In most cases users take advantage of the facts that traffic sent to TCP port 443 is opaque to the firewall and the firewall has limited visibility into HTTP traffic.

Some bypass methods used:

• Software tunneling applications.
• Anonymous web proxy sites.
• Tunneling Proxy Servers.
• Remotely accessing a computer.
• Cache websites.
• Access sites via email.

Software tunneling applications

There are many software applications, either browser add-ons or standalone applications, that users can install and use to tunnel their web traffic through the firewall. To name a few:

• UltraSurf.
• Tor.
• JonDo.
• Identity Cloaker.
• Various VPN services, some based on OpenVPN.

Some of these can tunnel traffic through the corporate web proxy too, even if it requires authentication. Note that the users’ traffic can be encrypted in the process.

To understand how many applications, for example alternatives to UltraSurf exist, you can visit: http://alternativeto.net/software/ultrasurf/.

Anonymous web proxy sites

When users cannot install any software on their machines, they use their browsers and access anonymous proxy web sites. On these sites, they enter the URL of the destination they want to visit, and they will access this destination through the proxy.

Some popular such web sites:

• Proxify.
• Hide My Ass.

A list of anonymous proxy web sites can be found at: https://proxy.org/cgi_proxies.shtml.

Note that users can buy themselves a domain and host a web site using Glype, CGIProxy or PHProxy to achieve the very same thing.

Tunneling Proxy Servers

Users can setup HTTP or SSL tunnel channels; through these channels SSH can be tunneled. Over SSH users can browse the web.

• Tunnel through HTTP requests; e.g. httptunel utility.
• Tunnel through SSL; e.g. stunnel utility.
• Tunnel through the corporate HTTPS proxy in case one exists; e.g. corkscrew or Proxytunnel utilities. The HTTPS proxy is an HTTP proxy that supports CONNECT requests.
• Use either SSH, OpenVPN or proprietary protocols directly over TCP port 443 through the firewall.

Remotely accessing a computer

Users can access their own computers at home with software normally used for the remote administration of a PC/ server. From the home computer they can browse freely the web. To name a few remote access applications:

• LogMeIn.
• TeamViewer.
• GoToMyPC.
• Remote Desktop Web Connection.

Some of them require the installation of a client, some not(e.g. use Broswer+Java).

Cache websites

Certain sites cache web content(e.g. search engines like Google have an option to display the cached content of an URL) and others archive web sites to preserve them at a unique moment in the past(e.g. Internet Archive: Wayback Machine).

When accessing the content of a needed web site, the content will not be served from the original site; instead it will be served from the caching site(Google Cache) or from the archive sites. This means that your URL filtering policy for destinations will not apply anymore.

Access sites via email

Some services like Web2Mail allow users to receive web pages or to search the web by email.

SSL VPN bookmarks – what are they?

Form the users’ perspective, bookmarks are objects that enable them to easily access web, FTP, RDP or other services on the remote corporate network. Typically remote users log into SRA’s Virtual Office web-based portal(or custom portals) and gain access to pre-configured bookmarks(for services that they access frequently). If allowed by the administrator they can add new personal (user-level) bookmarks.

From the administrator’s perspective, bookmarks are objects enabling them by the use of a simple web based management interface to easily make available to remote users various corporate resources through the SSL VPN portal. The administrator can create both group and user bookmarks which will apply to applicable users.

SRA Available Bookmarks

There are a couple of bookmark types available depending on the services needed to be accessed, e.g. web applications(OWA, SharePoint, etc.), file shares(FTP, CIFS) or terminal services to name a few; the bookmarks available as writing for SRA SSL VPN 5.5.0.0 are listed in the below image.

Note that the bookmark’s usability can vary per client type, e.g. the RDP ActiveX-based bookmark is only supported with Internet Explorer browsers while the RDP Java applet-based bookmark is supported with all browsers and platforms compatible with SonicWALL SRA SSL VPN.

Bookmarks options

Some bookmarks have their own configurable options specific to the service provided(e.g. RDP bookmarks have many options), while others(e.g. Telnet bookmark) don’t have any.

Some options, like Single Sign-On(SSO) for the supported bookmarks can be globally set if global bookmarks are used.

Bookmarks look and feel

For example the File Shares(CIFS) bookmark provides remote users with a secure Java applet or HTML-based interface; the File Shares Java applet had more functionality but requires Java to be installed on the client side.

• The HTML-based interface is similar in style to Microsoft’s My Network Places, allowing users with appropriate permissions to browse network shares, rename, delete, retrieve, and upload files.

  

• The File Shares Java applet mimics Windows Explorer navigation and provides functionality not available in HTML-based File Shares, like the ability to overwrite existing files and upload directories.

  

HTTP(S) bookmarks

HTTP(S) bookmarks are used to provide access to web-based applications running on servers within the intranet; like access to enhanced versions of commonly-used web mail applications, such as Microsoft OWA Premium and Domino Web Access 7.

HTTP(S) bookmarks use an HTTP(S) reverse proxy; the proxy intercepts the HTTP(S) requests and responses between clients and the backend server.

URL rewriting is used with HTTP(S) bookmarks; URL rewriting can be a difficult process with complex web applications. Due to that some web applications’ features may not be usable or available.

With SRA SSL VPN 5.5.0.0 the HTTP(S) bookmarks have been tested and verified to support the following web applications:

• Microsoft Outlook Web Access 2010
  Microsoft Outlook Web Access 2007
  Microsoft Outlook Web Access 2003
• Windows Sharepoint 2007
  Windows Sharepoint Services 3.0
  Windows Sharepoint Services 2.
  (the client integrated features of Sharepoint are not supported)
• Lotus Domino Web Access 7.0.
• Novell Groupwise Web Access 7.0.
• ActiveSync with Microsoft Exchange 2010
  ActiveSync with Microsoft Exchange 2007
  ActiveSync with Microsoft Exchange 2003

Currently Sharepoint 2010 is not supported with HTTP(S) bookmarks.

Summary

Bookmarks provide a simple way for users to access web, FTP or other services on the remote network.

SSL VPNs serve mission critical operations. Remote workers must be able to access all the time various services. Although SonicWALL SRA appliances are very reliable, a single SSL VPN appliance alone cannot ensure 24x7 uptime. To help enterprises avoid a single point of failure and deal with network layer connectivity(e.g. physical or logical link failure), with power loss, etc., SonicWALL SRA series incorporate a high availability feature.

The high availability option is a standard feature of the SonicWALL SRA 4200 appliances (running SonicWALL SSL VPN 5.0 or higher); it’s not available for the SRA 1200 model.

How High Availability works

To provide redundancy and availability for services, a pair of identical SRA 4200 appliances is deployed. One serves as the primary device being active and serving connections, while the second device serves as the backup one being in an idle state. SRA’s X3 interface is the default port used for HA control traffic(the HA link connects the X3 ports of the SRA 4200 HA pair).

For example, when the primary device loses network connectivity, the backup device transitions to the active state and begins to serve connections.

The High A vailability feature provides administrators with:

• Firmware image, settings and session data synchronization between the HA pair.
• LAN and WAN connection monitoring.
• Interface and path monitoring.

Summary

High Availability (HA) allows two identical SRA 4200 appliances to provide reliable, continuous secure remote access, remote PC support or protection of web applications from web-based threats.

The SonicWALL SRA Series SSL VPN solutions have a User License model based on the number of concurrent users. It applies to both portal users and NetExtender users.

The User License Model

The model counts the number of concurrent or active users connected to the SRA appliance at any one time. This means that the total number of remote users is unlimited but at any time no more than the maximum number of users specified by the license are allowed to be connected to the SRA appliance.

Example of the SRA User License Model

To better understand the SRA User License model, below we will exemplify it for an organizations with a variable number of remote workers and an expected number of 7-8 remote users active at a time.

The Spike License

The Spike License(Temporary Capacity Upgrade) increases the allowed number of active users in case there is a sudden spike in remote access needs, such as in the event of a disaster. The Spike License is valid for a given number of users and days. The given number of users is the total number of users who are supported when the Spike License is activated, not a number in addition to the base license number. The use of the license can be suspended and resumed as needed(for increased efficiency). Time decrements are made to the Spike License in the granularity of one-day time periods.

The scope of the Spike License is to help organizations to ensure business continuity in case of natural calamities(hurricanes, etc.), power outages, transit strikes or any other potential business disruption events enabling the workforce to perform mission critical activities remotely.

Can multiple SonicWALL SRA appliances be cascaded to support more concurrent connections?

No, this is not supported. Of course, for example, multiple SRA appliances can be used at a time, each serving various departments of your business independently.

Consider a common scenario where a remote worker stops at a coffee shop with a free wireless hotspot from where he can browse the Internet. Since the worker found a place with Internet connectivity, it would be nice to VPN into the corporate network and perform some work duties; Internet connectivity means work productivity.

The user fires up the IPsec-based VPN client and attempts to establish a VPN connection to the office. He fails to connect as often from such hotspots only HTTP and HTTPS are allowed outbound.

Same scenario with SSL VPN

One feature of SSL VPNs is the clientless access mode which uses the browser as the VPN client.
On the SSL VPN gateway a site called portal is hosted; this acts as a virtual office from where users can securely access many web-based applications(like email, collaboration software, content management, web-based interfaces for CIFS or FTP file shares, web-based RDP, etc.) and more.
Since HTTPS is usually allowed from hotspots and the portal looks like an ordinary secure web site the remote worker will be able to successfully connect and obtain access to many corporate applications.

Furthermore on-the-fly downloadable Java applets or ActiveX controls provide remote users with emulated popular application clients(Telnet, SSH, VNC) to extend the level of access.
Even network level access with the SSL VPN based client(downloadable too from the portal) might be possible.

Conclusion

Today the office of remote workers can be any place with Internet connectivity. Traditional IPsec-based VPNs provide only limited connectivity since many locations(like coffee shop or public wireless hotspots) typically allow only web and secure web browsing. SSL VPNs can overcome the connectivity issues since they use one of the universally allow outbound port, TCP 443(HTTPS), and provide a virtual office portal accessible with a regular browser.

Technical Specs

Product Images

Click on the image below to zoom in for a better look.

Who Uses The SonicWALL SRA 1200?

Small organizations with less than 50 remote workers.

Major Problems Solved with SonicWALL SRA 1200

• The need for ubiquitous secure remote access to corporate resources without requiring a pre-installed fat client software.
• The need to increases users’ work productivity and lower administrative costs.

