Information Security Magazine


Nothing But 'Net
by Michael S. Mimoso
Issue: Jun 2005

Good Sportsmanship?
VPNs are all about encryption and keeping data safe as it travels between endpoints.

IPSec VPNs secure connections using two protocols: Authentication Header (AH), which authenticates users, and Encapsulating Security Payload (ESP), which encrypts data. IPSec VPNs make two-way authentication possible through the TripleDES algorithm and, by their nature, are impervious to attackers modifying data packets on the network.

But IPSec configurations are complex and must be done manually, and with thousands of enterprise users on a network, the complexity of managing clients and configurations deepens.

SSL, conversely, encrypts data exchanged between applications. It typically uses RC4 128-bit encryption to secure data and digital certificates for authentication. SSL establishes secure proxied connections to only those applications the user is authorized to access, making it safer to use from public access networks like kiosks, partner machines or home PCs.

"SSL is good enough from an encryption standpoint; it's got the necessary horsepower," says Forrester's Whiteley. "After all, it's used to secure all of e-commerce."

SSL, however, can't connect to applications that aren't configured for the Web without costly customized programming and management. While many vendors provide APIs for accessing legacy and mainframe applications via SSL VPNs, many older applications simply won't work through this channel.

"You might get sold on the clientless solution, but then you find out it only works for subsets of apps," says Whiteley. "If you've got 'Webified' apps, then there's no problem."

However, this drawback isn't hampering SSL VPNs' increasing popularity.

"I think SSL is more robust. The only trade-off is that it gives access to any device on the Internet with an SSL browser. Your remote clients could be anywhere, so there's no control over location," says Doug Torre, director of IT with Catholic Health Systems of Buffalo, N.Y. "But even with an IPSec VPN, a user may choose to fire up an application in a public access area, and you're susceptible to shoulder surfing.

"SSL insulates your network. You're not making it a network-to-network connection, it's at the application level instead," Torre adds. "It's a more perfect fit where you access only the application, not the network or ports. SSL minimizes your exposure."

Catholic Health Systems uses Juniper Networks' NetScreen SSL VPN appliance (originally developed by Neoteris). According to Torre, it worked practically out of the box and supported RSA Security's SecurID tokens for multifactor authentication to meet HIPAA requirements--a critical consideration for the health care organization.

"In our world, in terms of managing infrastructure, complexity is a factor," Torre says. "As an IT director and engineer for 15 to 20 years, I think it's a very rare situation when you find a product and solution [like SSL] that does all that."

Security and network managers are finding room for both SSL and IPSec in their infrastructures. IDC reported last year that while 44.1 percent of enterprises are using IPSec VPNs, 29 percent are using both.

Whiteley, however, contends that most enterprises are likely to stop further IPSec client deployments and go with SSL, paving the way for a wholesale refresh--only the most aggressive enterprises are doing a full rip-and-replace.

He recommends enterprises assess their applications and ensure internal compatibility with their VPN plans. Exhaustive SSL VPN evaluations should be conducted, and IPSec should be maintained for specialized applications that are not Web-enabled.

"SSL VPNs will soon become functionally equivalent to IPSec," Whiteley said.

The Sports Authority's Girodo, meanwhile, doesn't miss the days of timeout issues with legacy systems, nor the complaints from The Sports Authority workforce about the inability to access files.

"I'm a staff of one," Girodo says. "Secure remote access is always challenging. It's gotten better with SSL and is a lot easier to administrate."

Where to find SSL VPNs
SSL VPNs are a maturing technology and are gaining a foothold in the market, as reflected by the variety of offerings available from major security vendors and startups alike. Here's a representative sampling of the current offerings:




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy