It is a well established fact that SSL means Supreme Security for the buzzword-driven IT security world. It is one of the great misunderstood technologies, and most security companies have educated the user to believe that if they see a yellow lock on the browser window the communication is "secure" and hack proof, with a trusted party, and it's OK to put your credit card details in. Nothing could actually be further from the truth, and phishermen are having a field day as a relatively naive user clicks on a link to https://secure.ebay-address-update.com and puts in their details. The browser goes and verifies the certificate, and finds it actually does come from a recognised cert provider, is still valid, and hasn't been published on a revocation list. Once that is all clear, the browser puts the little secure lock logo in the window and the user assumes the page is secure. No one has actually checked that the domain ebay-address-update.com belongs to an unlisted company in east bolorovia (or other obscure country), that the web site is served from a datacenter in Tonga, and that it has nothing to do with eBay. Some cert providers do a semblance of checks, but they can't be held responsible for the INTENTION of the certificate requestor. Then someone has a big party at your expense.

Secondly, SSL is a rather strange technology: it authenticates the server to the attacker, but not the attacker to the server. I have always liked this; if I want to attack a website and I see a valid SSL cert, I know I am attacking the right target. That server has a certificate issued to it, and a third party is vouching for its domain identity. Never forget that the client (attacker) has to provide NOTHING in terms of who it is, or what its intentions are, for an SSL security association to be formed. People use SSL for that very reason: there is no special software or change required on the client, and the client needs only to check that the certificate is valid (which all browsers do for you). The encryption just kind of happens.
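The gap described above is that certificate validation only proves the server holds a valid cert for the hostname in the URL, not that the hostname belongs to the brand the user thinks they are visiting. The following is an added example, not code from the original post, of the missing step: a check that flags hostnames which name-drop a protected brand while their registrable domain is not one the brand owns. The brand allowlist and the tiny public-suffix stand-in are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample allowlist (assumption): brand token -> registrable domains
# that brand actually owns. A real deployment would maintain this centrally.
BRAND_DOMAINS = {
    "ebay": {"ebay.com", "ebay.co.uk"},
    "microsoft": {"microsoft.com"},
}

# Minimal stand-in for the public suffix list (assumption): only a couple of
# multi-label suffixes are recognised here so the example stays self-contained.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname using the tiny suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_mismatch(url: str):
    """Return (brand, registrable_domain) when the host mentions a brand as a
    whole label fragment but the registrable domain is not owned by that brand.
    Return None when the host is genuinely the brand's, or mentions no brand.
    A valid certificate alone would pass in every one of these cases."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            return None  # the real thing, e.g. www.ebay.co.uk
        # Match the brand only at label boundaries ('.' or '-') to cut noise.
        if re.search(r"(^|[.-])" + re.escape(brand) + r"([.-]|$)", host):
            return (brand, reg)
    return None
```

Run this on the post's own example URL and it returns ("ebay", "ebay-address-update.com"), which is exactly the fact the browser's lock icon never tells the user.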

Now for the next technology: VPN! In the past it has been a license to print money for some appliance vendors as companies rushed to externalise access to their infrastructure and applications. VPN's power lies in the fact that a company could give full IP access to its internal infrastructure (if it wanted to) to one of its stakeholders outside the firewall security perimeter. It has been one of those frequently used technologies that has made it into the vocabulary of almost all corporate employees, or at least anyone that has been issued with a computer knows what it is. Vendors tended to compete in the VPN space by a few different means. The first is the encryption strength of the tunnels they set up between the client and the server, so CheckCoat says my VPN is better than CiScreen because I do AES256 and they only do AES128, or they use something bad like 3DES. So far, I haven't heard of too many cases in the Internet wild of a full-on VPN tunnel being broken in mid-stream (if you have, mail me), so this argument is largely of the type "I can kill you with a .50 caliber, and he can only kill you with a .45. Net result is you're still dead."

The next competitive argument is about the factors of authentication, and the new emerging technologies. The industry for a while ran out of ways to sell simple VPN boxes, so they evolved new technologies for you to buy as "next generation VPN solutions". Fortunately, these technologies are quite cool, and most are quite useful (30-year-old-thinking simple layer 4 firewall vendors still own the "I can sell you a 1963 Trabant" as state-of-the-art award). Given that VPN appliances, due to their cost etc., were considered easy money (look at the Beware the Firewall Salesman post for an explanation of margin), tons of entrants flooded into the market, and the technology became commodity as salesmen in droves entered the market. Differentiation of your offering became important as the technology matured from niche to commodity. A few things emerged, and they have helped strengthen VPN technology:

1.) Multiple Authentication Factors – like smart cards, SecureWhatever tokens, potentially the anatron biometric device, and whatever other widget to replace or supplement the password and username.

2.) Quarantine, or end-point compliance, where the host is assumed to be sick, untrusted and infected, and isn't getting access to anything until it verifies its health and state. These have also by definition required smarter clients on the host that can check security policy, have the right corporate security agents like anti-spyware, AV, IDS/IPS etc., and other useful stuff like host-based firewalls and baseline security scans. Some vendors sell the clients as an additional authentication barrier, so that only those in possession of the client can VPN in, which can also be a good idea; just beware patch management of the client, as a few VPN vendors have found out that attackers can find vulnerabilities in the VPN client code too ;)

All of this technology has resulted in a fairly secure external access strategy being technologically available, well established and supported in the industry. VPN is definitely more secure than internal access to a network now, where Ethernet still gives you a switch port and DHCP an IP address in exchange for the relatively difficult task of plugging a network cable into a PC (NAP/NAC is still in its infancy, at less than 0.5% share). But the downside: cost. It is initially a high fixed cost to deploy VPNs, with the concentrators' physical installation, authentication setup, integration to backend systems, etc. costing money, and new client keyfobs, VPN licensing structure (usually per user) and user administration having a marginal cost as well. But so far companies have happily paid the price. They get a TRUSTED client, which they installed, that runs security checks, with multiple authentication factors, that has been visited by IT, and quarantined. In exchange for this cost they get relatively low business risk. At Microsoft we use this type of solution, with quarantine, security agents onboard, smart cards, and a custom VPN client all ensuring corpnet access is well protected. In return for this, almost full access to corpnet is provided. Check out www.microsoft.com/itshowcase for some info on how we do it.

SSL has been the accepted "security" technology for lightweight access requiring no client footprint, and VPN was the "thick client" solution that fully expects client modification and control. So what happens when even quarantine and the cool VPN technologies are becoming hard to sell? We take the two buzzwords together and make a brand new product, and thus a brand new appliance: the SSL VPN! Basically, this device is a reverse proxy web publishing device that gives you access to web pages, and recently terminal services emulation, so that you can do everything you could do on a VPN, but without the client setup, maintenance and administration costs (straight from the marketing literature). All you need is an Internet café in the Philippines, and during your holiday you can come into the bank's payment systems and authorize and issue that million pound payment. Brilliant! You didn't even need to change your floral print shirt. How do they sell you this stuff? Well, largely they tell you that they can download a little ActiveX-style control to the browser, and that magic 100Kb control can rid the client PC of every known piece of malware, key logger and bot on it. At only 100Kb it's a bargain. Most antivirus vendors still need a 2-5 meg download of their signatures, the anti-spyware engines about the same, plus a series of checks to run that have to work on all clients and all browsers. How do you even install an ActiveX control on a browser that doesn't support it and doesn't let you install code? How do they do it? They don't!

Some SSL VPNs have clever technology like holding your credentials in RAM so that you can access multiple applications by logging on just once to the device, and they re-present them for you. They also do cache cleaning, where you can rest safe knowing the control will try to delete the cache of what you have accessed, and all your data is now gone from the browser.

But it's not all bad. They can provide useful security features like pre-authentication, where the SSL VPN will auth you before you get access to a back end resource (kills current worms, as they are anonymous), and some applications are currently provided by SSL only. So it's not all bad, but let's call it an SSL reverse proxy, not an SSL VPN: these little clientless devices requiring no pre-existing footprint will not, and can never, be true VPN devices. The reason is very simple. At its very heart VPN technology is about allowing a trusted client to use a network, not a trusted user; the only check anything does of the user's intention is a credential, nothing else, and VPN is definitely not about letting an untrusted client in.

SSL VPN is about untrusted clients that you have never touched before, and never will again, being temporarily cleaned. You have to decide if you think the vendor's technology can do this, but I don't think it can. The key thing to do is ignore the sales guys and think about a very basic question. Assuming my attacker controls the PC I will be using to access my network, is the application I am trying to externalise too valuable to be accessed by the attacker's machine? What is the cost of the credentials being lost through keylogging, how sensitive is the information displayed on the screen (for cameras or screen capture software), and should Bill be authorising payments whilst he is on holiday? What if corpWorm waits for 10 minutes after the session opens to launch itself in my network? If I would NOT allow this shifty guy hiding in the shadows of the room into our corporate datacenter, why would I allow his PC?

At Microsoft, anything requiring sensitive access to our infrastructure has to be multi-factor and trusted-client based; it's a simple business risk decision for us. Which isn't to say all SSL VPN is bad. After all, ISA Server 2006 will include "SSL VPN like" capability, but we don't usually call it that, as it misses the point. For web apps that you want externalised, we can do it, and do it well. But don't force your apps to fit the constraints of the appliance you just bought! Think it through with a proper risk review of what you are trying to make available outside, and always assume the attacker has full control of the client PC and that all client-side checks have been fooled. If it's sensitive to your business, or the loss or theft of that data is extremely high impact for you, then SSL VPN is not the right thing for you to do. Like most things in security it's about tradeoffs, cost and risk mitigation. If the CiScreen or CheckCoat guy tells you it's the next new thing, it's usually because if he sells 20, he gets a plasma TV, and you get the 18th appliance in your security portfolio....