SSL VPN Explained
SSL VPNs use browser-based protocols to create secure tunnels between a user’s device and an SSL VPN gateway. This end-to-end-encrypted (E2EE) tunnel gives remote users easy access to protected resources. SSL VPNs are relatively simple to deploy, easy to use, and work with access policies based on least privilege.
Although they kept the name of their original Secure Sockets Layer (SSL) protocol, today’s SSL VPNs use the more secure Transport Layer Security (TLS) protocol. Even then, administrators must address a few security issues with SSL VPNs.
We will explain how SSL VPNs work and the two ways companies implement these remote access solutions. A quick comparison with IPSec VPNs will explain the tradeoffs security administrators have to make. Finally, we will discuss how a secure access solution based on Zero Trust principles offers a better alternative.
One of the main reasons companies adopt an SSL VPN is because anyone who has surfed the web already knows how to use it. The secure HTTPS websites we use daily rely on TLS protocols built into every modern browser. Behind the scenes, a remote user’s SSL VPN connection starts the same way:
- Initial handshake: The user points their browser at their company’s SSL VPN gateway server to begin a quick handshake process.
- Server authentication: The server sends a certificate that the browser authenticates with a trusted certificate authority.
- Negotiate encryption: Once authenticated, the server and browser negotiate the encryption algorithm they will use.
- Key exchange: the server and browser exchange either a shared secret or public keys to establish the encrypted tunnel.
Once a secure, encrypted tunnel connects the user’s browser to the SSL VPN gateway server, things run a little differently from public websites. The gateway server presents the user with a login page that is integrated with the company’s authentication and authorization systems. Successfully logged in, the remote user has access to protected company resources, and the data has full E2EE protection.
What kinds of resources users can access will depend on how the company implements its SSL VPN: a simple SSL Portal VPN or a more capable SSL Tunnel VPN.
An SSL portal VPN works like any HTTPS-secured website. The gateway presents authenticated users with a portal web page with links to resources on the company network. Administrators can define least privilege access rules that only present links to the resources users require.
However, SSL portal VPNs have a few limitations. They only support one secure connection at a time. A bigger issue for some companies is that SSL portal VPNs only work with browser-friendly resources. Running legacy applications and network services through SSL portals requires additional development.
User traffic gets passed through secure tunnels to different protected resources at the gateway. The combination of secure tunneling and a client-side app gives users simultaneous connections to network services, on-premise resources, or cloud-based resources.
An SSL VPN provides a more straightforward user experience and better security than traditional VPNs while reducing administrative overhead and expenses.
- Easy to deploy - Since every modern browser, both mobile and desktop, supports the latest TLS protocol, SSL VPN will work with almost any user device. Administrators do not need to modify user devices or deploy client apps. Everything happens just in time as the user connects to the gateway.
- Easy to use - With an experience like everyday web browsing, remote workers automatically understand how the SSL VPN works with every device they use.
- Easy to support - A simple user experience combined with near-universal browser and device compatibility makes life easier for administrators and help desks.
- Support least-privilege access - SSL VPNs let administrators control access through policies based on principles of least privilege. Hackers can still exploit compromised devices or credentials, but they get limited access to the private network.
Most traditional VPNs use the IPsec protocol to create encrypted tunnels between a remote user’s device and the company’s VPN gateways. IPsec is a more capable protocol than TLS. With the right configuration, IPsec VPNs can connect users to any protected resource, whether browser-aware or not. That capability, however, comes at a figurative and literal price.
This complex protocol requires changes to the operating system and security software on every user’s device. Each device must run an IPsec VPN client app and may require a security key or other hardware to work. Unlike an SSL VPN, administrators must correctly configure IPsec VPN gateways because they give users full access to a protected network. Thus, administrators can easily create security holes by misconfiguring the deeply complex protocol.
On top of the extra workload they impose, IPsec VPNs can get quite expensive due to license fees, user hardware, and network upgrades.
The simplicity of SSL VPNs makes them more appropriate for most remote users. Whether on-premise, cloud-hosted, or offered by a SaaS provider, modern enterprise apps have browser interfaces. In addition to the benefits we reviewed earlier, an SSL VPN provides all the access most remote users will need without the overhead and expense of an IPsec VPN.
Still, an SSL VPN is not a perfect solution. Getting it to work with resources and services that are not browser-aware adds overhead and complexity. Man-in-the-middle attacks, phishing, and other security threats can compromise protected resources.
The biggest downside to an SSL VPN is that it is a VPN. It suffers from that legacy technology’s weaknesses. By concentrating user traffic onto the private network, SSL VPNs increase congestion, reduce bandwidth, and add latency. Split tunneling can help, but the user experience and overall network performance will still suffer.
SSL VPNs can also increase an attack surface due to their very public presence. The SSL VPN gateway broadcasts its presence on the public internet to be discoverable by remote users. Simple tools let hackers discover and monitor these gateways for any vulnerabilities. If over-burdened administrators take too long to deploy their VPN vendor’s security patches, they give hackers a window to penetrate the network.
Twingate offers a software-based access solution with the low cost and simplicity of an SSL VPN but with the security benefits of Zero Trust Network Access (ZTNA). This modern approach to access control recognizes the distributed nature of how computing works today.
Legacy VPN technologies appeared when a company’s resources sat on private, on-premise networks. However, networking and security paradigms have evolved to meet the needs of modern, distributed teams. Today, companies must create perimeters not around a network but around every resource an employee may need to access from anywhere in the world. Often these resources are no longer hosted on-premises either; they are often hosted in the cloud. Thus, today the internet is as much part of the network infrastructure as a private LAN.
Additionally, fewer users are employees as companies have a dynamic mix of contractors and other third parties interacting daily with company resources. Companies have evolved from the old secure perimeter, hub-and-spoke paradigm to today’s distributed network architecture. Providing access while keeping sensitive data secure requires a solution optimized for this new way of working.
Rather than protecting networks, Twingate uses software-defined perimeters to make individual resources invisible from any network. Users connect directly to the resources through encrypted tunnels.
Directly connecting users with resources eliminates VPN’s network performance issues. Private networks only carry traffic destined for on-premise resources. Traffic to cloud-based resources passes along the most performant routes.
Role-based policies combine with rules for device posture to give administrators granular control over the resources users may access. Detailed activity logs indexed by user and device make spotting unusual behavior easier and let security administrators respond to attacks faster.
Twingate gives companies a scalable path to modern ZTNA secure access. Compatible with existing security stacks, Twingate works with companies’ current identity providers, single-sign-on, and multi-factor authentication systems. Twingate deployments can happen in phases, first protecting the most important users and resources while leaving legacy VPN solutions in place for everyone else. As more users migrate to Zero Trust access, administrative overhead falls and user productivity improves.
SSL VPNs provide a simpler alternative to IPsec VPN that is more appropriate to the browser-compatible nature of modern enterprise applications. But an SSL VPN is still a VPN and subject to all the weaknesses this legacy technology brings.
Twingate offers a more secure, performant, and convenient approach to secure access based on modern principles of Zero Trust Network Access. Designed for a world when users and resources can be anywhere, Twingate connects the two sides directly while keeping sensitive company data secure.
Find out how to deploy Twingate within minutes to protect the most critical resources while improving users’ experience. Or sign up with our free Starter plan for individuals and small teams to see Zero Trust Network Access in action.