GUIDE TO SSL VPNS
modified to provide this protection. While this provides a very high degree of control and flexibility
over the application’s security, it may require a large resource investment to add and configure
controls properly for each application. Designing a cryptographically sound application protocol is
very difficult, and implementing it properly is even more challenging, so creating new application
layer security controls is likely to create vulnerabilities. Also, some applications, particularly off-the-shelf software, may not be capable of providing such protection. While application layer controls can
protect application data, they cannot protect TCP/IP information such as IP addresses because this
information exists at a lower layer. Whenever possible, application layer controls for protecting
network communications should be standards-based solutions that have been in use for some time.
One example is Secure Multipurpose Internet Mail Extensions (S/MIME), which is commonly used to encrypt email messages.[2]
Transport Layer. Controls at this layer can be used to protect the data in a single communication
session between two hosts. Because IP information is added at the network layer, transport layer
controls cannot protect it. The most common use for transport layer protocols is securing HTTP
traffic; the Transport Layer Security (TLS)[3] protocol is usually used for this. The use of TLS
typically requires each application to support TLS; however, unlike application layer controls, which
typically involve extensive customization of the application, transport layer controls such as TLS are
much less intrusive because they do not need to understand the application’s functions or
characteristics. Although using TLS may require modifying some applications, TLS is a well-tested
protocol that has several implementations that have been added to many applications, so it is a
relatively low-risk option compared to adding protection at the application layer. Traditionally, TLS has been used to protect HTTP-based communications, and it can be used with SSL portal VPNs.
Network Layer. Controls at this layer can be applied to all applications; thus, they are not
application-specific. For example, all network communications between two hosts or networks can
be protected at this layer without modifying any applications on the clients or the servers. In some
environments, network layer controls such as Internet Protocol Security (IPsec) provide a much better
solution than transport or application layer controls because of the difficulties in adding controls to
individual applications. Network layer controls also provide a way for network administrators to
enforce certain security policies. Another advantage of network layer controls is that since IP
information (e.g., IP addresses) is added at this layer, the controls can protect both the data within the
packets and the IP information for each packet. However, network layer controls provide less control
and flexibility for protecting specific applications than transport and application layer controls. SSL
tunnel VPNs provide the ability to secure both TCP and UDP communications including client/server
and other network traffic, and therefore act as network layer VPNs.
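As an added illustration (not part of the original guide), the following Python model applies the rule the paragraphs above describe: a control at one layer encrypts the payload that layer carries and leaves the headers of lower layers readable, so TLS cannot hide IP addresses while an IPsec tunnel can. The packet values, the gateway addresses and the tunnel-mode assumption are constructed for the example.

```python
import copy

# Layers lowest-first; a control at index i encrypts everything carried at index > i.
LAYERS = ["link", "network", "transport", "application"]
ENCRYPTED = "<ciphertext>"  # stand-in for encrypted bytes; this model uses no real cipher

# Constructed sample: one HTTP request as an on-path observer sees it with no control.
SAMPLE_PACKET = {
    "link":        {"src_mac": "02:00:00:aa:00:01", "dst_mac": "02:00:00:aa:00:02"},
    "network":     {"src_ip": "198.51.100.10", "dst_ip": "203.0.113.5"},
    "transport":   {"src_port": 49152, "dst_port": 80},
    "application": {"method": "GET", "path": "/account", "body": "id=42"},
}
# Constructed VPN gateway addresses, assuming IPsec tunnel mode between two gateways.
GATEWAYS = {"src_ip": "192.0.2.1", "dst_ip": "192.0.2.254"}


def protect(packet, layer):
    """Return what an observer sees after a control is applied at `layer`.

    The control encrypts the payload its own layer carries (every layer above it)
    and cannot touch the headers of layers below it, which are added later.
    """
    out = copy.deepcopy(packet)
    if layer == "application":
        # S/MIME-style control: only the application content is encrypted; the
        # application's own protocol fields stay readable, as do all lower headers.
        out["application"]["body"] = ENCRYPTED
        return out
    for upper in LAYERS[LAYERS.index(layer) + 1:]:
        out[upper] = ENCRYPTED
    if layer == "network":
        # IPsec tunnel mode: the original IP header is encrypted with the payload and
        # a new outer header names only the gateways, hiding the hosts' IP information.
        out["network"] = dict(GATEWAYS)
    return out


def exposed_fields(original, observed):
    """Names of original header fields whose values the observer can still read."""
    seen = {v for hdr in observed.values() if hdr != ENCRYPTED for v in hdr.values()}
    return {f"{layer}.{field}" for layer, hdr in original.items()
            for field, value in hdr.items() if value in seen}


if __name__ == "__main__":
    for layer in LAYERS:
        exposed = sorted(exposed_fields(SAMPLE_PACKET, protect(SAMPLE_PACKET, layer)))
        print(f"control at {layer:12} still exposes: {exposed}")
```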
Data Link Layer. Data link layer controls are applied to all communications on a specific physical
link, such as a dedicated circuit between two buildings or a dial-up modem connection to an Internet
Service Provider (ISP). Data link layer controls for dedicated circuits are most often provided by
specialized hardware devices known as data link encryptors; data link layer controls for other types of
connections, such as dial-up modem communications, are usually provided through software.
Because the data link layer is below the network layer, controls at this layer can protect both data and
IP information. Compared to controls at the other layers, data link layer controls are relatively
simple, which makes them easier to implement; also, they support other network layer protocols
besides IP. Because data link layer controls are specific to a particular physical link, they cannot
[2] Several Request for Comment (RFC) documents from the Internet Engineering Task Force (IETF) define S/MIME, as well as standards for using it to protect email messages. One example is RFC 3852, Cryptographic Message Syntax (CMS), available at http://www.ietf.org/rfc/rfc3852.txt.
[3] TLS is the standards-based version of SSL version 3. More information on TLS is available in RFC 4346, The TLS Protocol Version 1.1, available at http://www.ietf.org/rfc/rfc4346.txt. Another good source of information is NIST SP 800-52, Guidelines on the Selection and Use of Transport Layer Security, available from http://csrc.nist.gov/publications/nistpubs/.
2-2