What is a VPN?
VPN stands for Virtual Private Network.
A traditional VPN is a virtual network created on top of existing physical networks (such as public networks), with the intent of providing secure communications between various endpoints.
- Virtual - tunnels provide connectivity between separate physical networks, and these tunnels are logical links, not physical ones.
- Private - the tunnels are encrypted, the endpoints are authenticated, and message integrity checks prevent data alteration in transit.
- Network - originally the term referred to providing network-level access.
There are two main types of VPNs:
- remote access VPNs; used to allow remote users (home and mobile workers, off-site employees, etc.) to securely access corporate resources.

- site-to-site VPNs; used to securely connect physically separated locations, such as a branch office to the headquarters office.

Where SSL VPNs stand
Usually SSL VPNs are used for remote access solutions; rarely for site-to-site VPNs.
At their origins they provided users with remote access to corporate applications, so they were not exactly true VPNs.
Nowadays SSL VPNs provide:
- access to web-based applications.
- access to non-web applications.
- network-level access (a true VPN).
Transport Layer Security (TLS), or its predecessor Secure Sockets Layer (SSL), is used to protect the traffic between the VPN client and the VPN server.
SSL or TLS secure communications by providing at a minimum:
- confidentiality through encryption; prevents eavesdropping.
- message integrity; prevents tampering.
- peer authentication; confirms the identity of the peers; prevents MITM attacks.

Key components of remote access SSL VPNs
Two main components:
- browser.
- portal; users use their browsers to connect to a web site called the portal, hosted on the VPN gateway, from which they can access multiple services located on the corporate network.

Types of SSL VPNs
Basic clientless access
Provides access to web applications using the web browser as the VPN client; the VPN gateway acts as a reverse web proxy.

Advanced clientless access - Java Based Application Clients
Allows users to access popular non-web applications from the portal, for example by downloading and running Java applets such as RDP, SSH, telnet or VNC clients. In addition to the browser, Java must be installed and enabled on the machine.

Advanced clientless access - Port forwarding
Provides access to non-web applications by using the browser to load, for example, a Java applet on the user's machine that intercepts traffic destined for a certain local TCP port and forwards that traffic to the VPN server.
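As an added illustration (not code from the original page), here is a minimal Python port forwarder of the kind such an applet implements: it listens on a local TCP port and relays every connection it accepts to the gateway. The echo server is a constructed stand-in for the service behind the gateway, and the hop is plain TCP rather than the TLS session a real SSL VPN would use.

```python
import socket
import threading
from contextlib import suppress

def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then pass the half-close on to dst."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def start_forwarder(local_port, gateway_host, gateway_port):
    """Listen on 127.0.0.1:local_port, relay each connection to the gateway; return the bound port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)
    def accept_loop():
        while True:
            client, _ = listener.accept()
            upstream = socket.create_connection((gateway_host, gateway_port))
            # one relay thread per direction, as the applet does inside the browser
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]

def start_echo_server():
    """Constructed stand-in for the server behind the gateway: echoes one request, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo(payload=b"hello through the forwarder"):
    """Connect to the local listener as an unmodified application would; return the reply."""
    echo_port = start_echo_server()
    local_port = start_forwarder(0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", local_port)) as app:
        app.sendall(payload)
        chunks = []
        while data := app.recv(4096):
            chunks.append(data)
    return b"".join(chunks)
```

Because this mode works by opening a listener on the loopback interface, an inventory of listening ports on 127.0.0.1 is a simple way for defenders to see which endpoints are using it.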

Advanced clientless access - Application forwarding
Similar to port forwarding, but instead identifies the local application on the user's machine by its process name (or local path), and all the traffic of that process is sent through the VPN gateway.

Tunnel mode or network extension
Provides true VPN network-level access using a full-blown VPN client.

Application proxying
Similar to the reverse web proxy, but instead of HTTP, other application-layer protocols such as POP3, IMAP or SMTP are proxied.

Summary
SSL VPNs take the concept of a VPN a step further, offering application-layer VPNs and becoming the clear choice for secure remote access to corporate resources.
SSL VPN solutions range from pseudo-VPNs to the traditional tunnel mode, and from clientless access to full-blown VPN client mode.
They provide anywhere, anytime connectivity.