The question came up last week regarding the relative advantages of SSL versus IPsec VPNs. It's a good question, since there are still a good number of companies considering the move away from their traditional IPsec based VPNs to an SSL VPN solution. The real question that you need to ask yourself is whether you're considering moving to an SSL VPN because it seems like everyone else is doing it, or if you're moving to an SSL VPN because it will provide you additional business value.
There are two important reasons to consider moving to an SSL VPN:
- More reliable access
- Increased security
IPsec VPNs introduce a number of problems that make reliable access from any location problematic. Consider the following:
- Almost all IPsec VPNs require that you install a client application to support the solution. The exception to this is the Microsoft VPN client, which supports L2TP/IPsec out of the box
- NAT devices can complicate access. The IPsec VPN client and server need to support NAT traversal. The Microsoft L2TP/IPsec VPN client supports NAT traversal, but this functionality is broken with Windows XP SP2 and above and often requires a Registry fix to get it to work, something the average end user is not aware of
- Firewalls can complicate IPsec VPN connectivity either because they are not configured to support the IPsec VPN protocols or because they do not support the IPsec NAT traversal protocol
In addition to the reliability issues, IPsec VPNs introduce security problems:
- The typical IPsec VPN remote access solution allows VPN users full access to the network from an unmanaged client.
- The typical IPsec VPN does not support user/group based access controls to corporate network resources after the IPsec VPN connection is established.
- The typical IPsec VPN does not perform application layer inspection. This can allow exploits extant on the VPN clients to be spread to the corporate network.
SSL VPNs are designed to solve the problems of security and reliability to remote access connections. For example, consider the Microsoft IAG 2007 SSL:
- IAG 2007 allows all protocols to be wrapped in an SSL encrypted HTTP header. Almost all firewalls allow outbound connection through TCP 443, therefore ridding yourself of firewall issues.
- NAT traversal isn't an issue for SSL connections
- The IAG 2007 has a robust endpoint detection feature, so that even unmanaged clients can have their security configuration checked before allowing access -- reduced access rights can be configured for clients who don't pass all security checks
- IAG 2007 allows you to publish only applications -- full network access is not allowed. Users access only applications and data that you explicitly allow access to
- IAG 2007 performs robust application layer inspection through the use of positive and negative logic filters. The negative logic filters protect you against known exploits, and positive logic filters protect you again zero-day exploits by allowing only known-good connections
- Users do not need to pre-install client software to access applications and data using the IAG 2007 SSL VPN. A thin client is automatically downloaded when the user connects to the SSL VPN
As you can see, there are significant access reliability and and security advantages to deploying an SSL VPN. The only downside to an SSL VPN solution is the cost. IPsec VPNs are available at commodity prices these days, and the initial cost is relatively low (the ongoing costs can be quite a bit higher, because of the Help Desk time used to troubleshoot IPsec VPN connectivity issues).
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP - Microsoft Firewalls (ISA)