X.COMM Home
VPN Technology

Virtual Private Networks

A VPN carries data securely over an insecure network such as the Internet. It provides:

  • strong encryption to protect the confidentiality of your data
  • integrity checking to ensure that your data is not tampered with
  • strong authentication to ensure that only the right people are allowed access

There are two distinct flavours of VPN. A Site-to-Site VPN provides a cost-effective alternative to more traditional point-to-point Leased Lines and Frame Relay networks. A Remote Access VPN allows controlled access to your network for staff and business partners. Unlike direct-dial RAS, a VPN has no call costs apart from the local call to the nearest Internet POP. It costs no more to connect from the other side of the world than it does from the next street. It also supports broadband users, whose high-speed connection always terminates on the Internet.

IPsec VPN

The IPsec VPN standard is the most widely deployed Internet tunnelling protocol. It was designed originally for site-to-site connections, for which it is ideally suited. In this context the remote site may be a branch location, retail outlet or single user with a VPN-enabled Firewall or ADSL Router. All leading Firewall vendors offer IPsec functionality within the product, either as an embedded feature or a chargeable add-on.

For a remote access VPN you need to load IPsec software on the client PC, laptop or handheld. All VPN vendors offer IPsec clients, although the cost varies from free to £50 or more for each client. The more expensive clients often contain an embedded personal Firewall. Because IPsec is an international standard you can mix and match gateways and clients from different vendors, although this does involve a somewhat steeper learning curve.

A remote access VPN is not a fit-and-forget solution. The IPsec client needs to be deployed and managed. Periodically it will need to be refreshed with an upgraded version. Many users are going to be road warriors, using a mixture of modem or ISDN dial-up, wired or wireless broadband, 3G, GPRS or GSM mobile networks to connect to the Internet. Whilst global roaming systems like iPass reduce the complexity, the overall support burden should not be underestimated.

SSL 'Clientless' VPN

An SSL VPN is used exclusively for remote access. The clientless moniker refers to the use of the browser that comes as part of the operating system as the VPN client. This makes an SSL VPN much easier to deploy and maintain than an IPsec VPN.

There are parallels here with the dial-up RAS market when Windows 95 was released all those years ago. Back in the days of DOS, Windows 3.1 and 3.11 you had to use a dial-up client provided by the RAS vendor. Indeed, you often had to go and buy and install an IP protocol stack as well! One of the standard features of Windows 95 was Dial-Up Networking (DUN), written for Microsoft by Shiva, the RAS market leader. This was a great enabler, and from this point forward the whole RAS market blossomed. An SSL VPN is making the same technology leap in the Internet age - no more client deployment - use what comes pre-installed with the OS or your alternative browser of choice.

SSL VPNs in brief:

  • uses a standard browser as the VPN client, so no deployment costs and low TCO
  • supports Web, email, WTS/Citrix, client server and desktop applications
  • no application changes required
  • is very secure, as all packets are proxied onto the network
  • supports all the popular authentication options, including SecurID
  • has granular access control, down to individual files or Intranet pages
  • has powerful group management capabilities
  • is ideal for business partner access where IPsec is problematic

To initiate a VPN session simply point your browser at the URL of the gateway appliance, which typically sits on your Firewall DMZ. Once authenticated you will be presented with a group or personal portal page containing hyperlinks to the services available to you. If connecting to Web-enabled services the gateway acts as a secure reverse proxy, protecting the resource and encrypting delivery. No trace of the session is left in the client browser, so you can access confidential information from an Internet café or a customer site with confidence. If connecting to Client/Server, Terminal Server/Citrix and email applications, an application tunnel is built dynamically by downloading a small Java applet. This tunnels the application traffic within a port 443 SSL envelope, whilst no change is required to the application or server. For complex port-hopping applications such as H.323 and SIP, some gateways can be configured to download a fatter Java client capable of tunnelling all traffic in a manner similar to IPsec. In addition the gateway may contain webified versions of Telex, VT100 or even IBM 3270, thus eliminating the need to perform these tasks with client software.

SSL VPN technology is much easier to deploy to a large number of users than traditional IPsec VPNs, as you don't need to install any client software on your remote users' PCs. Neither do you have the hassle of trying to debug a problem on a home user's PC where you have no control over the specification or the other software installed on it. SSL VPNs use a standard browser to make a secure connection to the VPN Gateway on your network. SSL VPNs still have all the authentication options of IPsec VPNs, so you are still in control of who gets access to what. In fact with SSL VPNs you are in greater control, because you can dictate which file on which server is allowed to be accessed, unlike IPsec VPNs, which can only restrict which service on which server.
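The two paragraphs above describe the gateway's portal page, its reverse-proxy behaviour (no trace left in the browser) and the difference in granularity between an IPsec rule (which service on which server) and an SSL gateway rule (which file on which server). The following Python model is an added illustration written for this page; it is not X.COMM's product code nor any vendor's implementation. The user directory, group names, host names, paths and the NO_TRACE_HEADERS are all constructed for the example. It also goes slightly beyond the text by normalising the requested path before matching, because a per-file policy is only as good as its handling of "../" segments.

```python
"""Toy model of SSL VPN gateway access control (hypothetical, for illustration).

Contrasts an IPsec-style rule (host + port) with an SSL-gateway rule
(host + path, down to an individual file), builds the per-user portal
links, and shows the response headers a reverse proxy sets so that no
copy of a protected page is left in the browser cache.
"""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample user directory: user -> groups (not real accounts).
USERS = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
    "carol": {"partner"},
}


@dataclass(frozen=True)
class IpsecRule:
    """An IPsec gateway can only express which service (port) on which host."""
    group: str
    host: str
    port: int


@dataclass(frozen=True)
class SslRule:
    """An SSL gateway can express which path (page or file) on which host."""
    group: str
    host: str
    path_glob: str


# Constructed policies. Both let "staff" reach the intranet web server on 443,
# but only the SSL policy can fence the finance area off from plain staff.
IPSEC_POLICY = [
    IpsecRule("staff", "intranet.example.internal", 443),
    IpsecRule("partner", "extranet.example.internal", 443),
]
SSL_POLICY = [
    SslRule("staff", "intranet.example.internal", "/intranet/*"),
    SslRule("finance", "intranet.example.internal", "/finance/*"),
    SslRule("partner", "intranet.example.internal", "/partners/pricelist.pdf"),
]

# Headers the proxy adds so the browser keeps no trace of the session.
NO_TRACE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


def ipsec_allows(user: str, host: str, port: int) -> bool:
    """IPsec-style decision: the whole service is either reachable or not."""
    groups = USERS.get(user, set())
    return any(r.group in groups and r.host == host and r.port == port
               for r in IPSEC_POLICY)


def _normalised_path(url: str) -> str:
    """Collapse '.' and '..' so a glob cannot be bypassed by path tricks."""
    path = urlsplit(url).path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def ssl_allows(user: str, url: str) -> bool:
    """SSL-gateway decision: matched per host and per (normalised) path."""
    host = urlsplit(url).hostname
    path = _normalised_path(url)
    groups = USERS.get(user, set())
    return any(r.group in groups and r.host == host and fnmatchcase(path, r.path_glob)
               for r in SSL_POLICY)


def portal_links(user: str) -> list:
    """The personal portal page: hyperlinks this user is entitled to see."""
    groups = USERS.get(user, set())
    return sorted(f"https://{r.host}{r.path_glob}" for r in SSL_POLICY
                  if r.group in groups)


def proxy_response(user: str, url: str, upstream_body: bytes) -> tuple:
    """What the reverse proxy hands back: (status, headers, body)."""
    if not ssl_allows(user, url):
        return 403, NO_TRACE_HEADERS, b""
    return 200, NO_TRACE_HEADERS, upstream_body


if __name__ == "__main__":
    spreadsheet = "https://intranet.example.internal/finance/q3.xlsx"
    print("IPsec lets bob reach the server:", ipsec_allows("bob", "intranet.example.internal", 443))
    print("SSL gateway lets bob open the file:", ssl_allows("bob", spreadsheet))
    print("alice's portal:", portal_links("alice"))
```

The contrast worth noticing is the first two print lines: under the IPsec policy bob reaches the intranet server because port 443 is permitted, and the server must then do its own authorisation; under the SSL gateway policy his request for the finance spreadsheet never leaves the gateway. The normalisation step matters for the same reason: without it, "/intranet/../finance/q3.xlsx" would match the staff glob and slip past the per-file rule.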

One advantage of a "clientless" VPN is that it can be deployed where IPsec cannot, such as at partner organisations. Deploying restricted access to partners using an IPsec VPN requires you to negotiate with your partner's IT department to allow you, first of all, to install your software on their PCs and then to open a hole in their Firewall to allow your VPN connection. With an SSL VPN you don't need to do any of that. There will already be a browser on the partner PC, and port 80 (http) and port 443 (https) will likely already be open on their Firewall. What could be easier?


Mail to X.COMM - Secure Remote Access
Tel: 01883 730055 Fax: 01883 730057