Top Standard Features on the SonicWALL SRA 1200

• Broad access to resources: intranet, file, desktop and terminal resources; virtually any TCP/IP based resource.
• Clientless Access: through the use of a standard browser; no pre-installed fat client software required.
• Network Level Access: with SonicWALL NetExtender(support for Multiple IP Ranges and Routes).
• Virtual Office: a customizable web-based portal.
• Mobile device support: Windows Mobile, Google Android, Apple iPhone, Apple iPad and Symbian.
• Reverse Proxy: OWA Premium Version and Lotus Domino Access support.
• Unified Policy: Display granular bookmarks and policies in one centralized page, streamlining configuration, troubleshooting and administrative overhead.
• Management: Easy-to-use web management interface.
• No More Weak Passwords: with SRA One-Time Passwords; included tokenless two-factor authentication capability.

Top Optional Features on the SonicWALL SRA 1200

• Remote support: with Virtual Access; an anywhere, anytime remote PC control solution.
• Remote PC control: with Virtual Assist; an anywhere, anytime remote support solution.
• PCI compliance: with the Web Application Firewall(WAF) module which offers protection for web applications(against all OWASP Top 10 web application security risks) and Data Leak Protection(DLP).
• Spike Licensing: A temporary-capacity add-on license that allows you to increase the remote user count immediately.
• ViewPoint: An easy to use web-based reporting tool.
• Enhanced security with Clean VPN: Deploy the SRA appliance alongside a SonicWALL firewall to achieve a multi-layered protection solution.

Appliance Type

Hardware-based hardened security appliance.

A VPN gateway can be integrated into a Unified Threat Management(UTM) appliance or Next Generation Firewall(NGFW). UTM or NGFW are multifunction security appliances that share many characteristics. What makes NGFW different is the visibility it provides into the application layer, visibility that enables administrators to control and manage applications and their features.

The idea behind them is to offer an integrated security solution, all-in one security in a single appliance, eliminating the need to manage individually multiple security devices.

Benefits of a VPN Firewall

Using the VPN feature of an UTM or NGFW has several advantages along with some of the SSL VPNs’ ones. Note that due to possible performance impact not all the features of a SSL VPN appliance may be present on the integrated VPN gateway; still it will retain important ones.

• Streamlined deployment, configuration and management; the VPN gateway being integrated, there is no need to deploy another appliance and manage it separately.
• Solid network level access using SSL VPN.
• Excellent connectivity(users can even connect behind web proxies).
• Simplified SSL VPN client deployment and management; the portal functionality is rather used to easily and safely deploy the SSL VPN client.
• On the fly creation of client connection profile(once downloaded from the portal, the SSL VPN client will create a connection profile recording the SSL VPN server name, and optionally the username and password).
• Mobile device support; typically the SSL VPN client is supported on many mobile platforms(Apple iPhone, Apple iPad, Android, Windows Mobile, etc.).
• Clean VPN; over the client’s VPN traffic multiple inspections can be applied(IPS, Antivirus, Content filtering, etc.).

SonicWALL VPN Firewall solutions SonicWALL offers both UTM and NGFW solutions with SSL VPN support.

• for small sized business: the SonicWALL TZ UTM series and NSA UTM series.
• for medium sized business: the SonicWALL NSA UTM series.
• for the enterprise: the SonicWALL E-Class NSA NGFW series.

To mention some features of SonicWALL UTM or NGFW: DPI firewall, IPS, content and URL Filtering, gateway antivirus, WLAN capabilities, easy to use management interface, encrypted traffic inspection, application control, Geo-IP & Botnet Filter.

Conclusion

Using the SSL VPN feature of an all-in one security appliance allows organization to benefit from solid and secure network level access along with streamlined deployment, configuration and management.

Plug-and-play deployment experience

Normally the process of building a VPN server includes many steps an administrator must consider.
Steps like: evaluating the hardware to ensure compatibility, stability and performance; install the OS, configure and harden it; install the VPN software. Then the admin will likely have to maintain and update each component(OS, VPN software, drivers, etc.) separately.

An appliance is an integrated hardware solution; all software, including hardened operating system, comes preloaded on the platform. It offers an easy to use (web) management interface.

The end result is a plug-and-play deployment experience. The administrator can focus on the planning, deployment and management phases.

And the planning and deployment phases can be quite straightforward as little modifications may be required to the existing infrastructure.

The easy to use management interface simplifies configuration and maintenance.

Feature-rich

The SSL VPN appliance is a secure remote access gateway; it's a specialized device concerned with inbound remote access traffic. It offers broad access(either web based through the portal or network level access) to resources, either intranet, file, desktop or terminal resources; virtually any TCP/IP based resource. Both clientless and client based modes of access are supported.

It may provide transparently downloadable Java or ActiveX based clients for various popular applications along with custom remote support and remote PC control solutions.

Can enhance the user experience with SSO(Single Sign On) capabilities; the portal acts as virtual office, one place to access a multitude of resources.

Security and performance

The OS is already hardened reducing the attack surface and eliminating any administrator configuration mistakes during the hardening process. Because it is only concerned with remote access traffic deeper application inspection will be performed(e.g. a Web Application Firewall module can be available to enhance the security of web applications).

As SSL VPN appliances offer a high level of application inspection, the administrators will be provided with granular control per user over the traffic flow.

Additionally a hardware cryptographic module can be available to offload SSL operations(this module also protects better the keys).

SonicWALL SRA Series

SonicWALL offers through the SRA series feature-rich easy to manage and deploy SSL VPN appliances destined to small and medium sized organizations.

Both the single arm and two arm modes of deployment are supported; the SRA appliances can be easily integrated into various exiting infrastructure. Furthermore a SRA appliance can be deployed alongside a SonicWALL NSA firewall to achieve layered security(SonicWALL Clean VPN).

Conclusion

A dedicated SSL VPN appliance is easy to deploy and manage, offers many features that enhance functionality and user experience along with strong security and performance.

Virtualization enables multiple operating systems, each running its own virtual machine, to use the same physical platform sharing the hardware resources. A virtual machine behaves exactly like a physical computer and has its own virtual hardware.

Virtualization is being used by organizations to reduce power consumption and the building space part of the cutting costs strategy. Virtualization also provides high availability, real-time migrations and speeds application or server deployments.

SSL VPN Virtual Appliance

A virtual appliance is a ready-to-use virtual machine image usually intended to run on a specific virtualization platform(optimized for better performance). It includes an already installed, hardened, and configured operating system along with ready-to-run software.

It provides a way to try, use and buy software by simply downloading the virtual appliance and evaluate it; when ready it can be moved into the virtualized production environment.

Benefits of a SSL VPN Virtual Appliance

• Enables a plug-and-play deployment as the administrator does not have to create the virtual machine, install the operating system, VPN software and harden the VM; simply downloads the virtual appliance and prepares the virtual infrastructure to accommodate it.
• Preserves some of the advantages of the dedicated hardware appliance as it is a feature-rich secure remote access gateway concerned with inbound remote access traffic.
• Delivers a high level of application inspection intelligence and an easy to use (web) management interface.
• It offers broad access(either web based through the portal or network level access) to resources, either intranet, file, desktop or terminal resources; virtually any TCP/IP based resource. Both clientless and client based modes of access are supported.
• Provides advantages in terms of flexibility and agility due to the virtual infrastructure; streamlined deployment, better disaster recovery, live migrations and snapshots to name a few.
• A state of a VM can be restored with a snapshot.
• If the hypervisor experiences problems, another one can take over.

SonicWALL SRA Series

SonicWALL offers through the SRA series a feature-rich easy to manage and deploy virtual SSL VPN appliance ideal for small and medium sized organizations. The virtual appliance has been preinstalled and pre-configured for VMware environments.

The SonicWALL SRA Virtual Appliance provides an optimized, non-tamperable software and hardware architecture.

Conclusion

A SSL VPN appliance delivers a feature rich SSL VPN solution enabling organizations to reduce costs and offers advantages in terms of flexibility and agility due to the virtual infrastructure.

SSL VPN Appliance

An appliance is an integrated hardware solution; all software, including hardened operating system, comes preloaded on the platform.

• Removes the responsibility from the administrator of installing the VPN software on a server and hardening that server.
• Typically is remote access oriented concerned with associated VPN inbound traffic; cannot be used by local corporate hosts as default gateway.
• Likely deployed along with an existing network firewall.
• Has limitations imposed by underlying hardware(e.g. throughput) or firmware(e.g. supported number of users).
• Can include a hardware cryptographic module to offload SSL operations.
• Sometimes upgrades may result in a box replacement.
• Offers a high level of application inspection intelligence and it is feature-rich.

SSL VPN Virtual Appliance

A virtual appliance is a ready-to-use virtual machine image usually intended to run on a specific virtualization platform(optimized for better performance). It includes an already installed, hardened, and configured operating system along with ready-to-run software.

• It provides a way to try, use and buy software by simply downloading the virtual appliance and evaluate it; when ready it can be moved into the virtualized production environment.
• Removes the responsibility from the administrator of creating the virtual machine, installing the OS, VPN software and hardening the VM.
• Typically is remote access oriented concerned with associated VPN inbound traffic; cannot be used by local corporate hosts as default gateway.
• Likely deployed along with an existing network firewall(this may be virtualized too).
• Has limitations imposed by the hypervisor and its underlying hardware(e.g. throughput) or firmware(e.g. supported number of users).
• The VM can be moved from one hypervisor to another(live migration) if needed(e.g the underlying physical hardware becomes over utilized).
• In case of upgrades when VM replacement is needed, the process is simpler and cheaper since it may not require any physical hardware changes.
• Offers a high level of application inspection intelligence and it is feature-rich.

The hardware appliance and virtual appliance are very much alike; a SSL VPN appliance(either hardware or virtual) is a secure remote access gateway.
The virtual infrastructure offers advantages in terms of flexibility and agility(e.g. if the VM crashes for some reasons, it can be easily restored using a snapshot; or if the hypervisor experiences problems, another one can take over meaningless if the appliance itself supports or not high availability).
The hardware appliance can achieve greater throughput taking advantage of hardware encryption and may offer greater security(e.g. by not depending on the security of the hypervisor or due to SSL cryptographic operations being done in hardware).

VPN Firewall

The VPN gateway can be integrated into a firewall(or UTM, router).
The idea behind this is to offer an integrated security solution, eliminating the need to manage individually multiple security devices.

