As workforces become more mobile and geographically dispersed, SSL VPN is becoming an integral means of achieving secure access to corporate resources wherever you are, whenever you want. In addition to offering you and other trusted company associates easy access to a network, SSL VPN works from a standard Web browser and does not require the end user to install specialized software. This type of setup is especially useful for companies with many mobile users who need to connect from various locations. As a result, security is essential when dealing with SSL VPN. This slideshow features 10 tips Stonesoft has identified to help implement SSL VPN securely.
Utilizing a virtual appliance allows an application portal to be built in accordance with your needs. The appliance can be dynamically populated based on your criteria and serve as an integral safeguard for connections. An effective virtual appliance will have a heavy focus on strong authentication, end-point security assessment and trace removal techniques. It will also allow for immediate deployment of the desired connection as well as easy building of application portals.
Controlling the amount of access end users have to corporate resources is a must for a secure network. Access control capabilities need to be granular and flexible, offering or denying access based on any combination of your chosen parameters. Furthermore, administrators should have the option of setting up unique access control characteristics for each application individually.
Auditing capabilities are a vital aspect of any network to ensure that strict corporate, industry and government compliance regulations are always being met. Successful auditing options must include detailed reports as well as various means of performing an audit, be it comprehensive or consolidated.
Authentication that provides both security and ease of use is a must with any network. The most effective authentication provides a dozen or more options, ranging from the most basic to the most sophisticated, any of which are easily integrated into the existing system. Choices may include passwords, mobile ID or even chaining the authentication methods to provide a holistically stronger, multi-factor process without being too intrusive. For example, an authentication approach could require a username and password, a digital certificate and an additional one-time password delivered to the user’s mobile phone.
Not just any device should be allowed access via an SSL VPN, in case the device is compromised and used as a stepping-stone for entry into your valued corporate resources. The most secure SSL VPN will thoroughly inspect each device for certain specifications. They may include antivirus software, firewalls, patches, spyware, network configuration and operating system details. Devices that do not meet the requirements may be denied access altogether. Alternatively, you may choose to forward such users to an update site or grant them limited access as needed.
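The access-control tip above (granular rules per application, combining any of your chosen parameters) and this endpoint-inspection tip fit together as one decision: the device's posture is assessed first, then folded into each application's rule along with the user's group membership and the time of day. The following is an added illustration of that flow in Python, not Stonesoft's code; the posture attributes, the 30-day patch threshold, the rule format and all sample users and devices are constructed for the example.

```python
"""Endpoint posture assessment feeding a per-application access decision.

Added example, not vendor code. Every attribute name, threshold, rule and
sample device below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """What the endpoint inspection reported for one device (constructed)."""
    os: str                  # e.g. "windows", "macos", "linux", "android"
    antivirus_running: bool
    firewall_enabled: bool
    days_since_patch: int
    spyware_detected: bool


@dataclass(frozen=True)
class AppRule:
    """Per-application access rule (constructed format)."""
    name: str
    groups: frozenset        # user must be in at least one of these groups
    min_posture: str         # "full" or "limited"
    hours: tuple = (0, 24)   # allowed hours of day, half-open [start, end)


def assess(p: Posture) -> str:
    """Grade a device as 'full', 'limited' or 'deny'.

    Detected spyware is an unconditional deny. An unmanaged OS, missing AV or
    firewall, or patches older than 30 days (constructed threshold) demote the
    device to 'limited', which still lets it reach a remediation/update site.
    """
    if p.spyware_detected:
        return "deny"
    if p.os not in ("windows", "macos", "linux"):
        return "limited"
    healthy = (p.antivirus_running and p.firewall_enabled
               and p.days_since_patch <= 30)
    return "full" if healthy else "limited"


def decide(user_groups: frozenset, hour: int, posture: Posture, rule: AppRule) -> str:
    """Combine identity, time of day and device posture into one decision.

    Returns 'allow', 'deny' or 'redirect-remediation' (the "forwarded to an
    update site" option: the user is known and in the right group, but the
    device is not healthy enough for this particular application).
    """
    level = assess(posture)
    if level == "deny":
        return "deny"
    if not (user_groups & rule.groups):
        return "deny"
    if not (rule.hours[0] <= hour < rule.hours[1]):
        return "deny"
    if rule.min_posture == "full" and level != "full":
        return "redirect-remediation"
    return "allow"


def portal_view(user_groups: frozenset, hour: int, posture: Posture, rules) -> dict:
    """Decision for every application, i.e. what the portal should render."""
    return {r.name: decide(user_groups, hour, posture, r) for r in rules}


# Constructed sample data ------------------------------------------------------
RULES = (
    AppRule("webmail", frozenset({"staff"}), "limited"),
    AppRule("finance-erp", frozenset({"finance"}), "full", hours=(7, 20)),
    AppRule("fileshare", frozenset({"staff", "contractors"}), "full"),
)
ALICE = frozenset({"staff", "finance"})
BOB = frozenset({"contractors"})
HEALTHY_LAPTOP = Posture("windows", True, True, 5, False)
STALE_LAPTOP = Posture("windows", True, True, 90, False)
INFECTED_LAPTOP = Posture("windows", True, True, 5, True)

if __name__ == "__main__":
    for label, groups, hour, dev in (("alice/healthy/10h", ALICE, 10, HEALTHY_LAPTOP),
                                     ("alice/stale/10h", ALICE, 10, STALE_LAPTOP),
                                     ("alice/healthy/22h", ALICE, 22, HEALTHY_LAPTOP),
                                     ("bob/healthy/10h", BOB, 10, HEALTHY_LAPTOP),
                                     ("bob/infected/10h", BOB, 10, INFECTED_LAPTOP)):
        print(label, portal_view(groups, hour, dev, RULES))
```

The useful property is that posture is evaluated once and each application states the posture it needs, so a stale device can still reach low-risk applications while sensitive ones redirect the user to remediation rather than silently failing.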
Connections that fail when they should succeed are another stumbling block that can arise with SSL VPN security. One of the most effective ways to defend against this is through fault-tolerant authenticated sessions that allow two appliances to form a mirrored access point pair. If one access point happens to fail, the other node immediately takes over corporate application access, providing high availability. Even while the initial access point is functioning normally, the additional access point can be placed in a different geographical location. This provides an automatic safeguard and a tool that meets disaster recovery requirements.
Integration in the most effective systems typically consists of the ability to add accessible applications to your application portal. You should have the capability to define how each application is presented and further define users who may access each application and when.
The management end of your SSL VPN should function just as seamlessly, with a clear and user-friendly interface. Such an interface should allow you to administer and maintain remote access to the system, report incidents and manage resource access, ensuring comprehensive security of your networks.
While you may provide end users with access to your corporate resources, the most secure SSL VPNs will not allow them to access the resources directly. All traffic should instead be routed via a Web proxy, which accesses the backend applications and then delivers the information back to the end user, providing access to Web applications as well as client-server applications, terminal applications and file server applications. In essence, the proxy mechanism is a major safeguard to your network that creates a buffer between the end user and your valuable corporate resources.
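The buffer described above only works if the proxy, not the client, decides which backend is reached and what the client learns about it. Three pieces of that logic are sketched below as an added Python example (not Stonesoft's implementation): a fixed portal-path-to-backend map, so a request can only ever name a portal path and never an internal host; header handling that drops hop-by-hop headers and the portal session cookie and injects the authenticated identity server-side; and rewriting of backend redirects so they point back through the portal and never leak or follow an unknown host. The portal origin, backend hostnames, header name and sample requests are all constructed.

```python
"""Routing, header and redirect handling for an SSL VPN Web proxy.

Added example, not vendor code. The portal origin, backend map, the
X-Portal-User header and every sample value are constructed.
"""
from urllib.parse import urlsplit

PORTAL_ORIGIN = "https://vpn.example.com"          # constructed

# Constructed portal path -> backend origin map. Anything not listed has no
# route, so the client can never address an internal host directly.
BACKENDS = {
    "/apps/intranet": "http://intranet.internal.example:8080",
    "/apps/hr": "https://hr-app.internal.example",
}

# RFC 7230 hop-by-hop headers: they describe the client<->proxy connection and
# must not be forwarded to the backend.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding",
              "upgrade"}
# Headers the proxy owns and never accepts from the client.
PROXY_OWNED = {"host", "cookie", "x-portal-user"}


def route(portal_path: str):
    """Map a portal request path (no query string) to (backend_url, prefix).

    Returns None when no backend is configured, which the caller turns into a
    404 from the portal rather than any contact with the internal network.
    """
    for prefix, backend in BACKENDS.items():
        if portal_path == prefix or portal_path.startswith(prefix + "/"):
            rest = portal_path[len(prefix):] or "/"
            return backend + rest, prefix
    return None


def outbound_headers(client_headers: dict, user: str) -> dict:
    """Headers the proxy sends upstream.

    Hop-by-hop headers, the client's Host and the portal session Cookie are
    dropped; the authenticated identity is asserted by the proxy itself, so a
    client-supplied X-Portal-User is discarded rather than trusted.
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() not in PROXY_OWNED}
    out["X-Portal-User"] = user
    return out


def rewrite_location(location: str, prefix: str):
    """Rewrite a backend Location header so the browser returns via the portal.

    Absolute URLs must point at this prefix's own backend; a redirect to any
    other host (including scheme-relative '//host/...') is refused (None), so
    the proxy neither leaks internal names nor becomes an open redirector.
    """
    backend = urlsplit(BACKENDS[prefix])
    loc = urlsplit(location)
    if (loc.scheme or loc.netloc) and (loc.scheme, loc.netloc) != (backend.scheme, backend.netloc):
        return None
    path = loc.path or "/"
    query = "?" + loc.query if loc.query else ""
    return PORTAL_ORIGIN + prefix + path + query


if __name__ == "__main__":
    # Constructed client request as seen by the portal.
    print(route("/apps/hr/benefits"))
    print(outbound_headers({"Host": "vpn.example.com", "Cookie": "portal=abc",
                            "Connection": "keep-alive", "Accept": "text/html",
                            "X-Portal-User": "mallory"}, "alice"))
    print(rewrite_location("http://intranet.internal.example:8080/login?next=%2F",
                           "/apps/intranet"))
    print(rewrite_location("https://other.example/phish", "/apps/hr"))
```

In a real deployment the same three checks sit in front of whatever HTTP client the proxy uses; the point of keeping them as small pure functions is that each can be unit-tested against hostile inputs (unknown paths, forged identity headers, off-host redirects) without standing up a backend.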
Rather than facing re-authentication, multiple passwords and a series of potentially frustrating stonewalls during sessions, a single sign-on provides one digital identity, ensuring ease of use and user security. A single sign-on that can combine with Federation ID provides maximum flexibility.
If your network contains a large number of roaming users, trace removal is vital to the security of your network. Trace removal is an option that plays a heavy role when accessing resources from insecure locations. This applies to Internet cafes, airports, hotels, access points outside corporate security boundaries and other distrusted areas. Trace removal eradicates the trail of information that can accumulate during an access session, such as URL history, registry entries, downloadable components, cached pages and cookies. The most effective trace removal options will allow you to customize the rules.
Guesswork and confusion are never beneficial to the security of a network, and a user-friendly interface takes care of both. The application portal should be intuitive, offering the end user clear options and menus listing all applications available to them.
Universal device support should extend to any device that can run a Web browser. Rather than requiring specialized hardware, software installation or specific parameters that can make or break your SSL VPN, access should work across the wide range of devices found in today's workforce with the same secure and easy access your business requires to succeed.