Some sites have stringent security requirements that do
not allow any clear-text on the wire; others want the ability to encrypt
legacy applications without having to rewrite the applications themselves.
In either of these cases, SonicWALL Offloaders offer a feature called “SSL
Initiation” that extends the functionality of an offloader beyond simply
decrypting or terminating SSL traffic.

SSL Initiation is the ability to behave not only as an
SSL termination point (an SSL server) but also as the initiator of an SSL
connection (an SSL client). Much like a standard web browser is the SSL
client when connecting to a secure site, SonicWALL SSL offloaders have the
ability to re-encrypt decrypted traffic, or to encrypt any TCP-based
traffic.

An increasingly common use of SonicWALL’s SSL
initiation is Application Specific SSL-VPNs. SSL-VPNs use two or more
SonicWALL SSL offloaders to allow any TCP-based application to be run over a
secure SSL tunnel without the need for VPN hardware or software, and without
having to rewrite any existing client or server applications.

Application Specific SSL-VPN

One of the largest benefits of SSL
Initiation is its ability to secure legacy applications such as telnet,
TN3270, and other mainframe applications without any programmatic changes,
and without incurring the burden of cryptography on the mainframe.
Additionally, it becomes possible to easily secure other typically
unencrypted TCP applications such as LDAP, SQL*Net, and XML-RPC without any
modifications to client or server software.

SSL-VPNs, which can work with or without
load-balancers or content switches, provide a drop-in encryption solution by
first accepting a TCP connection from the client application on a predefined
port. Based upon the port on which it receives the connection, the offloader
initiates a corresponding outbound SSL session to a remote IP address and TCP
port. The remote site can be a SonicWALL SSL offloader or any other SSL
termination point. When the remote offloader receives the SSL traffic, it
decrypts it and sends it to the clear-text listener (e.g. the telnet
server).
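
The initiating side of that flow, sketched as an added Python example (not SonicWALL code or configuration): each clear-text listening port maps to one remote SSL/TLS endpoint, the remote certificate is verified, and a failed handshake closes the client connection instead of falling back to clear text. The hostnames, port numbers and function names are assumptions made for illustration.

```python
import asyncio
import functools
import ssl

# Constructed mapping: local clear-text port -> (remote TLS host, port).
# Placeholder hostnames and ports, not values from the page.
ROUTES = {
    2323: ("offloader.example.internal", 992),   # telnet carried over TLS
    1389: ("offloader.example.internal", 636),   # LDAP carried over TLS
}

def make_client_context(cafile=None, client_cert=None, client_key=None):
    """TLS client context: verify the remote end, optionally send a client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

async def pipe(reader, writer):
    """Copy bytes one way until EOF or error, then close the write side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except (ConnectionError, ssl.SSLError):
        pass
    finally:
        writer.close()

async def handle(local_port, ctx, c_reader, c_writer):
    host, port = ROUTES[local_port]
    try:
        # server_hostname makes the handshake check the certificate name.
        u_reader, u_writer = await asyncio.open_connection(
            host, port, ssl=ctx, server_hostname=host)
    except (OSError, ssl.SSLError):
        c_writer.close()          # fail closed: never fall back to clear text
        return
    await asyncio.gather(pipe(c_reader, u_writer), pipe(u_reader, c_writer))

async def serve(ctx, bind="127.0.0.1"):
    servers = [await asyncio.start_server(
                   functools.partial(handle, p, ctx), bind, p)
               for p in ROUTES]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(serve(make_client_context()))
```

Binding the clear-text listeners to the loopback address keeps the unencrypted leg on the client host itself.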

Another area where SSL-VPNs prove
particularly useful is Web Services. Web Services, such as Microsoft’s
well-known .NET initiative, utilize SOAP (Simple Object Access Protocol) or
other XML over HTTP implementations to create a distributed architecture
computing system utilizing HTTP for transporting data between sites. Since
the native protocol over which Web Services are transported is HTTP, it
lends itself well to security via SSL. As an alternative to building SSL
client and server or other security components into client and server
applications, sites deploying Web Services should consider using SSL-VPN for
security.

Simpler than conventional IPSec VPNs,
SSL-VPNs provide the same level of security as an IPSec VPN (up to 168-bit
DES3) but do not require nearly the same level of preparatory effort or
maintenance. SSL-VPNs can take full advantage of the security mechanisms
built into SSL, including configurable encryption levels and client and
server certificate support for access controls and authentication.