IPsec and SSL VPNs are able to co-exist


The combined weight of many marketing machines is trying to persuade us that SSL VPNs will soon replace the old methods of encrypting data, but Mike Smart believes there is still an argument for traditional IPsec VPNs.

Virtual Private Networks (VPNs) based on the Internet Protocol (IP) really took off in recent years. As the rest of the IT industry struggled to recover from the economic downturn, IP VPNs continued to show robust growth rates. This growth followed the rise of broadband, as companies realized they could make significant savings on their network costs by encrypting data traffic across the internet.

As IP technologies become more reliable, organizations are increasingly looking at making further savings by web-enabling their IP applications. This is where the case for Secure Socket Layer (SSL), an alternative browser-based VPN security protocol, can be made. Respected analysts like The Tolly Group are predicting that simplifying VPNs by using SSL will trigger a fundamental change in their use. According to their surveys, 75 percent of network managers believe enterprises will choose SSL VPNs when workers access the network externally. They expect this change to occur within two years.

Proponents of SSL VPNs contend that, in the end, it might even be possible for enterprises to dispense with a dedicated corporate network completely, reducing the cost of remote working to almost zero in the process.

Yet IPsec VPN, the more established technology, shows no signs of declining. Indeed, it has many features that give it the edge over SSL VPN. For a start, IPsec VPN is better suited to network-based legacy applications that are not web-enabled. Managing IP VPNs has also become a lot easier. The latest security appliances bundle encryption and VPN gateway functions, once handled by dedicated software or appliances, into an easy-to-manage device. Remote, software-based VPNs are also getting easier to deploy. Some recent appliances enable administrators to define complex network access and personal firewall policies per user; for the mobile worker, deployment is reduced to entering a username and password, with the policies synchronized every time the user connects.

In IPsec VPNs, the encrypted tunnel is set up between two devices, so the remote machine effectively becomes part of the same network. Critics of IPsec VPNs contend that this technology carries more risk than SSL VPN when dealing with viruses. For example, once past the VPN gateway, a worm can quickly spread from an infected PC across the enterprise.

However, the arrival of security appliances with zone-based security architecture plus built-in intrusion prevention and detection technology has virtually rendered this argument obsolete. Traffic passes between the hosts unhindered as if the remote host was physically plugged in.

IPsec VPNs are the natural choice for remote or branch offices and telecommuters working from home, because these locations will typically require appliance-based firewalls for network protection. Most firewall appliances ship with IP VPN technology already.

SSL VPNs come in two flavors – application-based and network-based. The first uses the browser to access web-based applications without the need for additional software. For this type of deployment, corporate resources need to be web-enabled, or specific software (known as proxies) needs to be written by the SSL VPN vendor to talk to particular applications.

Network-based SSL VPN, on the other hand, requires dedicated software, which can be deployed and installed through the browser. It takes all traffic from the client, encrypts it and sends it to the remote host ready for decryption. It is then posted on the network and delivered to the target PC.

This method of SSL VPN can be less flexible than IP VPN client software, because firewall rules or security zone policies cannot be assigned to the client directly. In addition, the software needs to be compatible with the remote host: both with the browser (version and configuration) and with the target operating system itself.

Most industry observers agree that while SSL and IPsec are alternative technologies, they are not mutually exclusive. SSL is an important technology and is used widely in areas such as secure web transactions, but it is immature in the VPN market. IPsec VPNs are robust, relatively inexpensive and very widely used, which means they are likely to be around for some time.

Mike Smart is European product manager at SonicWALL

Copyright © SC Magazine, US edition