Near and far views: enterprises should select their SSL VPN with care

The public encryption algorithms currently used by SSL VPNs carry some security risks. Enterprises need to choose according to their own situation and the level of security they require.

Far view: the SSL VPN trend

The emergence of SSL VPN ensures the availability, integrity and confidentiality of enterprise data transmitted over public networks, while also reducing management complexity and operating costs. In the last two years in particular, demand for remote access to enterprise networks by mobile users has grown and business mobility has become a trend. To meet the security needs of mobile access, SSL VPN has gradually developed into an effective complement to IPSec VPN, and to some extent a trend toward replacing it has emerged.

Compared with other secure remote access solutions, SSL VPN addresses both network-layer transmission security and application-layer identity authentication and access control, and it is easy to use: with nothing more than a standard Web browser, a user can conveniently and securely access internal mail, shared files, shared applications and other resources from anywhere, and the SSL VPN integrates well with the enterprise's existing authentication systems.

Middle view: security risks emerge

However, in the actual deployment and use of an SSL VPN, the user must coordinate usability and security and strike a balance between the two. The key factor in achieving this balance is the encryption algorithm used for security.

As is well known, SSL VPNs usually use internationally published algorithms such as DES, 3DES and AES. As the various reviews point out, because the browser is used directly for secure login, the algorithms an SSL VPN uses must be the internationally published ones already embedded in the browser.

In fact, last year's experience shows that this security deserves careful evaluation. Cracking tools for the DES and 3DES algorithms have appeared; the AES algorithm is not supported by some browsers, and tools that intercept its key exchange have also appeared.

In addition, the digest algorithms used in many information security systems, such as MD5 and SHA-1, are increasingly called into question. MD5 in particular has dedicated cracking kits in the United States, which have spread widely on major hacker forums.

In short, the many frequent "attack" incidents at home and abroad show that a security system based on public cryptographic algorithms cannot meet the needs of a secure business communications environment, so users are bound to question the security of an information security system built on SSL VPN. This requires an appropriate balance between the security of the SSL VPN and its flexibility in application.
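As an added example that is not part of the original article, the following Python snippet audits TLS cipher-suite names for the algorithms the article calls into question (DES, 3DES, RC4, MD5 and SHA-1) and builds a TLS context whose OpenSSL cipher string excludes them. The suite names in the sample list are constructed.

```python
import ssl

# Algorithms the article flags, keyed by the token that names them in both
# IANA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and OpenSSL (DES-CBC3-SHA) spellings.
# A bare "SHA" token means SHA-1; SHA256/SHA384 are distinct tokens and pass.
WEAK_TOKENS = {
    "DES": "DES-family block cipher (DES or 3DES)",
    "3DES": "3DES block cipher",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5 MAC",
    "SHA": "SHA-1 MAC",
}

def suite_issues(name):
    """Return the reasons a single cipher-suite name is considered weak."""
    tokens = name.upper().replace("-", "_").split("_")
    return [WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS]

def audit_suites(names):
    """Map each weak suite to its issues; clean suites are left out."""
    flagged = {}
    for name in names:
        issues = suite_issues(name)
        if issues:
            flagged[name] = issues
    return flagged

def hardened_context():
    """TLS context whose TLS 1.2 cipher list excludes the flagged algorithms.
    OpenSSL aliases: SHA1 = suites with a SHA-1 MAC, 3DES = triple-DES suites."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!aNULL:!DES:!3DES:!RC4:!MD5:!SHA1")
    return ctx

def flagged_in_context(ctx):
    """Audit the suites the local OpenSSL would actually offer from this context."""
    return audit_suites(c["name"] for c in ctx.get_ciphers())

# Constructed sample: the kind of list an SSL VPN appliance's cipher page shows.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for suite, issues in audit_suites(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(issues)}")
    print("weak suites left in hardened context:", flagged_in_context(hardened_context()))
```

Only the first four sample suites are reported; the hardened context offers none of the flagged algorithms, which is the check to run against a VPN gateway's own cipher list.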

Close view: independent algorithms emerge

Cryptographic algorithms are designed to deliver security, and the security of the algorithm is critical to the design of any cryptography-based system. By the algorithms currently in use, the SSL VPN market can be divided into two forms: one directly uses the international standard algorithms already embedded in the browser; the other uses algorithms approved by the national competent authority, which is an important guarantee of the confidentiality and integrity of confidential business information in transit.

SSL VPNs built on the algorithms already embedded in the browser use DES, 3DES, RC4; RSA; MD5, SHA-1 and so on, whose security, as the analysis above shows, is increasingly in doubt. An SSL VPN that meets the requirements of the national authorities must use cryptographic algorithms approved by the competent department. Such implementations use a cryptographic card in the SSL VPN to provide high-performance cryptographic processing, and the client uses a hardware carrier such as a USB Key to implement the algorithms, so that mutual authentication between server and client and encryption of the transmission between them are effectively achieved.

Replacing the internationally published algorithms with algorithms approved by the national authorities, and using hardware at the same time, greatly improves security, raises the security level and also complies with the relevant national policies. Users should note, however, that this approach requires client software to be installed, so ease of use is reduced to a certain degree.

The author believes that large enterprise and government users who are security-sensitive and want the best security experience can use products with independent algorithms to make their security foolproof. SMEs that are less sensitive in their security requirements but demanding about experience and ease of connectivity can use products with public algorithms.