• The firewall, UTM or router normally is a hardware appliance; but can also be a virtual appliance(popular these days) or software installed on top of an OS.
• Advantages of such solutions are: simplicity, streamlined installation and management.
• The disadvantage is the solution being a single point which needs to process data at wired speed.
• Due to the possible performance impact not all the features of a SSL VPN appliance may be present on the integrated VPN gateway.
• The SSL VPN option can be offered along with traditional remote access VPNs(IPsec-based or PPTP) and rather providing network level access through a SSL VPN client; the portal functionality may be limited or absent.
• Typically a lower level of application inspection intelligence is offered.
• Has limitations imposed by the underlying hardware(e.g. throughput) or firmware(e.g. supported number of users).
• Sometimes upgrades may result in a box replacement(or VM respectively).

SonicWALL Approach

SonicWALL offers:

• Through the SRA series dedicated feature-rich SSL VPN appliances(either hardware or virtual).
• Through the NSA series SSL VPN firewall.
• Furthermore a SRA appliance can be easily integrated into a network protected by a SonicWALL NSA firewall to achieve layered security(SonicWALL Clean VPN).

Conclusion

The SSL VPN hardware and virtual appliances are both feature-rich secure remote access gateways offering a high level of application inspection.

The hardware-based one is security and performance oriented while the virtual one provides flexibility and agility at a lower cost.

The VPN firewall is an integrated security solution usually offering limited SSL VPN features.

SonicWALL SRA Series Model Lineup
	Easy to deploy, use and manage hardware appliance providing small to medium sized businesses with an affordable secure remote access solution that requires no pre-installed fat client software.
	Easy-to-use, powerful and cost effective hardware appliance that provides medium-sized businesses with high availability secure access to corporate resources without requiring pre-installed fat client software
	An affordable, easy to use secure remote access solution deployable in a virtual environment, ideal for small and medium businesses looking to use virtualization for consolidating networking and security related services

SRA 1200 ► an affordable, easy to use secure remote access solution

Small to medium sized businesses. Organizations with less than 50 remote employees. Included users: 5. Maximum users: 50. Virtual Assist/Virtual Access: 10 maximum connections.

Standard features:

• Hardened security appliance.
• Clientless access; no pre-installed fat client software required.
• Web-based Virtual Office portal.
• Reverse Proxy: OWA Premium Version and Lotus Domino Access support.
• Network level access with NetExtender(support for Multiple IP Ranges and Routes).
• Broad access to resources: intranet, file, desktop and terminal resources; virtually any TCP/IP based resource.
• Mobile device support(Windows Mobile, Google Android, Apple iPhone, Apple iPad and Symbian).
• SRA One-Time Passwords; plus RSA, Vasco support.
• Local, Active Directory and Radius authentication.
• Layer-7 Load Balancing.
• Easy-to-use web management interface.

Optional features:

• Spike Licensing.
• ViewPoint.
• Virtual Access.
• Virtual Assist.
• Web Application Firewall.

SRA 4200 ► a cost effective, easy to use, powerful and high availability secure remote access solution

Medium sized businesses. Organizations with less than 500 remote employees. Included users: 25. Maximum users: 500. Virtual Assist/Virtual Access: 25 maximum connections

Standard features:

• Hardened security appliance.
• Clientless access; no pre-installed fat client software required.
• Web-based Virtual Office portal.
• Reverse Proxy: OWA Premium Version and Lotus Domino Access support.
• Network level access with NetExtender(support for Multiple IP Ranges and Routes).
• Broad access to resources: intranet, file, desktop and terminal resources; virtually any TCP/IP based resource.
• Mobile device support(Windows Mobile, Google Android, Apple iPhone, Apple iPad and Symbian).
• SRA One-Time Passwords; plus RSA, Vasco support.
• Local, Active Directory and Radius authentication.
• Layer-7 Load Balancing.
• Easy-to-use web management interface.
• Cryptographic hardware acceleration.
• High Availability.

Optional features:

• Spike Licensing.
• ViewPoint.
• Virtual Access.
• Virtual Assist.
• Web Application Firewall.
• Web Application Firewall - Application Profiling

SRA Virtual Appliance ► an affordable, easy to use secure remote access solution deployable in a virtual environment

Medium sized businesses. Organizations with less than 500 remote employees. Included users: 25. Maximum users: 500. Virtual Assist/Virtual Access: 25 maximum connections

Standard features:

• Hardened, performance-optimized virtual server; pre-configured for VMware environments.
• Clientless access; no pre-installed fat client software required.
• Web-based Virtual Office portal.
• Reverse Proxy: OWA Premium Version and Lotus Domino Access support.
• Network level access with NetExtender(support for Multiple IP Ranges and Routes).
• Broad access to resources: intranet, file, desktop and terminal resources; virtually any TCP/IP based resource.
• Mobile device support(Windows Mobile, Google Android, Apple iPhone, Apple iPad and Symbian).
• SRA One-Time Passwords; plus RSA, Vasco support.
• Local, Active directory and Radius authentication.
• Layer-7 Load Balancing.
• Easy-to-use web management interface.

Optional features

• Spike Licensing.
• ViewPoint.
• Virtual Access.
• Virtual Assist.
• Web Application Firewall.
• Web Application Firewall - Application Profiling.

The challenge: unreliable connectivity and management of laptop and mobile device security

"I commute 150 miles a day, so I am a huge advocate for working remotely," said Michael Giorgio, director of IT at Connex Credit Union. "We needed to offer a simplified way for employees to work remotely."

IT had previously received complaints from executive staff and other mobile users about the difficulty of accessing network resources remotely. Connex users had experienced limitations in connecting to all of their servers over their VPN connections. It became clear that the credit union needed an easier and more reliable remote access solution.

Giorgio is not willing to sacrifice security over mobility. While security processes and policies are in place to manage the information that Connex employees save on their desktops at work, IT loses control when laptops and mobile devices leave the network.

"My biggest concern is the moment the user walks out for the day with their Connex-owned laptop," said Giorgio. "Once someone goes home with a device and we lose sight of it until the next day, we really don't know whether the user or their family members have used it to access dangerous web sites or download malware."

Connex required a comprehensive and secure remote access solution that could decontaminate remote traffic before it could enter the network.

Previously, Giorgio deployed an onsite Check Point® unified threat management (UTM) appliance to provide the credit union's gateway security. Unfortunately, the solution frequently dropped Internet connectivity.

"Sometimes outages would last an hour," said Mohammad Usman, network engineer at Connex Credit Union. "We couldn't afford that."

The solution: SSL VPN integration with UTM

Connex evaluated products from Cisco® and Barracuda® before selecting SonicWALL® Secure Remote Access (SRA) 4200, Network Security Appliance (NSA) 3500 and Email Security ES300 solutions. The SonicWALL Clean VPN™ approach integrates SSL VPN with UTM firewall technologies to secure both VPN access and traffic. Connex purchased the appliances through Dell® and employed a third-party service provider to help with the installation and configuration.

"Flexibility and cost were key decision factors for us," said Giorgio. "The SonicWALL interface was so easy to navigate. Our Dell representative was able to provide us the appliances at the absolute minimum cost. As a credit union, every dollar counts."

"The SonicWALL product is very user friendly," confirmed Usman. "It took about half an hour to get up and running."

Usman also benefited from attending SonicWALL certification training. He has relied on SonicWALL for assistance as needed

"SonicWALL provides great support," said Usman. "I'm very pleased with their level of service."

The result: cost-savings, flexibility and reliability

Giorgio has seen significant business benefits in lowered operating costs, increased flexibility and greater reliability.

"By our projections, the SonicWALL solution will save us $15,000 over the first year, and $40,000 a year in annual operating costs within five years," said Giorgio. "That makes a huge difference to our business in today's economy. Every dollar saved adds job security for our employees and increased services to our members."

The solution has enabled IT to provide enhanced remote access for its users.

"Everyone is absolutely in love with how easy the SonicWALL solution has made it for them to work remotely from home or on a business trip," said Giorgio. "They just enter their password and for all intents and purposes, they're back on our WAN, with everything working the way it did when they left the office. No remapping. No multiple configuration steps. It is as simple as it gets."

Using the SRA 4200, Connex' users are able to drop into their network on the same subnet.

"The SRA 4200 has been really helpful for us to troubleshoot remote connectivity and work on all of our servers. I stay connected remotely all day without ever dropping," said Usman. "Our mobile users can reliably access their email and file shares remotely as if they were still on the network. As an added benefit, we get fewer related help desk requests."

In addition, the solution integrated seamlessly with the credit union's RSA appliance to authorize remote access over the VPN.

By integrating the SRA 4200 with the NSA 3500, Connex has also experienced greater reliability in its Internet availability.

"The NSA 3500 lets us automatically failover to a DSL backup immediately if our primary connection drops," said Giorgio.

Giorgio planned the scope of his SonicWALL deployment to future-proof his infrastructure for remote access on a global scale.

"Our SonicWALL solutions keep us safe and secure from threats," said Giorgio. "From a financial institution's point of view, SonicWALL's vision and expertise in security is outstanding. I have great confidence in placing our reputation in their hands every day."

For such cases another deployment mode is available, the Two Arm Mode.

High Security Two Arm Mode design

Some organizations have deployed back-to-back firewall topologies in order to increase security through physical separation and tight traffic control.

Although a single arm mode SSL VPN gateway can be deployed on a DMZ between the two firewalls this means, as inbound and outbound traffic goes through the same interface, that you will be mixing encrypted and unencrypted, inspected and uninspected traffic.

If this aspect represents an issue, the SSL VPN gateway can be instead deployed in a two arm mode by creating two extra DMZs, one on the frontend firewall and one on the backend firewall.

Pros of this design:

• Minimum impact on the current network layout; the current traffic flow(highlighted in yellow above) is unaffected.
• The exiting firewalls will take care of the routing.
• Network layer protection can be provided by the frontend firewall for the SSL VPN gateway.
• As the traffic between the SSL VPN gateway and the internal network passes through the backend firewall, an extra layer of protection can be achieved by having this firewall to apply IPS, content and gateway antivirus inspection(if available); this is useful especially in the case of the SSL VPN clients needing network level access.

Cons of it:

• Possibly a little bit difficult to setup.

Parallel deployment of the Two Arm Mode

Another possible design for the two arm mode is to have the SSL VPN gateway deployed in parallel with the existing firewall.

