Choosing The Right VPN
by Ian Kilpatrick, director of business development, Wick Hill Group
- Now a choice between SSL and IPsec VPNs
- Key differentiators between the two
- IPsec - built-in authentication through certificates and the option of different encryption levels. Greater security but more difficult to manage and more costly.
- SSL VPNs - no client software, making them more cost-effective and easier to manage. Only one encryption option. Security can be enhanced by incorporating third-party authentication.
- SSL strengths and weaknesses
- IPSec Strengths and weaknesses
Other factors in choosing the right VPN
- Strength of encryption technology used by both types of VPN
- The type of application
- Sensitivity of the data
- Type of user base
- Location of user base
- Size of user base
- Cost factors
- User access to browsers
- Whether you have multiple sites
- Whether it's a business to business or business/organisation to consumer situation
- Whether IT has access to and control of user devices.
- Which types of applications are suited to which VPN, with examples.
- Future developments
Initially, the only VPN (virtual private network) technology available for securing confidential data in transit between two points was the IPsec VPN standard. In 1999, however, a serious challenger emerged based on SSL (Secure Sockets Layer), a capability built into all browsers.
Companies now have a choice of which VPN to use. But which is best for their particular requirements? This article attempts to balance the arguments for and against each option, looking at them from both a technical and business viewpoint. It assumes the reader is familiar with the basic concepts of the two technologies.
Early implementations of SSL VPN technology had numerous technical limitations or issues to overcome, e.g. translation of URLs embedded in Java, user account information not being cleared from the browser after user sessions, point-to-point tunnelling, no support for dynamic port assignment, and support only for web-enabled applications.
However, all of these, and other concerns, have been addressed in later releases. The ultimate goal of SSL VPN technology is to allow controlled and managed access to any application, from any device and from any location. IPSec VPN technology has been established much longer and has its own strengths and weaknesses.
The key differentiator at the moment between the two is that IPsec VPNs have built-in authentication through certificates and the option of different encryption levels. This delivers a higher degree of security but makes them more difficult to manage, and more costly. SSL VPNs have no client software, making them more cost-effective and easier to manage, but they have only one encryption option. Security can be enhanced by incorporating third-party authentication.
SSL strengths
- No client software required for accessing web-enabled applications
Benefit: low-cost. Deployment, management and administration extremely simple and effective
- SSL is a de-facto standard
Benefit: interoperability between different vendors and applications
- Included by default in Microsoft and Netscape web browsers
Benefit: no client software costs
- As commonly deployed, only servers require digital certificates to establish the encrypted session
Benefit: enormous reduction in the requirement to manage certificates
SSL weaknesses
- User authentication is not built in. This is a major security weakness
Answer: integration with 3rd-party strong authentication products such as VASCO
- Requires Java or ActiveX downloads to facilitate access to non-web enabled applications
Answer: the download is transparent to the user. Depending on implementation and network topology, it may cause a problem if a firewall (whether on the server side or a personal firewall) is set to block Java or ActiveX controls.
- SSL tunnelling (which basically mimics IPsec) is not supported on Linux or other non-Windows operating systems
Answer: True. SSL vendors offering SSL tunnelling as an option use the virtual adapter technology within the Windows OS to encapsulate traffic, which is not currently available in other operating systems.
- SSL is processor-intensive leading to poor performance under high loads
Answer: True, but it can be addressed by clustering, by load-balancing multiple appliances, by using SSL accelerators such as Radware's CertainT 100, or by using traffic prioritisation products such as Allot's NetEnforcer.
- Some enterprises need broader application support than SSL provides
Answer: SSL vendors are addressing this by enhancing proxy support and supporting port redirection.
IPsec strengths
- No restrictions on applications run through a tunnel
Benefit: wider applicability
- Included in IPv6 client
Benefit: reduced costs compared to current client-side requirement but requires widespread adoption of IPv6, so some way off.
- Stronger end-point security and built in authentication (via certificate)
Benefit: no requirement for 3rd-party authentication
IPsec weaknesses
- Lack of standards between different IPsec vendors can create problems for an IT department tasked with setting up a VPN that integrates different vendors' products.
Answer: IPv6 will overcome this limitation
- IPSec VPN does not always offer easy solutions to complex remote access situations involving network address translation (NAT) or firewall traversal.
- Some residential broadband services have started blocking IPsec traffic from home users unless that customer pays more expensive business rates.
Answer: IPv6 may force service providers to remove this additional cost
- IPSec VPNs generate higher demands on support desks than SSL VPNs.
Answer: accepted, but IPv6 should reduce this overhead.
- High management overheads and costs in supporting certificates, software and users.
Answer: True, but should reduce if IPv6 is widely adopted. Even so, unlikely to match SSL in ease of implementation and management.
Another consideration for the purists is the strength of the encryption technology. SSL uses single DES (128-bit key); IPsec can use 3DES or the emerging AES standard. For the majority of applications and requirements, DES is adequate. However, for highly secure requirements such as military use, 3DES/AES is probably mandated. Browser vendors would have to move to supporting 3DES or AES before SSL VPNs could match the encryption strength of IPsec.
In deciding which type of VPN to use, it comes down to the application, the sensitivity of the data, the type of audience, the location of the audience, the size of the audience and the cost. It's also quite possible to run both types of VPNs on the same network for different applications.
There are a number of factors to consider, such as whether users have access to browsers. If they don't, then SSL VPNs are not possible. The size of the potential user base is another important factor. The larger the user base, the more you should be leaning towards SSL because it will be cheaper, easier to maintain and easier to manage.
The location of users is a further factor. If you have members of the public dialling in from many different locations, that points towards SSL VPNs, partly because of the numbers and partly because with IPsec the end users would require client software and would not be familiar with dealing with authentication certificates.
If you have multiple sites within a company, SSL again might be a better option because it's easier to manage. If you have a business-to-business situation, where VPNs are between two or a limited number of sites, then IPsec VPNs, such as those from WatchGuard, could be a better solution.
An important issue is whether you are dealing with a business-to-business or a consumer situation. IPsec involves the management of authentication certificates, which consumers would normally not be familiar with. As a broad generalisation, consumer applications will tend towards SSL VPNs, such as those from Netilla, whereas business applications could use either.
Is the IT department allowed access to and control of user devices? If you are using an IPsec VPN, then you have to be able to manage the client on the user's device. If you can't get that control, then you may want to use SSL VPNs. If NAT (Network Address Translation) is used at the server end, SSL again might be preferable as IPsec requires specific configuration if NAT is used, although IPv6 is meant to come up with a solution to this.
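Why IPsec needs "specific configuration" behind NAT, as an added simulation that is not from the article: a port-translating gateway can multiplex several inner hosts over TCP/443 because it rewrites ports, whereas ESP (IP protocol 50) carries no port field, so the model below can keep only one ESP tunnel per public address. The gateway model, addresses and function names are constructed and simplified (real NATs may track the ESP SPI, and IPsec NAT-traversal wraps ESP in UDP to restore a port).

```python
from dataclasses import dataclass
from typing import Optional

TCP, ESP = 6, 50  # IP protocol numbers: TCP carries SSL on 443, ESP carries IPsec payloads

@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: it has no transport header to rewrite
    dst_port: Optional[int] = None

class PortNAT:
    """Simplified port-translating gateway (constructed model, not a real router)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}  # (proto, public_port) -> (inner_ip, inner_port)
        self.next_port = 40000

    def outbound(self, pkt):
        if pkt.src_port is None:
            # ESP has no port, only an SPI: the gateway can key on protocol alone, so a second inner host collides.
            owner = self.table.setdefault((pkt.proto, None), (pkt.src_ip, None))
            if owner[0] != pkt.src_ip:
                return None  # collision: this host's tunnel cannot be set up
            return Packet(pkt.proto, self.public_ip, pkt.dst_ip)
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, public_port, pkt.dst_port)

    def inbound(self, pkt):
        entry = self.table.get((pkt.proto, pkt.dst_port))
        return entry and Packet(pkt.proto, pkt.src_ip, entry[0], pkt.src_port, entry[1])

def hosts_with_working_tunnel(proto, inner_ips):
    """Count inner hosts that get a request out and the VPN gateway's reply back in."""
    nat = PortNAT("198.51.100.7")  # constructed public address of the NAT
    working = 0
    for i, ip in enumerate(inner_ips):
        ports = (None, None) if proto == ESP else (50000 + i, 443)
        out = nat.outbound(Packet(proto, ip, "203.0.113.1", *ports))
        if out is None:
            continue
        reply = Packet(proto, out.dst_ip, out.src_ip, out.dst_port, out.src_port)
        if nat.inbound(reply) is not None:
            working += 1
    return working
```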
Cost is another very important consideration. Management of authentication certificates can be very time-consuming and is not necessary with SSL VPNs. This makes SSL VPNs much cheaper and this factor alone may be a key decider.
Some applications are obviously suited to one type of VPN or the other. With Internet banking, for example, management could be very costly and difficult if a large number of customers had to deal with the client software used by IPsec VPNs. A combination of SSL VPNs and strong authentication from companies such as VASCO would provide a cost effective, easy-to-use and secure solution. However, if you were doing financial transfers in a corporate situation from point to point, you may well prefer the extra security of IPsec VPNs.
If you were a doctor out on call and wanted to refer back to medical records in the practice, IPsec may be the preferred option. This is because, even though the location is potentially anywhere, the nature of the data being accessed and transmitted over the Internet is highly sensitive and confidential, so it requires authentication. The number of users is likely to be small, making administration and management easier, and the user's access mechanism (laptop) will be a known, controlled and accessible item.
If you are a warehouse-style retail shopping outlet, and you want your customers to have access to stock information, you might veer towards SSL VPNs because of the large numbers, the diverse locations and the costs of managing these. If you were a distributor making pricing information available to a limited number of business partners, you might go for IPsec because of the commercially sensitive nature of the information.
SSL technology is rapidly maturing to the point where there are few clear differences between the options. SSL is gaining the upper hand – but it remains to be seen what difference the introduction of the IPv6 standard, which includes IPsec, will make. All IPv6 end node implementations will include IPsec as an option, so IPsec advocates hope for a resurgence of IPSec VPNs. If all applications used this IPSec feature, then theoretically SSL would be unnecessary.
Vendors are looking at delivering hybrid SSL/IPSec solutions which address both requirements – this could give users the best of both worlds.
However, the perceived wisdom is that, in the future, IPSec will probably be used principally for site-to-site communications, rather than individual client remote access. SSL VPNs will become the dominant and preferred solution for remote access to applications, whether web-enabled or not.
Ian Kilpatrick, the author, is chairman of Wick Hill Group plc, specialists in secure infrastructure solutions for ebusiness. Kilpatrick has been involved with the Group for over 30 years and is the moving force behind its dynamic growth. Wick Hill is an international organisation supplying most of the Times Top 1000 companies through a network of accredited resellers.
Kilpatrick has an in-depth experience of computing with a strong vision of the future in IT. He looks at computing from a business point-of-view and his approach reflects his philosophy that business benefits and ease-of-use are key factors in IT. He has had numerous articles published in the UK and overseas press, as well as being a regular speaker at IT exhibitions.
CRN 2008 channel awards winner of 'Channel Personality of the Year', he is never afraid to voice his opinions on all aspects of the industry and on IT security issues in particular. He has an in-depth experience of computing with an excellent understanding of the industry from the vendor, distributor, reseller and end user point-of-view.
He has a strong vision of the future in IT and IT security. His approach reflects his philosophy that business benefits and ease-of-use are key to successful infrastructure deployment.
Please contact Wick Hill on +44 (0)1483 227600, web www.wickhill.com.