Elastic SSL VPN virtualized service for mobile and cloud security
Feb 20, 2014
It has been a really cold winter for a large part of the US. When the San Francisco 49ers played the Green Bay Packers in the NFL wildcard playoff game, it was considered the coldest NFL game. It was 5 degrees at kickoff, and the winds made it feel like minus 10. And over the last week, I kept seeing pictures of the extreme weather, like this.
In this kind of extreme weather, and during natural disasters such as hurricanes Sandy and Katrina, businesses stay up by allowing their employees to work from home or remotely. But even without these extreme conditions, the workforce is becoming more and more mobile. According to IDC, the world’s mobile worker population is predicted to grow to more than 1.3 billion by 2015.
As more mobile users with diverse devices require network access, and as more organizations embrace personal mobile devices through “Bring Your Own Device” (BYOD) initiatives, mobile device and network security can be compromised, and the number of resulting issues and problems can swell. For example, in virtually all recorded instances of high-profile Advanced Persistent Threats (APT), the initial point of entry is an end-user computing device compromised by a spear-phishing attack, Trojan, or other form of malware. The success of today’s enterprises and service providers therefore depends on their ability to give authenticated, authorized mobile users controlled but secure, fast, and seamless access to all necessary network resources, from any mobile device, anywhere, at any time, so as to maximize both security and productivity.
Typically, a solution that meets the above requirements contains either an IPSec VPN or an SSL VPN to secure connectivity to an access gateway, plus an access control component that performs user authentication and authorization. There have been many articles comparing the pros and cons of IPSec VPN vs. SSL VPN, and I don’t plan to dwell on that; the customer use case will dictate which solution is the better fit. What I want to point out here is that, traditionally, IPSec and SSL VPN aggregation gateways are implemented either as a hardware appliance or as an integrated function of a network device. In either case, these boxes are special-purpose hardware that must be purchased and statically installed at the enterprise network edge, or at the service provider edge as part of a managed business services offering, with a fixed capacity usually measured by the number of users or connections they can handle. What do you do if you run out of that capacity? You go through the same process again to install another box or upgrade to one with higher capacity, which can take a while. These appliances fall short in the scenarios described at the beginning of this blog, when there is a surge of remote workers who want to connect to their corporate applications through VPN.
There is a better approach, enabled by virtualization and cloud technologies. Security services can be virtualized to run on virtual machines and so leverage the economies of scale of high-volume x86 server platforms. But the real advantages come from service automation and orchestration, usually provided by a cloud orchestration platform that has been enhanced to handle not only virtual machine placement, scaling and movement, but also network virtualization, orchestration and automation. Such a platform provides an elastic infrastructure in which virtualized security or network services can be spun up on demand, driven by configuration or by feedback from analytics, chained into the traffic stream dynamically, and scaled up and down to accommodate load variations.
Take SSL VPN as an example. One endpoint of the VPN is likely to be a mobile host such as a smartphone, tablet or laptop; the other endpoint is the SSL VPN aggregator, which is traditionally a hardware appliance. The virtualized SSL VPN aggregation software can instead run on one or more virtual machines orchestrated by OpenStack on servers in the Demilitarized Zone (DMZ) at the edge of an enterprise data center, so that authorized VPN users can be tunneled securely into the enterprise network from anywhere. Beyond the SSL VPN aggregation, the user can access business applications within the enterprise internal network. Furthermore, modern enterprises may deploy their business applications in a hybrid environment, with some in their private enterprise data center and others in a public cloud or virtual private cloud (VPC) environment. With virtualized service orchestration, it is easy to deploy SSL VPN aggregation in both the public cloud provider’s data center and the enterprise’s private data centers, keeping the SSL VPN aggregation, and potentially other security services, close to the applications they protect while still maintaining policy consistency.
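As an added illustration of the elastic capacity argument above (example code, not from the original post, Juniper or OpenStack), here is a small Python planner that turns the active session count reported by analytics into a target number of SSL VPN aggregator VMs for the orchestrator to run. The per-VM session figure, the thresholds and the storm-day sample series are all assumed values.

```python
# Added example (not Juniper's or OpenStack's code); assumed figures are marked as such.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScalePolicy:
    sessions_per_vm: int   # concurrent tunnels one aggregator VM is sized for (assumed figure)
    scale_out_pct: int     # add VMs once fleet utilization rises above this percentage
    scale_in_pct: int      # remove VMs only once it falls below this percentage
    min_vms: int           # floor: keep a warm tier in the DMZ even when idle
    max_vms: int           # ceiling: bounds spend and DMZ address usage

    def __post_init__(self) -> None:
        if not 0 < self.scale_in_pct < self.scale_out_pct <= 100:
            raise ValueError("need 0 < scale_in_pct < scale_out_pct <= 100")
        if self.sessions_per_vm <= 0 or not 1 <= self.min_vms <= self.max_vms:
            raise ValueError("invalid per-VM capacity or VM bounds")


def desired_vm_count(active_sessions: int, current_vms: int, policy: ScalePolicy) -> int:
    """Aggregator VM count the orchestrator should converge to.

    The thresholds form a hysteresis band: inside it the fleet is left alone,
    so load hovering near one threshold cannot make the tier flap. When a
    change is needed, the fleet is resized so utilization lands at the centre
    of the band, not just inside one edge. Integer maths avoids rounding at the edges.
    """
    capacity = current_vms * policy.sessions_per_vm
    used_pct = active_sessions * 100            # utilization scaled by capacity
    if policy.scale_in_pct * capacity <= used_pct <= policy.scale_out_pct * capacity:
        return current_vms
    target_pct = (policy.scale_in_pct + policy.scale_out_pct) // 2
    needed = -(-used_pct // (policy.sessions_per_vm * target_pct))   # ceiling division
    return max(policy.min_vms, min(policy.max_vms, needed))


def plan_trajectory(session_samples, start_vms: int, policy: ScalePolicy) -> list:
    """Replay a series of session counts; return the fleet size after each sample."""
    vms, history = start_vms, []
    for sessions in session_samples:
        vms = desired_vm_count(sessions, vms, policy)
        history.append(vms)
    return history


# Constructed sample: a storm day when remote workers surge in, then log off.
STORM_DAY = [300, 300, 1200, 2400, 2600, 2400, 1500, 900, 400]
POLICY = ScalePolicy(sessions_per_vm=500, scale_out_pct=80, scale_in_pct=40, min_vms=2, max_vms=10)
# plan_trajectory(STORM_DAY, start_vms=2, policy=POLICY) -> [2, 2, 4, 8, 8, 8, 5, 3, 2]
```

The orchestrator would call this on each analytics interval and launch or retire aggregator VMs until the running count matches the result.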
Other enterprises may decide to completely outsource certain services; in that case, these services are hosted in their service provider’s infrastructure. In most cases the service provider already provides VPN service to its business customers, and the SSL VPN aggregation can be designed to be the gatekeeper of the enterprise VPN network. Once the mobile user’s traffic leaves the SSL VPN tunnel, it can be dispatched to either the enterprise data center or the VPC without ever leaving the provider VPN (L3VPN or EVPN). Compared to enterprises deploying SSL VPN service themselves, service providers can better leverage economies of scale and statistical multiplexing of resources, while their business customers retain full control of the VMs running the SSL VPN aggregation service, so they can change policies and configuration themselves.
Want to see this in action? Check out the video done with OpenStack, Juniper Contrail and Junos Pulse Secure Access.