Pros of this design:

• Easier to deploy if you have an internal router taking care of routing.
• No pressure on the existing firewall as it will not have to process additional traffic.

Cons of it:

• Can lower the security of the solution; the SSL VPN gateway must feature a firewall to protect itself from external attacks and certain inspection types(IPS, antivirus, etc.) might not be available.
• Normally the SSL VPN gateway does not take of routing so this must be addressed somewhere else.

Sonicwall Approach

Sonicwall supports the Two Arm Mode through its SRA appliance, and the two designs depicted above; for extra security though it would be wiser to use the modified parallel design.

• Sonicwall SRA currently does not feature a SPI firewall.
• Sonicwall SRA does not route packets across interfaces so it can’t be used as a default gateway by internal hosts.

In the back-to-back firewall topology, as some prefer to use different firewall vendors for the frontend and backend firewalls, it is recommended that the NGFW Sonicwall NSA firewall to be the backend firewall.

A Sonicwall SRA appliance can be easily integrated into a network protected at edge by a NGFW Sonicwall NSA firewall as shown below.

Summary

The Two Arm Deployment Mode can offer extra security over the Single Arm One in certain scenarios or can fit some cases when an internal router exists.

This mode requires a free (Ethernet) network interface on the existing firewall which will act as a DMZ interface.

The SSL VPN gateway will be deployed on the created DMZ network and will use a single interface.

SSL protected traffic from remote users will enter the Internet facing interface of the existing firewall(WAN interface above) and will be forwarded through the DMZ interface to the SSL VPN gateway.

Traffic between the SSL VPN gateway and the internal network will be passed through the firewall’s DMZ and LAN interfaces.

Benefits of the Single Arm Mode

• Minimum impact on the current network layout; only a free Ethernet interface is needed on the current edge firewall.
• This firewall will take care of the routing.
• Network layer protection can be provided by the firewall for the SSL VPN gateway; to mention a few: DoS and DDoS protection or botnet/Geo IP filtering if available.
• As the traffic between the SSL VPN gateway and the internal network passes through the network firewall, an extra layer of protection can be achieved by having the firewall to apply IPS, content and gateway antivirus inspection(if available); this is useful especially in the case of the SSL VPN clients needing network level access.

Sonicwall Approach

Sonicwall offers fully support for the Single Arm Mode and recommends this mode of deployment.
A Sonicwall SRA appliance can be easily integrated into a network protected at edge by a Sonicwall NSA firewall as depicted below; the Sonicwall NSA firewall adds a layer of security with its IPS, gateway antivirus and content inspection, Flood Protection and Geo-IP & Botnet Filter features.

• The IPS, gateway antivirus and content inspection can be applied over the traffic between the SRA appliance and the internal network in both directions.
• The Flood Protection feature protects the SRA appliance from DoS and DDoS attacks.
• The Geo-IP & Botnet Filter options prevent remote devices part of botnets or suspicious countries to reach the SRA appliance.

Summary

One of the most common modes of deployment for a SSL VPN appliance is the Single Arm Mode.
This mode allows a plug-and-play deployment experience as little change is required to the current network infrastructure.

With the mobile workforce on the rise there were a couple of stringent needs that put a lot of pressure on the traditional remote access VPNs that relied on IPsec: the need for connectivity. the need for functionality. the need for mobility. the need for security. Basically these needs determined the appearance of SSL VPNs and shaped their evolution. The way SSL VPNs made available features to address these issues and combined them resulted today in SSL VPNs being the premier choice for secure remote access.

Connectivity

The remote users connect from anywhere: public wireless hotspots, hotel rooms, coffee shops, guest wireless LANs; they try to use whatever connection is available.

It’s hard to know in advance what outbound protocols will be allowed in such locations; usually TCP ports 80 and 443 should be allowed.

IPsec is the most commonly used network layer security control.
SSL is the most commonly used transport layer security control.
Originally IPsec had issues going through NAT devices. Furthermore it did not provide a feature dealing with network roaming scenarios. These issues were addressed later.

But with all the modifications made to IPsec, VPNs using IPsec cannot connect behind restrictive firewalls or web proxies.

Browsers use the HTTP CONNECT method to tunnel HTTPS through web proxies.
SSL VPNs take advantage of these, even when a full blown SSL VPN client is used.

Some vendors attempt to try to use with their SSL VPN clients a combination of both TCP and UDP meaning that when possible UDP will be used, otherwise the VPN will fallback to TCP.

Functionality

• administrative points of view; the need to configure and deploy VPN clients for basic connectivity introduces administrative overhead and increases the TCO.
• users’ point of view; users nowadays tend to use whatever machines they have access to for VPN-in. The need of a VPN client available is a great issue; furthermore the way users find and access the corporate resources once the VPN connection is established influences the ease of use of the VPN solution.

In case of SSL VPNs, from the portal page users can access their shares from a web page that looks like directories.

This is made possible since the VPN gateway does protocol translation.
Similar situation for FTP shares, no need for an additional FTP client or to manually connect to the FTP server.

The SSL VPN gateway can delegate the users’ credentials to the back application; single-sign-on, improved user experience.

Mobility

The latest generation of WiFi or 3G/4G enabled mobile devices provides the mobile workforce with almost anywhere Internet connectivity.

Popular smart phones like the iPhone or Android-based phones, iPad or Android tablets are used by remote users to access corporate data.

Security

Traditional VPNs, since they operate at the network level, are not particularly concerned with applications; they were primarily created to extend the corporate network to include the remote users’ machines allowing all traffic between these machines and the corporate network.
This may still be acceptable for managed machines, sort of; application inspection is still needed at the VPN gateway level.
While SSL can protect traffic like HTTP or FTP, by itself does not provide a secure remote access solution:

• The servers are exposed to the Internet.
• There is no central point of authentication, authorization and logging.
• Security is enforced by the application itself, at the extent available.

• Granular access to resources per user or group of users; by default they tend to allow only what’s needed.
• Application inspection; threats mitigation, spot on web applications.
• Endpoint identification and control; deals with managed and unmanaged devices.
• Strong authentication methods.
• SSL offloading; lift any SSL implementation issues from the back server’s stack.

Conclusion

With more than 100 million iPhones sold worldwide Apple became the largest mobile handset vendor in the world. The iPhone change the way people use mobile phones and stay in touch with their favourite online applications or their friends. Did not took long for it to step from an end consumer gadget into the corporate area with Apple working to make the iPhone busines ready and companies distributing iPhones to employees either in form of bonuses or to replace old smartphones. So mobile users equipped with iPhones in need to access corporate data and applications wanted and did use it for remote corporate access meaningless their iPhone were personal or corporate devices.

The iPhone mobile workforce challenge

It was obvious that the iPhone can greatly improve work productivity since users would have quick access to needed data while on the move.

This has created a new challenge for enterprises, the need to integrate the iPhone into their infrastructures.

It’s not uncommon for iPhones to fall within the unmanaged endpoints category.

iPhone challenge details

• clientless access to business-class web applications.
• restrict access to corporate resources when users use personal iPhones.
• with the level of mobility the iPhone can offer,  VPN anywhere connectivity using traditional VPN solutions is difficult to achieve; network roaming and connectivity issues may appear.
• granular role based access to resources in order to securely accommodate unmanaged iPhone.

SSL VPNs meet the iPhone

With SSL VPN solutions varying from psedo-VPNs to true VPNs, multiple scenarios can be fulfilled.
SSL VPN vendors understanding the importance of the iPhone for businesses updated their offers to include support for it.

• if only access to web applications is needed this can be achieved using the portal on the VPN gateway and the browser on iPhone as VPN client; the web applications will not be directly exposed to the Internet. Granular access to certain applications and applications features can be granted per user or group of users. SSO(single sign on) is supported for the backend web applications so the users won’t have to login multiple times.
• access 24x7x365 to e-mail using ActiveSync is done without having to expose the Microsoft Exchange server to the Internet; the VPN gateway can act as an ActiveSync reverse proxy allowing only authenticated traffic to the back Exchange server.
• true VPN or full network access for power users in need to access non-web applications(like RDP, telnet, SSH) is provided through a full blown SSL VPN client compatible with the iPhone; the VPN client can be downloaded from the App Store. The VPN tunnel can be established even when connecting behind restrictive firewalls or web proxies; advanced features like network roaming or connect on demand(and tear down after an interval of inactivity) are supported.
• the VPN gateway can require a client side certificate for the iPhone.

SSL VPNs caveats

The lack of Java on the iPhone makes certain SSL VPN features like port forwarding, application forwarding or Java based clients for popular applications unavailable; port forwarding or application forwarding are typically provided using Java applets or ActiveX controls, neither being available on the iPhone.

SSL VPN Appliances that Support iPhones

There are no products matching the selection.

The iPad is one of the mobile devices that are quickly growing in popularity. Once primarily used by end users(consumers), little by little it managed to enter the corporate area, companies distributing iPads to employees. In fact nowadays mobile users in need to access corporate data and applications tend to use whatever devices they posses to do that, either personal or corporate devices; the iPad being such a device. This has created a new challenge for enterprises, the need to support the on the rise mobile workforce. It’s not uncommon for iPads to fall within the unmanaged endpoints category.

Challenge details

• detect the type of device (kiosk , home PC, laptop, tablet, smartphone) the user is using for VPN access and restrict access appropriately.
• with the level of mobility the iPads can offer  VPN anywhere connectivity using traditional VPN solutions is difficult to achieve; network roaming and connectivity issues(only TCP ports 80 and 443 available sometimes) appear.
• clientless access by use of the browser.
• granular role based access to resources in order to securely accommodate unmanaged iPads.

SSL VPNs to the rescue

With SSL VPN solutions varying from psedo-VPNs to true VPNs, multiple scenarios can be fulfilled.
SSL VPN vendors understanding the importance of the iPad for businesses updated their offers to include support for it.

• if only access to web applications is needed this can be achieved using the portal on the VPN gateway and the browser on iPad as VPN client; the web applications will not be directly exposed to the Internet. Granular access to certain applications and applications features can be granted per user or group of users. SSO(single sign on) is supported for the backend web applications so the users won’t have to login multiple times.
• access to email using ActiveSync is done without having to expose the Microsoft Exchange server to the Internet; the VPN gateway can act as an ActiveSync reverse proxy allowing only authenticated traffic to the back Exchange server.
• true VPN or full network access for power users in need to access non-web applications(like RDP) is provided through a full blown SSL VPN client compatible with the iPad; the VPN client can be downloaded from the App Store. The VPN tunnel can be established even when connecting behind restrictive firewalls or web proxies; advanced features like network roaming or connect on demand are supported.
• the VPN gateway can detect the type of device (kiosk , home PC, laptop, tablet, smartphone) the user is using for VPN access by browser type, requiring a client side certificate, etc.

