Principle of SSL VPN technology

Source: Internet
Author: User
SSL VPN principle

Taken separately, SSL and VPN are both familiar terms, but how they combine into a single technology is less well understood. The two come from different backgrounds, one academic and one commercial, and mean different things, so the combination is often misinterpreted.

SSL (Secure Sockets Layer) is a widely used protocol for protecting information sent over the Internet. It sits between the transport layer (TCP) and the application protocols that use it, such as HTTP, Telnet and FTP, so those protocols need not implement their own protection. SSL uses public key cryptography during the handshake to authenticate the server and to agree on session keys, and symmetric ciphers to encrypt the application data; for a TCP connection it provides data encryption, server authentication, message integrity and optional client authentication. SSL consists of a handshake protocol, a record protocol and an alert protocol. The handshake protocol negotiates the cipher suite and the session keys between client and server; the record protocol fragments, encrypts and authenticates the application data that is exchanged; the alert protocol signals errors and closes the session. SSL 2.0 and 3.0 are obsolete and have known weaknesses; what current products actually run is the successor protocol TLS (Transport Layer Security), although the "SSL VPN" name has stuck.

VPN (Virtual Private Network) technology builds a virtual connection over a shared network; it ensures the confidentiality of the data carried and provides some access control. VPN is a very useful technology: it extends the enterprise's internal network so that employees, customers and partners can reach it over the Internet, at a cost far below that of traditional leased lines. In the past, VPN was almost synonymous with IPSec, because IPSec was the protocol actually used to encrypt VPN traffic. IPSec runs at the network layer, and IPSec VPNs are typically used for site-to-site connections that join two or more networks, or for remote access with a dedicated client.

The term "SSL VPN" was coined by VPN vendors to distinguish their products from IPSec VPNs. It refers to using the browser's built-in Secure Sockets Layer support to connect to the company's internal SSL VPN server, which then relays the user's traffic so that the user can run applications on remote computers and read data on the company's internal servers. Standard SSL encrypts the packets in transit, protecting the data at the application layer. A well-designed SSL VPN solution gives the enterprise secure access from anywhere. SSL VPN addresses the shortcomings of IPSec VPN for the ever-growing number of Internet sites, remote offices, traditional trading floors and clients: users get secure and simple remote access without installing a client and with simple configuration, which lowers the total cost and raises the productivity of remote users. In many of these places a traditional IPSec VPN is difficult or impossible to set up, because network address translation (NAT) and firewall rules would have to be changed, whereas HTTPS on port 443 passes through almost everywhere.


A framework for remote access to an enterprise's internal network via SSL VPN

Implementation of SSL VPN

In simple terms, an SSL VPN is implemented by placing an SSL proxy server behind the enterprise firewall. When a user who wants to connect securely to the corporate network enters a URL in the browser, the SSL proxy server terminates the connection, authenticates the user, and then brokers connections between the remote user and the various application servers. Four key terms help to understand how SSL VPNs are implemented: proxying, application translation, port forwarding and network extension.

Every SSL VPN gateway implements at least one function: proxying web pages. It receives a page request from the remote browser over HTTPS, forwards it to the internal web server, and passes the server's response back to the end user, typically rewriting the links in the page so that later requests also go through the gateway.

Access to non-web resources is usually provided by application translation. The gateway talks to Microsoft CIFS or FTP servers inside the enterprise network and converts their responses into HTTPS and HTML for the client, so that to the end user they look like web applications.

In proxying and application translation, tests show large differences between products. Some support only a handful of application translators and proxies; others handle FTP, NFS (the network file system) and Microsoft file servers very well. When choosing a gateway, users must know exactly which applications need to be translated and rank them by importance.

Some applications, such as Microsoft Outlook or MSN, lose their native interface when translated into a web interface. Port forwarding is used for these. It applies to applications that use well-defined ports. A very small Java or ActiveX program runs on the end system as a port forwarder and listens on a local port. Packets arriving at that port are sent through the SSL tunnel to the SSL VPN gateway, which decapsulates them and forwards them to the destination application server. With a port forwarder, the end user points the application at the local listener rather than at the real application server. Note that this mode is no longer strictly clientless: something must run on the endpoint, and since Java applets and ActiveX are no longer supported by current browsers, vendors now ship a small native agent for the same purpose.

Some SSL VPN gateways also offer network extension. This connects the end-user system to the corporate network at the IP layer, much like a traditional VPN client, and applies access control based on network-layer information such as destination IP address and port number. It trades away the fine-grained, application-level control of the other modes for the simplicity of managing access in complex network topologies.
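The port-forwarding and network-extension descriptions above are easiest to see in code. What follows is an added example, not code from the original page or from any SSL VPN product: a toy port forwarder (the "applet"), a gateway and a stand-in application server, all running on loopback in Python. The one-line CONNECT request, the OK/DENY replies, the policy format and the function names are assumptions made for this example; the TLS wrapping of the gateway connection is an optional parameter so that the demo runs without certificates, and the policy check accepts only IP literals because a gateway that filtered on the destination name alone could be bypassed by DNS rebinding.

```python
"""Added example (not the page's code): a toy SSL VPN port forwarder and
gateway on loopback. The local listener tunnels one application's TCP
connection to the gateway, which enforces a destination IP/port policy."""
import contextlib
import ipaddress
import socket
import threading

def policy_allows(rules, host, port):
    """rules: [("10.0.0.0/8", {445, 139}), ("192.0.2.0/24", None)] (constructed);
    None means any port. Only IP literals are accepted: a real gateway resolves
    names itself and checks the resolved address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr) and (ports is None or port in ports)
               for cidr, ports in rules)

def _readline(sock):
    """One ASCII line, a byte at a time so nothing is over-read into the tunnel."""
    buf = b""
    while not buf.endswith(b"\n") and (ch := sock.recv(1)):
        buf += ch
    return buf.decode("ascii", "replace").strip()

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):
    """Bidirectional copy; returns once both directions have reached EOF."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    for s in (a, b):
        s.close()

def gateway_handler(conn, rules):
    """Gateway side: expect 'CONNECT ip:port', enforce the policy, then relay."""
    words = _readline(conn).split()
    host, _, port = (words[1] if len(words) == 2 else "").rpartition(":")
    denied = (words[:1] != ["CONNECT"] or not port.isdigit()
              or not policy_allows(rules, host, int(port)))
    if denied:
        conn.sendall(b"DENY\n")
        conn.close()
        return
    upstream = socket.create_connection((host, int(port)))
    conn.sendall(b"OK\n")
    relay(conn, upstream)

def forwarder_handler(local, gateway, dest, tls_ctx):
    """Client side ('applet'): tunnel one local connection to dest via the gateway."""
    g = socket.create_connection(gateway)
    if tls_ctx is not None:  # production: ssl.create_default_context()
        g = tls_ctx.wrap_socket(g, server_hostname=gateway[0])
    g.sendall(f"CONNECT {dest[0]}:{dest[1]}\n".encode())
    if _readline(g) != "OK":
        g.close()
        local.close()  # the application sees a closed (reset) connection
        return
    relay(local, g)

def serve(handler):
    """Threaded listener on an ephemeral loopback port; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            c, _ = srv.accept()
            threading.Thread(target=handler, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def echo(conn):  # stand-in for the internal application server
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)

def demo(rules=(("127.0.0.0/8", None),), message=b"hello through the tunnel"):
    """Wire app server, gateway and forwarder together and return what the
    application gets back: the echo, or b'' when the gateway denies the
    destination. tls_ctx is None here so no certificate is needed."""
    app, gw = serve(echo), serve(lambda c: gateway_handler(c, rules))
    local = serve(lambda c: forwarder_handler(c, gw, app, None))
    out = b""
    with socket.create_connection(local) as s, contextlib.suppress(OSError):
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        while chunk := s.recv(4096):
            out += chunk
    return out

if __name__ == "__main__":
    print(demo(), demo(rules=(("10.0.0.0/8", {445}),)))
```

The application only ever talks to 127.0.0.1 on the forwarder's port, exactly as the text describes; the destination lives in the forwarder's configuration, and the gateway, not the endpoint, decides whether that destination is reachable. The second call in the `__main__` block shows the policy doing its job: with only 10.0.0.0/8:445 allowed, the tunnel to the loopback echo server is refused and the application gets nothing back.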

Advantages of SSL VPN

On the most important aspect, security, SSL VPN inherits the properties of the SSL protocol itself: it prevents information leakage, rejects unauthorized access, protects the integrity of the information, prevents user impersonation and keeps the system available, and it can further secure access by building on the existing security infrastructure. First, SSL VPN encrypts the data in transit (the figure usually quoted is 128-bit encryption; in practice this means a modern cipher such as AES under TLS 1.2 or later, since SSL 3.0 and the early TLS versions are deprecated because of known attacks), so that data such as ERP traffic cannot be read on the way. Second, multiple authentication and authorization methods ensure that only the "right" users can reach the internal network, which protects the enterprise's internal network.

On the application side, the basic SSL VPN mode does not require client software to be installed: remote users reach the enterprise's network resources with a standard browser and an Internet connection. The purchase cost of the hardware and software is not necessarily low, but the cost of deploying an SSL VPN is, and once it is installed it needs little IT support on the client side, so maintenance costs are small. SSL VPN is clearly an economical choice for remote users who need to reach an intranet site or e-mail. SSL VPN connections also tend to be more robust than IPSec VPNs, whose network-layer tunnels are more easily interrupted by NAT, firewalls and address changes. For administration and operation, an SSL VPN can apply fine-grained control per application, grant users and groups different access to each application, and audit that access. Finally, SSL VPN is flexible across platforms and makes it easy to add applications and scale performance; above all its lower cost of use and protection of the user's existing investment are what win users over.

More notably, the Web is becoming the standard application platform, and more and more enterprises are migrating their systems to it. SSL VPN, which uses a standard encrypted protocol, is considered the best way to provide secure remote access to Web applications: it lets users reach the enterprise intranet at any time and from anywhere, including from mobile devices, which brings enterprises real benefits and convenience.

Undoubtedly, as enterprise IT matures, the demand for secure remote access and collaborative work will become ever more visible. With its broad range of advantages, SSL VPN is not far from replacing traditional remote-access networking technology as the mainstream choice.
