Security Basics mailing list archives
Re: Clientless VPN (SSL VPN) vs HTTPS
From: Christopher Stromblad <cs () outpost24 com>
Date: Mon, 14 Aug 2006 18:03:21 +0100
Hi,

I tend to only read these lists, but the increasing amount of misinformation presented on this list just has to stop, and this is my attempt to thwart this ever-increasing trend by hopefully bringing some clarity to at least this topic.

As Sean Swayze correctly states, SSL VPN is NOT related to HTTP in any way. There are some serious problems with the marketing of IT security products and services these days, with completely incorrect information spreading like a plague. Let's use the terms for what they are.

SSL contains ciphers and algorithms to securely authenticate, and provide confidentiality and integrity to, services using it. VPN in combination with SSL can provide virtual private networks running across the Internetwork securely. It is used to create virtual private network(s) using the SSL cipher suite. One implementation of this is OpenVPN.

Let me attempt to illustrate this by a simple example. (The information below is for reference and for the sake of clarity.)

Network setup:
  User network is: 192.168.0.0/24
  Company internal network is: 192.168.1.0/24 (A very small one, I know!)
  Company external address: mycompany.com (whatever the IP address might be)
  Virtual NIC IP: 192.168.0.127 ("gateway" for internal network)
  Real NIC IP: 192.168.0.1
  Router IP: 192.168.0.254 (default gateway)
  VPN port: 1023 (example only)

A mobile user wants to connect to a service which her company provides, but only to users on the internal network. So essentially we need a way for this user to become part of the internal network while simultaneously residing on the external side of the company firewall and network. This is exactly what a VPN provides.

Implementation at the client side varies between different operating systems, but conceptually this is what will happen. A virtual Network Interface Card (NIC) will be created on the client computer, through which we will "route" all traffic targeted for the internal network of the company. The virtual NIC will encapsulate our original packets and send them out like regular packets through the default gateway, but now encapsulated by SSL. Before all this the user should of course have been authenticated, something that OpenVPN also provides.

We also have to consider routing tables. We either have to tell the router (default gateway) that packets destined for 192.168.1.0/24 should be routed back through the virtual NIC, or we simply modify the local routing table and directly route packets destined for 192.168.1.0/24 through the virtual NIC.

Below is an attempt to "illustrate" what happens to a packet in transit from the user to the internal network of the company:

  Packet (dst: 192.168.1.5) -> VNIC (encapsulates packet, and now it will have a new dst address: mycompany.com) -> mycompany.com:1023 (VPN end point will decapsulate the packet, and now the dst address is once again 192.168.1.5) -> target machine.

I know this is not the most illustrative example, but it should hopefully bring some sort of clarity to how an SSL-based VPN works, or functions. Following this it should also be fairly obvious that it can pretty much tunnel through any traffic, be it Instant Messaging, Network File Systems, or a game of Quake World.

It is hopefully clear by now that there is a massive difference between a secure web mail and an SSL VPN. Perhaps I've managed to explain it so well that you can now also see they are not even related, nor should they be mixed up in conversation, ever.

// Christopher

PS: I might have made some assumptions in my explanation which could make it seem inaccurate; I just hope that is not the case. :)

harbinger wrote:
> Hi
>
> These days SSL VPN has been the alternative to the traditional IPsec VPN, particularly for users that require only email access. However, what is the difference in implementing SSL VPN, which essentially means allowing only web-based traffic, i.e. webmail, as compared to just setting up a webmail server running HTTPS?
>
> Can anyone point out the differences?
>
> Thanks

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
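The packet path Christopher walks through above (client routing table, virtual NIC, encapsulation toward mycompany.com:1023, decapsulation on the company side) as a small runnable model. This is an added example written for this archive page; it is not code from the post, from OpenVPN, or from any SSL VPN product. It uses the addresses from the post, takes 203.0.113.10 (a documentation range) as a placeholder for mycompany.com's public IP, and stands in for the SSL layer with a keyed HMAC tag so the endpoint's integrity check before decapsulation is visible; a real tunnel carries the inner packet inside a TLS record and also gets confidentiality, which this model deliberately does not provide. It also shows both routing options the post mentions: a local route for 192.168.1.0/24 into the virtual NIC, or no such route, in which case the packet leaves in the clear and the router would have to send it back.

```python
"""Toy model of an SSL VPN client's packet path: longest-prefix routing,
a virtual NIC (tun0) that wraps packets for the VPN endpoint, and the
endpoint that verifies and unwraps them. Constructed example, not OpenVPN."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# Values from the post; the VPN endpoint IP is a placeholder for mycompany.com.
USER_NET = ipaddress.ip_network("192.168.0.0/24")
COMPANY_NET = ipaddress.ip_network("192.168.1.0/24")
REAL_NIC_IP = "192.168.0.1"
ROUTER_IP = "192.168.0.254"
VPN_ENDPOINT_IP = "203.0.113.10"   # constructed placeholder (TEST-NET-3)
VPN_PORT = 1023
# Stand-in for the key the SSL handshake would negotiate after authentication.
SESSION_KEY = b"constructed-session-key"
TAG_LEN = 32


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    dst_port: Optional[int] = None   # only set on the outer (tunnel) packet


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]           # None means directly connected


def build_routes(route_company_net_via_vnic: bool) -> List[Route]:
    """Client table. With the flag, 192.168.1.0/24 goes into tun0 (the post's
    second option); without it, the packet follows the default route."""
    routes = [
        Route(USER_NET, "eth0", None),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", ROUTER_IP),
    ]
    if route_company_net_via_vnic:
        routes.append(Route(COMPANY_NET, "tun0", None))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, as a kernel forwarding table does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def serialize(pkt: Packet) -> bytes:
    hdr = struct.pack("!4s4sH", ipaddress.ip_address(pkt.src).packed,
                      ipaddress.ip_address(pkt.dst).packed, len(pkt.payload))
    return hdr + pkt.payload


def deserialize(data: bytes) -> Packet:
    src, dst, n = struct.unpack("!4s4sH", data[:10])
    return Packet(str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                  data[10:10 + n])


def vnic_encapsulate(inner: Packet) -> Packet:
    """tun0 wraps the whole inner packet and addresses it to the VPN endpoint.
    The HMAC tag models the integrity side of the SSL layer only."""
    body = serialize(inner)
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return Packet(REAL_NIC_IP, VPN_ENDPOINT_IP, tag + body, VPN_PORT)


def client_transmit(pkt: Packet, routes: List[Route]):
    """Returns the packet that actually leaves the real NIC plus a hop trace."""
    first = lookup(routes, pkt.dst)
    trace = [f"{pkt.dst} matches {first.prefix} -> {first.iface}"]
    if first.iface != "tun0":
        trace.append(f"leaves unencapsulated via {first.gateway or 'link'}")
        return pkt, trace
    outer = vnic_encapsulate(pkt)
    trace.append(f"tun0 encapsulates; outer dst {outer.dst}:{outer.dst_port}")
    # The wrapper is routed again and must not match the tunnel route itself,
    # otherwise tun0 would swallow its own output (routing loop).
    second = lookup(routes, outer.dst)
    if second.iface == "tun0":
        raise RuntimeError("routing loop: VPN endpoint is only reachable via tun0")
    trace.append(f"outer packet -> {second.iface} via {second.gateway}")
    return outer, trace


def verify_wrapper(outer: Packet) -> bool:
    """Endpoint-side check of the tag before anything is decapsulated."""
    tag, body = outer.payload[:TAG_LEN], outer.payload[TAG_LEN:]
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def vpn_endpoint_receive(outer: Packet) -> Packet:
    """mycompany.com:1023 strips the wrapper and forwards the inner packet
    only if it is genuinely bound for the internal network."""
    if not verify_wrapper(outer):
        raise ValueError("integrity check failed; dropping")
    inner = deserialize(outer.payload[TAG_LEN:])
    if ipaddress.ip_address(inner.dst) not in COMPANY_NET:
        raise ValueError(f"{inner.dst} is not on the internal network; dropping")
    return inner


if __name__ == "__main__":
    table = build_routes(route_company_net_via_vnic=True)
    wire, hops = client_transmit(Packet(REAL_NIC_IP, "192.168.1.5", b"GET /intranet"), table)
    print("\n".join(hops))
    delivered = vpn_endpoint_receive(wire)
    print(f"delivered to {delivered.dst}: {delivered.payload!r}")
```

Running it prints the two routing decisions (the inner packet into tun0, the wrapper out eth0 via 192.168.0.254) and the decapsulated packet arriving at 192.168.1.5. The `second.iface == "tun0"` guard is the practical caveat behind "send them out like regular packets through the default gateway": the tunnel endpoint's own address must never be routed into the tunnel.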
Current thread:
- Clientless VPN (SSL VPN) vs HTTPS harbinger (Aug 11)
- Re: Clientless VPN (SSL VPN) vs HTTPS Eoin Miller (Aug 14)
- Re: Clientless VPN (SSL VPN) vs HTTPS PCSC Information Services (Aug 14)
- Re: Clientless VPN (SSL VPN) vs HTTPS Saqib Ali (Aug 14)
- Re: Clientless VPN (SSL VPN) vs HTTPS Joe (Aug 14)
- RE: Clientless VPN (SSL VPN) vs HTTPS Melchior, Raimar (Aug 14)
- Re: Clientless VPN (SSL VPN) vs HTTPS Christopher Stromblad (Aug 15)
- <Possible follow-ups>
- Re: Clientless VPN (SSL VPN) vs HTTPS bhaven . haria (Aug 14)
- RE: Clientless VPN (SSL VPN) vs HTTPS Wesley Ward (Aug 14)