SSL VPNs caveats

Certain SSL VPN features like port forwarding, application forwarding or Java based clients for popular applications are not available since the iPad does not support Java; port forwarding or application forwarding are typically provided using Java applets or ActiveX controls, neither being available on iPad.

In certain cases(power users or complex/better applications support) the clientless or the thin client modes offered by SSL VPNs will not be enough, a traditional VPN client being needed with network level access support.

Usually the IPsec-based VPN clients offer a robust solution, but at some costs.
To mention a few drawbacks:

• Administrative overhead.
• Connectivity issues.

Administrative overhead

Remote access IPsec-based VPNs can be difficult to configure, maintain and troubleshoot due to IPsec being a complex protocol.
Normally SSL VPNs provide a lower TCO.
Furthermore, the way the VPN clients will be distributed to users can create some issues.

Administrative overhead – How SSL VPNs help

Enabling and configuring support for the full blown SSL VPN clients is usually a straight process; also vendors tend to offer broad platforms and OS support for these clients.
The users can download the SSL VPN client package from the portal after login; the distribution problem being simplified.

Connectivity issues

Usually with IPsec-based VPNs connectivity issues appear in two forms:

• When connecting behind restrictive firewalls, broken NAT devices or web proxies; this is a dead end for IPsec as it will not be able to get through such devices. 
• Network roaming; only the latest version of IKE(Internet Key Exchange), IKE v2, provides network roaming support with its new feature called MOBIKE.

Connectivity issues – How SSL VPNs help

SSL VPN clients can use TCP port 443 which is “universally” open; also can get through web proxies which require authentication.
Network roaming is not such an issue since they operate at the transport level.

Caveats

• When the SSL VPN clients use TCP, the performance is not as good as with UDP the transport medium.
• The SSL VPN clients are usually proprietary and don’t interoperate with other SSL VPN gateways; it’s hard for an OS to include a built-in SSL VPN client.

Features of the SSL VPN client

The SSL VPN clients share some features with the IPsec-based VPN clients.

• Offer full network access.
• Virtual IP address and DNS server configuration support.
• Various authentication methods are available; including two-factor or client certificate.
• Support split-tunneling if needed; if not this can be disabled.
• The VPN connection can be established at OS login to be available all the time.
• Or the VPN connection can be established when connectivity is needed and terminated after a specific tunnel idle timeout. Additionally can support application on-demand connectivity.
• Available for multiple platforms: PC, Mac, laptops, tablets or smart phones.

Conclusions

The SSL VPN client provides network level access similar with the IPsec-based VPN clients; additionally offers better connectivity options and less administrative overhead.

• reverse web proxy(incorporating some level of application inspection)
• portal
• authentication and authorization
• port forwarding
• network extension or tunnel mode
• client endpoint detection and control

Key Features of a SSL VPN

However it’s all about how these features and possible extra ones are implemented.

1. Compatibility – browser and OS broad support

Although dubbed as a clientless remote access solution, SSL VPN uses the browser as the base VPN client to access a portal on the VPN gateway. In addition when full network access is required a SSL VPN client will be used.

2. Portal and portal customization capabilities

The portal is the door to corporate resources.
The layout, shortcuts(bookmarks), ease of navigation or load time(performance) can play an important role. Furthermore in order to improve user experience features like automatically start upon user login a port forwarding rule will help.

3. Authentication and authorization

Good support for popular authentication methods including Active Directory, LDAP, RADIUS and SecurID.
Some VPN gateways may function well authenticating against Active Directory but not so well with SecurID for example.

3. Connectivity options

Five important ones(discussed below):

• reverse web proxy
• protocol translation
• port forwarding
• network extension or tunnel model; full network access
• Java or ActiveX based clients for popular applications

4.1. Advanced reverse web proxy

One of the core features of SSL VPNs is to provide secure access to web applications, popular or custom web applications; achieved through a reverse web proxy.
This has some key functions:

• provide functionality; proxying web applications is not an easy task given the dynamic nature of web applications and multitude of features used like AJAX, Flash and JavaScript.
• provide security; by incorporating a WAF(Web Application Firewall) the VPN gateway can protect the published web applications against various attacks and also limit access to various application features for specific users.
• SSO(Single Sign-on) capabilities; delegate credentials to the backend application after the user was pre-authenticated and authorized at the portal level; avoid multiple logins.

4.2. Protocol Translation

From the portal the users can access FTP directories and CIFS shares.
On the browser side the users view a web page that looks like a file directory from where they can download, upload or manage FTP or CIFS shares.

4.3. Port forwarding

To access non-web applications the users will load a Java applet or ActiveX control on their machines that will intercept traffic destined to certain (TCP) ports and will forward this traffic to the VPN server.

Some power users may still need full network access. This is achieved using a full blown SSL VPN client.
Some SSL VPN solutions allow(improved user experience):

• download from the portal this client and automatically install it without requiring administrative credentials; then automatically connect it to the VPN gateway. Minimum of user intervention.
• automatically connect this VPN client at OS logon.
• network roaming awareness for an always on VPN connection.

4.6. Java or ActiveX based clients for popular applications

4. Client endpoint detection and control plus user authorization for granular access to resources

5. Ease of deployment

Boils down to:

• integrating into the existing architecture; this includes a virtualized environment, check if the SSL VPN gateway is offered as a virtual appliance. Also some forms of SSL VPNs are part of UTM gateways solutions, no extra appliance needed.
• management capabilities for easy setup and configuration.
• monitoring and logging tools for troubleshooting.

6. Extra features

Like antivirus on the VPN gateway side for scanning uploaded files.

Remote access gives users the ability to gain access to a computer, a network or an application from remote distance.

• telnet for example allows people to access a command shell on a remote computer; by default does not encrypt the data sent over the connection, login information(like password) is sent in clear.
• SSH provides the functionality of telnet but adds encryption and optional public key authentication.
• HTTP can be used to allow access to the web interface of a remote application, for example web email. Provides no security whatsoever.
• HTTP can be secured with TLS adding encryption, public key authentication to mention a few.
• VPN protocols can be used to provide remote access. The offered level of privacy varies per VPN protocol.

Spot on the secure word

The word secure in respect with remote access has two main meanings:

• the security of the protocol or combination of protocols used to provide remote access; protects the communication channel from prying eyes or MITM attacks.
• the security of the remote access solution; does not expose directly to an insecure network the resources nor permits access to more than is needed.

VPNs for remote access

Secure VPN protocols

• confidentiality though encryption; prevents eavesdropping.
• message integrity; prevents tampering.
• peer authentication; confirms the identity of the peers; prevents MITM attacks.
• replay attack protection; prevents attackers to replay old packets.

Only one part of the equation has been solved, protecting the communications from prying eyes and MITM attacks.

Secure VPN remote access challenges

• granular access to resources per user or group of users; network level access plus port or protocol filtering is not enough.
• application inspection; threats mitigation, spot on web applications.
• endpoint identification and control; managed and unmanaged devices.
• clientless access.
• strong easy to use authentication methods; attacks on passwords are common.

Secure VPN remote access in practice

Summary

VPN stands for Virtual Private Network.
A traditional VPN is a virtual network created on top of existing physical networks(like public networks), with the intent of providing secure communications between various endpoints.

• Virtual - tunnels are used to provide connectivity between separate physical networks and the tunnels are logical links not physical ones.
• Private - the tunnels are encrypted, endpoints authenticated and message integrity is used to prevent data alteration during transit.
• Network - originally was used to provide network level access.

There are two main types of VPNs:

• remote access VPNs; used to allow remote users(home and mobile workers, off-site employees, etc.) to securely access corporate resources.

• site-to-site VPNs; used to securely connect physically separated locations, like a branch office  to the head-quarter office.

Where SSL VPNs stand

Usually SSL VPNs are used for remote access solutions; rarely for site-to-site VPNs.

At their origins they provided users with remote access to corporate applications; not exactly true VPNs.
Nowadays SSL VPNs provide:

• access to web-based applications.
• access to non-web applications.
• network level access(true VPN).

Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL) are used to protect the traffic between the VPN client and the VPN server.
SSL or TLS secure communications by providing at a minimum:

• confidentiality though encryption; prevents eavesdropping.
• message integrity; prevents tampering.
• peer authentication; confirms the identity of the peers; prevents MITM attacks.

Key components of remote accesss SSL VPNs

Two main components:

• browser.
• portal; users use their browsers to connect to a web site called portal hosted on the VPN gateway from where they can access multiple services located on the corporate network.

Types of SSL VPNs

Basic clientless access
Provides access to web applications using the web browser as the VPN client; the VPN gateway acts as a reverse web proxy.

Summary

SSL VPNs take a step forward the concept of a VPN, offering application layer VPN and becoming the clear choice for secure remote access to corporate resources.
SSL VPN solutions vary from pseudo-VPNs to the traditional tunnel mode, from clientless to full blown VPN client mode.
They provide anywhere anytime connectivity.

A key aspect of the current generation of mobile workforce is that workers use whatever they can whenever they need to do their job. Their desk is a car, a train, a wireless hotspot in a park, hotel room or their home; WIFI or 3G/4G enabled mobile devices provide them with almost anywhere Internet connectivity.

The outcome

SSL VPNs for mobile devices

The mobile devices share a common thing, they all have a browser.

SSL VPNs use this browser as a VPN client to provide access to web applications; the so called clientless access mode.

If needed, a full blown SSL VPN client is available; this client is easy to install through the app market of the respective mobile platform.

Some vendors also offer a thin client for access to client-server applications(non-web based ones).

• Anywhere access; from behind NAT devices, restrictive firewalls or web proxies as outbound TCP port 443 is allowed in many places.
• Always on; network roaming is possible since they usually operate at the transport layer.
• Clientless access; use the browser as a base universal VPN client.
• Application layer security; today’s threats target applications.
• Native granular access to resources per user or group of users.
• Endpoint identification and control; support for managed and unmanaged devices.
• Strong easy to use authentication methods; protect users’ credentials.
• Additionally can be integrated with various mobile security suites; achieve protection against malware and theft or applications installation control.

