QUESTION & ANSWER
Choosing between IPsec and SSL VPNs

By Crystal I. Ferraro, Site Editor
09 Dec 2003 | SearchSecurity.com

When choosing a virtual private network (VPN) for remote access, IT managers have two options: IP Security (IPsec) or Secure Sockets Layer (SSL). SearchSecurity.com recently spoke with David Passmore via e-mail to shed some light on how the two technologies work. A Burton Group research director, Passmore is also a network architecture expert known both for creating his firm's reference architecture and for extensive architecture consulting for large companies and service providers. In this interview, Passmore offers his insight on IPsec and SSL VPNs and shares ideas on how to determine which technology best suits your enterprise's needs.

How do IPsec and SSL VPNs differ in the way they provide secure remote access?

David Passmore: IPsec will work with any application but requires an IPsec client to be installed on each remote device (PC, PDA, etc.) to add the encryption.
In contrast, SSL is built into every browser, so no special client software is required. However, because of its dependence on browsers, SSL normally only works with Web-based applications (e.g., not Microsoft Outlook for e-mail). There is a workaround to this that requires that enterprises add a separate SSL tunnel-termination gateway box at their central sites; this box then front-ends traditional client-server applications that aren't accessible from a browser.

What are the benefits of using SSL over the more traditional IPsec?

Passmore: Besides SSL not requiring any special client software, there's one other benefit. Most [telecommuters] with residential broadband services (e.g., DSL, cable modem) use IP VPNs based on either IPsec or SSL-encrypted tunnels to protect against eavesdropping. Some residential broadband services have started blocking IPsec traffic from home users unless that customer pays ... much more expensive business (as opposed to residential) rates. These same broadband providers can't block SSL, since everyone routinely uses SSL to access their bank accounts or to make credit card purchases from e-commerce Web sites. Thus, SSL (compared to IPsec) is immune to attempts by residential broadband service providers to force [telecommuters] (or their employers) to pay more for the same service.
Finally, some NAT (network address translation) routers don't work well with IPsec traffic, whereas SSL passes through NAT routers just fine.

Should an enterprise use SSL or IPsec for particular kinds of traffic?

Passmore: SSL is preferred for remote access to those applications that are browser-based (i.e., have a Web-based user interface). IPsec will be used principally for site-to-site communications (rather than individual client remote access). In-between is the situation of remote access to non-browser applications (e.g., remote access to e-mail). SSL VPN products have a solution to this: running a Java applet in the client to encrypt/decrypt non-browser traffic and encrypt/decrypt it at the other end in an SSL VPN hardware gateway device. No software need be installed in the client -- applets are downloaded on the fly, as needed.

Can you compare the performance load of SSL versus IPsec VPNs?

Passmore: There's no real difference, as each typically uses the same encryption algorithm, e.g., 128-bit triple DES.

How do SSL and IPsec compare in terms of security? Is one more vulnerable than the other?

Passmore: There's really no difference. Both are equally secure; both use the same type of encryption. In the real world, one might consider SSL slightly less secure for remote access only because most applications using SSL don't authenticate the client -- but this is not the fault of SSL; it's an implementation issue.
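As an added illustration of the client-authentication point above (not code from the interview or from any product it mentions), the following Go program stands up an in-process TLS gateway that requires and verifies a client certificate, then dials it once without and once with a client certificate. The names `selfSigned`, `HandshakeWithClientAuth` and `vpn-gateway` are my own, and the self-signed certificate is constructed in memory for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for "vpn-gateway" (constructed for this demo).
func selfSigned() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the only failure mode is a broken RNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"vpn-gateway"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing bytes we just produced cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// HandshakeWithClientAuth dials an in-process gateway that insists on a client certificate and reports
// whether the handshake completed. TLS 1.2 is pinned so the rejection surfaces in Dial, not on first Read.
func HandshakeWithClientAuth(presentClientCert bool) bool {
	id := selfSigned() // reused as gateway cert, client cert and trust anchor only to keep the demo short
	trusted := x509.NewCertPool()
	trusted.AddCert(id.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{id}, ClientCAs: trusted, MaxVersion: tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the fix: authenticate the client as well
	})
	if err != nil {
		panic(err)
	}
	go func() { c, _ := ln.Accept(); c.(*tls.Conn).Handshake(); c.Close(); ln.Close() }() // gateway side
	cli := &tls.Config{RootCAs: trusted, ServerName: "vpn-gateway"} // verifies the server only
	if presentClientCert {
		cli.Certificates = []tls.Certificate{id} // what most SSL applications never configure
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err == nil {
		conn.Close()
	}
	return err == nil
}
```

With `ClientAuth` left at its default the same client would be accepted without any certificate, which is exactly the implementation gap Passmore describes; a real deployment would also issue each remote user a distinct certificate rather than reuse the gateway's.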

What questions should an organization ask when determining whether to deploy IPsec or SSL?

Passmore: Are applications all browser-based? Do browser-based applications already use SSL, in which case there's no need for additional VPN functionality to be added? Do organizations want to avoid installing IPsec software on all user client computers or PDAs? Are residential broadband providers blocking and/or charging more for IPsec traffic? Are remote access users coming in through NAT routers?

How will things change with IPsec v6? What does it mean for SSL?

Passmore: As you know, IPsec is included in the IPv6 standard and will be included in all IPv6 end node implementations. But it doesn't have to be turned on. If someday IPv6 ever caught on and most applications turned on the IPsec feature, then SSL would be unnecessary. But this is many years away, and, in the meantime, SSL has other benefits, such as greater compatibility with NAT routers, no need to install client software, etc.

Are SSL and IPsec VPNs complementary remote access solutions, or will one replace the other?

Passmore: Most remote access will migrate to SSL (for the advantages already discussed). However, IPsec will continue to play a major role for site-to-site VPNs, for example, linking enterprise sites across the public Internet.