Security Basics mailing list archives

Re: Clientless VPN (SSL VPN) vs HTTPS


From: Christopher Stromblad <cs () outpost24 com>
Date: Mon, 14 Aug 2006 18:03:21 +0100

Hi,

I tend to only read these lists, but the increasing amount of
mis-information presented on this list just has to stop and this is my
attempt to thwart this ever increasing trend by hopefully bringing some
clarity to at least this topic.

As Sean Swayze correctly states SSL VPN is NOT related to HTTP in
any way. There are some serious problems with the marketing of IT
security products and services these days with completely incorrect
information spreading like a plague. Let's use the terms for what they are.

SSL contains ciphers and algorithms to securely authenticate, provide
confidentiality and integrity to services using it. VPN in combination
with SSL can provide virtual private networks running across the
Internetwork securely. It is used to create virtual private network(s)
using the SSL cipher suite. One implementation of this is OpenVPN.

Let me attempt to illustrate this by a simple example:
(The information below is for reference and sake of clarity.)
Network setup:
User network is: 192.168.0.0/24
Company internal network is: 192.168.1.0/24 (A very small one I know!)
Company external address: mycompany.com (whatever the IP address might be)

Virtual NIC IP: 192.168.0.127 ("gateway" for internal network)
Real NIC IP: 192.168.0.1
Router IP: 192.168.0.254 (default gateway)
VPN port: 1023 (example only)

A mobile user wants to connect to a service which her company provides
but only to users on the internal network. So essentially we need a way
for this user to become part of the internal network, while
simultaneously residing on the external side of the company firewall and
network. This is exactly what a VPN provides.

Implementation at client side varies between different operating
systems, but conceptually this is what will happen. A virtual
Network Interface Card (NIC) will be created on the client computer
through which we will "route" all traffic targeted for internal network
of the company. The virtual NIC will encapsulate our original packets
and send them out like regular packets through the default gateway, but
now encapsulated by SSL. Before all this the user should of course have
been authenticated, something that OpenVPN also provides. We also have
to consider routing tables. We either have to tell the router (default
gateway) that packets destined for 192.168.1.0/24 should be routed back
through the virtual NIC, or we simply modify the local routing table
and directly route packets destined for 192.168.1.0/24 through the
virtual NIC.

Below is an attempt to "illustrate" what happens to a packet in transit
from the user to the internal network of the company:

Packet (dst: 192.168.1.5) -> VNIC (encapsulates packet and now it will
have a new dst address: mycompany.com) -> mycompany.com:1023 (VPN end
point will decapsulate the packet, and now the dst address is once again
192.168.1.5) -> target machine.

I know this is not the most illustrative example, but it should
hopefully bring some sort of clarity in how an SSL based VPN works, or
functions. Following this it should also be fairly obvious that it can
pretty much tunnel through any traffic, be it Instant Messaging, Network
File Systems, or a game of Quake World.

It is hopefully clear by now that there is a massive difference between
a secure web mail and an SSL VPN. Perhaps I've managed to explain it so
well that you can now also see they are not even related nor should be
mixed up in conversation, ever.

// Christopher

PS: I might have made some assumptions in my explanation which could
make it seem inaccurate, I just hope that is not the case. :)
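The routing-table change and the encapsulate/decapsulate flow described above, as an added worked example that is not code from the original post: a toy Python model using the post's addresses and port. Interface names ("vnic", "eth0"), the dict packet shape and the "tls" marker standing in for real SSL encapsulation are assumptions made for the illustration.

```python
import ipaddress

# Values taken from the post's example network setup
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_ENDPOINT = ("mycompany.com", 1023)  # company VPN end point and example port

# Hypothetical local routing table after the VPN client adds its route:
# internal network via the virtual NIC, everything else via the real NIC.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "vnic"),  # added by the VPN client
    (ipaddress.ip_network("192.168.0.0/24"), "eth0"),  # directly connected user LAN
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # default route via 192.168.0.254
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface name."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def client_send(packet):
    """Client side: only traffic routed to the VNIC gets wrapped in the tunnel.

    The wrapped packet carries the VPN end point as its new destination, so
    the default gateway forwards it like any other outbound packet.
    """
    if lookup(packet["dst"]) != "vnic":
        return packet  # plain packet out the real NIC, not tunnelled
    return {"dst": VPN_ENDPOINT[0], "dport": VPN_ENDPOINT[1],
            "proto": "tls", "inner": packet}


def vpn_decapsulate(outer):
    """VPN end point: strip the wrapper and hand back the original packet.

    Constructed safety check: the end point only delivers into the internal
    network it was set up for, so a tunnelled packet cannot be used to reach
    anything else through the gateway.
    """
    if outer.get("proto") != "tls" or outer.get("dport") != VPN_ENDPOINT[1]:
        raise ValueError("not a tunnel packet")
    inner = outer["inner"]
    if ipaddress.ip_address(inner["dst"]) not in INTERNAL_NET:
        raise ValueError("tunnel may only deliver into 192.168.1.0/24")
    return inner
```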




harbinger wrote:
Hi

These days SSL VPN has been the alternative to
the traditional IPsec VPN, particularly for users that
require only email access.

However, what is the difference in implementing SSL VPN,
which essentially means allowing only web-based traffic i.e. webmail,
as compared to just setting up a webmail server running HTTPS?

Can anyone point out the differences??

Thanks

---------------------------------------------------------------------------

This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------