Mobile devices typically lack support for Java Runtime Environment. This makes certain SSL VPN features like port forwarding or application forwarding unavailable; port forwarding or application forwarding are typically provided using Java applets or ActiveX controls.

Summary

Multiple mobile platforms are available today to be used by the growing mobile workforce.
Access to corporate resources while one the move means increased work productivity. SSL VPNs by their nature can naturally fit within the dynamic mobile environment to provide workers with the needed secure access to corporate resources.

The issue with traditional VPNs is that they require a client to be provisioned and installed on the users’ machines.

This can create headaches when it comes to unmanaged endpoints(e.g. contractors or mobile devices).

Furthermore, in many situations the users need access to applications, and not full network level access; full network access can create security issues, granular access to resources being desired.

The solution

• Browser; at a minimum needs JavaScript and cookies enabled.
• Portal; web site hosted on the VPN gateway from where users can access multiple services located on the corporate network.

What can be accessed at a minimum?

Assuming cookies and JavaScript are enabled on the browser:

• Web applications; the VPN gateway acts as a reverse web proxy.
  
  
• File shares(e.g. FTP or CIFS); the gateway does protocol translation.
  
  
• Other applications for which protocol translation is available.

Access to non-web applications, the so called thin client mode

By downloading and loading Java applets or ActiveX controls the users can access popular non-web applications in two ways:

• Port forwarding; the Java applets or ActiveX controls will intercept traffic destined to a certain port and address and will forward it to the VPN gateway.
  
  
• Application forwarding; similar with port forwarding but instead identifies the local application on the user machine by its process name(or local path) and all the traffic or just the traffic destined to the servers behind the VPN gateway of that process will be sent through the VPN gateway.
  
  

We can still refer to this mode as clientless because it does not actually need the installation of a particular VPN client on users’ machines.
Technically it falls between the “true” clientless access and tunnel mode access; some form of tunneling occurs.

Access to non -web applications with Java or ActiveX based clients

There might be times when access to some popular non-web applications is needed while the application clients are not available or installed on the users’ machines.

• This scenario is made possible by downloading and loading various Java or ActiveX based clients.

Enhanced security

• The default strategy is to allow only what’s needed; many tunnel mode implementations by default allow full access to the network behind the VPN gateway, firewall rules can be implemented later.
• A higher level of application inspection tends to be provided(e.g. for web applications the reverse web proxy may have WAF(Web Application Firewall) capabilities); with tunnel mode typically filtering is done per protocol and ports, IPS and malware inspection may be available.
• A rather native granular access control per users or groups; with tunnel mode user-based firewall rules may not be supported by all VPN gateways.

Clientless SSL VPN common issues

• Some features(like port or application forwarding) may not be supported on the latest versions of the browsers.
• Java updates may also introduce compatibility issues.
• Certain devices like iPad or iPhone do not support Java or ActiveX so they will not be able to use clientless SSL VPN features that rely on them, e.g. port or application forwarding.

The use of Android smartphones on the rise

Punlished research indicates that Android has taken almost 50% share of the worldwide smart phone market.
Given this strong figure there is no doubt the Android-based phones will play a big role in the corporate area. Quick access to needed data while on the move can greatly improve work.
The applications available within the Business category of the Android Market tend to prove this point; on top of that Android is an open platform that encourages third-party development.

The Android mobile workforce challenge

To securely integrate the managed or unmanaged Android-based phones into the corporate infrastructure, enterprises and VPN vendors can build on the experience gained with the iPhones; the challenges are similar.

A difference would be Android’s openness in terms of approving the apps for distribution on the Android Market; malware issues. Application monitoring and control for user’s phones may be needed.

Android challenge details

• clientless access to business-class web applications.
• restricted access to corporate resources when users use personal Androids.
• achieve VPN anywhere connectivity; network roaming and blocked ports issues.
• granular role based access to resources in order to securely accommodate unmanaged Androids.
• compatibility issues, early stages; some VPN vendors still in beta testing and preview modes.
• determine the earliest version of Android that will be supported for business use.

SSL VPNs and Android-based phones

With SSL VPN solutions varying from pseudo-VPNs to true VPNs, multiple scenarios can be fulfilled.

• access to web applications can be achieved using the portal on the VPN gateway and the browser on Android as VPN client; the web applications will not be directly exposed to the Internet. Granular access to certain applications and applications features can be granted per user or group of users. SSO(single sign on) is supported for the backend web applications so the users won’t have to login multiple times.
• access 24x7x365 to e-mail using ActiveSync is done without having to expose the Microsoft Exchange server to the Internet; the VPN gateway can act as an ActiveSync reverse proxy allowing only authenticated traffic to the back Exchange server.
• true VPN or full network access for power users in need to access non-web applications(like RDP, telnet, SSH) is provided through a full blown SSL VPN client compatible with the Android; the VPN client can be downloaded from the Apps Android Market. The VPN tunnel can be established even when connecting behind restrictive firewalls or web proxies; advanced features like network roaming or connect on demand(and tear down after an interval of inactivity) are supported.
• the VPN gateway can require a client side certificate for the Android.
• As part of the VPN solution a mobile security suite might be offered by some vendors to address the malware and application control issues.

SSL VPNs caveats for Androids

• The lack of Java Runtime Environment on the Android makes certain SSL VPN features like port forwarding, application forwarding or Java based clients for popular applications unavailable; port forwarding or application forwarding are typically provided using Java applets or ActiveX controls, neither being available on the Android.
• SSL VPN support for Android might be still in beta testing or preview mode including from some major vendors; compatibility not guaranteed.
• Root access required for various layer 3 VPN clients to perform certain necessary OS level operations due to limitations and restrictions of the Android platform.

How it Works

The SonicWALL SSL VPN on UTM solution utilizes the SonicWALL NetExtender software in combination with a SonicWALL UTM appliance. Remote users only need to have an Internet connection and they can access their network through the SonicWALL portal from any Web browser. A small (thin client) Active-X component is installed on the remote users system and connectivity is provided according to policies defined on the SonicWALL UTM device. All remote network traffic is processed by SonicWALL's patented Re-assembly Free Deep Packet Inspection engine and other services on the SonicWALL UTM appliance to ensure the utmost in network protection.

Just the Beginning

Secure remote access utilizing SonicWALL SSL VPN on UTM is all some organizations will need to ensure they can securely connect remotely to their corporate network. SonicWALL also makes a complete line of SSL VPN appliances which offer capabilities that organizations may need depending on their size, network complexity or overall security needs. The table compares the SonicWALL UTM solution using NetExtender to SonicWALL's other SSL VPN product lines.

What to Buy

With each SonicWALL UTM appliance running SonicOS 5.2 or higher installed, you receive two SonicWALL UTM SSL VPN (NetExtender) clients. You can purchase additional clients in packages of 1, 5, 10, 25, and 50 clients, as noted below. The maximum number of clients on a given SonicWALL UTM system varies so please check the specifications before purchasing. When you purchase additional clients you will receive a perpetual license for those clients and as such no renewal is required. The SonicWALL UTM SSL VPN clients will be automatically updated as long as the SonicWALL UTM appliance on which they are installed is covered under product support.

• SonicWALL UTM SSL VPN (1 user license) - 01-SSC-8629
• SonicWALL UTM SSL VPN (5 user licenses) - 01-SSC-8630
• SonicWALL UTM SSL VPN (10 user license) - 01-SSC-8631
• SonicWALL UTM SSL VPN (25 user license) - 01-SSC-8632
• SonicWALL UTM SSL VPN (50 user license) - 01-SSC-8633

For more information about the SRA 1200 please check our SSL VPN product page

VPN types

In general, there are two types of VPNs—remote client VPNs and site-to-site VPNs. A remote client is generally a single PC that uses VPN software to connect to the host network on demand, while a site-to-site VPN is generally a permanent connection between two sites using dedicated networking equipment. A remote client VPN typically supports telecommuters, while the site-to-site variety usually connects office networks.

Some key factors that affect VPN performance

If your VPN seems slow, or you just want to know how efficient it really is, you have a number of options for improving its performance. Let's look at some of the factors involved.

My lab setup

For the purposes of this article, I've set up a Windows 2000 Server with VPN services enabled via Windows 2000's built-in Remote Access Services. On the remote client side, I'm running a Windows XP Professional workstation over a 1 Mbps DSL connection. This connection uses Point-to-Point Tunneling Protocol (PPTP) to connect to the central server. My lab network uses Network Address Translation (NAT) to get out over the DSL connection to the Internet.

PPTP vs. L2TP

While more widely supported than Layer 2 Tunneling Protocol (L2TP), PPTP is giving way to L2TP as the tunneling protocol of choice because of L2TP's enhanced security features. However, establishing an L2TP VPN is somewhat more complex that setting up a PPTP connection. PPTP-based VPNs may also operate slightly faster because there is less processing involved in encrypting and encapsulating the packets. Under PPTP, the PPP (point-to-point protocol) payload packet is encapsulated inside a GRE (generic routing encapsulation) packet, which is then encapsulated inside an IP packet to which the data link header is attached. The packet is then sent across the tunnel.

Under L2TP, packets are encapsulated no fewer than four times and as many as six times, depending on the IPSec policy being used. Each time a packet is processed, overhead is added to the overall procedure, resulting in higher latency. I'd be remiss if I didn't mention that L2TP provides additional levels of security through the use of DES and 3DES encryption as well as data authentication. However, if you're looking at a VPN from a strict standpoint of performance, L2TP may not be the best choice.

One point worth mentioning is the fact that PPTP relies on the TCP protocol, while L2TP uses UDP for typical communication. This can result in slightly lower performance capabilities for PPTP. Bear in mind, though, that since PPTP uses fewer levels of encapsulation, the total message size is smaller than with L2TP, which would tend to cancel this advantage.

What kind of VPN are you using?

The topology of your VPN can also have a significant impact on its performance and can vary widely among the remote devices. If you're supporting a site-to-site VPN that connects two different remote offices, it's likely that both ends use dedicated equipment configured for a permanent VPN tunnel. If your VPN performance seems slow, you may need to increase the size of the tunnel by adding bandwidth at both ends. You might also be able to change configuration options to increase performance.

For example, if your tunnel allows a maximum of 50 users but all 50 of them don't need to use it all day long, you can decrease the maximum number of clients allowed to preserve bandwidth. You can also use traffic monitoring software to determine the type of traffic that is traversing the VPN. You'll need to place a system running such software between your users and the VPN, since the VPN traffic is likely to be encrypted.

