This can be defined many ways. Let’s try: “WebVPN is the ability to securely access a corporate network from anywhere on the Internet without the need for a VPN client”. I must admit this is a definition that popped out of my head, but I guess it is as good as any other.
The first question that comes up after this definition is why we would need yet another way of connecting to the corporate network. We have the (Cisco) VPN client that has served us well for so many years. I can think of at least two reasons. First, we don’t need a client. I will discuss this later, because they say we don’t, but the truth can be far from that. Second, those guys in charge of firewalls are doing a pretty darn good job of blocking the protocols needed for traditional IPsec (UDP/500, UDP/4500, ESP, AH), at least when we are sitting inside some other corporation and need to reach resources back in our own company. Well, enough is enough: WebVPN most often uses TCP/443, which most organizations allow out.
Now a little bit about that “clientless” thing: for WebVPN we don’t need a client. Well, we sure do! At least we have to have a supported web browser, which is a client, right? And with only a web browser we cannot do much. We need Java and/or ActiveX, we need plugins for some protocols, and very often we need a full WebVPN client such as AnyConnect. AnyConnect is clientless in the sense that we don’t have to install it prior to VPN session establishment; it is rather installed on demand and optionally removed once the session is over.
The following picture can help in comprehending the WebVPN concept.
As we can see, the user’s laptop makes an SSL/TLS connection to a gateway, an ASA in this case. Depending on how the ASA is set up and on the browser’s capabilities, these two agree on parameters such as the encryption algorithm, hashing function, key length and so on. After this the user gets authenticated and the session is established. Now some or all traffic gets encrypted on the client, sent to the ASA, decrypted there and forwarded to some internal resource. The most important benefit here is the holy trinity of encryption:
- Confidentiality – our traffic is encrypted
- Integrity – the traffic’s integrity is verified
- Authentication – user is authenticated
In the next few blogs I will deal with three basic WebVPN modes:
- Clientless mode
- Thin client mode
- Thick client mode