Standards for SSL VPN – available, but not accepted

PPTP, IPsec and L2TP are long-established standards for virtual private networking. And they aren’t good enough. The reason is simple: when planning connectivity, allow it through authenticating HTTP proxies. That explains the need for SSL VPN as a mean of user-friendly connectivity.

But why SSL VPNs aren’t considered a way to connect multiple sites within a organisation? A part of the issue is lack of the standards for SSL VPNs – and no interoperablity between different implementations.

What is the best candidate for the standard? In my opinion, that’s PPP over SSL. The point to point protocol is widely available, widely adopted and there’s nothing apparently wrong with it – therefore it exists without major makeover for many years (it had bumpy start in early nineties but easily took over SLIP as supporting not only IP over serial lines).

And it turns out that the standard is adopted by at least one major VPN vendor – F5. Here’s how to connect pppd to F5 FirePass SSL VPN (and a discussion of implications).

Full DIY solution not involving FirePass as a server is also available. You need Linux (or another UNIX-like system running pppd) and Stunnel (which should be a part of any security professional toolkit). The guidelines can be found here – and don’t forget to patch Stunnel to support HTTP proxies).

A big thing that is missing from the DIY solution is actually Windows support. There is no pppd for Windows, and Windows PPP implementation doesn’t allow things like redirecting to terminals. How sad.

I should have added something about Microsoft SSL VPN but today the gigabyte download threw a CRC error unpacking virtual machine image at me (the virtual machine-based demo kit is available here). However, the requirement to install a Socket Forwarding component on Linux and MacOS X clients doesn’t give me much optimism – likely, we are dealing with (not) good old port redirection. I understand that requirement to run a non-SSL VPN over VPN (that doesn’t work with port forwarding but works over PPP) might be considered very strange, but it’s real in some organisations. Remember, VPN itself is IP-over-IP solution.

Looking at proliferation of iPod and BlackBerry, one might think – what’s real value of open standards? I might be a little old-fashioned but I’d prefer to have an option to create interoperable solutions using multiple platforms. So common standards for SSL VPN supported by multiple vendors would help.

Leave a Reply

Your email address will not be published. Required fields are marked *