My Quiet Life My Quiet Life

SSL VPN

An article on zdnet that caught my eye focuses on Aventail’s new small-biz product – a less expensive version of its “SSL VPN” product:

Sometimes smaller is better.

That’s what Aventail says. On Monday, the company will announce the EX-750, a less-expensive version of its SSL VPN–or Secure Sockets Layer virtual private network–product, which provides secure remote access through a Web browser. The EX-750 has all the same features as the company’s larger EX1500, but it supports fewer users and is priced much lower than its flagship product, the company said.

A VPN replacement with only a web browser? With my skeptism on full alert, I went to their website to try to find out what exactly it is they do. Cutting through the buzz-words proved very difficult. Their whitepaper spends an entire section on IPSEC, going to great lengths to prove that it’s an unworkable solution, even stretching a bit, claiming that “It requires compatible hardware or software, almost always from a single vendor, on both ends of the tunnel. This is perhaps true of general practice but is not a strict requirement, as I have used isakmpd successfully with several other vendors, including Cisco Concentrators, thanks to help from the VPN consortium, which is the coolest website ever.

But I digress. The phrase “client-less” is strewn about this whitepaper. The major weakness it purports to solve is that IPSEC requires a standardized client on every roaming VPN node.

Well, as far as I can figure, Aventail’s product consists of a “reverse HTTP proxy”, which just makes internal websites available on the internet via SSL (big wup), and then “for any non-Web traffic, Aventail uses the SOCKS v5 protocol to encapsulate and secure the application traffic.” That’s right, SOCKS v5. Which requires .. drumroll, please .. a client.

What I can’t figure out, however, is how they can claim to do “file sharing”. When people see “file sharing” in the context of a VPN, they assume “windows file sharing”, i.e. SMB, and SMB sure as shit won’t run over SOCKS – at least not in any way that wouldn’t make you want to open your wrists. I couldn’t cut through the buzzwords to figure this out.

The moral is that this software seems to be stretching a bit in calling itself a “VPN” solution. It’s not doing any networking at the layer 4 level. It’s more like an “SSL proxy” than an “SSL VPN”.

Now, don’t get me wrong. IPSEC can be troublesome. So can PPTP. If you’re behind a firewall/NAT device that doesn’t properly pass UDP port 500 and ESP (IPSEC) or TCP PORT 1723 and GRE (PPTP), you won’t have much luck. The idea of an SSL-based VPN tunnel is pretty appealing, and that’s where solutions like OpenVPN start to look attractive.

But they still require a client. You’d always require a client for any sort of true VPN tunneling. Until the security on Java or ActiveX via the browser is lax enough to let you actually create a fake pseudo-interface for the VPN, you need a client.