VPN Functionality with Greater Convenience and Lower Cost
Classic IPSec VPNs were designed to offer remote access via encrypted channels over the public Internet. With the advent of the World Wide Web, and the proliferation of SSL-enabled web browsers to the point of ubiquity, complicated clients are no longer needed to establish secure channels across the Internet. With simple web browsers, users can utilize standard and secure SSL tunnels to achieve remote access to a vast number of applications. From a business standpoint, SSL VPNs offer three significant benefits over classic IPSec VPNs:
They typically cost far less to implement and manage,
They offer greater convenience to users leading to better employee productivity, and
They are more secure.
Of course, offering access from "anywhere" includes allowing access from Internet kiosks and other machines not known to be secure. Although an organization may be willing to extend network connectivity from the organizational LAN to trusted company-owned laptops (as is done with IPSec VPNs), no security-conscious enterprise would ever place "a long Ethernet cable" from Internet kiosks to its corporate LAN!
SSL VPNs can provide secure access from a single homepage to:
employee benefits information, email, files and legacy applications.
As such, SSL VPNs - which are supposed to give access from anywhere (including Internet kiosks) - must not mimic the connectivity functionality of IPSec VPNs, but rather establish secure access to applications from anywhere - by protecting against the threats created when offering access from insecure computers. These threats include problems of data remaining on machines after usage, session reinstatement, and other serious concerns. If these threats are properly mitigated, then SSL VPNs can offer lower costs and greater convenience than their IPSec counterparts. Of course, if these threats are not addressed, users will need to use company-owned laptops for access - defeating the benefits of the SSL VPN.
When SSL VPNs are implemented appropriately, they typically offer cost savings when compared to classic IPSec VPNs because there are no clients to maintain, and the simplicity of browser access yields a far smaller demand on organizational helpdesk resources.
Among the costs of classic VPNs that are greatly reduced when utilizing an SSL VPN such as the e-Gap Remote Access appliance are:
Hardware costs of providing employees with laptops and home computers, as well as ongoing maintenance of these machines
Deployment costs, including the purchase and installation of client software on all employees' computers
Personal security software purchase and management (e.g. personal firewalls, anti-virus software)
VPN management and maintenance costs including software upgrades, training, help-desk costs, connectivity (e.g., dial-up) costs, and more.
As for convenience and user experience: SSL VPNs free employees from being bound to particular locations, laptops, or devices for the purpose of accessing internal resources. Users access all of their internal resources through a single, convenient customizable "portal" web page--from any web browser, anywhere, anytime. Employees can travel without having to carry laptops, and the IT staff has fewer support nightmares. Your workers will thank you - and be more productive! (Of course, this is all contingent upon the aforementioned browser-side security risks being addressed.)
Because SSL VPNs allow remote access to applications without attaching the user's computer to the internal network, they eliminate the serious security problems associated with having infected PCs attached to the enterprise LAN via a VPN. When properly implemented, SSL VPNs can filter requests to ensure no worms or viruses can tunnel through them to internal systems.
An SSL VPN requires specialized capabilities to allow remote access to internal applications. For example, it must allow access to multiple back-end systems through the use of a single hostname, and be able to translate internal references -- such as internal host names and IP numbers found in URLs, JavaScript, cookies, headers, and parameters -- so that they will work from the Internet. (Of course, this should be done without disclosing information about the internal network topology to users in public locations.) SSL VPNs should support strong authentication before allowing users to access any internal systems, and obviously must provide single-sign-on capabilities to multiple back-end systems. They should also provide access to files so remote users can access shared drives on their corporate LANs. Of course, ideally, SSL VPNs should work without any ActiveX or Java clients being downloaded to the web browser -- as such clients severely limit the usability of the SSL VPN from many locations and devices where such software cannot be run.
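The reference translation described above can be sketched as follows. This is an added example, not code from e-Gap or any other product; the portal hostname, the internal naming scheme (*.corp.example, 10.0.0.0/8), the secret and the Translator class are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

PORTAL = "https://portal.example.com"   # assumed single public hostname
SECRET = b"constructed-demo-key"        # assumed per-deployment secret
# Assumed internal naming and addressing: *.corp.example and 10.0.0.0/8.
INTERNAL = re.compile(
    r"(https?)://((?:[\w-]+\.)*corp\.example|10(?:\.\d{1,3}){3})(:\d+)?(?![\w.-])",
    re.IGNORECASE)
# Constructed sample page fragment with two internal references.
SAMPLE = ('<a href="http://crm.corp.example/leads?id=7">CRM</a>'
          '<script>var api="https://10.20.30.40:8443/v1";</script>')


class Translator:
    def __init__(self):
        self._origins = {}  # token -> internal origin, kept on the gateway only

    def _token(self, origin):
        # Keyed hash: a plain hash would let anyone confirm guessed host names.
        tok = hmac.new(SECRET, origin.encode(), hashlib.sha256).hexdigest()[:16]
        self._origins[tok] = origin
        return tok

    def _sub(self, m):
        origin = f"{m.group(1)}://{m.group(2)}{m.group(3) or ''}".lower()
        return f"{PORTAL}/app/{self._token(origin)}"

    def rewrite_text(self, text):
        """Rewrite absolute internal URLs in HTML, JavaScript or header values."""
        return INTERNAL.sub(self._sub, text)

    def rewrite_set_cookie(self, value, origin):
        """Re-scope a back-end cookie to that back end's portal path."""
        parts = [p.strip() for p in value.split(";")]
        attrs = [p for p in parts[1:]
                 if not p.lower().startswith(("domain=", "path=", "secure"))]
        path = f"Path=/app/{self._token(origin)}"
        return "; ".join([parts[0]] + attrs + [path, "Secure"])

    def resolve(self, path):
        """Map a portal path back to the internal URL; None if unknown."""
        m = re.fullmatch(r"/app/([0-9a-f]{16})(/.*)?", path)
        if not m or m.group(1) not in self._origins:
            return None  # unknown token: refuse rather than proxy blindly
        return self._origins[m.group(1)] + (m.group(2) or "/")
```

Because resolve() only accepts tokens the gateway itself issued, a remote user cannot steer the proxy to an arbitrary internal address, and the rewritten page carries no internal host name or IP address.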
Some users may need access to Client/Server applications (e.g. Lotus Notes Client, legacy CRM systems, etc.). To deliver such access without forcing users to use the SSL VPN from machines with clients installed (which would undermine the benefits of SSL VPN technology), SSL VPNs should integrate with terminal-services systems (such as Citrix products). Such integration allows users to access their client/server applications from anywhere -- even from machines on which they do not have client software installed.
The e-Gap Remote Access Appliance, the leading SSL VPN on the market today, addresses these functionality and security concerns. With its robust feature set and military-grade Air Gap security, e-Gap Remote Access allows organizations to achieve the benefits of an SSL VPN with great ease, and without sacrificing security.