Auerbach Publications

SSL VPN for Secure Wireless LAN Access
Using an In-House Approach to Delivering a Wireless Solution

Ameet Dhillon

When tasked with deploying a wireless LAN (WLAN) infrastructure within an organization, most people believe they must choose an outside vendor (for example, Cisco Systems, Aruba Networks, Trapeze Networks, or Symbol Technologies) to implement a solution that is both scalable and secure, and does not expose the company's data to wireless users.

However, if you have an SSL VPN appliance in place or are planning to implement one (perhaps to replace your IPsec VPN), you have all it takes to deploy a wireless LAN in-house. This article takes a look at the SSL VPN option, compares it to WLAN solutions, and covers the key benefits of an SSL VPN.

Why an SSL VPN Appliance?
For most deployment scenarios, an SSL VPN appliance can provide many of the features and benefits of a special-purpose WLAN controller for wireless access, but at a much lower cost and with greater flexibility. The basic premise is simple: Treat your wireless LAN (for example, 802.11g) users the same way you would treat a remote user accessing your network from home or a coffee shop. In other words, from an implementation and policy perspective, consider remote users and corporate wireless users the same.

This rule is also helpful for end-users because, for them, the user experience will be exactly the same, whether they are accessing the network from home or over the corporate wireless network. They will not have to launch a separate client for wireless access or go to a different URL or portal; their user experience will be consistent.

SSL VPN and WLAN Solutions Compared
So how does an SSL VPN solution for WLAN access compare to what a WLAN vendor might offer? Here are some key selling points for WLAN solutions with an explanation of how an SSL VPN can offer similar, complementary, or greater functionality.

Centralized Security and Management: An SSL VPN is a centralized point for security and management. The appliance is the single point of contact for all remote access traffic: it is where traffic is terminated and decrypted. Because all traffic comes through the appliance, it provides the perfect place to define user policies and collect statistics such as who accessed what, and when.

In fact, if an enterprise deploys both an SSL VPN and a WLAN controller, in some sense they are taking away one of the main advantages of centralized management: a single or centralized place to define access policies. One way to prevent this is to deploy an SSL VPN for both remote and wireless access needs.

Strong and Scalable Data Encryption for Maximum Security: Data encryption is a strong point of SSL and is used to secure the most sensitive transactions on the Internet (for example, online banking). In fact, the encryption and overall data security provided by SSL VPN devices is as good as or better than that provided by any WLAN vendor. To address scalability, many SSL VPN device vendors provide hardware-based SSL acceleration.

Scalability: Scalability is typically measured in terms of the number of concurrent users on a given appliance (for example, 2,000) and throughput (Mbps or Gbps). WLAN appliances and enterprise-grade SSL VPN appliances are in the same range for these measurements, offering the same level of scalability.

Endpoint Security: Many SSL VPNs offer endpoint security that is superior to what is offered on most WLAN appliances. For example, some SSL VPNs offer a wide array of endpoint checks such as the presence of a specific antivirus (Symantec, to name one) or personal firewall software.

Roaming or Mobility: Some WLAN controllers enable a user to "seamlessly" roam across access points, for example, walking from one building to another without losing access. Roaming support is not common with SSL VPNs, but some vendors offer a feature called "auto reconnect" that will automatically reestablish a connection if it is temporarily interrupted, as when moving from one access point to another, or when a glitch occurs in the Wi-Fi signal. By offering auto reconnect, companies can ensure that most applications will not time out and will continue as before once the lower layer connection is reestablished.

RF Monitoring and Planning: RF (radio frequency) monitoring and planning tools help efficiently position wireless access points (APs) to avoid dead spots (holes in Wi-Fi coverage), detect sources of RF interference, or identify faulty access points. These tools don't have anything to do with securing your applications or data, and therefore are complementary to an SSL VPN. In other words, you can install an SSL VPN to secure wireless access, and use these tools only if you need better RF monitoring and planning.

While these tools may be helpful for large AP deployments (for example, hundreds of APs), they may not be needed for the vast majority of medium-size enterprise installations. One thing to keep in mind is that these tools will work only with a particular WLAN vendor's APs, leaving you with very little flexibility. However, with an SSL VPN approach, you can use any AP on the market; in fact, in many cases, you can overcome deployment problems simply by installing low-cost APs.

Rogue Access-point Detection: A rogue access point is one that the company does not authorize for operation. For example, an employee might plug an AP into an open data port, and suddenly anyone with Wi-Fi capabilities can use that access point. Rogue AP detection is a part of what some WLAN vendors refer to as "securing (or locking) the air." Rogue AP detection and other methods used to prevent unwanted users from jumping onto an access point are complementary to SSL VPNs. These methods provide the first level of defense against someone exploiting an access point. But even if they try to exploit it, the SSL VPN is in place to make sure that critical applications and data are protected. Because of the defense offered by the SSL VPN, many enterprises are okay with simply deploying wireless WEP or WPA encryption on the access point, despite the widely publicized shortcomings of these security measures. The thinking here is that the bad guys might break down the first door, but if they do, you have an even stronger one just behind it.
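Both the premise of treating wireless users like remote users and the "stronger door behind the first" argument hold only if the wireless segment can reach nothing except the SSL VPN appliance. The following added example (not from the original article) audits a first-match rule list for the WLAN segment against that requirement; the Rule type, the addresses and both rule sets are constructed for illustration, and the firewall in front of the WLAN is assumed to evaluate rules in order.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:          # hypothetical rule format, not any vendor's syntax
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    dst: str         # destination network in CIDR form
    port: int        # destination port, 0 = any

# Constructed addresses (assumptions): the SSL VPN appliance and a DNS resolver.
VPN = ipaddress.ip_network("192.0.2.10/32")
DNS = ipaddress.ip_network("192.0.2.53/32")
PERMITTED = {("tcp", VPN, 443), ("udp", DNS, 53)}

def audit_wlan_rules(rules):
    """Return findings for a first-match rule list applied to traffic leaving the WLAN."""
    findings = []
    for i, r in enumerate(rules, 1):
        dst = ipaddress.ip_network(r.dst)
        catch_all = r.proto == "any" and dst.prefixlen == 0 and r.port == 0
        if r.action == "deny":
            if catch_all:
                return findings   # rules after a deny-all are never reached
            continue
        if (r.proto, dst, r.port) not in PERMITTED:
            findings.append(f"rule {i}: allow {r.proto} {r.dst}:{r.port} bypasses the SSL VPN")
    findings.append("no final deny-all: unmatched WLAN traffic is not explicitly dropped")
    return findings

# Constructed rule set: WLAN bridged onto the internal network.
FLAT = [Rule("allow", "tcp", "192.0.2.10/32", 443),
        Rule("allow", "tcp", "10.0.0.0/8", 445),   # direct file-share access
        Rule("allow", "any", "0.0.0.0/0", 0)]

# Constructed rule set: WLAN treated like the Internet side of the appliance.
REMOTE_LIKE = [Rule("allow", "tcp", "192.0.2.10/32", 443),
               Rule("allow", "udp", "192.0.2.53/32", 53),
               Rule("deny", "any", "0.0.0.0/0", 0)]

if __name__ == "__main__":
    for name, rules in (("FLAT", FLAT), ("REMOTE_LIKE", REMOTE_LIKE)):
        print(name, audit_wlan_rules(rules) or "ok")
```

The check is conservative: it flags every allow rule outside the permitted set, even one that an earlier narrow deny would shadow.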

This article has demonstrated that there is no reason to treat your corporate wireless LAN access differently from the way you handle remote access (from home, for example). In fact, from an IT management and end-user perspective, these two access scenarios are nearly identical, and therefore should be treated the same way. If you're using an SSL VPN for remote access at your company, then you have a robust wireless access solution already in place.

About the Author
Ameet Dhillon is Director of Product Management at F5 Networks.

© Copyright 2007 Auerbach Publications.