Watch your traffic

 Traffic monitoring software can help you to tweak your policies with regards to your infrastructure. For example, is there a lot of file sharing traffic coming across the VPN link? If so, put a stop to it by enforcing a stricter administrator policy on file sharing among users. If there is excessive replication traffic coming across the link between Windows domain controllers, consider changing the replication interval between the two machines.

What about DNS and DHCP? Are these services hosted at the central site or at each location? If they are centrally served and you're having performance issues, consider separating these services and placing them closer to the users who need them.

The next steps

When all is said and done and you've tweaked everything you can to increase performance, you may need to consider replacing the VPN concentrators. Most VPNs tell you how many tunnels they can support. As you begin to approach this number, the system may not have the capability to keep up with the processing requirements.

On the other hand, if you have a VPN for which there is a central VPN server or VPN concentrator, and VPN connections are created on demand directly from remote user workstations, you have different things to try. First, if a user with a dial-up connection complains that the VPN is slow, the reason is obvious. Unless it's for e-mail only or for a low-bandwidth application, a dial-up connection to a VPN just won't cut it.

Second, make sure that the remote user's PC is capable of handling the load. Bear in mind that in this type of VPN, the workstation is responsible for establishing, maintaining, and using the tunnel, as well as for encrypting and encapsulating data, which can tax a CPU, depending on the level of encryption. If you simply want to enhance performance for these machines and you aren't concerned about security, you could disable encryption, which would increase the overall performance of the VPN.

In this type of scenario, the VPN client included with newer versions of Windows, such as Windows XP, is capable of telling you what kind of compression you're getting (Figure A). Compressing data definitely helps with the performance of the actual link for the VPN, but it can spell trouble if the client machine doesn't have the CPU resources to handle the compression as well as all of its other duties.

Figure A

VPN status under Windows XP

 A simple test of VPN performance

Because of their complexity and the huge differences in technology between different types of VPNs and different vendors, it's difficult to determine the actual efficiency of a VPN, let alone improve it. The simplest method is to determine the actual size of the tunnel between two sites, clock the average file transfer speed between the sites, and take the ratio as a percentage. You'll never achieve 100 percent efficiency—that would imply a perfect VPN with no overhead, which is impossible.

For example, if you have 1 Mbps of bandwidth dedicated between two sites and you get 800 Kbps of raw throughput, your efficiency would be 80 percent. From there, you can begin to assess some of the factors I've discussed to determine where you can make improvements.

The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. This type of VPN may be referred to as either an SSL VPN or a TLS VPN. This guide uses the term SSL VPN. SSL VPNs provide remote users with access to Web applications and client/server applications, and connectivity to internal networks. Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security (IPsec) VPNs.1 The two VPN technologies are complementary and address separate network architectures and business needs. SSL VPNs offer versatility and ease of use because they use the SSL protocol, which is included with all standard Web browsers, so the client usually does not require configuration by the user. SSL VPNs offer granular control for a range of users on a variety of computers, accessing resources from many locations. There are two primary types of SSL VPNs:

• SSL Portal VPNs. This type of SSL VPN allows a user to use a single standard SSL connection to a Web site to securely access multiple network services. The site accessed is typically called a portal because it is a single page that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern Web browser, identifies himself or herself to the gateway using an authentication method supported by the gateway, and is then presented with a Web page that acts as the portal to the other services.
•  SSL Tunnel VPNs. This type of SSL VPN allows a user to use a typical Web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel that is running under SSL. SSL tunnel VPNs require that the Web browser be able to handle active content, which allows them to provide functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript, Active X, or Flash applications or plug-ins.

 Information Processing Standard (FIPS)-compliant cryptographic algorithms and modules. Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2. This means that to be run in FIPS-compliant mode, an SSL VPN gateway must only allow cipher suites that are allowed by FIPS 140-2.

Some of the cryptographic requirements, including allowable hash functions and certificate key lengths, will change at the end of 2010. Therefore, Federal agencies who want to provide SSL VPN services after 2010 must ensure that their systems are upgradeable to the new FIPS-compliant cipher suites and key lengths before the end of 2010, and that their SSL VPN vendors guarantee that such upgrades will be available early enough for testing and deployment in the field.

Organizations planning SSL VPN deployments should identify and define requirements, and evaluate several products to determine their fit into the organization.

• SSL VPN products vary in functionality, including protocol and application support. They also vary in breadth, depth, and completeness of features and security services. Some recommendations and considerations include the following:
• SSL VPN manageability features such as status reporting, logging, and auditing should provide adequate capabilities for the organization to effectively operate and manage the SSL VPN and to extract detailed usage information.
• The SSL VPN high availability and scalability features should support the organization’s requirements for failover, load balancing and throughput. State and information sharing is recommended to keep the failover process transparent to the user.
• SSL VPN portal customization should allow the organization to control the look and feel of the portal and to customize the portal to support various devices such as personal digital assistants (PDA) and smart phones.
• SSL VPN authentication should provide the necessary support for the organization’s current and future authentication methods and leverage existing authentication databases. SSL VPN authentication should also be tested to ensure interoperability with existing authentication methods.
• The strongest possible cryptographic algorithms and key lengths that are considered secure for current practice should be used for encryption and integrity protection unless they are incompatible with interoperability, performance and export constraints.
• SSL VPNs should be evaluated to ensure they provide the level of granularity needed for access controls. Access controls should be capable of applying permissions to users, groups, and resources, as well as integrating with endpoint security controls.
• Implementation of endpoint security controls is often the most diverse service amongst SSL VPN products. Endpoint security should be evaluated to ensure it provides the necessary host integrity checking and security protection mechanisms required for the organization.
• Not all SSL VPNs have integrated intrusion prevention capabilities. Those that do should be evaluated to ensure they do not introduce an unacceptable amount of latency into the network traffic.

Organizations should use a phased approach to SSL VPN planning and implementation.
A successful SSL VPN deployment can be achieved by following a clear, step-by-step planning and implementation process. The use of a phased approach can minimize unforeseen issues and identify potential pitfalls early in the process. The five phases of the recommended approach are as follows:
1. Identify Requirements. Identify the requirements for remote access and determine how they can best be met.
2. Design the Solution. Make design decisions in five areas: access control, endpoint security, authentication methods, architecture, and cryptography policy.
3. Implement and Test a Prototype. Test a prototype of the designed solution in a laboratory, test, or production environment to identify any potential issues.
4. Deploy the Solution. Gradually deploy the SSL VPN solution throughout the enterprise, beginning with a pilot program.
5. Manage the Solution. Maintain the SSL VPN components and resolve operational issues. Repeat the planning and implementation process when significant changes need to be incorporated into the solution.
Organizations should be familiar with the limitations of SSL VPN technology.

SSL VPNs, although a maturing technology, continue to face several challenges. These include limitations on their ability to support a large number of applications and clients, the methods of implementing network extension and endpoint security, the ability to provide clientless access, the use of the SSL VPN from public locations, and product and technology education.
 

Organizations should implement other measures that support and complement SSL VPN implementations.
These measures help to ensure that the SSL VPN solution is implemented in an environment with the technical, management, and operational controls necessary to provide sufficient security for the SSL VPN implementation. Examples of supporting measures include:

To accommodate mobile users companies would have to set up dedicated dial-in remote access servers (RAS). The RAS would have a modem, or many modems, and the company would have to have a phone line running to each modem. The mobile users could connect to the network this way, but the speed was painstakingly slow and made it difficult to do much productive work.

With the advent of the Internet much of that has changed. If a web of servers and network connections already exists, interconnecting computers around the globe, then why should a company spend money and create administrative headaches by implementing dedicated leased lines and dial-in modem banks. Why not just use the Internet?

Well, the first challenge is that you need to be able to choose who gets to see what information. If you simply open up the whole network to the Internet it would be virtually impossible to implement an effective means of keeping unauthorized users from gaining access to the corporate network. Companies spend tons of money to build firewalls and other network security measures aimed specifically at ensuring that nobody from the public Internet can get into the internal network.

How do you reconcile wanting to block the public Internet from accessing the internal network with wanting your remote users to utilize the public Internet as a means of connecting to the internal network? You implement a Virtual Private Network (VPN). A VPN creates a virtual “tunnel” connecting the two endpoints. The traffic within the VPN tunnel is encrypted so that other users of the public Internet can not readily view intercepted communications.

By implementing a VPN, a company can provide access to the internal private network to clients around the world at any location with access to the public Internet. It erases the administrative and financial headaches associated with a traditional leased line wide-area network (WAN) and allows remote and mobile users to be more productive. Best of all, if properly implemented, it does so without impacting the security and integrity of the computer systems and data on the private company network.

Traditional VPN’s rely on IPSec (Internet Protocol Security) to tunnel between the two endpoints. IPSec works on the Network Layer of the OSI Model- securing all data that travels between the two endpoints without an association to any specific application. When connected on an IPSec VPN the client computer is “virtually” a full member of the corporate network- able to see and potentially access the entire network.

The majority of IPSec VPN solutions require third-party hardware and / or software. In order to access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed. This is both a pro and a con.

The pro is that it provides an extra layer of security if the client machine is required not only to be running the right VPN client software to connect to your IPSec VPN, but also must have it properly configured. These are additional hurdles that an unauthorized user would have to get over before gaining access to your network.

The con is that it can be a financial burden to maintain the licenses for the client software and a nightmare for tech support to install and configure the client software on all remote machines- especially if they can’t be on site physically to configure the software themselves.

It is this con which is generally touted as one of the largest pros for the rival SSL (Secure Sockets Layer) VPN solutions. SSL is a common protocol and most web browsers have SSL capabilities built in. Therefore almost every computer in the world is already equipped with the necessary “client software” to connect to an SSL VPN.

Another pro of SSL VPN’s is that they allow more precise access control. First of all they provide tunnels to specific applications rather than to the entire corporate LAN. So, users on SSL VPN connections can only access the applications that they are configured to access rather than the whole network. Second, it is easier to provide different access rights to different users and have more granular control over user access.

A con of SSL VPN’s though is that you are accessing the application(s) through a web browser which means that they really only work for web-based applications. It is possible to web-enable other applications so that they can be accessed through SSL VPN’s, however doing so adds to the complexity of the solution and eliminates some of the pros.

Having direct access only to the web-enabled SSL applications also means that users don’t have access to network resources such as printers or centralized storage and are unable to use the VPN for file sharing or file backups.

