation Web SSL VPNs, supported fewer features and protocols and provided secure access mainly to Intranet Web-based application services. Their limited functionality and immaturity did not allow many companies to see them as an alternative to the well-known VPN client program. The advent of second-generation Web SSL VPNs brought full support for all IP-based applications. Intranet Web services, file services, ERP services and pretty much anything you can think of is now capable of running through a second-generation Web SSL VPN. This is also called a true SSL VPN solution as it completely replaces the IPsec-based VPN client used until now. Today, all solutions offered by leading vendors fall into the second generation of Web SSL VPNs.
Continue learning about SSL VPN in this tip, Web SSL VPN advantages, or skip to sections you are interested in, using the table of contents below:
TABLE OF CONTENTS
About the author: Chris is the founder and senior editor of Firewall.cx -- one of the few websites recommended by Cisco Systems in its world class Cisco Academy program. Firewall.cx is also the only official Cisco Press reviewer in the world. Today, www.Firewall.cx with over 1,500,000 page views per month, is amongst the most popular and respected network portals in the world, covering Cisco networking, security VPN, routing, switching and VoIP Call Manager Express technologies. Firewall.cx analyzes over 450 topics, with over 35,000 answered forum questions and offers free Cisco training via their world-first free Cisco lab.
This was first published in April 2010