The inherent capabilities of IPsec selectors and their use in remote-access VPNs

In a recent SearchSecurity webcast, speaker Lisa Phifer, vice president and owner of consulting firm Core Competence, addressed technological developments in virtual private networks. Here Lisa answers a user-submitted question that she didn't have time to answer during the broadcast. If you missed our webcast New directions in VPNs or would like to review it, you may listen to the recorded

    Requires Free Membership to View

webcast on-demand.

You mentioned during the webcast that IPsec can access the entire network behind the firewall whereas SSL can access only the assigned server. But I noticed that you set that in IPsec by setting the subnet address range rather than the entire network. Am I missing something here?

Good catch. I didn't elaborate on this in the webcast, but there's a difference between the capabilities inherent in IPsec selectors (traffic filters) and the way in which most companies use them. IPsec selectors can be based on entire IP subnets, partial subnets, individual destinations, protocol types and source/destination ports. That means that it's possible to create an IPsec selector that permits encrypted access to just one server and just one application (port) on that server (depending upon product support).

But in practice, most remote-access VPNs are configured with fairly coarse IPsec selectors, allowing access either to an entire subnetwork or (more often) to all destinations ( The latter is very common; to avoid split tunneling, all outbound traffic is sent via the IPsec tunnel. Once the traffic reaches the VPN gateway, it is decrypted and forwarded along to the final destination, whether that's inside the private Intranet or somewhere on the public Internet. This configuration lets the company monitor, log and filter all user traffic, no matter what the destination -- for example, stripping a malicious attachment at the VPN gateway that the user might otherwise pick up while downloading shareware from a public Web site.

SSL VPNs that act as circuit-layer proxies can be configured in a similar fashion to forward all outbound application traffic across the SSL VPN tunnel. However, many SSL VPN products are configured in a more granular fashion to ignore or drop traffic that lies outside the VPN policy and relay only that application traffic covered by the VPN's policy. SSL VPN products do tend to allow more granularity in filter configuration than even the most granular IPsec selectors -- for example, filtering on individual URLs, Web objects or even application commands. Using this kind of fine granularity can require more complex policy maintenance and so is usually done with group-level policies that apply the same complex filters to a set of users, rather than to individual users.

In short, product capabilities vary, but it's more important to decide the level of policy granularity your business requires, and then make sure the product you pick can support than level of granularity without a lot of administrative overhead.


This was first published in March 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.