SSL VPNs provide The Sports Authority, and a growing number of enterprises, with cheaper secure remote connectivity. Will they eventually slam dunk IPSec?
Secure remote connectivity hasn't always been a slam dunk at The Sports Authority.
Following its 2003 merger with Gart Sports Company, then the second-largest sporting goods retailer in the U.S., the chain grew to 386 stores in 45 states. Providing its remote sales staff and buyers with secure access to the corporate network was as difficult as beating a full-court press.
"Our corporate portal was getting larger and larger, and we needed to distill more information to sales people, for example," says group Unix manager Joseph Girodo. "As we built up the portal solution, the need for access increased."
Girodo resolved a host of connectivity woes by deploying F5 Networks' FirePass 4100 SSL VPN. Gone are dropped Telnet connections, system timeouts and dangling files on the server.
"IPSec was never a consideration for me," Girodo says. "We went straight to SSL. I didn't want to put a client on every PC and maintain and update it. SSL allowed us to customize access and menus for individual and group needs."
It's an increasingly common scouting report. SSL VPNs are rapidly gaining ground on their older, heavier IPSec cousins. Enterprises are turning to SSL VPNs to resolve their application-layer remote connectivity issues, improve security and lower overhead. Security vendors are responding to these demands by improving the implementation of SSL VPNs and adding complementary functions, such as endpoint security checks.
With SSL VPNs on the offense, will IPSec VPNs eventually be benched?
Reversal of Fortune
IPSec has maturity on its side, which also means there is very little innovation left in the technology. That's not the case with the budding SSL VPN market, which is expected to reach $300 million this year.
"We are in a transition phase," says Forrester Research analyst Rob Whiteley. "We are going to see more SSL deployments until IPSec becomes the niche technology, which is the reverse of today."
IPSec VPN is a layer 3 technology that builds a secure tunnel between a remote host or site and the corporate network. It requires host-based clients and expensive concentrator hardware at a central location, and ongoing configuration maintenance and account administration are heavy burdens. Users get full office functionality over an IPSec tunnel, but there's very little granularity in access control: the decision is generally permit-or-deny at the network level, with most shared network resources reachable by any authenticated user.
SSL VPNs work at the application layer (layer 7) and don't require a preinstalled client; remote connections are made through a Web browser or through a Java or ActiveX agent that the gateway pushes on demand. Security managers can assign role-based access per user and per application, and client administration is largely eliminated.
"We have much greater security now [with SSL]; individuals and groups have access to specific re-sources and cannot go anywhere else on the network," says The Sports Authority's Girodo. "Everything else is locked down."
Secure remote connectivity is paramount for The Sports Authority's employees, executives and vendor partners. Sales execs in the field need access to e-mail and file servers, while upper management requires access to sales information. Partners need extranet portal access to data and applications, but shouldn't have the free rein on The Sports Authority network that IPSec would enable.
Maintaining the IPSec client software licenses would have been a significant financial burden for The Sports Authority, whose tech support would have been responsible for the arduous task of installing and configuring the software on remote machines.
"Administration of the SSL VPN takes less time and can be customized and secured per user. And, most updates or patches only have to be done in one place," Girodo says.
The Sports Authority's old private dial-up network was a security nightmare, he adds. Thick clients were installed on remote PCs and laptops, and they gave everyone--employees, partners and third-party vendors--the same network access. All levels of files and messages stored on a particular server were fair game for wandering eyes.
SSL's ability to get granular with access controls sets it apart. IPSec deployments are generally geared toward power users, employees who need broad network access from remote locations. SSL VPNs were originally designed to provide access to specific applications such as e-mail or ERP and CRM apps; most can now also open a similar network-level door via a Java or ActiveX agent, but their strength remains the narrow, per-application grant. Thus, SSL VPNs are the preferred choice for giving telecommuters e-mail access or partners access to an extranet portal.
"Security was a major consideration. Going to one specific IP address was a major win for us," Girodo says.
VPNs are all about encryption and keeping data safe as it travels between endpoints.
IPSec VPNs protect traffic with two protocols: Authentication Header (AH), which provides integrity and origin authentication for each packet, and Encapsulating Security Payload (ESP), which encrypts the payload and can also authenticate it. The two peers authenticate each other when the tunnel is negotiated with IKE, using pre-shared keys or digital certificates, and the packet data is then encrypted with a cipher such as TripleDES or AES. Because every protected packet carries a keyed integrity check and a sequence number, an attacker on the network cannot modify or replay packets without the receiver detecting and discarding them.
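The integrity and anti-replay protection described above, as an added example that is not code from the article or from any IPSec implementation. It models an ESP-style security association in Python: an SPI and sequence-number header, encrypt-then-MAC with a truncated HMAC-SHA256 Integrity Check Value, and a receive-side replay window. The keystream construction (HMAC-SHA256 in counter mode) stands in for the 3DES or AES cipher a real SA would negotiate, and the 64-byte key split, the 0x1234 SPI and the sample HTTP request are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16          # truncated HMAC-SHA256 used as the Integrity Check Value
REPLAY_WINDOW = 64    # RFC 4303 requires at least 32; 64 is a common default


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, keyed per packet by the sequence number.
    Stand-in for the block cipher (3DES/AES) a real ESP SA would negotiate."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">II", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def icv(auth_key: bytes, data: bytes) -> bytes:
    """Integrity Check Value: keyed MAC over SPI, sequence number and ciphertext."""
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


class OutboundSA:
    """Sender side of one security association (one direction, one SPI)."""

    def __init__(self, spi: int, key: bytes):
        if len(key) != 64:
            raise ValueError("expected 32-byte encryption key + 32-byte auth key")
        self.spi = spi
        self.enc_key, self.auth_key = key[:32], key[32:]
        self.seq = 0

    def protect(self, plaintext: bytes) -> bytes:
        self.seq += 1                                    # never reused under one key
        header = struct.pack(">II", self.spi, self.seq)  # SPI || sequence number
        ks = keystream(self.enc_key, self.seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        # Encrypt-then-MAC: the ICV covers header and ciphertext, as ESP's does.
        return header + ciphertext + icv(self.auth_key, header + ciphertext)


class InboundSA:
    """Receiver side: verify integrity, then anti-replay, then decrypt."""

    def __init__(self, spi: int, key: bytes):
        if len(key) != 64:
            raise ValueError("expected 32-byte encryption key + 32-byte auth key")
        self.spi = spi
        self.enc_key, self.auth_key = key[:32], key[32:]
        self.highest_seq = 0
        self.seen = set()

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("short packet")
        header, body, tag = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # Integrity first, in constant time, so a forger cannot influence the window.
        if not hmac.compare_digest(tag, icv(self.auth_key, header + body)):
            raise ValueError("ICV mismatch: packet modified or forged")
        if seq == 0 or seq in self.seen or seq <= self.highest_seq - REPLAY_WINDOW:
            raise ValueError(f"replay or stale sequence number {seq}")
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.seen = {s for s in self.seen if s > self.highest_seq - REPLAY_WINDOW}
        ks = keystream(self.enc_key, seq, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def demo() -> dict:
    """Constructed exchange: a good packet, a tampered copy, and a replayed copy."""
    # Constructed key material; a real SA derives its keys from the IKE exchange.
    key = hashlib.sha256(b"constructed enc key").digest() + hashlib.sha256(b"constructed auth key").digest()
    tx, rx = OutboundSA(0x1234, key), InboundSA(0x1234, key)
    packet = tx.protect(b"GET /portal HTTP/1.1")
    result = {"decrypted": rx.unprotect(packet)}

    tampered = bytearray(packet)
    tampered[10] ^= 0x01               # flip one bit inside the ciphertext
    try:
        rx.unprotect(bytes(tampered))
        result["tamper_error"] = None
    except ValueError as e:
        result["tamper_error"] = str(e)

    try:
        rx.unprotect(packet)           # exact copy of an already accepted packet
        result["replay_error"] = None
    except ValueError as e:
        result["replay_error"] = str(e)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The receiver checks the ICV before consulting the replay window; doing it the other way round would let an attacker advance the window with forged sequence numbers and cause legitimate packets to be dropped.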
But, IPSec configurations are complex and must be done manually; and, with thousands of enterprise users on a network, the complexity around managing clients and configurations deepens.
SSL, conversely, encrypts the data exchanged between an application client and its server. When this article was written it typically used 128-bit RC4 for bulk encryption, with a digital certificate authenticating the server (and optionally the client); RC4 has since been prohibited for TLS (RFC 7465), and current deployments negotiate AES-based cipher suites instead. An SSL VPN gateway establishes proxied connections only to those applications the user is authorized to access, which makes it safer to use from less trusted machines such as kiosks, partner PCs or home computers.
"SSL is good enough from an encryption standpoint; it's got the necessary horsepower," says Forrester's Whiteley. "After all, it's used to secure all of e-commerce."
SSL, however, can't connect to applications that aren't Web-enabled without costly custom programming and management. While many vendors provide APIs for reaching legacy and mainframe applications through an SSL VPN, many older applications simply won't work over this channel.
"You might get sold on the clientless solution, but then you find out it only works for subsets of apps," says Whiteley. "If you've got 'Webified' apps, then there's no problem."
However, this drawback isn't hampering SSL VPNs' increasing popularity.
"I think SSL is more robust. The only trade-off is that it gives access to any device on the Internet with an SSL browser. Your remote clients could be anywhere, so there's no control over location," says Doug Torre, director of IT with Catholic Health Systems of Buffalo, N.Y. "But even with an IPSec VPN, a user may choose to fire up an application in a public access area, and you're susceptible to shoulder surfing.
"SSL insulates your network. You're not making it a network-to-network connection, it's at the application level instead," Torre adds. "It's a more perfect fit where you access only the application, not the network or ports. SSL minimizes your exposure."
Catholic Health Systems uses Juniper Networks' NetScreen SSL VPN appliance (originally developed by Neoteris). According to Torre, it worked practically out of the box and supported RSA Security's SecurID tokens for multifactor authentication to meet HIPAA requirements--a critical consideration for the health care organization.
"In our world, in terms of managing infrastructure, complexity is a factor," Torre says. "As an IT director and engineer for 15 to 20 years, I think it's a very rare situation when you find a product and solution [like SSL] that does all that."
Security and network managers are finding room for both SSL and IPSec in their infrastructures. IDC reported last year that while 44.1 percent of enterprises are using IPSec VPNs, 29 percent are using both.
Whiteley, however, contends that most enterprises are likely to stop further IPSec client deployments and make SSL the default for new remote access, replacing IPSec gradually as clients age out; only the most aggressive enterprises are doing a full rip-and-replace.
He recommends enterprises assess their applications and ensure internal compatibility with their VPN plans. Exhaustive SSL VPN evaluations should be conducted, and IPSec should be maintained for specialized applications that are not Web-enabled.
"SSL VPNs will soon become functionally equivalent to IPSec," Whiteley says.
The Sports Authority's Girodo, meanwhile, doesn't miss the days of timeout issues with legacy systems, nor the complaints from The Sports Authority workforce about the inability to access files.
"I'm a staff of one," Girodo says. "Secure remote access is always challenging. It's gotten better with SSL and is a lot easier to administrate."