Posts Tagged ‘remote access’

This is part two in our Q&A series on SSL VPNs. Earlier this week, we shared insight from Rainer Enders, CTO, Americas at NCP engineering, on the inception of SSL VPN and its key differentiators.

Q: What are the core strengths of SSL VPN, and when might enterprises choose to go with this protocol over IPsec VPN?

Joerg Hirschmann: The pre-installed SSL approach is ideal for situations in which one doesn’t require transparent connections for secure remote access. For instance, SSL VPN is an optimal solution when enterprises must grant limited access to external associates or partners needing connections only to specific applications (e.g. web-based) or administrative access to specific machines through RDP or SSH sessions. However, the ideal secure remote access solution takes a hybrid approach combining the strengths of both SSL and IPsec.

Q: What about choosing to go with software solutions versus hardware appliances?

Joerg Hirschmann: A software solution is the ideal fit for a virtualized central environment, whereas appliances are usually a better fit in branch offices or a smaller environment without virtualization in place.

If you have any questions on VPNs, the IPsec and SSL protocols or anything else related to secure remote access, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP engineering GmbH

  • CIO: IT Decision-Makers says Embrace BYOD or Be Left Behind
  • Dark Reading: Avoiding IAM’s Biggest Blunder
  • Network World: Are federal agency workers going rogue with personal devices?
  • SearchEnterpriseWAN: Preparing for a disaster: When remote employees overload your VPN

Rainer Enders, CTO, Americas at NCP engineering, recently conducted an Execsense webinar around what CIOs and CTOs need to know about mobile device security. Rainer explains how the replacement of static access networks with mobile access networks has led to a paradigm shift in overall network security. Because mobile device protection complements infrastructure protection, enterprises must safeguard their data within hostile mobile access networks, which are made all the more vulnerable in today’s information age.

Taking us further down this journey of murky data classification and the new obstacles IT leaders face with the proliferation of mobile devices and BYOD, Rainer describes what mobile-centric security strategies CIOs and CTOs should implement to ensure optimal network protection. We hope you’ll tune in to the new Execsense webinar here.


This is the third and final entry in our Q&A series on questions related to employee provisioning and VPNs. Last week, we addressed how provisioning can benefit an organization’s overall security posture as well as the de-provisioning tactics necessary to mitigate security risks during employee transitions.

Question: Certain scenarios, such as short-term business partnerships, will require adaptable provisioning. How can VPN technology enable temporary and secure remote access? What are other solutions companies can use to incorporate flexibility into their workforce?

Joerg Hirschmann: VPN solutions offer different access points for various types of remote access users. In general, employees will require deeper access to corporate network resources than external partners will need. For that reason, companies should deploy VPN clients to their entire workforce, depending on the necessary access requirements, whereas external partners should access the relevant applications through client-less SSL VPNs, if possible. This will allow external partners to avoid the process of deploying software and licenses.

Organizations can also achieve temporary access, whether it be on-demand or limited hourly access, by implementing a Remote Authentication Dial-In User Service (RADIUS) server. With this approach, general access limitations can be set automatically, whereas on-demand access will have to be enabled, as well as disabled, manually by an administrator. Again, process quality is important.

If you have any questions that you would like answered on VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP engineering GmbH
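As an added illustration of the two RADIUS approaches described in the answer above (not part of the original post), the fragment below uses FreeRADIUS “users” file syntax; the account names, password and dates are constructed placeholders:

```conf
# Added example, assumed FreeRADIUS "users" file syntax; names and dates are placeholders.

# Partner account with automatic limits: the rlm_expiration and rlm_logintime
# check items make the RADIUS server reject the VPN gateway's Access-Request
# after the engagement ends or outside weekday business hours, with no
# administrator action required.
partner01  Cleartext-Password := "change-me", Expiration := "30 Jun 2014", Login-Time := "Wk0800-1800"
           Session-Timeout = 28800,
           Reply-Message = "Partner access: weekdays 08:00-18:00 until 30 Jun 2014"

# On-demand account: it carries no automatic limit, so an administrator has to
# add the entry when access is requested and remove it again afterwards by hand.
ondemand01 Cleartext-Password := "change-me"
           Session-Timeout = 3600
```

The Session-Timeout reply item caps a single VPN session; the check items on the first line decide whether a login is accepted at all.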

By Patrick Oliver Graf, General Manager of Americas, NCP engineering

Last week, we provided an overview of split and full tunnel configurations. Here, we delve a bit deeper to explore the security benefits of this technology.

Split tunneling has a variety of advantages:

  • It only transmits data that actually requires the protection of a VPN. This leads to smaller workloads for VPN clients, server and gateways.
  • It enables strict separation of corporate Internet traffic and private Internet use.
  • It conserves bandwidth within the VPN connection since it does not have to transmit private data.

Despite these gains, many IT administrators still have reservations about split tunneling. Most notably, some believe split tunneling is a security risk because some data traffic is separated from the secure VPN tunnel and is not directed through the secure gateway. Others criticize the split tunneling concept as being too complicated and requiring specialized VPN clients. These concerns are further fueled by fears that an attacker might somehow be able to use the private Internet connection to gain access to the corporate network, which the user accesses through the VPN.

However, none of these points are logical. Firstly, in order to route a private Internet connection into a VPN, the client has to have the bridging mode activated. This is not a default setting. Moreover, an administrator can use a group policy to deactivate the bridging feature and prevent the user from activating it.

Additionally, the concern of infecting a corporate network with malware through a private connection is only partially valid. On the one hand, almost every company uses antivirus software to eliminate malware before it even enters the company’s intranet. On the other hand, there are other sources of viruses and Trojans beyond the Internet—for example, USB drives and DVDs can also infect a user’s PC. From this point of view, the raised risk of infection through split tunneling is hardly significant.

Split tunneling does not make a company network unmanageable, but it’s important to note that its manageability depends on the quality of the implemented VPN components. For example, VPN gateways and clients like the NCP Secure VPN Client support both full tunneling and split tunneling. This solution requires minimal configuration effort, and it supports various platforms including Windows 8, Linux, Mac, and Android.

The bottom line is that split tunneling should not be considered a security risk. However, client systems that use this technology should always be up-to-date. For example, security patches have to be installed promptly; personal firewall and antivirus engines have to be activated and updated on a regular basis; and potentially risky features, like bridging, have to be deactivated permanently.

Full tunneling is the better alternative for companies and authorities with extremely high security requirements. However, they have to accept the increased effort that comes with full tunneling and implement more powerful VPN systems and “big pipes” for VPN data traffic. Nor is it still appropriate to prohibit private use of the company computer simply to keep the data volume within limits. Ultimately, it comes down to efficiency. After all, it doesn’t take much data to see that companies that restrict employee access to corporate information also limit overall productivity.
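To make the routing difference between the two modes concrete, here is an added example (not code from the post or from NCP) that models a client’s route table for split and full tunneling with longest-prefix matching; the corporate prefixes, gateway address and interface names are constructed assumptions:

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample values: prefixes reachable only over the VPN, and the
# public address of the VPN gateway (TEST-NET-2, so it is not a real host).
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24"]
VPN_GATEWAY = "198.51.100.10"

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, outgoing interface)


def build_routes(mode: str, corporate: Iterable[str] = CORPORATE_PREFIXES,
                 gateway: str = VPN_GATEWAY) -> List[Route]:
    """Route table a VPN client installs for 'split' or 'full' tunneling."""
    default = ipaddress.ip_network("0.0.0.0/0")
    gw_host = ipaddress.ip_network(f"{gateway}/32")
    if mode == "split":
        # Only corporate destinations enter the tunnel; everything else,
        # including private browsing, leaves directly via the physical NIC.
        return [(ipaddress.ip_network(p), "tun0") for p in corporate] + [(default, "eth0")]
    if mode == "full":
        # All traffic enters the tunnel, except the encrypted packets to the
        # gateway itself, which must still reach it over the physical NIC.
        return [(gw_host, "eth0"), (default, "tun0")]
    raise ValueError(f"unknown mode: {mode}")


def select_interface(dst: str, routes: List[Route]) -> str:
    """Pick the outgoing interface by longest-prefix match, as a kernel does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def classify(mode: str, destinations: Iterable[str]) -> Dict[str, str]:
    """Map each destination to the interface it would use in the given mode."""
    routes = build_routes(mode)
    return {d: select_interface(d, routes) for d in destinations}


def tunnel_share(mode: str, destinations: Iterable[str]) -> float:
    """Fraction of destinations that consume VPN tunnel bandwidth."""
    decisions = list(classify(mode, destinations).values())
    return sum(1 for i in decisions if i == "tun0") / len(decisions)


if __name__ == "__main__":
    sample = ["10.1.2.3", "172.20.5.5", "93.184.216.34", "198.51.100.10"]
    for mode in ("split", "full"):
        print(mode, classify(mode, sample), f"tunnel share={tunnel_share(mode, sample):.2f}")
```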