By Ken Araujo, special to Network World
Network World |
The technology provides secure remote access to a broad spectrum of applications and network resources
Application-layerVPNs are generating lots of attention these days. Proponents cite the technology's ability to provide secure remote access to a broad spectrum of applications and network resources. But what exactly are application-layer VPNs, and how do they differ from traditional VPNs?
Unlike traditional IP Security (IPSec)-based VPNs, which operate at Layer 3 (the network layer) of the Open Systems Interconnection model, application-layer VPNs operate at Layer 7 (the application layer). Operating at Layer 7 provides visibility into application data, giving network administrators new opportunities to enforce security policy for remote application access.
The central element of an application-layer VPN is the application-layer proxy, typically provided in the form of a dedicated network appliance. The proxy offers a single point of administration while acting as a sentinel to the private network behind the firewall.
An application-layer VPN acts as an intermediary between remote client requests and server-based applications. It terminates incoming connections from remote users at the application layer, processes the data and then translates the data to the appropriate application protocol. During this termination gap, the VPN analyzes application information, applies security policy and serves as a gatekeeper between the Internet and the private network.
An application-layer VPN runs client and server versions of an application on a single server, eliminating the need for a client on the remote PC. For Windows applications, client and server versions are installed on a Windows Terminal Server, which uses Microsoft Remote Desktop Protocol (RDP) to negotiate the remote user's input with the application's responses.
Remote users launch a browser and enter the URL of the application-layer VPN appliance. Secure Sockets Layer (SSL) is used to encrypt all data from the user's browser to the application-layer proxy. SSL provides strong security, and most Web browsers incorporate it.
The application-layer VPN enforces policy during the termination gap by polling external authentication and policy servers, such as Active Directory orLightweight Directory Access Protocol, to certify user identities and authorize specific application access.
From this point, the browser sends legacy application data to the proxy via a thin-client application protocol. In turn, the proxy terminates and translates this protocol to RDP and delivers it to the application server.
Application-layer VPNs also work well with Web-based and intranet applications, allowing secure remote access without exposing nonhardened intranet servers to outside attack. The proxy terminates, examines and rewrites HTTP requests. Remote users then receive Web application resources as defined by policy and security.
User requests are not sent directly to the application server, but are terminated in the VPN appliance, processed with policy and security and translated to the appropriate back-end protocol, and then transmitted to the application server.
This model, with the application-layer VPN functioning as a proxy, enforcing authentication and policy before letting the data streams reach the application server, protects private networks. In an IPSec VPN, by comparison, user requests go across the network layer and access an entire enterprise network.
Because application-layer VPNs can provide secure remote access to a range of applications and give network administrators flexible control over who can access those applications, the technology will become increasingly important for enterprise network and security architects.
Araujo is CTO at Netilla Networks. He can be reached at ken_araujo@ netilla.com.
Learn more about this topic
VPN research center\The latest news, reviews, opinions and more.
Related:
Copyright © 2003 IDG Communications, Inc.