SSL-VPN | RSA Information Security Glossary

SSL-VPN

Although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and that it authenticates at least one of the parties, also makes it a Virtual Private Network (VPN). One of the best things about this protocol is that most computers have a browser; that means that no new software needs to be added to the client in order to use this method.

A very simplified explanation of how it works is like this: The browser client asks for a secure session with the web server. If the web server can support an SSL session, it says what it supports and sends back a certificate that includes the server’s public key as well as some other information to negotiate a secret key. The client checks the certificate and decides whether to trust the server; if it does, it encrypts some information with the server’s public key and sends it back. The information is used to compute the secret key and the rest of the session is encrypted with that shared secret (symmetric key cryptography).

It’s important to note that only the server was authenticated. Although the protocol includes methods for authenticating the client, this simple method is most commonly used. Without additional steps, like the use of IDs and passwords or tokens, the client is anonymous.

Another of the drawbacks is that needed information may not be available to a browser without the added expense of developing web services. Where a VPN is needed for access to many, non-web enabled applications, an IPsec VPN may be a better solution.

21 CFR Part 11 access control, access management AES Alerting, alerts Anti-phishing service Anti-Phishing Working Group (APWG)authentication authorization Basel II Baseline, baselining biometrics/biometric authentication California AB 1950 and SB 1386 call center call center assist Card Management Systems (CMS)CAS certificate authority, certification authority (CA)Certificate Revocation List (CRL)Chip and PIN COBIT control framework credentials, credential store CVV DAS digital certificate digital identity digital rights management (DRM)digital signature directory service E-Authentication Initiative EMV™endpoint authentication EPS EU Data Protection Directive factoring, prime numbers Federal Information Processing Standards (FIPS)federated identity FFIEC FFIEC Online Banking Authentication Guidance FIPS 140 FIPS 201 GINA Gramm-Leach-Bliley Act (GLBA)hardware authenticator hijacking HIPAA Homeland Security Presidential Directive – Number 12 (HSPD-12)Identity and Access Management (IAM)identity theft Intelligent Questioning IPSec ISO 17799 ISO27002 key logging key management Knowledge Based Authentication (KBA)layered authentication LDAP Liberty Alliance, Liberty ID-FF logical access, physical access man-in-the-middle attacks (MITM)MasterCard's Chip Authentication Protocol (CAP)Microsoft.NET, Passport MPEG-LA mutual authentication NIST OASIS Open Mobile Alliance (OMA)OTP (One-Time Password)OTPS password, passcode, pass code Payment Card Industry (PCI) Data Security Standard Personal Identity Verification card (PIV Card)pharming phishing PKCS PKI provisioning RADIUS RBAC (Role Based Access Control)RC2, RC4, RC5, etc.RFID risk-based authentication RSA algorithm S/MIME SAML Sarbanes-Oxley Act (SOX)seed record sequential questions Service Oriented Architecture (SOA)single sign-on (SSO)smart badging smart card smart chip spoofing SSL-VPN strong authentication symmetric key cryptography time synchronous authentication token Trojans two-factor authentication U.K. Identity Cards Bill USB token user life-cycle management verification Visa's Dynamic Passcode Authentication (DPA)VPN web access management web services WS-Security XML	SSL-VPN Although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and that it authenticates at least one of the parties, also makes it a Virtual Private Network (VPN). One of the best things about this protocol is that most computers have a browser; that means that no new software needs to be added to the client in order to use this method. A very simplified explanation of how it works is like this: The browser client asks for a secure session with the web server. If the web server can support an SSL session, it says what it supports and sends back a certificate that includes the server’s public key as well as some other information to negotiate a secret key. The client checks the certificate and decides whether to trust the server; if it does, it encrypts some information with the server’s public key and sends it back. The information is used to compute the secret key and the rest of the session is encrypted with that shared secret (symmetric key cryptography). It’s important to note that only the server was authenticated. Although the protocol includes methods for authenticating the client, this simple method is most commonly used. Without additional steps, like the use of IDs and passwords or tokens, the client is anonymous. Another of the drawbacks is that needed information may not be available to a browser without the added expense of developing web services. Where a VPN is needed for access to many, non-web enabled applications, an IPsec VPN may be a better solution. Top of Page	Related Terms certificate authority, certification authority (CA) IPSec PKI symmetric key cryptography VPN Related Links Secure Remote Access
		Email to a friend Print