SSL VPN’s have been gaining in prevalence and popularity; however they are not the right solution for every instance. Likewise, IPSec VPN’s are not suited for every instance either. Vendors are continuing to develop ways to expand the functionality of the SSL VPN and it is a technology that you should watch closely if you are in the market for a secure remote networking solution. For now, it is important to carefully consider the needs of your remote users and weigh the pros and cons of each solution to determine what works best for you.

IPSec creates a secure tunnel by first using a handshake protocol called Internet Key Exchange (IKE). IKE authenticates the end points of the tunnel to each other, and then follows a secure procedure to exchange the necessary information to create a more permanent tunnel using symmetric encryption. Once this tunnel is in place, any arbitrary traffic sent between these two end points will be passed through the protected tunnel. This tunnel can be used by any application or protocol and is semi-permanent, meaning it will stay up indefinitely provided both end points continue to desire its existence. IPSec was created by a committee and some believe this process added more functionality, bloat, and complexity than is needed or reasonable. The committee approach has received criticism as a viable way to develop security standards. The preferred method is to use contests like the one used to choose the new

Advanced Encryption Standard or AES. As Bruce Schneier and Niels Ferguson put it, "IPSec is too complex to be secure" [SF99]. Be that as it may, IPSec is used to create a majority of the VPN products found today. Checkpoint VPN-1, Cisco PIX, and the open source FreeS/WAN are all examples of commonly used VPN solutions that implement IPSec. So in the past, if you wanted a VPN, you suffered with the complexity of IPSec.

IPSec creates a secure tunnel by first using a handshake protocol called Internet Key Exchange (IKE). IKE authenticates the end points of the tunnel to each other, and then follows a secure procedure to exchange the necessary information to create a more permanent tunnel using symmetric encryption. Once this tunnel is in place, any arbitrary traffic sent between these two end points will be passed through the protected tunnel. This tunnel can be used by any application or protocol and is semi-permanent, meaning it will stay up indefinitely provided both end points continue to desire its existence.

IPSec was created by a committee and some believe this process added more functionality, bloat, and complexity than is needed or reasonable. The committee approach has received criticism as a viable way to develop security standards. The preferred method is to use contests like the one used to choose the new Advanced Encryption Standard or AES. As Bruce Schneier and Niels Ferguson put it, "IPSec is too complex to be secure" [SF99]. Be that as it may, IPSec is used to create a majority of the VPN products found today. Checkpoint VPN-1, Cisco PIX, and the open source FreeS/WAN are all examples of commonly used VPN solutions that implement IPSec. So in the past, if you wanted a VPN, you suffered with the complexity of IPSec.

In addition to configuration complexity, IPSec has strayed from the secure OS Ring Architecture design principle of non-interference with kernel space. This principle breaks out the OS into rings of privilege. Ring0 is reserved for the kernel and other essential processes. Ring1 for other system processes that need low level access to hardware. As you move outward in rings, the privilege of the process is decreased. Ring3 is where most user processes are found. The architecture rules state that processes in higher numbered rings can not interfere with processes in lower numbered rings. This provides greatly enhanced stability and security in our applications and allows for multi-user, multithreaded systems.

To reduce the impact of application failure on the stability and security of the system, non-essential processes should not interfere with the kernel. In order to gain the level of control needed to secure traffic over the interface link, IPSec needs to be tightly integrated into the OS kernel, in Ring0. This violates our design principle and puts the entire operating system at risk. This violation also makes installation difficult and puts up road blocks to developing client and server applications for other platforms.

Anyone who has installed FreeS/WAN on Linux understands the degree of coupling necessary under IPSec. Having to install touchy, kernel specific code hacks can definitely be discouraging, especially for security conscious administrators who upgrade their kernels on a regular basis. Additionally, even though IPSec is touted to be interoperable between vendors; the reality is if you have a vendor's VPN product on one side of the tunnel, you often need to use the same vendor's client or server on the other end. This reduces the flexibility of many products as they don't make clients for Windows or have a hard time installing with the existing Windows IPSec VPN client. This issue of variation in implementation results in many headaches that eliminate the benefit of using an open standard in the first place.

The process of accessing a corporate network remotely can pose serious security risks; cause moderate downtime and extensive end user training. This compromises the complete infrastructure of a network but is a necessary part of a properly functioning enterprise since it's virtually impossible to have every end user plugged into the mainframe twenty-four hours a day.

Secure Auth for SonicWALL VPN authentication is a browser-based, bi-directional X.509 certificate authentication solution for SonicWALL SSL VPNs. It works directly with the existing SonicWALL appliance providing a complete solution delivering the most secure authentication service in existence. This solution offers several distinct advantages over its competitors. It requires no tokens, data servers or additional infrastructure investment and no private enterprise information is stored in the hosted Secure Auth infrastructure. It eliminates the need for an administrator to deploy and upgrade end-user software and its very user-friendly self-registration and automated certificate distribution reduces help desk calls. If that's not enough it also fully supports IE, Firefox and Safari browsers.

Secure Auth is scalable to meet individual enterprise needs and offers a full range of services for customizing Secure Auth to meet the needs of any enterprise. This offers a layer of security that has not been available in recent times. As hackers and vulnerabilities become even more prevalent and extremely dangerous to corporate security it's becoming very important to secure software that gives that extra layer of protection. This allows for more integration of remote end users to allow increased productivity while protecting your network from those who should not have access. It also helps to limit the amount of calls to helpdesk to correct integration issues which will help to decrease the cash cost per user thus making IT services more productive and cost efficient to the enterprise.

SUNNYVALE, Calif., Oct. 24 /PRNewswire-FirstCall/ -- SonicWALL, Inc. (NASDAQ: SNWL) announced today that it has expanded the capabilities of its SSL VPN secure remote access solutions for small and mid-sized businesses (SMB) to include a clientless remote support add-on module, allowing technicians to remotely take control of a customer's PC or laptop to quickly and easily remedy technical issues. SonicWALL Firmware Version 2.5 also expands its NetExtender capabilities to support Mac OS X and Linux operating systems in an effort to open the product line up to a more diverse market of users.

Customer satisfaction is a key business driver for IT departments. Technical support via phone, e-mail, live chat and pre-installed remote support clients can often result in frustrating and time-consuming experiences. Clientless tools eliminate the need to download and pre-install "fat" clients, minimizing customer frustration, set-up overhead, and reducing on-site travel expenses and equipment cross-shipping costs.

SonicWALL Virtual Assist allows technicians to quickly and easily diagnose problems on a customer's computer by gaining instant access to the customer's computer via a web browser. Technicians are then able to remotely support any application on their client's desktop or laptop by securing control of the mouse and keyboard. Virtual Assist enables IT support departments, help desks and call centers to reduce the cost of supporting remote employees, shorten average time-to-resolution, and increase staff productivity levels.

"Providing speedy technical support is a key part of being able to provide our clients with the best service possible and maintaining satisfaction levels," said James Eitzen of NetworkNow. "With SonicWALL's Virtual Assist it's almost like being right there next to the customer, without the costs or inconvenience associated with being onsite, or their having to ship their computer to us. Virtual Assist is especially helpful in situations where the client is less technically proficient and where the normal procedure would be to walk them through a step-by-step process."

SonicWALL Virtual Assist includes online chat capabilities, secure file transfer, a personalized customer web portal, tight integration with the existing authentication infrastructure and seamless integration of the SSL VPN appliance behind any firewall. Support can be initiated in one of two ways. A customer can submit a request via the user-friendly web portal or a technician can send an e-mail to the customer requiring help and the customer simply has to click on an embedded link to enter the customer portal.

"As a channel-focused company, SonicWALL is constantly working on innovative ways to help our partners increase and achieve higher profitability," said Jan Sijp, product line manager of SonicWALL's SMB SSL VPN appliances. "IT Support is an important aspect of our partners' businesses. Innovations from SonicWALL that combine ease-of-use and quicker time-to-resolution helps to improve customer satisfaction and aids in achieving this goal of higher profitability."

In an effort to expand SonicWALL's secure remote access market reach and cater to more diverse IT environments, Firmware version 2.5 introduces cross platform compatibility with Mac OS X and Linux NetExtender clients. Users of Mac- or Linux-based operating systems can now gain network level access to resources in addition to the portal access currently available with the use of SonicWALL's SSL VPN 2000 and 4000 appliances.

Pricing & Availability

Current users of SonicWALL SSL VPN 2000 and 4000 appliances with a valid support contract automatically receive updates for Firmware version 2.5. SonicWALL Virtual Assist is available only on SonicWALL SSL VPN appliances running Firmware version 2.5 and must be purchased as an additional license to the SSL VPN appliance. Licenses start at $995 for one technician connection.

SonicWALL launched the industry's first range of SSL VPN solutions for remote network access, supporting an unrestricted number of concurrent tunnels at no additional cost in 2005. This powerful family of appliances makes remote clientless access simple and affordable. Today SonicWALL's SSL VPN line extends from entry-level solutions up through the enterprise with the company's acquisition of secure remote access leader Aventail in July 2007. Aventail's pioneering SSL VPN solutions cover security, access, end point control, policy and mobility.

About SonicWALL, Inc.

SonicWALL is committed to improving the performance and productivity of businesses of all sizes by engineering the cost and complexity out of running a secure network. Over one million SonicWALL appliances have been shipped through its global network of ten thousand channel partners to keep tens of millions of worldwide business computer users safe and in control of their data. SonicWALL's award-winning solutions include network security, secure remote access, content security, backup and recovery, and policy and management technology. For more information, visit the company web site at http://www.sonicwall.com/.

Safe Harbor Regarding Forward-Looking Statements

Certain statements in this press release are "forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of 1995. The forward-looking statements include but are not limited to statements regarding the benefits of SonicWALL's SSL VPN remote clientless access products. These forward-looking statements are based on the opinions and estimates of management at the time the statements are made and are subject to certain risks and uncertainties that could cause actual results to differ materially from those anticipated in the forward-looking statements. In addition, please see the "Risk Factors" described in our Securities and Exchange Commission filings, including our Annual Report on Form 10-K for the year ended December 31, 2006, for a more detailed description of the risks facing our business. All forward-looking statements included in this release are based upon information available to SonicWALL as of the date of the release, and we assume no obligation to update any such forward-looking statement.

NOTE: SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

SOURCE: SonicWALL, Inc.