Wednesday, September 14, 2005


SSL versus IPSec VPN

Technology Updates

You're comfortable with the security of your network inside the office, but how do you feel about a salesman using his laptop to access your network from the local Starbucks?

It's easy to control security within the physical walls of your plant, but providing secure remote access to internal resources for externally connected users is more difficult. IPsec (IP security) and PPTP (Point-to-Point Tunneling Protocol) VPNs, and sometimes SSH tunneling, are adequate, but these setups often have problems with NAT (Network Address Translation) traversal, firewalls and client management. An SSL (Secure Sockets Layer) VPN should solve those problems while still providing robust and secure remote access. However, an SSL setup comes with its own difficulties, such as problems with browser support, the increased privileges required on the client computer for anything other than pure HTTP applications and the inherent security problem of data cached in the browser. For more information, see "ABCs of Remote Access".

Compare and Contrast

IPsec is a Layer 3 VPN: For both network-to-network and remote-access deployments, an encrypted Layer 3 tunnel is established between the peers. An SSL VPN, in contrast, is typically a remote-access technology that provides Layer 6 encryption services for Layer 7 applications and, through local redirection on the client, tunnels other TCP protocols. From a purely technical standpoint, you may be able to run both IPsec and SSL VPNs simultaneously, unless both the IPsec and SSL VPN products use installed client software on the user's computer. In that case, you may have stack conflicts.


SSL VPN vs. IPsec VPN

Organizations often base their VPN choice on cost, configuration and usability. If you're looking for a network-to-network VPN, the only real choice is IPsec. Check Point Software Technologies, Cisco Systems, Juniper Networks, Nortel Networks, Sonicwall and WatchGuard all offer IPsec VPNs with integrated firewalls. If you go this route, look at the vendor's customer-support track record, determine if security is built into its product and find out what features will be available down the line.

The Easier Path?

IPsec VPN solutions generally are a lot easier to manage. The client-to-gateway tunnel forms a network connection similar to that of dial-up networking. Ephemeral TCP/UDP ports are natively supported. If your traveling users are employing SIP (Session Initiation Protocol)- or H.323-based applications, IPsec has a clear advantage over SSL VPN because it's hands-free on the client side. Once the software is running, users interact with their software and remote services seamlessly.

The IPsec VPN is an open network from the desktop client to the destination network, but that doesn't mean the desktop is just an IP router. Because of the possible split-tunneling problem (simultaneous access to a trusted and a nontrusted network), you can limit access through policies set on the IPsec gateway. However, as SQL Slammer demonstrated, a worm-infected host that connects to an internal network over IPsec can infect the internal network. Use the embedded IPsec gateway firewall or place a firewall between the gateway and the rest of the network for added protection.
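The split-tunneling condition described above can be checked on the client side from its routing table. The following is an added example, not code from the article or any vendor product: it parses a Linux `ip route`-style table (the sample tables, interface names and addresses are constructed) and reports whether corporate prefixes go over the tunnel while other traffic bypasses it.

```python
import ipaddress

# Constructed sample 1: split tunnel. Corporate 10.0.0.0/8 rides tun0,
# but the default route still points at the local (untrusted) wlan0.
ROUTES_SPLIT = """\
default via 192.0.2.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.50
"""

# Constructed sample 2: full tunnel. The two /1 routes override the
# default route for every destination, so all traffic enters tun0.
ROUTES_FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.50
"""


def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def route_for(routes, addr):
    """Longest-prefix match, the same selection rule the kernel applies."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify_tunnel(text, tunnel_dev, corp_prefixes, probe="203.0.113.10"):
    """'full' if everything uses the tunnel, 'split' if only corporate
    prefixes do, 'disconnected' if a corporate prefix misses the tunnel.
    `probe` is any address outside the corporate prefixes."""
    routes = parse_routes(text)
    for prefix in corp_prefixes:
        host = str(ipaddress.ip_network(prefix)[1])
        if route_for(routes, host) != tunnel_dev:
            return "disconnected"
    return "full" if route_for(routes, probe) == tunnel_dev else "split"
```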

The leading IPsec VPN gateways from Cisco and Nortel are easy to manage and offer hierarchical group management, tight integration with external authentication servers and extremely useful and detailed event logging on the gateway. The latter is critical when troubleshooting remote-user connection problems.

However, an IPsec VPN may cost you more in the long run. Let's consider license costs: An IPsec VPN typically costs between $10 and $25 per seat and an SSL VPN from $50 to $120 per seat, for a 500-user license. At first glance, IPsec VPN seems appealing costwise. But once you factor in the costs for deploying and managing an IPsec client, the additional testing required prior to patching an OS client (remember that Windows XP Service Pack 2 broke many client applications, including IPsec) and the lost productivity from users who can't connect to the gateway over IPsec, it may not look like such a bargain. Additionally, many IT managers have found IPsec VPNs to be time-consuming for their staffs to maintain, because end users often need help when downloading software or maintaining their connections.

Source: http://www.secureenterprisemag.com/showArticle.jhtml;?articleID=169400385