
SSTP: Microsoft’s SSL VPN


For years IPSec has been the reigning protocol for establishing VPN connections.  However, challenges facing organizations attempting to use this technology to facilitate roaming user access are forcing network managers to look at SSL VPN as an alternative.  Not to be left behind, Microsoft is working on its own release of SSL VPN.

Microsoft’s SSL VPN
In order to integrate SSL VPN technology into its Network Access Protection (NAP) solution, Microsoft is working on a new protocol—Secure Socket Tunneling Protocol (SSTP).  SSTP encapsulates PPP packets over an HTTPS session. 

According to John Fontana, SSTP will be part of Microsoft’s Routing and Remote Access Server (RRAS) in Longhorn Server (“New Secure VPN tunneling protocol in the works at Microsoft”, John Fontana, ComputerWorld, 2007).  Vista support will ship with Vista Service Pack 1.  Businesses deploying Microsoft’s NAP and SSTP will have access to most of the features shipped with SSL VPN appliances, including checking the health of the remote client prior to establishing a session. 

SSTP is intended for remote client access only.  Site-to-site VPN connections are not supported.  Details about how SSTP works are available at Samir Jain’s Routing and Remote Access Blog.  Jain is the Lead Program Manager for RRAS.
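The page describes SSTP only as "PPP packets over an HTTPS session". The following added example (my own code, not Microsoft's or Samir Jain's) shows what that encapsulation looks like at the byte level: a PPP frame is prefixed with a small SSTP header and the result is carried inside the TLS stream, so on the wire a network monitor sees nothing but HTTPS to port 443. The field layout (version byte 0x10, a C flag marking control packets, a 12-bit total-length field, and a message-type/attribute-count pair at the start of control packets) is my reading of the MS-SSTP specification and is not stated on the page; the sample PPP frame is constructed for the demo. The parser validates the reserved bits and length consistency, which is the kind of strictness a server-side implementation needs before handing the inner PPP frame to the PPP stack.

```python
import struct

# Assumed layout (from the MS-SSTP specification as I read it; not given on the page):
#   byte 0      : version, 0x10 = major 1 / minor 0
#   byte 1      : 7 reserved bits + C bit (1 = control packet, 0 = data packet)
#   bytes 2-3   : 4 reserved bits + 12-bit total length, header included
# Control packets then carry a 16-bit message type and a 16-bit attribute count.
SSTP_VERSION = 0x10
SSTP_HEADER_LEN = 4
SSTP_MAX_LEN = 0x0FFF
SSTP_FLAG_CONTROL = 0x01

# Constructed sample PPP frame: PPP protocol 0x0021 (IPv4) followed by a placeholder
# 20-byte IPv4 header (192.168.0.1 -> 192.168.0.2, checksum left at zero).
SAMPLE_PPP_FRAME = bytes.fromhex("0021") + bytes.fromhex(
    "45000014000040004001000ac0a80001c0a80002"
)


def encapsulate_ppp(ppp_frame: bytes) -> bytes:
    """Wrap one PPP frame in an SSTP data packet (C bit clear)."""
    total = SSTP_HEADER_LEN + len(ppp_frame)
    if total > SSTP_MAX_LEN:
        raise ValueError("PPP frame does not fit in one SSTP packet")
    return struct.pack("!BBH", SSTP_VERSION, 0x00, total) + ppp_frame


def parse_sstp(buf: bytes):
    """Parse one SSTP packet from the front of buf.

    Returns (packet_dict, remaining_bytes). Raises ValueError on anything that
    is not a well-formed packet: wrong version, reserved bits set, or a length
    field that disagrees with the data actually available.
    """
    if len(buf) < SSTP_HEADER_LEN:
        raise ValueError("truncated SSTP header")
    version, flags, length_field = struct.unpack("!BBH", buf[:SSTP_HEADER_LEN])
    if version != SSTP_VERSION:
        raise ValueError(f"unsupported SSTP version 0x{version:02x}")
    if flags & ~SSTP_FLAG_CONTROL:
        raise ValueError("reserved flag bits must be zero")
    if length_field & ~SSTP_MAX_LEN:
        raise ValueError("reserved length bits must be zero")
    length = length_field & SSTP_MAX_LEN
    if length < SSTP_HEADER_LEN or length > len(buf):
        raise ValueError("length field inconsistent with available data")

    payload = buf[SSTP_HEADER_LEN:length]
    remainder = buf[length:]
    if flags & SSTP_FLAG_CONTROL:
        if len(payload) < 4:
            raise ValueError("control packet too short for type/attribute fields")
        msg_type, num_attrs = struct.unpack("!HH", payload[:4])
        packet = {
            "control": True,
            "message_type": msg_type,
            "num_attributes": num_attrs,
            "attributes": payload[4:],
        }
    else:
        packet = {"control": False, "ppp": payload}
    return packet, remainder


def split_stream(stream: bytes):
    """Split a contiguous run of SSTP packets (as read out of the TLS session)."""
    packets = []
    while stream:
        packet, stream = parse_sstp(stream)
        packets.append(packet)
    return packets


if __name__ == "__main__":
    data_pkt = encapsulate_ppp(SAMPLE_PPP_FRAME)
    # Constructed control packet: C bit set, length 8, message type 1, no attributes.
    ctl_pkt = bytes([0x10, 0x01, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00])
    for pkt in split_stream(ctl_pkt + data_pkt):
        print(pkt)
```

Everything above sits inside TLS, so the only thing visible to a perimeter device is an HTTPS connection; the framing can be inspected only on the endpoints, which is why client health checks (NAP) and RRAS-side logging matter more for SSTP than packet-level network controls do.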

Why SSL VPN
In a 2005 Gartner report on SSL VPN, John Girard predicted that by 2008, SSL VPN will be the primary method of remote access for most organizations (“Magic Quadrant for SSL VPN, North America, 3Q05”).  This trend was confirmed in the recently released Gartner SSL VPN Magic Quadrant for the third quarter of 2006 (Article #G00144950, December 27, 2006).

IPSec was developed to support site-to-site VPN connectivity.  With the increasing number of roaming users who need to access business networks anywhere, anytime, IPSec connectivity challenges are growing.  According to Girard, these challenges include:

  • IPSec does not force strong authentication
  • User clients are required, and significant differences exist in the quality and coding of user clients between vendors
  • Non-IP protocols are supported by default
  • Originally designed for site-to-site secure connections with verifiable static IP addresses, IPSec can present problems for remote users attempting to connect from a location with a limited number of IP addresses

SSL VPN addresses these issues and more.  Unlike basic SSL, SSL VPN secures an entire session.  No static IPs are required, and a client is unnecessary in most cases.  Since connections are made via a browser over the Internet, the default connection protocol is TCP/IP.  Clients connecting via SSL VPN can be presented with a desktop for accessing network resources.  Transparent to the user, traffic from her laptop can be restricted to specific resources based on business-defined criteria.

This doesn’t mean that IPSec isn’t still a viable solution for specific business challenges.  Figure 1 depicts the remote access situations in which IPSec and SSL VPN are best suited (“Weigh the Pros and Cons Before Choosing IPsec or SSL Remote-Access VPNs”, John Girard, Gartner #G00129673, August 4, 2005).

Figure 1: Gartner SSL VPN v. IPSec Decision Framework

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

1 comment

Tom Olzak

Are you planning to move to SSL VPN for remote access? Does an SSTP solution look like an alternative you might consider?
