
MIDWESTERN INTERMEDIATE UNIT IV – A CASE STUDY IN INTERNET SECURITY
WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com
4
application. This approach provides the same general level of connectivity for that application as IPSec does, but
imposes a performance penalty and requires a management burden equivalent to or greater than that of an IPSec
solution.
Other common business applications, such as Sales Force Automation (SFA) tools, Customer Relationship Management (CRM) systems, and Enterprise Resource Planning (ERP) applications, as well as other applications from companies such as Siebel, Oracle, Remedy, Clarify, and SAP, do not have a standard client. Clients for these applications are customized for a particular customer. A Siebel implementation at company A is very different from a Siebel implementation at company B, or at any other company.
For applications that are customized for a specific organization, the SSL VPN vendor can bring in its Professional Services team to create a custom connector or to “Webify” the product. Since the applications are customized for a particular organization, the Webification or creation of a custom connector would also be specific to each customer. The cost of this type of custom programming is significant.
Web-Enabled Applications and SSL VPNs
Many SFA, CRM, and ERP vendors provide a native Web-enabled interface, and it seems attractive to expose this to remote users, bypassing the restrictions on SSL VPNs mentioned previously.
SSL VPNs are essentially a proxy technology, and as such, have to parse and rewrite links to provide access to internal Web applications. This means SSL VPNs can only work with Web components which can be read and rewritten on the fly as needed. Java applets, ActiveX, Flash, and other common Web components are executable binary code, and therefore cannot be rewritten. Unfortunately, many of the stock Web interfaces from SFA, CRM, and ERP vendors contain these structures, preventing them from being accessed through an SSL VPN. Moreover, for the Web applications that can be used with an SSL VPN, there is a significant performance degradation due to the computationally intensive process of parsing the Web page, identifying URLs, rewriting and mapping the navigation paths to externally accessible URLs, and then reconstructing all the Web pages for the end user.
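The link-rewriting step described above, as an added illustration that is not WatchGuard's code nor any SSL VPN product's implementation: a toy reverse-proxy rewriter that parses an internal page, maps every URL it can see on the internal host to an externally reachable proxy URL, and reports the tags (applet, object, embed) whose embedded references live inside executable code and therefore cannot be rewritten. The internal host name, the proxy prefix, and the sample page are constructed for the example.

```python
"""Toy SSL VPN-style link rewriter (added example, not a vendor implementation).

The proxy fetches an internal page, rewrites each navigable URL so that it
points back through the proxy, and returns the page to the remote browser.
URLs buried inside executable components (Java applets, ActiveX, Flash)
are not visible to the parser, so those tags are only reported.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, quote

# Constructed values: a hypothetical internal host and the proxy's public prefix.
INTERNAL_HOST = "crm.internal.example"
PROXY_PREFIX = "https://vpn.example.com/proxy/"

# (tag, attribute) pairs whose values are URLs the proxy can rewrite.
URL_ATTRS = {("a", "href"), ("img", "src"), ("form", "action"),
             ("link", "href"), ("script", "src")}
# Tags that load executable binary content; their internal links cannot be parsed.
OPAQUE_TAGS = {"applet", "object", "embed"}


def external_url(internal_url: str) -> str:
    """Map an absolute internal URL to the externally reachable proxy URL."""
    parts = urlsplit(internal_url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return PROXY_PREFIX + parts.hostname + quote(path, safe="/?=&")


class Rewriter(HTMLParser):
    """Streams the page back out, rewriting internal URLs as it goes."""

    def __init__(self, base_url: str):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.base_url = base_url
        self.out = []      # rewritten page fragments
        self.opaque = []   # tags the proxy could not rewrite

    def _rewrite_attrs(self, tag, attrs):
        rewritten = []
        for name, value in attrs:
            if value is not None and (tag, name) in URL_ATTRS:
                absolute = urljoin(self.base_url, value)   # resolve relative links
                if urlsplit(absolute).hostname == INTERNAL_HOST:
                    value = external_url(absolute)         # only internal hosts are mapped
            rewritten.append((name, value))
        return rewritten

    def _emit_tag(self, tag, attrs, self_closing=False):
        if tag in OPAQUE_TAGS:
            self.opaque.append(tag)   # binary component: report, cannot rewrite its insides
        parts = [tag]
        for name, value in self._rewrite_attrs(tag, attrs):
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def rewrite_page(page_html: str, base_url: str):
    """Return (rewritten_html, list_of_tags_the_proxy_could_not_rewrite)."""
    rewriter = Rewriter(base_url)
    rewriter.feed(page_html)
    rewriter.close()
    return "".join(rewriter.out), rewriter.opaque


# Constructed sample of an internal CRM page served at http://crm.internal.example/home
SAMPLE_PAGE = (
    '<html><body>'
    '<a href="/accounts?id=7&amp;view=full">Accounts</a>'
    '<img src="http://crm.internal.example/logo.png">'
    '<a href="http://www.example.com/help">Help</a>'
    '<applet code="ReportViewer.class" codebase="/applets/"></applet>'
    '</body></html>'
)

if __name__ == "__main__":
    html_out, unrewritable = rewrite_page(SAMPLE_PAGE, "http://crm.internal.example/home")
    print(html_out)
    print("could not rewrite:", unrewritable)
```

Every page passing through the proxy is parsed, resolved, rewritten and re-serialized, which is the per-request cost the paper refers to; the reported applet is the case the paper says a standard SSL VPN cannot serve, since the links the applet itself opens are compiled into its bytecode rather than present in the HTML.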
DRAWBACKS TO STANDARD SSL VPNS
1. Split DNS entries – When connecting to an internal resource, the PC client is looking for an IP address or server name which cannot be seen outside the firewall (SSL VPNs do not provide transparent access like IPSec VPNs); therefore the IT administrator has to set up split DNS entries either on the host or on a DNS server.
For example, an Outlook client is normally set up to look for the Exchange server by name. This server can be easily found and connected to by name if the PC is inside the network. However, for an outside client, this server’s DNS name cannot be resolved as typically there is no externally published DNS entry for internal servers. Even if the entry was published by the enterprise’s public DNS server, the client would not be able to find a route to the private server since, in most cases, the Exchange server would be using a private or unroutable IP address.
SSL VPN vendors solve this issue by requiring an IT administrator to set up split DNS entries where, if the PC