NIST COMPUTER SECURITY - Guide to SSL VPNs
Book Details
Author(s)U.S. NIST
ISBN / ASINB00GK0W6DS
ISBN-13978B00GK0W6D6
Sales Rank2,564,150
MarketplaceUnited States 🇺🇸
Description
Executive Summary
Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organization’s resources. A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. Because a VPN can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. This type of VPN may be referred to as either an SSL VPN or a TLS VPN. This guide uses the term SSL VPN. SSL VPNs provide remote users with access to Web applications and client/server applications, and connectivity to internal networks. Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security (IPsec) VPNs.1 The two VPN technologies are complementary and address separate network architectures and business needs. SSL VPNs offer versatility and ease of use because they use the SSL protocol, which is included with all standard Web browsers, so the client usually does not require configuration by the user.
SSL VPNs offer granular control for a range of users on a variety of computers, accessing resources from many locations. There are two primary types of SSL VPNs:
SSL Portal VPNs. This type of SSL VPN allows a user to use a single standard SSL connection to a Web site to securely access multiple network services. The site accessed is typically called a portal because it is a single page that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern Web browser, identifies himself or herself to the gateway using an authentication method supported by the gateway, and is then presented with a Web page that acts as the portal to the other services.
SSL Tunnel VPNs. This type of SSL VPN allows a user to use a typical Web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel that is running under SSL. SSL tunnel VPNs require that the Web browser be able to handle active content, which allows them to provide functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript, Active X, or Flash applications or plug-ins.
This publication discusses the fundamental technologies and features of SSL VPNs. It describes SSL and how it fits within the context of layered network security. It presents a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments. It also compares the SSL VPN technology with IPsec VPNs and other VPN solutions. This information is particularly valuable for helping organizations to determine how best to deploy SSL VPNs within their specific network environments.
Implementing the following recommendations should assist in facilitating more efficient and effective SSL VPN use for Federal departments and agencies.
Federal agencies deploying SSL VPNs must configure them to only allow FIPS-compliant cryptographic algorithms, cipher suites, and versions of SSL.
Some organizations, such as Federal agencies, have strict requirements for encryption and integrity protection. SSL VPNs should support the required algorithms for symmetric encryption, key exchange, and hash functions. For government agencies, traffic that requires protection must employ Federal Information Processing Standard (FIPS)-compliant cryptographic algorithms and modules. Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.
Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organization’s resources. A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. Because a VPN can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. This type of VPN may be referred to as either an SSL VPN or a TLS VPN. This guide uses the term SSL VPN. SSL VPNs provide remote users with access to Web applications and client/server applications, and connectivity to internal networks. Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security (IPsec) VPNs.1 The two VPN technologies are complementary and address separate network architectures and business needs. SSL VPNs offer versatility and ease of use because they use the SSL protocol, which is included with all standard Web browsers, so the client usually does not require configuration by the user.
SSL VPNs offer granular control for a range of users on a variety of computers, accessing resources from many locations. There are two primary types of SSL VPNs:
SSL Portal VPNs. This type of SSL VPN allows a user to use a single standard SSL connection to a Web site to securely access multiple network services. The site accessed is typically called a portal because it is a single page that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern Web browser, identifies himself or herself to the gateway using an authentication method supported by the gateway, and is then presented with a Web page that acts as the portal to the other services.
SSL Tunnel VPNs. This type of SSL VPN allows a user to use a typical Web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel that is running under SSL. SSL tunnel VPNs require that the Web browser be able to handle active content, which allows them to provide functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript, Active X, or Flash applications or plug-ins.
This publication discusses the fundamental technologies and features of SSL VPNs. It describes SSL and how it fits within the context of layered network security. It presents a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments. It also compares the SSL VPN technology with IPsec VPNs and other VPN solutions. This information is particularly valuable for helping organizations to determine how best to deploy SSL VPNs within their specific network environments.
Implementing the following recommendations should assist in facilitating more efficient and effective SSL VPN use for Federal departments and agencies.
Federal agencies deploying SSL VPNs must configure them to only allow FIPS-compliant cryptographic algorithms, cipher suites, and versions of SSL.
Some organizations, such as Federal agencies, have strict requirements for encryption and integrity protection. SSL VPNs should support the required algorithms for symmetric encryption, key exchange, and hash functions. For government agencies, traffic that requires protection must employ Federal Information Processing Standard (FIPS)-compliant cryptographic algorithms and modules. Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.
More Books by U.S. NIST
