135
Chapter 10:
Connections from Afar: Remote Network Access
Another major type of VPN is one built into a firewall device. Most popular firewalls,
such as Check Point's Firewall-1 or WatchGuard's Firebox, serve not only as firewall
devices, but also as VPN hosts. Firewall VPNs can be used both to support remote
users and also to provide WAN VPN links. The benefit of using a firewall-based VPN
is that you can administer your network's security--including both standard firewall
security and VPN security--entirely within the firewall. For example, you could
configure the firewall to allow connections to the network only when they are made as
part of a valid VPN connection.
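As an added illustration of that last point (this is not a configuration from the book or from any vendor named here), the following nftables ruleset shows a Linux host acting as a combined firewall and VPN gateway where the only way to reach the internal network from the Internet is through an established VPN tunnel. Interface names eth0 (Internet), eth1 (LAN) and tun0 (tunnel created by the VPN daemon) are assumptions.

```nft
# Added example, not part of the original text. Assumed interfaces:
# eth0 = Internet-facing, eth1 = internal LAN, tun0 = VPN tunnel.
table inet vpn_gateway {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # From the Internet, accept only VPN protocols:
        # IKE and NAT-T (UDP 500/4500) plus ESP for IPsec,
        # and HTTPS for an SSL VPN portal hosted on the same box.
        iif eth0 udp dport { 500, 4500 } accept
        iif eth0 meta l4proto esp accept
        iif eth0 tcp dport 443 accept

        # Management of the firewall itself only from the LAN or the tunnel.
        iif { eth1, tun0 } tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The LAN is reachable only through the tunnel, never directly
        # from eth0: a connection must be part of a valid VPN session.
        iif tun0 oif eth1 accept
        iif eth1 oif tun0 accept

        # LAN hosts may still initiate traffic toward the Internet.
        iif eth1 oif eth0 accept
    }
}
```

Any packet from eth0 that is not VPN traffic, and any forwarded packet that did not arrive on tun0, falls through to the drop policy, which is the single-point-of-administration benefit the paragraph above describes.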
The third major type of VPN includes those offered as part of a network operating
system. The best examples of this type are Windows RRAS and Novell's BorderManager
software. These VPNs are most often used to support remote access, and they are
generally the least expensive to purchase and install.
The fourth major type is the SSL VPN, a relatively new category. This is actually
my overall favorite for remote access support. An SSL VPN takes advantage of the
Secure Sockets Layer (SSL) encryption technology built into most web browsers to offer
VPN services through the web browser. SSL is the same technology used to encrypt
information in web pages that use the https:// prefix, such as for shopping or online
banking web sites.
SSL VPNs bring a number of attractive benefits to supporting remote access:

- No client software needs to be installed on the remote computer, except, usually, for an ActiveX or Java add-in that installs into the browser automatically. There is essentially no configuration or management required on the remote system. This is an important point, because most VPN client software is very difficult to support.

- Provided the users know the web address of the SSL VPN server and have the correct information to authenticate (log in) to the system, they can log in from almost any Internet-connected computer in the world and access a wide range of network services through simple web pages.

- Because many common functions, such as file management, can be performed using web pages, SSL VPNs work much better over lower-bandwidth connections than other VPN alternatives. HTML was designed to be stingy in its use of network bandwidth, so many tasks that are slow over a traditional VPN connection are much faster with an SSL VPN.

- Most SSL VPNs, in addition to their web-based access features, also allow the user to start a remote node connection on demand; this remote node connection runs through browser plug-ins that are installed and configured automatically.
SSL VPNs are typically offered as an appliance--a rack-mountable piece of
equipment that contains all of the hardware and software needed to run the VPN.