Posts Tagged ‘SSL’

This is part two in our Q&A series on SSL VPNs. Earlier this week, we shared insight from Rainer Enders, CTO, Americas at NCP engineering, on the inception of SSL VPN and its key differentiators.

Q: What are the core strengths of SSL VPN, and when might enterprises choose to go with this protocol over IPsec VPN?

Joerg Hirschmann: The pre-installed, SSL approach is ideal for situations in which one doesn’t require transparent connections for secure remote access. For instance, SSL VPN is an optimal solution when enterprises must grant limited access to external associates or partners needing connections only to specific applications (e.g. web-based) or administrative access to specific machines through RDP or SSH sessions. However, the ideal secure remote access solution takes a hybrid approach combining the strengths of both SSL and IPsec.

Q: What about choosing to go with software solutions versus hardware appliances?

Joerg Hirschmann: A software solution is the ideal fit for a virtualized central environment, whereas appliances are usually a better fit in branch offices or a smaller environment without virtualization in place.

If you have any questions on VPNs, the IPsec and SSL protocols or anything else related to secure remote access, send them to editor@vpnhaus.com. 

Joerg Hirschmann is CTO at NCP engineering GmbH.

This is part one in our Q&A series on SSL VPNs.

Q: When SSL VPN followed IPsec VPN into the world of remote access, what was its initial purpose? How did it differentiate?

Rainer Enders: SSL VPN was introduced to address various shortcomings of IPsec VPN, such as usability, interoperability and scalability. In particular, the IPsec client-based approach was regarded as a process that was difficult to manage from both administrators’ and users’ perspectives.

When SSL was initially introduced, it was considered a client-less technology. The terminology “client-less” was created to differentiate from the IPsec client-centric approach. Obviously, SSL VPN is not client-less, as a client is still involved and is typically in the form of a web browser. Therefore, the key differentiator between the two approaches is that the SSL VPN client comes pre-installed on all OS platforms in the form of the browser, whereas IPsec VPN is separate software that, in many cases, must be installed.

Q: When should companies use a browser-based SSL VPN for secure remote access? How does this differ from applications of a Thin Client SSL VPN?

Rainer Enders: When deploying SSL VPN, great care must be taken to implement and secure the digital signature architecture. Web proxy and thin client SSL are restricted to certain access modes, and as such, should only be used in projects with limited scope with compliant access environments. SSL VPN should not be used for high security environments, as there are more points of attack and vulnerabilities.

Rainer Enders is CTO, Americas, at NCP engineering.

Stay tuned for more expert insight on SSL VPNs later this week from Joerg Hirschmann, CTO at NCP engineering GmbH.

In part one of this two-part series, we explored the problem that many IPsec users face when trying to connect to their corporate network from the road, especially from hotels. Namely, some hotels block IPsec ports because of the misconception that SSL is universally employed.

So what’s the solution? First, for security reasons, users should not deactivate the firewall or the proxy server. However, compelling a hotel guest to send or receive sensitive information via unsecured connections is not an option either. Even using SSL is not suitable for all situations, as SSL does not provide the same level of security as IPsec. And to further complicate matters, SSL only works with applications that are optimized for browser access.

However, there is a third option that combines the best of both worlds: NCP’s VPN Path Finder Technology. When a guest wants to establish a connection to his company network from a hotel, NCP’s Secure Client automatically recognizes if the company’s VPN gateway is not available via IPsec. In this case, the client software automatically switches to a modified IPsec protocol mode. This modified IPsec mode uses TCP encapsulation and prefixes an SSL header. The IPsec client simulates an SSL connection via the standard HTTPS port 443 and uses it to establish an IPsec tunnel to the company network.

The main advantage of this solution: there is no discernible change for users. They continue using all their regular authentication mechanisms — and reap the benefits of IPsec. Also, the corporate system administrators can enforce this security policy without having to make exceptions for single users who would undermine the company’s security concept. And finally, the hotel managers, too, profit from NCP’s VPN Path Finder Technology. Their guests are content because they are able to easily and securely access their company network, despite firewall and proxy server issues.

Not so long ago, business travelers could only access the Internet through a telephone line and a notebook modem in a hotel. Today, Internet access has become not only ubiquitous, but also fast and largely reliable. The vast majority of hotels provide Wi-Fi or LAN connections for guests to connect their notebooks, tablet PCs or smartphones and log onto their corporate network.

Unfortunately, too many hotels operate under the misconception that everyone uses SSL VPNs to remotely connect to their corporate networks. The reality is, however, that a large number of companies prefer IPsec VPNs, but many hotels block these connections. In fact, two network components frequently cause this trouble in hotels: the firewall and the proxy server. And this is not just annoying for guests, but it’s bad for the hotel’s business. What hotel wants to be tarred with a reputation for being unaccommodating to the needs of business travelers?

It is not just hotels that struggle with such problems regarding IPsec connections. Each sales employee who has tried to log on to a guest Wi-Fi network at a customer’s site has likely faced similar issues. Not only do many firewalls block IPsec connections, but so do several radio communication networks.

Now that we’ve identified the problem with securing remote access in hotels and other remote sites, what will it take for guests to easily and securely access their company network, despite firewall and proxy server issues? Tune in next time for part two — the solution.

Good news – NCP engineering has been named a finalist in the 2012 Golden Bridge Awards in the VPN/IPSec/SSL – Innovations category. This recognition comes on the back of continued awards momentum for NCP, reinforcing its position as the leading provider of robust enterprise VPN solutions. Earlier this year, NCP was selected as a finalist in the Golden Bridge’s sister awards, the Network Products Guide’s 2012 Hot Companies and Best Product Awards and the Info Security Product Guide’s 2012 Global Excellence Awards.

A bit of background on the Golden Bridge Awards. Now in their fourth year, the awards were created to generate industry-wide honor and peer recognition for all facets of the IT industry.

NCP was named a finalist for its Secure Enterprise Solution, which is comprised of the NCP Secure Enterprise Client, the NCP Secure Enterprise VPN Server and the NCP Secure Enterprise Management System, and is designed specifically for companies with large, complex remote access environments. The centrally managed software solution provides IT staff with a single point of administration for a company’s entire remote access system, including hybrid IPsec/SSL VPNs, personal firewalls, certificate management, provisioning and practical Network Access Control (NAC) functions. NCP’s flexible solution makes remote access management simple by integrating with any third-party hardware or software already in place, while maintaining strong policy enforcement and rule-set creation.

Winners will be announced in San Francisco in October – stay tuned and best of luck to all finalists!