Software:SSL-Explorer: Community Edition

From HandWiki
SSL-Explorer: Community Edition
  • Developer(s): 3SP Ltd
  • Stable release: 1.0.0 RC17 / March 18, 2008
  • Operating system: Microsoft Windows, Linux, Mac OS X
  • Type: SSL VPN
  • License: GNU General Public License
  • Website: SSL-Explorer: Community Edition Home Page

SSL-Explorer: Community Edition was an open-source SSL VPN product developed by 3SP Ltd, a company acquired by Barracuda Networks. It is licensed under the GNU General Public License (GPL), and is aimed primarily at smaller businesses that need remote access to internal network resources.

The product is designed to be installed on a standalone server. It allows a user to connect remotely to internal corporate resources such as intranet websites, network file shares, ‘fat client’ applications, and other data via a regular web browser. It gives end users access to applications that they would use every day at work through a simple web browser, without the necessity of installing dedicated VPN client software.

History, versions and discontinuance

The product was first released on the SourceForge.net website in August 2004 and had over 275,000 downloads of the main product distribution as of December 2007 [1]. All versions of the core Community Edition product were licensed under the GPL, while the commercial Enterprise Edition product, which was built upon the Community Edition with additional functionality, was licensed separately under a commercial license. A fork of the last GPL release was created under the name Adito, which was later renamed OpenVPN ALS [2].

Around March 2008, 3SP Ltd announced that it had discontinued development of the Community Edition [3].

SSL-Explorer was known to install and function on the following operating systems:

As with any product previously licensed under the GPL, the source code is still available via SourceForge.net. However, future updates to the source code or pre-built binaries will not be forthcoming from 3SP Ltd.

As of November 18, 2008, 3SP Ltd. is now part of Barracuda Networks [5]. The technology behind SSL-Explorer is now incorporated into the Barracuda SSL VPN.

How It Works

SSL-Explorer is an application written in Java that contains its own database and web server, which is used to serve secure web pages giving access to back-end network resources. While the product is ideally installed on a standalone server, it may also be installed as a service and run in the background alongside other processes if desired.

The product acts as a web-based proxy that mediates requests for resources from external users while also authenticating those users' identities by querying a number of user databases, including Microsoft's Active Directory. Access rights are enforced on the principle of role-based access control; other secondary access control measures, such as NTFS filesystem permissions, can also affect the resources that a user may access.

Some resources (e.g. remote desktop access) require the use of port forwarding to operate successfully. For this purpose a lightweight Java applet known as the 'SSL-Explorer Agent' is downloaded and launched by the client browser. The applet intercepts TCP/IP requests on certain configurable ports and forwards them to the SSL-Explorer server which in turn routes them to the appropriate endpoint on the network.

Using a combination of techniques such as web proxying and port forwarding, most corporate applications can continue to function unimpeded, with their data tunneled transparently between the endpoint and the client (via SSL-Explorer) over the HTTPS protocol.

Network resources that may be externalized by SSL-Explorer include the following:

  • Intranet websites
  • Rich web-based applications such as Microsoft Outlook Web Access
  • Access to workstation desktops
  • File resources published on FTP/SFTP/SMB file mounts
  • Other company resources accessible by TCP/IP, e.g. databases and other custom applications

The VPN server itself may be placed either in the DMZ or within the trusted network, with incoming connections on port 443 forwarded directly to SSL-Explorer by firewall rules. One of the main advantages of SSL VPN products is that, when correctly set up, it should be technically possible to close all other firewall ports apart from the HTTPS/SSL port 443.

While often lumped together as similar solutions, SSL-Explorer is conceptually different from OpenVPN in that it provides controlled and authenticated access to services and applications within a network rather than full, unchallenged network access [6].

Who is it intended for?

While SSL-Explorer and SSL VPN products as a whole are beneficial to many people, there are a number of distinct groups which benefit greatly from their usage:

  • Road Warriors – Users who spend a lot of time "on the road" who may connect back into the company on an ad hoc basis from a number of different computers.
  • Technical support staff – In many corporations, technical support is often located off site at another branch office. By using an SSL VPN, support can be extended to remote locations.
  • University students – Connecting often from various locations at various campuses, an SSL VPN solution (especially one that is clientless / browser based) is useful to provide ad hoc access to webmail and other basic applications.
  • Telecommuters – By their nature these workers work almost exclusively from their home offices and require dedicated remote working facilities.
  • Collaborative project workers – By extending remote access across geographical boundaries, the limitations of distance and time zones become less restrictive when working on collaborative projects.

Security Measures

The Community Edition of SSL-Explorer provided a number of security features. Features such as One-Time-Password support and hardware token authentication are offered via the commercial implementation, the Barracuda SSL VPN.

  • Granular policy-based rights management
  • Users authenticated via multiple user databases including the built-in database and Active Directory
  • Peer reviewable source code available under GPL license
  • Multiple authentication mechanisms, e.g. personalized security questions
  • Protection from SQL injection attacks
  • Buffer overflow exploit risks mitigated through the use of Java as the implementation language
  • Supports access through HTTP or SOCKS proxy
  • Local and remote tunneling via SSL
  • Session inactivity timeouts
  • Web application URL masking

Performance Testing

In February 2007, 3SP Ltd conducted performance benchmarking of the SSL-Explorer solution using a test bed platform of three systems using different specifications of hardware. The benchmarking was conducted with the assumption that a minimum 256 kbit/s data throughput rate would be a realistic value to place upon a responsive VPN tunnel for use such as remote desktop access. The BEA jRockit JRE was used in all tests on both Microsoft Windows and Linux systems.

The results obtained indicated that:

  1. An entry-level PC based upon a 1.8 GHz Athlon with 768 MB RAM was able to sustain 144 concurrent tunnels at 256 kbit/s (36 Mbit/s overall throughput on Windows, 46 Mbit/s on Linux),
  2. A mid-spec PC based upon a 2.8 GHz Pentium 4 with 1 GB RAM sustained 192 concurrent tunnels (overall 49 Mbit/s throughput on Windows, 61 Mbit/s on Linux)
  3. A high-spec PC using a Core 2 Duo 6600 with 4 GB RAM sustained 528 tunnels (overall throughput of 135 Mbit/s on Windows, 168 Mbit/s on Linux)

SSL-Explorer is known to operate successfully using the nCipher nFast LN1200 SSL Accelerator card [7].

Technologies used by SSL-Explorer

SSL-Explorer was built using a number of open source software components and frameworks. The most notable projects are summarized here:

  • rPath Linux – Provides an appliance platform for the SSL-Explorer virtualized appliance
  • Apache Struts – MVC framework for development of web applications
  • Jetty 5.0 – High performance Java based web server and servlet container.
  • HSQLDB – Lightweight Java database implementation used for storage of configuration data and internal user database (when used).
  • AJAXTags – Asynchronous JavaScript and XML for responsive web interface.
  • Commons VFS – Used to provide virtual filesystem implementation
  • Log4j – Provides the logging component of SSL-Explorer
  • Rome – RSS feed reader
  • JCIFS – Provides the SMB protocol support for Windows networks compatibility
  • BEA Systems jRockit – Performance optimized Java Runtime Environment used to provide high performance SSL-Explorer installations [8].

Security Vulnerabilities

In June 2007, Secunia published an advisory [9] stating that versions of SSL-Explorer prior to 0.2.13 are vulnerable to cross-site scripting attacks and HTTP header injection attacks. 3SP Ltd fixed this vulnerability in later versions of the product and advised users to upgrade their servers.

Currently there is a US-CERT advisory notice for an unresolved potential security flaw affecting a whole class of URL-rewriting clientless SSL VPN products, including all versions of SSL-Explorer and its derivatives and many other similar utilities; see [10].
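As an added illustration (not code from the page or from SSL-Explorer) of why URL-rewriting clientless SSL VPNs as a class attract this kind of advisory: the gateway rewrites every backend URL into its own address space, so pages from separate internal hosts all reach the browser from the gateway's single origin, and the browser's same-origin policy no longer separates them. The gateway name, backend hosts and allow-list are constructed for the example; the allow-list is the mitigation a defender would insist on, since every host proxied through the gateway shares that one origin.

```python
from urllib.parse import urlsplit

# Constructed gateway address and backend allow-list (not from the page).
VPN_HOST = "https://vpn.example.test"
ALLOWED_BACKENDS = {"intranet.corp.test", "wiki.corp.test"}


def origin_of(url: str) -> tuple:
    """Browser-style origin: (scheme, host, effective port)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def rewrite_url(backend_url: str) -> str:
    """Rewrite a backend URL into the gateway's URL space, the way a
    clientless SSL VPN does so the browser only ever talks to the gateway.
    Backends outside the allow-list are refused (the defender's control).
    The backend port is dropped here for brevity; real products encode it."""
    parts = urlsplit(backend_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs can be rewritten")
    if parts.hostname not in ALLOWED_BACKENDS:
        raise ValueError(f"backend {parts.hostname} is not permitted")
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{VPN_HOST}/proxy/{parts.scheme}/{parts.hostname}{path}{query}"


def collapsed_origin(url_a: str, url_b: str) -> bool:
    """True when two backend URLs that are distinct origins for the browser
    end up sharing one origin once both are served through the gateway."""
    distinct_before = origin_of(url_a) != origin_of(url_b)
    same_after = origin_of(rewrite_url(url_a)) == origin_of(rewrite_url(url_b))
    return distinct_before and same_after


if __name__ == "__main__":
    a, b = "https://intranet.corp.test/", "http://wiki.corp.test:8080/"
    print(rewrite_url(a))
    print(rewrite_url(b))
    print("origins collapsed:", collapsed_origin(a, b))
```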

External links

  • OpenVPN ALS: Open source continuation of SSL-Explorer Community Edition.
  • OpenVPN ALS wiki: Documentation for the OpenVPN ALS project.
  • SSL-Explorer: Community Edition Sourceforge.net project page.
  • 3SP: SSL-Explorer forum (currently read-only).
  • Barracuda SSL VPN: commercial implementation based on SSL-Explorer technology.