As businesses open up their networks to remote workers, clients and partners, security issues loom ever larger. Once, traditional Internet Protocol Security (IPSec) virtual private networks (VPNs) were the only real option to secure access to corporate resources.
Now, a new kind of VPN - the SSL VPN - has emerged as the leading solution for remote access and extranet VPNs.
SSL VPNs are based on the Secure Sockets Layer (SSL) protocol that secures the world of e-commerce. They are replacing IPSec VPNs for remote access, leaving IPSec VPNs for their original purpose - site-to-site VPNs. There are numerous reasons for this shift. Among them are changes in the way we work and communicate, cost, convenience and manageability.
New computing and communication devices and the modern anytime, anywhere work paradigm are driving demand for expanded remote access. Users expect easy, clientless access to the network resources they need, from anywhere, at any time, using any device.
However, they want to access corporate resources from environments that IT can't possibly control, such as home PCs or airport kiosks, and they want to use wireless technologies, such as public WiFi hotspots and wireless LANs, and even rogue access points set up on company networks. IPSec VPNs simply were not made to handle this environment.
The problem with IPSec
Based on the IPSec protocol, IPSec VPNs were originally designed to facilitate site-to-site communications between branch offices. They work by establishing a "tunnel" over the Internet to connect users outside a corporate firewall or gateway to internal corporate resources.
This requires compatible hardware or software, almost always from a single vendor, on both ends of the tunnel.
While IPSec satisfies the basic requirements when there are a limited number of tunnels to create, when there are thousands of remote users at different locations, distributing and managing the required client software can be cumbersome and costly.
Making use of an IPSec VPN for remote users also creates vulnerabilities. IPSec VPNs create a tunnel between two points, providing direct (non-proxied) access and full visibility to the entire network. This leaves the corporate network wide open to hackers and to threats not identified on personal client devices, which can use the connection as a 'launch pad' to enter the corporate network.
Furthermore, IPSec VPN products and services don't always offer easy solutions to complex remote access situations involving network address translation (NAT), firewall traversal or broadband access.
For example, if a user has an IPSec client on his or her computer, yet is gaining Internet access through another company's network (for example, consultants working at clients' sites), the IPSec traffic will be stopped at that network's firewall unless the user negotiates opening up another port in the firewall with that company's network administrator. The same problem occurs at wireless hotspots that use NAT.
SSL VPNs - platform of the future for remote connectivity
SSL VPNs, on the other hand, are far better suited to current remote connectivity requirements.
SSL is a commonly used protocol for securing message transmission on the Internet. An SSL VPN uses SSL and proxies to provide authorised and secure access for end-users to HTTP, client/server and file-sharing resources.
Adding proxy technology to SSL offers companies greater security, because it prevents users from making a direct connection into a secured network. User-level authentication ensures only authorised users have access to the specific resources as defined by the company's security policy.
Because SSL is included in standard browsers like Microsoft Internet Explorer, Mozilla Firefox, Netscape and others, SSL VPNs can use any Web browser as the client.
There are also numerous other advantages. SSL VPNs are easier and less expensive to support - and they're faster to deploy. Their 'clientless' connectivity removes the burden of configuring, managing and supporting complex IPSec clients for each user. They also allow integration with a wide range of dynamic authentication methods and protocols, and have the capability for granular policy configuration, providing organisations with complete and fine-grained control over individual user access to specific network applications and resources. In addition, the security and configuration status of a client device is addressed by host integrity checking.
This allows the organisation to extend secure remote access to personal laptops, smart phones, PDAs, public kiosks and other computers that are not controlled and managed by the corporate IT department.
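The proxy and policy behaviour described in the two paragraphs above can be made concrete with a small model. The following is an added example, not code from the original article or from any SSL VPN product: it models the decision an SSL VPN gateway makes before proxying a request, combining user-level authorisation (user and group mapped to specific published resources), host integrity checking (the endpoint's posture gates which resources it may reach) and the no-direct-connection property (anything not published is refused, so the client never gains visibility of the internal network). All users, groups, resource names, backend hostnames and posture checks are constructed sample data.

```python
"""
Added example (not from the original article): a minimal model of the
access-control decision an SSL VPN gateway makes before proxying a request.
It demonstrates three properties the article attributes to proxy-based
SSL VPNs:
  1. no direct connection: the gateway forwards only to resources it publishes,
  2. user-level authorisation: each user/group maps to specific resources,
  3. host integrity checking: the client's posture gates what it may reach.
All users, groups, resources, hostnames and posture checks are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed policy: which groups may reach which resource, and the
# minimum host integrity level the resource requires. Anything not
# listed here is denied outright; this is the "no full network
# visibility" property of a proxied VPN versus a tunnel.
POLICY: Dict[str, dict] = {
    "webmail":   {"groups": {"staff", "contractor"}, "min_posture": "basic"},
    "crm":       {"groups": {"staff"},               "min_posture": "basic"},
    "fileshare": {"groups": {"staff"},               "min_posture": "managed"},
}

# Constructed directory: user -> group memberships.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"staff"},
    "bob":   {"contractor"},
}

# Constructed mapping of published resource -> internal backend. The
# client never sees or reaches these addresses; only the proxy does.
BACKENDS = {
    "webmail":   "mail.corp.internal:443",
    "crm":       "crm.corp.internal:8443",
    "fileshare": "files.corp.internal:445",
}

POSTURE_RANK = {"none": 0, "basic": 1, "managed": 2}


@dataclass
class HostPosture:
    """Result of the host integrity check run on the connecting endpoint."""
    antivirus_running: bool
    os_patched: bool
    corporate_managed: bool

    def level(self) -> str:
        """'managed' = IT-controlled device with AV and patches current;
        'basic' = unmanaged device (home PC) that still passes AV/patch checks;
        'none' = fails a check (e.g. an airport kiosk)."""
        if not (self.antivirus_running and self.os_patched):
            return "none"
        return "managed" if self.corporate_managed else "basic"


@dataclass
class Decision:
    allowed: bool
    reason: str
    upstream: Optional[str] = None  # backend the proxy would contact, if allowed


def authorise(user: Optional[str], resource: str, posture: HostPosture) -> Decision:
    """Decide whether the gateway proxies `user`'s request for `resource`."""
    if user is None or user not in DIRECTORY:
        return Decision(False, "authentication required")
    rule = POLICY.get(resource)
    if rule is None:
        # Unknown resource: a tunnel would let the client probe it directly,
        # a proxy simply has nowhere to forward and refuses.
        return Decision(False, f"resource '{resource}' is not published")
    if not (DIRECTORY[user] & rule["groups"]):
        return Decision(False, f"user '{user}' not entitled to '{resource}'")
    have, need = posture.level(), rule["min_posture"]
    if POSTURE_RANK[have] < POSTURE_RANK[need]:
        return Decision(False, f"host integrity '{have}' below required '{need}'")
    return Decision(True, "allowed", BACKENDS[resource])


if __name__ == "__main__":
    managed = HostPosture(True, True, True)    # corporate laptop
    home_pc = HostPosture(True, True, False)   # personal PC, AV and patches OK
    kiosk = HostPosture(False, True, False)    # public kiosk, no AV
    cases = [
        ("alice", "fileshare", managed),
        ("alice", "fileshare", home_pc),
        ("bob", "crm", managed),
        ("bob", "webmail", kiosk),
        ("alice", "10.0.0.5", managed),        # attempt to reach an unpublished host
    ]
    for u, r, p in cases:
        d = authorise(u, r, p)
        print(f"{u:6} -> {r:10}: {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The point of the example is the shape of the decision rather than any particular product's policy language: the proxy evaluates identity, entitlement and endpoint posture per request and forwards only to a backend it has explicitly published, whereas an IPSec tunnel would have routed the client's packets to any internal address it cared to try.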
All SSL VPNs are not equal
However, users need to be selective when acquiring this technology. All SSL VPNs are not equal. Because IPSec technology was well-established for site-to-site networking, many IPSec vendors modified existing IPSec technology to accommodate changing user requirements and to offer user-to-network access.
These early SSL VPNs, however, could not handle client/server or back-connect applications, such as those using voice over Internet Protocol (VoIP) or Active FTP.
Consequently, many of these vendors now offer both IPSec and SSL solutions - two separate solutions that achieve the same remote access functionality that leading SSL VPN vendors achieve with a single product.
Objective tests show it is possible to not only replace an IPSec VPN with an SSL VPN for remote access, but an organisation can do so with operational savings and improved security.
While IPSec VPNs will continue to serve a purpose, the SSL VPN is the platform of the future for remote connectivity. It is a new generation of technology that deals with current and evolving business environments, where greater access to resources and collaboration are essential elements, and security is multi-layered.