SSL-Explorer: Community Edition
From Wikipedia, the free encyclopedia
SSL-Explorer: Community Edition | |
---|---|
Developed by | 3SP Ltd |
Latest release | 1.0.0 RC17 / March 18, 2008 |
OS | Microsoft Windows, Linux, Mac OS X |
Genre | SSL VPN |
License | GNU General Public License |
Website | SSL-Explorer: Community Edition Home Page |
SSL-Explorer: Community Edition was an open source SSL VPN product developed by 3SP Ltd. The solution is licensed under the GNU General Public License (GPL) and is aimed primarily at smaller businesses to fulfill a requirement for remote access to internal network resources.
It is designed to be installed upon a standalone server and allows a user to connect remotely to internal corporate resources such as intranet websites, network file shares, ‘fat client’ applications and other data via a regular web browser. From the perspective of the end user the main advantage is that they have access to the applications that they would use every day at work through a simple web browser, without needing to install dedicated VPN client software.
History, versions and discontinuance
The product was first released on the SourceForge.net website in August 2004 and has since had over 275,000 downloads of the main product distribution as of December 2007[1]. All versions of the core Community Edition product were licensed under the GPL while the commercial Enterprise Edition product, which was built upon the Community Edition but with additional functionality, is licensed separately under a commercial license.
As of April 2008, 3SP Ltd has announced that they have discontinued development of the Community Edition [2]. Instead, they have made available a 2-user license to their commercial version at no cost and without support, but under the product's commercial license.
SSL-Explorer was known to install and function on the following operating systems:
- Microsoft Windows 2000, XP, XP x64, 2003 & Vista
- Various Linux distributions including Red Hat Enterprise Linux, Fedora Core, CentOS, Slackware, SUSE Linux, Debian, Gentoo[3] and Conary-based distributions
- Mac OS X v10.4 or later
- Sun Microsystems Solaris 8 and 9 (on SPARC and x86)
As with any product previously licensed under the GPL, the source code is still available via SourceForge.net. However, future updates to the source code or pre-built binaries will not be forthcoming from 3SP Ltd. The Community Edition webpage at 3sp.com now redirects to the page for the commercial Enterprise Edition product.
How It Works
SSL-Explorer is an application written in Java and contains its own database and web server, which is used to serve secure web pages that give access to back-end network resources. While the product is ideally installed upon a standalone server, it may also be installed as a service and run in the background alongside other processes if desired.
The product acts as a web-based proxy that mediates requests for resources from external users while also authenticating these users' identities by querying a number of user databases, including Microsoft's Active Directory. Access rights are enforced on the principle of role-based access control; secondary access control measures such as NTFS filesystem permissions can also affect the resources that a user may access.
Some resources (e.g. remote desktop access) require the use of port forwarding to operate successfully. For this purpose a lightweight Java applet known as the 'SSL-Explorer Agent' is downloaded and launched by the client browser. The applet intercepts TCP/IP requests on certain configurable ports and forwards them to the SSL-Explorer server which in turn routes them to the appropriate endpoint on the network.
Using a combination of various techniques such as web proxying and port forwarding, most corporate applications can continue to function unimpeded with their data tunneled transparently between the end point and the client (via SSL-Explorer) using the HTTPS protocol.
Network resources that may be externalized by SSL-Explorer include the following:
- Intranet websites
- Rich web-based applications such as Microsoft Outlook Web Access
- Access to workstation desktops
- File resources published on FTP/SFTP/SMB file mounts
- Other company resources accessible by TCP/IP, e.g. databases and other custom applications
The VPN server itself may be placed either inside the DMZ or within the trusted network, with incoming connections on port 443 forwarded directly to SSL-Explorer by firewall rules. One of the main advantages of SSL VPN products is that, when correctly set up, it should be technically possible to close all other inbound firewall ports apart from the HTTPS/SSL port 443.
While often lumped together as similar solutions, SSL-Explorer is conceptually different from OpenVPN in that it provides controlled and authenticated access to services and applications within a network rather than full, unchallenged network access[4].
Who is it intended for?
While SSL-Explorer and SSL VPN products as a whole are beneficial to many people, there are a number of distinct groups which benefit greatly from their usage:
- Road warriors – Users who spend a lot of time ‘on the road’ who may connect back into the company on an ad-hoc basis from a number of different computers.
- Technical support staff – In many corporations, technical support is often located off site at another branch office. By using an SSL VPN, support can be extended to remote locations.
- University students – Connecting often from various locations at various campuses, an SSL VPN solution (especially one that is clientless / browser based) is useful to provide ad-hoc access to webmail and other basic applications.
- Telecommuters – By their nature these workers work almost exclusively from their home offices and require dedicated remote working facilities.
- Collaborative project workers – By extending remote access across geographical boundaries, the limitations of distance and time zones become less restrictive when working on collaborative projects.
Security Measures
The Community Edition of SSL-Explorer provided the security features listed below. Features such as One-Time-Password support and hardware token authentication were offered only via the commercial Enterprise Edition product.
- Granular policy-based rights management
- Users authenticated via multiple user databases including the built-in database and Active Directory
- Peer reviewable source code available under GPL license
- Multiple authentication mechanisms, e.g. personalized security questions
- Protection from SQL injection attacks
- Buffer overflow exploit risks mitigated through implementation in Java
- Supports access through HTTP or SOCKS proxy
- Local and remote tunneling via SSL
- Session inactivity timeouts
- Web application URL masking
Performance Testing
In February 2007, 3SP Ltd conducted performance benchmarking of the SSL-Explorer solution using a test bed platform of three systems using different specifications of hardware. The benchmarking was conducted with the assumption that a minimum 256 kbit/s data throughput rate would be a realistic value to place upon a responsive VPN tunnel for use such as remote desktop access. The BEA jRockit JRE was used in all tests on both Microsoft Windows and Linux systems.
The results obtained indicated that:
- An entry-level PC based upon a 1.8 GHz Athlon with 768 MB RAM was able to sustain 144 concurrent tunnels at 256 kbit/s (36 Mbit/s overall throughput on Windows, 46 Mbit/s on Linux).
- A mid-spec PC based upon a 2.8 GHz Pentium 4 with 1 GB RAM sustained 192 concurrent tunnels (overall 49 Mbit/s throughput on Windows, 61 Mbit/s on Linux).
- A high-spec PC using a Core 2 Duo 6600 with 4 GB RAM sustained 528 tunnels (overall throughput of 135 Mbit/s on Windows, 168 Mbit/s on Linux).
SSL-Explorer is known to operate successfully using the nCipher nFast LN1200 SSL Accelerator card[5].
Technologies used by SSL-Explorer
SSL-Explorer was built using a number of open source software components and frameworks. The most notable projects are summarized here:
- rPath Linux – Provides an appliance platform for the SSL-Explorer virtualized appliance
- Apache Struts – MVC framework for development of web applications
- Jetty 5.0 – High performance Java based web server and servlet container.
- HSQLDB – Lightweight Java database implementation used for storage of configuration data and internal user database (when used).
- AJAXTags – Asynchronous JavaScript and XML for a responsive web interface.
- Commons VFS – Used to provide virtual filesystem implementation
- Log4j – Provides the logging component of SSL-Explorer
- Rome – RSS feed reader
- JCIFS – Provides the SMB protocol support for Windows networks compatibility
- BEA Systems jRockit – Performance optimized Java Runtime Environment used to provide high performance SSL-Explorer installations[6].
Security Vulnerabilities
In June 2007, Secunia published an advisory[7] stating that versions of SSL-Explorer prior to 0.2.13 are vulnerable to cross-site scripting attacks and HTTP header injection attacks. 3SP Ltd fixed this vulnerability in later versions of the product and advised users to upgrade their servers.
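The two bug classes named in the advisory both arise when request input reaches a response unchecked: CR/LF characters in a header value let the value terminate the header, and unescaped input in HTML lets it be rendered as markup. The following helpers are an added illustration of the corresponding checks a Java web application would apply; they are not SSL-Explorer code, and the class name, the redirect allowlist and the sample inputs are constructed for this example.

```java
import java.util.regex.Pattern;

// Hypothetical hardening helpers (not from SSL-Explorer) for the two bug
// classes in the advisory: HTTP header injection and cross-site scripting.
public final class WebOutputGuard {
    // A header value must never contain CR or LF: either character ends the
    // header line and lets the remainder be parsed as a new header or body.
    private static final Pattern CRLF = Pattern.compile("[\\r\\n]");
    // Redirect targets are restricted to site-relative paths. The lookahead
    // rejects "//host" forms, which browsers treat as protocol-relative URLs.
    private static final Pattern SAFE_PATH =
            Pattern.compile("^/(?!/)[A-Za-z0-9._~/%?=&-]*$");

    private WebOutputGuard() {}

    /** True if the value can be placed in an HTTP header without injection. */
    public static boolean isSafeHeaderValue(String value) {
        return value != null && !CRLF.matcher(value).find();
    }

    /** Returns the requested redirect target if it is a safe relative path, else the fallback. */
    public static String safeRedirectTarget(String requested, String fallback) {
        if (!isSafeHeaderValue(requested) || !SAFE_PATH.matcher(requested).matches()) {
            return fallback;
        }
        return requested;
    }

    /** Escapes the characters that are significant in HTML text and attribute contexts. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid relative path, one containing a
        // line break, one protocol-relative path, and one reflected display name.
        System.out.println(safeRedirectTarget("/portal/home", "/"));
        System.out.println(safeRedirectTarget("/portal\r\nX-Injected: 1", "/"));
        System.out.println(safeRedirectTarget("//other.example/portal", "/"));
        System.out.println(escapeHtml("<b>display name</b> & \"quotes\""));
    }
}
```

Both checks belong at the point where the application writes the response; validating the redirect target against a fixed set of application paths is stricter than the pattern shown here and preferable when the set of destinations is known.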
See also
- Virtual Private Network
- SSL VPN
- 3SP Ltd
- OpenVPN
- VPN-X