26 Mar 2020
Remote Working With SSL VPN
Recent events have forced many workers to work from home, but which VPN type is the most secure and easiest to use?
Today we’re looking at SSL VPN and will cover the following:
- Ease of Use
SSL VPN is highly secure, but not as secure as an IPSec-based VPN because it cannot incorporate multi-layer encryption; as a result, an attacker only needs to know the public IP address and the client login details.
The connection itself is protected by TLS encryption, so it is only the lack of a second layer that is a risk, and you have the option to incorporate WatchGuard AuthPoint to add Multi-Factor Authentication.
Ease of Use/Configuration
Unlike IKEv2, the SSL VPN requires a separate client application, which can be obtained by browsing to the public IP address of the Firebox and logging in with either Active Directory/LDAP credentials or a local user stored on the Firebox.
Define the public IP address the VPN will connect to and specify the DHCP pool for clients.
You can configure split tunnelling and specific resources users can access if it’s required.
Select the authentication server you wish to use along with any local users you may have configured.
Specify any authentication or encryption settings you wish to use, along with any specific DNS servers you wish the users to use.
You can either push the client out via Group Policy if using a Windows Domain, or instruct users to navigate to https://<Firewall IP or DNS name>/sslvpn.html, where they can log in with their user credentials and download the most relevant client for their OS.
Once installed, users can then log in to the SSL VPN connection.
One advantage of SSL VPN is that it uses TCP port 443 for authentication and to form the tunnel, so on any network that doesn’t decrypt HTTPS traffic it will just work with no issues.
However, any form of Content Inspection, Protocol Enforcement or Application Control that blocks OpenVPN software could cause the VPN to fail to establish.
Typically SSL VPN has a heavy impact on speed and performance because it relies on TCP, meaning every packet needs an acknowledgement.
For latency-sensitive applications like VoIP, or where raw speed is required for file transfers, this may not be the best option for you.
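As an added example (not code from the original post, nor from WatchGuard or Purdicom), the Python script below checks from a remote network whether the path to the Firebox behaves as the two paragraphs above describe: TCP 443 reachable, the TLS handshake completing, and the certificate unchanged. It assumes you recorded the SHA-256 fingerprint of the Firebox's own certificate from inside the LAN beforehand; the hostname and fingerprint are placeholders.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass

@dataclass
class ProbeResult:
    tcp_ok: bool                # TCP connection to port 443 succeeded
    tls_ok: bool                # TLS handshake completed
    fingerprint: str = ""       # SHA-256 of the DER certificate this path handed us
    error: str = ""

def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Connect to the Firebox's public IP/DNS name and complete a TLS handshake."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult(False, False, error=f"tcp: {exc}")
    # Verification is disabled on purpose: the question is *which* certificate this
    # network path hands us, not whether it chains to a public CA.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return ProbeResult(True, True, fingerprint(der))
    except OSError as exc:              # ssl.SSLError is a subclass of OSError
        raw.close()
        return ProbeResult(True, False, error=f"tls: {exc}")

def diagnose(result: ProbeResult, expected_fp: str) -> str:
    """Verdict for one network path. expected_fp was recorded from inside the LAN."""
    if not result.tcp_ok:
        return "blocked: TCP 443 not reachable"
    if not result.tls_ok:
        return "blocked: TLS handshake failed (protocol enforcement or reset)"
    if result.fingerprint.lower() != expected_fp.lower():
        return "intercepted: certificate differs from the Firebox's own (HTTPS inspection)"
    return "ok: clean TLS path (OpenVPN-level application control may still block it)"

if __name__ == "__main__":
    import sys
    host, expected = sys.argv[1], sys.argv[2]  # placeholders: vpn.example.com <sha256 hex>
    print(diagnose(probe(host), expected))
```

A clean verdict only proves the TLS path; a firewall that recognises and blocks the OpenVPN protocol inside it will still stop the tunnel, so test the actual client too.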
If you would like to get in touch with any further questions about this article or any other technical enquiry, please contact us on +44 (0) 1488 647 647
Author: Alex Claro – Solutions Architect Team Lead at Purdicom (CCNP, CWNA). To read this article and more by Alex on LinkedIn check here: https://www.linkedin.com/in/alex-claro/detail/recent-activity/posts/