Solution Brief #1
Are SSL VPNs Ready To Support Mobile Wireless Access?
Author: Dana Hendrickson, Director, Breakaway Security Group
On September 9, 2003, Neoteris, Inc., a leading supplier of SSL VPN appliances, surprised industry observers when it made the following claim in a product announcement:
“Unlike IPSec and other SSL VPN solutions with announced wireless device support, the Neoteris solution is the only one that does not require a client download or need a Java agent to set up a secure remote connection.”
In this report, Breakaway examines the primary issues surrounding the deployment of SSL VPNs with portable wireless devices and reviews some of the relevant key capabilities offered by a half dozen vendors. As you will learn, other vendors do offer the same capability claimed by Neoteris, and a whole lot more. Whether you wish to roll-out a new mobile application or simply extend the reach of existing resources like email, SSL VPN products are ready to handle the special requirements of wireless remote access.
Security Requirements
From a customer perspective, SSL VPNs must not only "connect" popular portable devices like laptops, handhelds and smart phones, they must also provide convenient access to files and applications, facilitate remote access security policies, and not add significantly to administrative workload and costs. This seems like a short list, but when one drills down a bit further, a range of potential requirements emerges. Customers need to examine their needs at this deeper level before evaluating individual solutions. Many needs and wants are addressed directly by SSL VPN gateway servers; others require the deployment of complementary security products and services from other vendors (e.g., device file encryption).
Portable Device Support
While remote PCs and laptops will remain the “devices of choice” for secure remote access, some organizations already feel pressure to support handheld users. And in a few years, smart phones could join handhelds as a common remote access device. (Or, the boundary between the two categories could simply blur.) The key point: smart phones will not become important for general-purpose remote access until they have sufficient on-board capabilities and are a lot less expensive to own than they are now. Smart phone device software is already sufficient.
Today most SSL VPNs will support any handheld that uses either the Palm OS with the Palm Web Pro browser or the Microsoft Pocket PC with the Pocket Internet Explorer browser. Support for RIM Blackberries (email) is common, as is support for smart phones that include a reliable browser.
Table 1: Portable Device Support by SSL VPN Vendor

| Device/OS/Browser | Aventail | F5 | Motivus | Rainbow | SafeWeb | Whale |
|---|---|---|---|---|---|---|
| Laptop/Windows/IE | Yes | Yes | Yes | Yes | Yes | Yes |
| HH/Palm OS/Web Pro | Yes | Yes | Yes | Yes | Yes | Yes |
| HH & SP/Pocket PC/PIE | Yes | Yes | Yes | Yes | Yes | Yes |
| HH/RIM OS/Web | Yes | Yes | Yes | Yes | Yes | No |
| SP/Symbian/Opera/Nokia | Yes | Yes | Yes | Yes | Yes | Yes |
| SP/Symbian/Opera/Sony-Ericsson | Yes | Yes | Yes | Yes | Yes | Yes |
| SP/Microsoft/Motorola | Yes | Yes | Yes | Yes | Yes | Yes |

HH = Handheld; RIM = Research In Motion; SP = Smart Phone
Convenient File and Application Access
Most users of portable devices are currently accessing email, personal information management applications, and network files stored on either shared servers or their own desktop systems. A large number will expect access to web-based, general-purpose applications (e.g. CRM, HR) and smaller but important communities will be supported by special-purpose, mobile applications (e.g., sales, field service).
SSL VPN vendors are rapidly expanding the capabilities of their products to support secure remote access to all commonly used web and non-web applications and file resources from PCs, laptops and handhelds. As smart phones gain capabilities these devices will be broadly supported, as well.
Table 2: Common Application Usage by Device Type

| Application | Remote Access: Laptop | Remote Access: Handheld & PDA | Remote Access: Smartphone |
|---|---|---|---|
| Market Size | Largest Population | Very Small Today | Miniscule Today |
| Web Mail | Create, Send, Read, | Create, Send, Read, Forward, Attach Remote Document | Create, Send, Read, Forward, Attach Remote Document |
| Web Applications | Supported | Few Mobile Applications | Few Mobile Applications |
| Web Terminal Services | Supported | Microsoft WTS (inconvenient) | Microsoft WTS (inconvenient)? |
| Web File Access | View, Modify, Create | View, Modify, Create | Limited |
| Web File Transfer | Send & Receive | Send & Receive | Limited |
| Native Email | Create, Send, Read, Forward, Attach Remote Document | Create, Send, Read, Forward, Attach Remote Document | Limited |
| Client-Server | Supported | Not Supported | Not Supported |
| Legacy Host | Supported | Not Supported | Not Supported |
| Terminal Services | Supported | Not Supported | Not Supported |
| Native File Access | Supported | Not Supported | Not Supported |
| Collaboration (UDP) | Supported | Not Supported | Not Supported |
| Full Network Access | Supported | Not Supported | Not Supported |
Truly Clientless. Contrary to the Neoteris claim, most SSL VPN vendors now support web access from portable devices without a requirement to download software or a Java applet to the user’s device. This is true for the products from Aventail, F5 Networks, Motivus Software, NetScaler, Rainbow Technologies, Safeweb (acquisition by Symantec announced this month), and Whale Communications. Essentially, as long as the solution provides a usable presentation and content layer, it will likely be functional via any web browser. Only those products that act solely as a data transport mechanism will require client software to present the user with a functional interface. Generally, when a download is required, the software is small, so client performance is not an important user issue even on slow wireless networks. (And wireless network bandwidth is expanding rapidly.) Where download usage does become a problem is when users want to access network resources from unmanaged third-party devices that block software downloads and Java applets. But that’s a subject for another column.
Security Policy
Security policies for enterprise secure remote access can cover a large range of topics from access control to device-level protection from misuse or attacks. SSL VPN products can directly contribute a great deal of protection - and the richness of available functionality is steadily improving. This report deals specifically with the convenience and security issues surrounding authorized usage.
There are some significant differences in how vendors enable security policies to be implemented on portable wireless devices. Most vendors permit the downloading of files to handhelds – and to desktop PCs and laptops. However, some can require that server-based files are remotely edited so files are never stored on the user device. Since loss or theft of devices is reasonably common, an enterprise must use caution (and appropriate device-based user authentication) when allowing users to download entire documents which may contain sensitive material.
Examples:
Simplified file emailing. Sending emails with large file attachments can be a big problem if a user must download the file over a slow network or the device simply lacks the capacity to store the file. A PowerPoint presentation is a good example. A solution: some vendors allow users to link a file stored on the network to a remotely created email. That’s a big plus.
Simplified file browsing. With a small access device, searching through network directories for files can be a big inconvenience. A solution: automatically display each user’s commonly used files whenever the user accesses the SSL VPN server.
Simplified file viewing. Most users do not need to edit Microsoft Office files, but viewing is essential. By rendering these popular files in HTML, they can be displayed without the need to download them over the network or to have a copy of the application installed on each remote device. That’s good news.
File download blocking. This prevents the downloading of files to devices. This capability could be varied based on user, device, and source address.
File editing without downloading. Some SSL VPN products allow users to edit popular application files (e.g., Word, PowerPoint, Excel, Visio, etc.) on personal desktops and shared network file servers without the need to download the file to the portable device. This increases security and improves user productivity.
Device-specific, automatic data formatting. Small portable devices are constrained by limited display characteristics and storage capacities that vary widely. Some SSL VPN servers will detect a device type and then automatically tailor the data that is delivered.
Standard Email and PIM Functions. With most SSL VPN solutions, full PIM features are limited to devices that can run Microsoft or IBM email clients for Exchange or Lotus mail servers. However, at least one vendor enables all features without the need of a client.
Roaming session support. The ability to maintain a user session while moving from one wireless access area to another.
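To make the file download blocking and device-specific handling in this list concrete, here is an added example (not any vendor's code) of how a gateway might decide between letting a file be downloaded, rendering it to HTML for view-only access, and denying the request, keyed on user group, device class and source address. The User-Agent substrings used to classify devices and the 10.0.0.0/8 corporate network are assumptions for illustration.

```python
import os
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Device classes are inferred from browser User-Agent substrings. The
# substrings are assumed for illustration, not taken from any vendor's product.
DEVICE_SIGNATURES = (
    ("PalmOS", "handheld"),       # Palm handheld running the Web Pro browser
    ("Windows CE", "handheld"),   # Pocket PC with Pocket Internet Explorer
    ("BlackBerry", "handheld"),   # RIM device
    ("Symbian", "smartphone"),    # Symbian smart phone (Opera browser)
)
# Constructed corporate address space; requests from elsewhere are "unmanaged".
MANAGED_NETS = (ip_network("10.0.0.0/8"),)
# File types the gateway can render to HTML for view-only access.
VIEWABLE_EXTS = {".doc", ".ppt", ".xls", ".txt", ".html"}


@dataclass(frozen=True)
class FileRequest:
    user_group: str    # e.g. "employee" or "contractor"
    user_agent: str    # browser User-Agent header
    source_ip: str     # client address as seen by the gateway
    filename: str      # requested network file


def classify_device(user_agent: str) -> str:
    """Map a User-Agent to 'handheld', 'smartphone' or 'laptop' (default)."""
    for needle, device_class in DEVICE_SIGNATURES:
        if needle in user_agent:
            return device_class
    return "laptop"


def decide(req: FileRequest) -> str:
    """Return 'download', 'view-html' or 'deny' for a network file request.
    Policy: a copy may be stored on the device only for laptops on the managed
    network; handhelds, smart phones and any unmanaged source get HTML
    rendering where the file type allows it; contractors off-net get nothing."""
    device = classify_device(req.user_agent)
    managed = any(ip_address(req.source_ip) in net for net in MANAGED_NETS)
    ext = os.path.splitext(req.filename)[1].lower()
    if req.user_group == "contractor" and not managed:
        return "deny"
    if device == "laptop" and managed:
        return "download"
    if ext in VIEWABLE_EXTS:
        return "view-html"   # never leaves a copy of the file on the device
    return "deny"
```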
Table 3: Application Features By SSL VPN Vendor

| Feature | Aventail | F5 Networks | Motivus | Rainbow | Safeweb | Whale |
|---|---|---|---|---|---|---|
| Truly Clientless | Yes | Yes | Yes | Yes | Yes | Yes |
| Simplified File Emailing | No | Yes | Yes | Yes | Yes | No |
| Simplified File Browsing | Yes | Yes | Yes | Yes | Yes | No |
| Simplified File Viewing | Yes | .doc, .txt, .html, and other text files | All common desktop productivity files | Yes | No | Yes |
| Block File Downloading | Yes | Yes | Yes | No | No | Yes |
| File Editing Without Download | No | No | Yes | Yes | No | No |
| Device-specific | Yes | Yes | Yes | Yes | Yes | Yes |
| Full Email and PIM Functions w/o an Installed Email Client | Yes | email, view tasks, view calendar | email, tasks, calendar, mailbox folders | Yes | Yes | Yes |
| Maintain Sessions While Roaming | Yes | Yes | Yes | Yes | Yes | Yes |
Administrative Workload
If the remote access solution is truly clientless or only requires an automatically downloaded control, then administration is comparable across all vendor solutions. However, if the product requires client software installation, then an enterprise can expect that the device will take a trip to the IT department for installation and testing before deployment. Perhaps the most important consideration is that a requirement for client software installation may very well imply that the solution supports a finite number of devices/browsers. This can be an impediment to user adoption (particularly for those users who are unwavering in their support for their favorite device), and may force the enterprise into a policy of acquiring the device for the employee. This is opposed to a truly clientless solution that will function on any reliable web browser on practically any device – including those already owned by the user.
Conclusion
When one looks closely at feature sets, two really different classes of SSL VPN products emerge. Most vendor solutions extend their standard security features to wireless portable devices. These include confidential communications, authentication, access control and usage audits. However, one vendor, Motivus Software, offers a unique security feature (on all devices) that can be especially important on mobile ones. If your security policy dictates that files be remotely edited without downloading them, you will pay a premium for this capability. The Motivus product is really more a complementary solution rather than an alternative to the others. So the decision comes down, not surprisingly, to figuring out what you need.
Note: NetScreen has announced its intention to acquire Neoteris.
Copyright 2003 Breakaway Security Group All rights reserved. Published October 2003
