SSL VPN and return on investment. A possible combination

Wednesday, May 05, 2010

Dario Forte



Companies have by now spent a great deal of time evaluating options for remote access to their information systems. Many began with IPsec-based tunnels to interconnect different sites. It all seemed rather simple at first, but as the number of sites (and clients) to be interconnected grew, scalability and interoperability problems began to emerge.

Many companies then tried to scale (or actually replace) IPsec with PPTP (Point-to-Point Tunneling Protocol). But a dual problem arose in this case: the tunnel's security level was inadequate, and it was difficult to select permission and access types once the connection had been established. PPTP in particular has intrinsic security weaknesses (its MS-CHAP authentication and the MPPE encryption built on it have long-known attacks), with repercussions on daily operations.

Client needs

It seems almost superfluous to say, but companies today need to give their mobile work force maximum access to their information systems while also guaranteeing maximum security. Demands for network access are now many and varied and carry a series of unknowns that must not be underestimated. While the problem is simple to outline from the security standpoint, there are inner areas of criticality that must not be overlooked. One of these is hidden costs, and the most commonly recognized of them is administration cost. Administration costs include implementation costs, which are directly proportional to the difficulty of deployment. We must also factor into the equation the fact that virtualized, terminal-server-based and, obviously, directory-based infrastructures are growing in number.

For these reasons, many companies have started to turn to "alternative" VPN systems, for example those based on the SSL protocol. Many implementations of this type are commercial, while others are open source. The author has often met with clients who have attempted a "homemade" implementation, most often based on Linux, and then moved on to more "solid" commercial options. The latter are usually based on dedicated appliances and provide a series of additional advantages that we will discuss one by one below:

1)     The hardware has been designed for a specific purpose. It might seem obvious, but an SSL VPN appliance built on ad hoc hardware provides better performance and scalability than an analogous system based exclusively on software running on general-purpose servers;

2)     The use of dedicated appliances indirectly favours a rationalized organization of security management. Since we are talking about network appliances, the devices are managed by the client's networking department. This means better organization of access management and secure connections, which, technically speaking, are often already handled by the network staff;

3)     With the adoption of an appliance, the vendor becomes the single client interface, with consequent pre-sale and post-sale savings of time and money. Furthermore, since the provider represents a single, unified commercial interface, a partnership may be established (and consolidated), something which is far from automatic with multi-vendor solutions;

4)     Disaster recovery and business continuity. Thanks to their implementation architecture, SSL VPN appliances allow very quick restoration of remote connectivity in the event of a security incident or, worse yet, the loss of network segments. This provides further assurance that business continuity can be preserved;

5)     Virtualization and management of access gateways from a single point. Most of the options available on the market allow the creation of multiple access gateways handled by a single appliance. This extends governance over a large number of widely dispersed mobile users from a single control point.

Observations in terms of security: authentication method

Password-based authentication presents a host of problems. First and foremost among them is that a compromised password is unlikely to be noticed. If an attacker succeeds in guessing a password, the legitimate owner is often unaware that his or her credentials, or entire identity, have been stolen. Sharing a password among a group is another area of risk in this type of authentication. Among other problems, the passwords that are hardest to guess are also the hardest to remember, and forgotten passwords add to administrative costs in servicing people who need to recover them. Furthermore, since passwords are not easy to remember, users generally reuse the same one across different systems, so the attacker only has to guess it once to gain access to all of them. And of course there are those who write down their passwords to make sure they won't forget them, an open invitation to disaster.

Hardware-based authentication keys address most of these problems by removing the user-chosen password from the equation. Users are provided with a physical device (security token) that must be present for authentication to be accomplished. These devices are usually protected by a PIN, similar to that of an ATM card, so that they cannot be used if they are stolen or lost; the combination of something you have (the token) and something you know (the PIN) gives a two-factor authentication process. Hardware authentication keys are difficult to clone and practically impossible to share (short of physically handing the device to someone else). The user's credentials are stored in the token, and since the secret resides there, the user only has to remember his or her PIN to access the network. If the token is lost or stolen it is unusable without the PIN and, as is the case with ATM cards, it is blocked after a certain number of incorrect PIN attempts. It should in any case be revoked on the server side as soon as the loss is reported.

Security tokens for VPNs are still rare and generally difficult to implement. To meet the growing demand for this type of authentication, many SSL VPN systems provide built-in support for security tokens.
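To make the token mechanism described above concrete, here is an added example in Python (not code from the original article or from any vendor's appliance) of the server side of an event-based one-time-password token. The token code is computed as in RFC 4226 (HOTP); the user submits PIN plus token code; the server tolerates a small counter look-ahead for codes generated but never submitted, refuses replays by only accepting counters past the last one used, and blocks the record after three consecutive failures. The user name, PIN and seed are constructed for the example (the seed is the RFC 4226 test vector). Counting a wrong code as well as a wrong PIN toward the lockout goes slightly beyond the text, since a six-digit code is also guessable.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one issued hardware token (constructed example)."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self.secret = secret        # shared seed programmed into the token
        self.counter = 0            # lowest counter value the server will still accept
        self.failures = 0           # consecutive failed attempts (PIN or code)
        self.locked = False
        self.salt = os.urandom(16)  # PIN is kept only as a salted PBKDF2 hash
        self.pin_hash = self._hash_pin(pin)

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def check_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self._hash_pin(pin), self.pin_hash)


class TokenVerifier:
    MAX_FAILURES = 3   # as with an ATM card: three strikes and the token is blocked
    LOOKAHEAD = 5      # codes pressed on the token but never submitted are tolerated up to here

    def __init__(self) -> None:
        self.records: dict[str, TokenRecord] = {}

    def enroll(self, username: str, secret: bytes, pin: str) -> None:
        self.records[username] = TokenRecord(secret, pin)

    def verify(self, username: str, pin: str, code: str) -> bool:
        rec = self.records.get(username)
        if rec is None or rec.locked:
            return False
        if rec.check_pin(pin):
            # Walk the look-ahead window. The window starts just past the last
            # accepted counter, so an already-used code can never match again.
            for c in range(rec.counter, rec.counter + self.LOOKAHEAD + 1):
                if hmac.compare_digest(hotp(rec.secret, c), code):
                    rec.counter = c + 1   # resynchronise and consume this code
                    rec.failures = 0
                    return True
        rec.failures += 1
        if rec.failures >= self.MAX_FAILURES:
            rec.locked = True             # stays locked until an administrator re-enables it
        return False


def make_demo_verifier() -> TokenVerifier:
    """One enrolled user using the RFC 4226 test seed (constructed demo data)."""
    v = TokenVerifier()
    v.enroll("alice", b"12345678901234567890", "1234")
    return v


if __name__ == "__main__":
    seed = b"12345678901234567890"
    v = make_demo_verifier()
    print(v.verify("alice", "1234", hotp(seed, 0)))  # accepted
    print(v.verify("alice", "1234", hotp(seed, 0)))  # rejected: replay of a consumed code
```

In a real deployment the PIN check would go through the directory (RADIUS or LDAP) rather than a local hash, and the seed store would be protected at least as carefully as the password database it replaces, since anyone who reads the seeds can generate every user's codes.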

Return on Investment

The return on investment for these systems is usually calculated by assessing the following factors:

1)     Savings on implementation costs. During the preliminary feasibility study, the estimated or actual costs of a "traditional" option (such as those mentioned at the beginning of this article) are compared with those of the SSL VPN alternative;

2)     Savings in administration costs. Another element to consider when comparing options and calculating ROI is the administration cost of the new option relative to the others. The possibility of centralized administration of the VPN is certainly something to be weighed in terms of cost management;

3)     Savings and green computing. In certain cases during my work as an advisor, I have had occasion to estimate, together with the client, the impact on energy consumption of one option with respect to another. It is clear, for example, that the greater the virtualization and throughput capacity, the greater the potential energy efficiency.

Rent or buy?

Another question of much relevance to those who pay for the technology is how its provision is structured. In a period of limited or even frozen budgets, some vendors offer these technologies as a service and/or pure rental. It is a choice worth considering carefully, given that we are talking about core infrastructure of the client company. Some opt for the traditional purchase because they want to avoid any further involvement of suppliers or service providers. Others instead seek alternative forms of provision, working out a plan with the service provider to get the most out of their planned investment. I can confidently affirm, on the basis of my direct experience, that service provider and final user have a complete array of commercial options available to them, making a win-win result quite easily achievable.

Another very important aspect to keep in mind in building a VPN is the service level that will be demanded of the network. If the information traveling over the VPN is critical to the company, the network must be sized appropriately to ensure the desired level of performance, which is achieved by provisioning the proper bandwidth.

Even more important, however, is guaranteeing that the performance the network provides is constant over time and sustains an information flow that meets company needs.

In the case of VPNs over public infrastructure, several service providers come into play and it is not possible to predetermine the route the traffic will take from one node to another. In this case one can only provision adequate bandwidth at the endpoints; a minimum service level cannot be dictated, because the intermediate carriers are not under the company's control.

Thus this type of VPN is suitable only for applications that are not mission critical, where an interruption or slowdown in data flow will not produce serious consequences. The appeal of this type of networking solution is its relatively low cost.

If a constant flow of information is vital, it will be necessary to opt for a VPN supported by a single carrier. In this case a Service Level Agreement can be drawn up specifying parameters such as minimum and maximum bandwidth and the time slots in which an above-average connection quality is guaranteed. The cost of this type of VPN is closely linked to its geographical extent, the guarantees included in the contract and the choice of carrier.


Virtual Private Networks using the Secure Sockets Layer protocol (SSL, today TLS) will soon become one of the de facto standards for securing privileged communications and remote access. In a period when the mobile work force is undergoing continual and dynamic evolution, long implementation and administration lags are not an option. Furthermore, security protocols are now reaching a state of consolidation that should simplify the choice of technology, allowing the client to concentrate more fully on the added features and commercial aspects of the services provided.

Dario Forte, CFE, CISM, CGEIT, is the founder and CEO of DFLabs, a European firm specializing in Governance, Risk and Compliance.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
