September 15, 2009

Forget VPN, Use SSH Instead

A challenge many employees face is remote access to their company network. People want to be able to work remotely exactly as if they were sitting in their office. The IT department needs to help their employees remain productive, while maintaining the high security standards necessary for internal servers and applications. The traditional approach to this problem has been the use of proprietary VPN networking using specific network appliances from companies like Cisco, SonicWall, NetGear, and others. This method requires special software installed on each computer, so your computer will appear as if it is on the company’s local network.

A large challenge with this approach has been the security issues when granting access to people working with the company, but not as employees. A better solution would be to grant different levels of access for each person, rather than granting access to the entire corporate network. A typical VPN solution to this problem has been through the careful configuration of your network. This is clearly a non-optimal answer. More modern VPN techniques such as SSL VPN have attempted to leverage more common standards for connecting client computers, but they suffer from the same basic issues.

Let me suggest a better approach to solving this problem that many technical people are already familiar with, Secure Shell (SSH). People doing software development commonly use source control software such as CVS, Subversion, Git, and others to manage the development of software across many developers. The most common method for access to this common source code is through the use of secure networking via SSH and public key cryptography. An SSH tunnel is used to encrypt all network traffic between their computer and the corporate network computers. Typically developers maintain both a VPN connection for most network services, and an SSH connection for their development work.

My suggestion is that there is no need for two distinct solutions. SSH can be used to provide totally secure point-to-point network communication for source code development, email, web access, and more. This can be controlled on a per-user basis for any number of services. An SSH approach to remote access can be as totally transparent and easy to use as any existing VPN technology. There are a few issues with achieving this simple and intuitive approach that are all easily solvable with the help of major operating system and browser companies. Note that all the solutions below are freely available as part of time-tested open source solutions.

  1. The first step is creation of your private and public key pair. Today you must run a separate application every time you wish to create these keys. Some operating systems have a command built into the system, while others require download of an SSH application such as PuTTY. It’s a simple matter of performing these steps automatically, every time a new user account is created.
  2. A user interface is required to identify which network services should be routed over the secure network using SSH. This is easily done using URLs, for example
  3. The operating system can then identify remote network access to these resources and setup SSH tunnels as required. For example, access to a remote IMAP mail server would actually connect to a local SSH port, which is then sent over an encrypted SSH tunnel to the actual mail server. Accessing a web page on the remote network would similarly connect to a local port, but use the SOCKS protocol to dynamically route traffic to the remote web server. Note that it is important that the SOCKS v5 protocol is used with remote DNS resolution since remote network names are typically not exposed on the public Internet. The operating system and web browser can totally handle setup, teardown, and configuration of these tunnels entirely behind the scenes with no user input being required.
  4. Improved server tools can greatly simplify and standardize making secure configuration of users and services. Open source SSH server solutions permit configuration of each user and the services they are permitted to access based on their public key. Powerful, yet easy to use GUI and browser based solutions are straightforward to build upon this foundation.

SSH offers the best solution for secure remote network access, but it has been relegated to use by the technical elite. Developers, hackers, and sysadmins have used these technologies for years and recognize the value it provides as a superior form of secure communication. Only through the adoption as the defacto method for VPN access by companies like Apple, RedHat, Microsoft, and others, can this powerful technology break into mainstream usage. When it does, everyone will benefit from much more secure, stable, and easy to use networking from any location.