The internet has brought numerous business benefits, such as the possibility of rapidly interconnecting business units and travelling or remote users, who can connect to the company and carry out their work even at a distance.
There are several ways to offer this type of access to companies and employees, but it is of utmost importance that this access be designed with a minimum of security, avoiding unnecessary exposures that would turn the benefit into a serious problem for the organization.
Within this context, VPNs have played a key role in ensuring that companies and employees can securely connect from anywhere to the services offered within the offices, as if they were physically there.
Many VPN technologies are available on the market, some with a high level of interoperability and others less so; the latter are usually applied between gateways of the same manufacturer to securely interconnect head offices and branches, which in practice forces the devices and versions to be the same at every point of interconnection.
Interoperability is an extremely important element, especially today, given the vast number of client device manufacturers (tablets, smartphones, laptops) and operating systems.
For a company looking for a VPN solution, interoperability is an important point to validate, in addition to the technical/functional aspects and, of course, security.
For this reason, several manufacturers have adopted the SSL protocol, which is widely applied to secure HTTP connections (HTTPS), as an alternative to other protocols, especially IPsec.
The SSL protocol offers an interesting security layer: it can work with a very extensive set of cipher suites, it does not have to be deployed at the operating system level, and in many cases it requires no application to be installed, being accessed through a browser.
With this set of features, SSL becomes a very interesting VPN alternative, both for interconnections between companies that need secure communication between their networks and for end-user access, since most deployments rely on multi-platform client applications, which facilitates user access.
It is important to make clear that a VPN provides a secure means of communication between two or more parties; this does not mean that a person with VPN access but no further authorization can automatically reach a company's internal applications, since the user also needs the access credentials for each system.
Secure SSL VPN based on digital certificates
Many SSL VPN solutions implement a private certificate authority (CA) to control access through digital certificates: only certificates issued by that CA are accepted when negotiating the connection to the VPN concentrator.
Each certificate can also have a different validity period, for example a 1-day certificate for access by a vendor, and longer validity for trusted employees who need remote access to the company infrastructure.
The certificates can be protected by a personal password, which adds an extra layer of security in case the certificate is stolen or lost: the password is checked before the connection is started.
An important property associated with digital certificates is non-repudiation: the company gains a much stronger guarantee that a given access really came from a particular person or company/business unit.
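As an added example (not code from the original post), the following script builds with OpenSSL the kind of private CA described above, issues a 1-day vendor certificate and a longer-lived employee certificate whose private keys are passphrase-protected, and shows that the concentrator's trust store rejects a certificate from any other CA. All names and passphrases are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal private CA for an SSL VPN concentrator, issuing
# passphrase-protected client certificates with different validity periods.
# All names and passphrases below are constructed, not taken from any product.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The private CA: only certificates it signs are accepted by the concentrator.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example VPN CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert NAME DAYS PASSPHRASE
# The client's private key is encrypted with PASSPHRASE (the "password-protected
# certificate" of the text) and the certificate is signed by the CA for DAYS days.
issue_cert() {
  name=$1; days=$2; pass=$3
  openssl genrsa -aes256 -passout "pass:$pass" -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -passin "pass:$pass" \
    -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$days" -out "$name.crt" 2>/dev/null
}

# accepted CERT: succeeds only if CERT chains to our CA and is currently valid.
accepted() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# expires_within CERT SECONDS: succeeds if CERT expires within SECONDS.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_unlocks KEYFILE PASSPHRASE: succeeds only with the correct passphrase.
key_unlocks() {
  openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# 1-day certificate for a vendor, 365-day certificate for a trusted employee.
issue_cert vendor 1 "vendor-secret"
issue_cert employee 365 "employee-secret"

# A certificate signed by any other CA (here a self-signed one) is not trusted.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=other" -keyout other.key -out other.crt 2>/dev/null

accepted vendor.crt && echo "vendor: accepted by the concentrator"
accepted other.crt || echo "other CA: rejected by the concentrator"
expires_within vendor.crt 172800 && echo "vendor: expires within 2 days"
```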
Multi-factor authentication with SSL VPN
Reinforcing the certificate and its password protection, SSL VPNs can also work with multiple authentication factors. This means that VPN access is only granted after at least two independent user identification mechanisms have been confirmed.
This feature is a very important layer of security, and it does not interfere with ease of use for users. Generally, digital certificates are used together with validation of access credentials against a directory service or a RADIUS server, for example.
Active Directory Integration
Since Active Directory is a widely used directory solution in corporate environments, it is very common for SSL VPN solutions to use an Active Directory database as the backend for authentication and credential validation.
In this case, the administrator creates an individual or collective certificate for VPN users, and access is only granted after the access credentials are supplied and validated by the directory service.
This greatly simplifies administration of the environment, especially through the use of groups: it can be defined that only users belonging to the VPN group have access to the resource.
When a user needs access, the administrator issues a certificate for them; when access is no longer necessary, the certificate does not necessarily have to be revoked, since simply removing the user from the access group makes it impossible for them to connect.
Granular access control
Since the VPN only provides connectivity between certain points, it is common for some access profiles, even once connected, not to be allowed to reach certain equipment or networks.
VPN concentrators can then regulate remote users' VPN traffic towards the equipment and servers within the internal network segment, allowing one user access to a certain group of servers while another user of the same service accesses only a single device.
This set of features on the VPN server/concentrator side, combined with the interoperability and portability that make it possible to use any device, provides much more security for companies that need mobility.