SSL VPN Overview

Today’s remote-access VPN deployments require the capability to safely and easily extend corporate network access beyond managed desktops to different users’ devices, while protecting these endpoints and key corporate resources from ever-evolving threats. SSL VPN solutions can be customized for companies of any size and deliver remote access connectivity features and benefits such as the following:

• Lower desktop support costs through web-based access without preinstalled desktop software, which facilitates customized remote access.

• Threat protection through security integrated in the platform, which guards against viruses, worms, spyware, and hackers.

• Flexible and cost-effective licensing.

• Reduced cost and management complexity—both an SSL VPN and IPsec VPN on one device means you do not need other security devices.

SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. They do not require any special-purpose client software to be pre-installed on the system; this makes SSL VPNs capable of “anywhere” connectivity from company-managed desktops and noncompany-managed desktops, such as employee-owned PCs, contractor or business partner desktops, and Internet kiosks. Any software required for application access across the SSL VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance.

SSL VPNs provide two different types of access: clientless and full network access. Clientless access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted and delivered through a standard web browser; no other software is required or downloaded. Because all applications and network resources are accessed through a web browser, only web-enabled and some client/server applications, such as intranets, applications with web interfaces, email, calendaring, and file servers, can be accessed using a clientless connection. This limited access, however, is often a perfect fit for business partners or contractors who should have access to only a limited set of resources on the organization’s network. Furthermore, delivering all connectivity through a web browser eliminates provisioning and support issues because no special-purpose VPN software must be delivered to the user desktop.

SSL VPN full network access enables access to virtually any application, server, or resource available on the network. Full network access is delivered through a lightweight VPN client dynamically downloaded to the user desktop (through a web browser connection) upon connection to the SSL VPN gateway. This VPN client, because it is dynamically downloaded and updated without any manual software distribution or interaction from the end user, requires little or no desktop support by IT organizations, thereby minimizing deployment and operations costs. Like clientless access, full network access offers full access control customization based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources they use in the office or for any client/server application that cannot be delivered across a web-based clientless connection. Figure 9-12 illustrates the flexibility available using SSL VPNs and the many ways they can be used more securely and flexibly than IPsec client-based VPNs.

Figure 9-12 SSL VPN Deployment Options
