5283 Views 12 Replies Latest reply: Jul 10, 2010 7:53 AM by Michael Law
SSL VPN

Jul 7, 2010 9:34 AM

Michael Law 571 posts since
Jun 30, 2008

Topic: SSL VPNs

Question: When are they used? Do I see them often? I see SSL when browsing to major websites like CLN, MS Hotmail, MS OWA. Is this considered the same thing, or is SSL VPN totally different than just viewing webpages? Is it called a VPN because of all the VPN-like features in the delivery of critical information?

Thanks

Mike

  • Conwyn 7,907 posts since
    Sep 10, 2008
    1. Jul 7, 2010 9:44 AM (in response to Michael Law)
    Re: SSL VPN

    Hi Michael

    SSL is on virtually every PC in the world. So if I wanted to create a private tunnel between two parties I would need some security technology, and since SSL exists on every PC it is the ideal candidate. I think tunnel throughput is not particularly high, but with modern bandwidth that is not a problem.

    Regards Conwyn

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    4. Jul 7, 2010 9:51 AM (in response to Michael Law)
    Re: SSL VPN
    Hello Mike -

    An HTTPS session to a web server is different than the Cisco concept of SSL VPN. For example, with the Cisco AnyConnect client, a client can begin by connecting to the head end SSL VPN server, using only SSL, and after authenticating can have the AnyConnect client downloaded and installed on the PC. The AnyConnect client, then still using SSL (as opposed to ESP or AH, the IPsec protocols), can be assigned a routable virtual IP address from the head end server, and the client can tunnel traffic to the corporate network just as if they were running an IPsec VPN client. The big difference is the transport: SSL vs IPsec.

    Best wishes,

    Keith

  • Conwyn 7,907 posts since
    Sep 10, 2008
    5. Jul 7, 2010 10:05 AM (in response to Michael Law)
    Re: SSL VPN

    Hi Michael

    No.

    Imagine SSL like TCP. Two users can run a TCP session between them. Two users can run SSL between them.

    The TCP carries HTTP, FTP, mail etc., and the SSL carries a tunnel protocol at the conceptual level. HTTPS is an example. VPN-SSL is another.

    Please read the URL I cited.

    Regards Conwyn

  • Jared 5,502 posts since
    Jul 27, 2008
    Re: SSL VPN

    I am running a setup that Keith has described. Before the AnyConnect client, the old 3000 series VPN concentrators had an SSL VPN client, and what you did was go to a web portal, authenticate, and then the SSL VPN client would download on your computer and establish a VPN connection that used SSL as the transport instead of IPsec.

    It was nice because we didn't have to worry about installing and configuring the Cisco VPN Client... although I still do use the IPsec client as well.

  • Jared 5,502 posts since
    Jul 27, 2008
    9. Jul 9, 2010 6:06 AM (in response to Michael Law)
    Re: SSL VPN

    Now, my use of VPNs is very limited, but after doing the ISCW, which was very similar to CCNA Security, I realized that the focus was also on IPsec and very little on SSL VPNs. I think the reason why is because there are different implementations or reasons to implement a VPN. For example: in ISCW and CCNA Security, point-to-point VPNs are discussed and focus on IPsec. This would be great on a couple of routers if you wanted to secure/encrypt your WAN link traffic, so an IPsec VPN makes sense. For a client computer that wants to VPN into the corporate network, an SSL VPN makes more sense because every client has a web browser and there would be very little, if any, setup required on the client station.

    In those classes, the point-to-point VPN seems to be a major topic and the client VPN a lesser topic.

    This is just an example I have been able to come up with as far as when you would want to use IPsec vs SSL. I have not played with SSL point-to-point VPNs and don't even know if it's a feature, but I have used client VPNs and they are very nice. This was my observation when I did ISCW way back in the day.

  • Paul Stewart - CCIE Security, CCSI 6,993 posts since
    Jul 18, 2008
    10. Jul 9, 2010 8:23 PM (in response to Michael Law)
    Re: SSL VPN

    I think it is really hard to understand what the SSL VPN is in the Cisco world until you see it in action. SSL VPN includes several different use scenarios, including:

    • HTTPS access to internal web sites
    • HTTPS access to CIFS (Microsoft) file shares
    • Browser plugins (like a Java app to allow SSL access to Terminal Services, or a Java plugin for SSH/Telnet)
    • Smart Tunnels: automagically tunnels traffic from certain apps
    • Port Forwarding: the client connects to some TCP port on 127.0.0.1 and that is tunnelled back to the enterprise network
    • AnyConnect/SVC: allows EasyVPN-like connectivity over DTLS or TLS, using UDP or TCP respectively

    As you can see, SSL VPN is a bunch of components. It's really hard to visualize what it is until you see it in action. I think Cisco would sell a lot more of their SSL VPN licenses if they would build a publicly accessible demo site for it.
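    The port-forwarding mode Paul lists and the AnyConnect-style tunnel Keith describes both come down to the same mechanism, which is what separates them from an ordinary HTTPS page view: the client pushes arbitrary TCP bytes (not HTTP) into a TLS session, and the head end decrypts them and relays them to an internal service that never speaks TLS. The Go program below is an added example modelling that on loopback; it is not code from this thread or from Cisco. The head-end name headend.example.test, its throwaway self-signed certificate and the upper-casing internal service are all constructed for the illustration, and the client-side 127.0.0.1 listener is left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)
// ForwardThroughTLS plays all three roles on loopback: an internal cleartext service (upper-cases its input),
// a TLS head end relaying decrypted bytes to it, and a client that only ever speaks TLS to the head end.
func ForwardThroughTLS(payload string) (string, error) {
	// Throwaway self-signed head-end certificate; constructed for this example, not a real CA-issued cert.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "headend.example.test"},
		DNSNames: []string{"headend.example.test"}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client will trust exactly this one head-end certificate
	pool.AddCert(leaf)
	in, svc := net.Pipe() // stand-in for the head end's plain TCP hop to an internal server
	go func() {           // internal service: never sees TLS, only the relayed cleartext
		buf := make([]byte, 256)
		n, _ := svc.Read(buf)
		svc.Write([]byte(strings.ToUpper(string(buf[:n]))))
		svc.Close()
	}()
	headEnd, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}, MinVersion: tls.VersionTLS12})
	go func() { // head end: terminates TLS, then shovels raw bytes in both directions
		c, _ := headEnd.Accept()
		go io.Copy(in, c)
		io.Copy(c, in)
		c.Close()
	}()
	// Client: verify the head end against the pinned pool (never InsecureSkipVerify), then tunnel bytes.
	conn, err := tls.Dial("tcp", headEnd.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "headend.example.test", MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.Write([]byte(payload))
	reply, err := io.ReadAll(conn) // reads until the head end's close_notify
	return string(reply), err
}
```

    Swapping the upper-casing goroutine for a real internal host and adding a local listener in front of tls.Dial turns this into the port-forwarding shape Paul describes; the TLS verification step is the part a client must never skip.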

  • Mohamed Sobair 340 posts since
    Oct 21, 2008
    11. Jul 10, 2010 12:16 AM (in response to Michael Law)
    Re: SSL VPN

    Hi,

    With SSL VPN, the connection between the host and the SSL web server is encrypted. Using the cryptography concept, an SSL web server uses a digitally signed certificate to identify the host owner of the site. Those digitally signed certificates are obtained from third-party Certification Authorities (CAs).

    When a user tries to connect to an SSL web server, the user actually sends information to the 3rd party CA; the CA identifies the ownership of the site by confirming its public key, which was widely published, while its private key only stays with the web server.

    To conclude, with an SSL VPN a VPN tunnel is created, but rather than the host having the public key published to remote hosts here, a 3rd party CA has its public key and confirms the identity of the owner.

    HTH

    Mohamed
