Choosing The Right VPN

by Ian Kilpatrick, director of business development, Wick Hill Group

Summary

  • Now a choice between SSL and IPsec VPNs
  • Key differentiators between the two
  • IPsec - built-in authentication through certificates and the option of different encryption levels. Greater security but more difficult to manage and more costly.
  • SSL VPNs - no client software, making them more cost-effective and easier to manage. Only one encryption option. Security can be enhanced by incorporating third-party authentication.
  • SSL strengths and weaknesses
  • IPSec Strengths and weaknesses

Other factors in choosing the right VPN

  • Strength of encryption technology used by both types of VPN
  • The type of application
  • Sensitivity of the data
  • Type of user base
  • Location of user base
  • Size of user base
  • Cost factors
  • User access to browsers
  • Whether you have multiple sites
  • Whether it's a business to business or business/organisation to consumer situation
  • Whether IT has access to and control of user devices.
  • Which types of applications are suited to which VPN, with examples.
  • Future developments

Initially, the only VPN (virtual private network) technology available for securing confidential data in transit between two points was the IPSec VPN standard. In 1999, however, a serious challenger emerged based on SSL (Secure Sockets Layer), a capability that is standard in all browsers.

Companies now have a choice of which VPN to use. But which is best for their particular requirements? This article attempts to balance the arguments for and against each option, looking at them from both a technical and business viewpoint. It assumes the reader is familiar with the basic concepts of the two technologies.

Early implementations of SSL VPN technology had numerous technical limitations or issues to overcome, e.g. translation of URLs embedded in Java, user account information not being cleared from the browser after user sessions, point-to-point tunnelling, no support for dynamic port assignment, and support only for web-enabled applications.

However, all of these, and other concerns, have been addressed in later releases. The ultimate goal of SSL VPN technology is to allow controlled and managed access to any application, from any device and from any location. IPSec VPN technology has been established much longer and has its own strengths and weaknesses.

The key differentiator at the moment between the two is that IPsec VPNs have built-in authentication through certificates and the option of different encryption levels. This delivers a higher degree of security but makes them more difficult to manage, and more costly. SSL VPNs have no client software, making them more cost-effective and easier to manage, but they have only one encryption option. Security can be enhanced by incorporating third-party authentication.

SSL Strengths

  1. No client software required for accessing web-enabled applications
    Benefit: low-cost. Deployment, management and administration extremely simple and effective
  2. SSL is a de-facto standard
    Benefit: interoperability between different vendors and applications
  3. Included as default in Microsoft and Netscape web browsers
    Benefit: no client software costs
  4. As commonly deployed, only servers require digital certificates to establish the encrypted session
    Benefit: enormous reduction in the requirement to manage certificates

SSL Weaknesses

  1. User authentication not built in. This is a major security weakness
    Answer: integration with third-party strong authentication products such as VASCO
  2. Requires Java or ActiveX downloads to facilitate access to non-web enabled applications
    Answer: download is transparent to user. Depending on implementation and network topology, this may cause a problem if the firewall (whether on the server side or on a personal firewall) is set to block Java or ActiveX controls.
  3. SSL Tunnelling (basically mimics IPSec) is not supported on Linux or non-Windows OS
    Answer: True – SSL vendors offering SSL Tunnelling as an option utilise the virtual adapter technology within Windows OS to encapsulate traffic, which is not currently available in other operating systems.
  4. SSL is processor-intensive leading to poor performance under high loads
    Answer: True but can be addressed by clustering, load-balancing multiple appliances, by utilising SSL accelerators such as Radware's CertainT 100 or using traffic prioritisation products such as Allot's NetEnforcer.
  5. Some enterprises need broader application support than SSL provides
    Answer: SSL vendors are addressing this by enhancing proxy support and supporting port redirection.

IPSec Strengths

  1. No restrictions on applications run through a tunnel
    Benefit: wider applicability
  2. Included in IPv6 client
    Benefit: reduced costs compared to current client-side requirement but requires widespread adoption of IPv6, so some way off.
  3. Stronger end-point security and built in authentication (via certificate)
    Benefit: no requirement for third-party authentication

IPSec Weaknesses

  1. Lack of standards between different IPSec vendors can create problems for the IT department tasked with setting up a VPN that involves integrating different vendors.
    Answer: IPv6 will overcome this limitation
  2. IPSec VPN does not always offer easy solutions to complex remote access situations involving network address translation (NAT) or firewall traversal.
    Answer: True
  3. Some residential broadband services have started blocking IPsec traffic from home users unless that customer pays more expensive business rates.
    Answer: IPv6 may force service providers to remove this additional cost
  4. IPSec VPNs generate higher demands on support desks than SSL VPNs.
    Answer: accepted, but IPv6 should reduce this overhead.
  5. High management overheads and costs in supporting certificates, software and users.
    Answer: True, but should reduce if IPv6 is widely adopted. Even so, unlikely to match SSL in ease of implementation and management.

Other considerations

Another consideration for the purists is the strength of the encryption technology. SSL uses single DES (128-bit key), whereas IPSec can use 3DES or the emerging AES standard. For the majority of applications and requirements, DES is adequate. However, for highly secure requirements such as military, 3DES/AES is probably mandated. Browser vendors would have to move to supporting 3DES or AES before SSL VPNs could match the encryption strength of IPSec.
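Added here as a worked check, not code from the article or from Wick Hill: a policy audit of the cipher suites an SSL/TLS stack offers, keyed on the split the paragraph above draws between "adequate" strength for general data and "mandated" strength for highly sensitive data. The function names, the two policy thresholds and the sample suite list are assumptions of this example; the sample is constructed in the shape Python's `ssl.SSLContext.get_ciphers()` returns, and `audit_local_stack` runs the same policy over the live OpenSSL build.

```python
import ssl

# Constructed policy: minimum symmetric key length (bits) per data-sensitivity class.
MIN_SYMMETRIC_BITS = {"general": 128, "high": 256}
# Name tokens rejected outright; "DES" also catches "DES-CBC3" (3DES), ADH/AECDH are anonymous.
WEAK_TOKENS = {"NULL", "DES", "RC4", "RC2", "MD5", "ADH", "AECDH"}

def classify_suite(name, strength_bits, sensitivity):
    """Return 'ok' or the reason an OpenSSL-style suite name fails the policy."""
    for tok in name.upper().split("-"):
        if tok in WEAK_TOKENS or tok.startswith("EXP"):  # EXP-/EXP1024- are export grade
            return f"weak algorithm {tok}"
    minimum = MIN_SYMMETRIC_BITS[sensitivity]
    if strength_bits < minimum:
        return f"{strength_bits}-bit key below {minimum}-bit minimum"
    return "ok"

def audit_ciphers(ciphers, sensitivity="general"):
    """Split get_ciphers()-style dicts ('name', 'strength_bits') into allowed / rejected."""
    allowed, rejected = [], {}
    for c in ciphers:
        verdict = classify_suite(c["name"], c["strength_bits"], sensitivity)
        if verdict == "ok":
            allowed.append(c["name"])
        else:
            rejected[c["name"]] = verdict
    return allowed, rejected

def audit_local_stack(sensitivity="general"):
    """Audit what this interpreter's OpenSSL would offer a peer (varies by build)."""
    return audit_ciphers(ssl.create_default_context().get_ciphers(), sensitivity)

# Constructed sample in the shape ssl.SSLContext.get_ciphers() returns.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "RC4-SHA", "strength_bits": 128},
    {"name": "ADH-AES256-SHA", "strength_bits": 256},
]

if __name__ == "__main__":
    for level in MIN_SYMMETRIC_BITS:
        ok, bad = audit_ciphers(SAMPLE_CIPHERS, level)
        print(level, "allowed:", ok)
        for suite, why in bad.items():
            print("  rejected", suite, "->", why)
```

The token match means "AES256" is never mistaken for "DES", and the same policy applied to a live `get_ciphers()` list shows what a browser-facing SSL VPN front end would actually negotiate on that host.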

In deciding which type of VPN to use, it comes down to the application, the sensitivity of the data, the type of audience, the location of the audience, the size of the audience and the cost. It's also quite possible to run both types of VPNs on the same network for different applications.

There are a number of factors to consider, such as whether users have access to browsers. If they don't, then SSL VPNs are not possible. How big is the potential user base? The number of people in your user base is an important factor. The larger the user base, the more you should be leaning towards SSL because it will be cheaper, easier to maintain and easier to manage.

The location of users is a further factor. If you have members of the public dialling in from many different locations, that militates towards SSL VPNs, partly because of the numbers and partly because with IPsec, the end users would require client software and would not be familiar with dealing with authentication certificates.

If you have multiple sites within a company, SSL again might be a better option because it's easier to manage. If you have a business-to-business situation, where VPNs are between two or a limited number of sites, then IPsec VPNs, such as those from WatchGuard, could be a better solution.

An important issue is whether you are dealing with a business-to-business or a consumer situation. IPsec involves the management of authentication certificates, which consumers would normally not be familiar with. As a broad generalisation, consumer applications will tend towards SSL VPNs, such as those from Netilla, whereas business applications could use either.

Is the IT department allowed access to and control of user devices? If you are using an IPsec VPN, then you have to be able to manage the client on the user's device. If you can't get that control, then you may want to use SSL VPNs. If NAT (Network Address Translation) is used at the server end, SSL again might be preferable as IPsec requires specific configuration if NAT is used, although IPv6 is meant to come up with a solution to this.

Cost is another very important consideration. Management of authentication certificates can be very time-consuming and is not necessary with SSL VPNs. This makes SSL VPNs much cheaper and this factor alone may be a key decider.

Some applications are obviously suited to one type of VPN or the other. With Internet banking, for example, management could be very costly and difficult if a large number of customers had to deal with the client software used by IPsec VPNs. A combination of SSL VPNs and strong authentication from companies such as VASCO would provide a cost effective, easy-to-use and secure solution. However, if you were doing financial transfers in a corporate situation from point to point, you may well prefer the extra security of IPsec VPNs.

If you were a doctor out on call and wanted to refer back to medical records in the practice, IPSec may be the preferred option. This is because, even though the location is potentially anywhere, the nature of the data being accessed and transmitted over the Internet is highly sensitive and confidential, so it requires authentication. The number of users is likely to be small, making administration and management easier, and the user's access mechanism (laptop) will be a known, controlled and accessible item.

If you are a warehouse-style retail shopping outlet, and you want your customers to have access to stock information, you might veer towards SSL VPNs because of the large numbers, the diverse locations and the costs of managing these. If you were a distributor making pricing information available to a limited number of business partners, you might go for IPsec because of the commercially sensitive nature of the information.

Conclusion

SSL technology is rapidly maturing to the point where there are few clear differences between the options. SSL is gaining the upper hand – but it remains to be seen what difference the introduction of the IPv6 standard, which includes IPsec, will make. All IPv6 end node implementations will include IPsec as an option, so IPsec advocates hope for a resurgence of IPSec VPNs. If all applications used this IPSec feature, then theoretically SSL would be unnecessary.

Vendors are looking at delivering hybrid SSL/IPSec solutions which address both requirements – this could give users the best of both worlds.

However, the perceived wisdom is that, in the future, IPSec will probably be used principally for site-to-site communications, rather than individual client remote access. SSL VPNs will become the dominant and preferred solution for remote access to applications, whether web-enabled or not.

Ian Kilpatrick, the author, is chairman of Wick Hill Group plc, specialists in secure infrastructure solutions for ebusiness. Kilpatrick has been involved with the Group for over 30 years and is the moving force behind its dynamic growth. Wick Hill is an international organisation supplying most of the Times Top 1000 companies through a network of accredited resellers.

Kilpatrick has an in-depth experience of computing with a strong vision of the future in IT. He looks at computing from a business point-of-view and his approach reflects his philosophy that business benefits and ease-of-use are key factors in IT. He has had numerous articles published in the UK and overseas press, as well as being a regular speaker at IT exhibitions.

CRN 2008 channel awards winner of 'Channel Personality of the Year', he is never afraid to voice his opinions on all aspects of the industry and on IT security issues in particular. He has an in-depth experience of computing with an excellent understanding of the industry from the vendor, distributor, reseller and end user point-of-view.

He has a strong vision of the future in IT and IT security. His approach reflects his philosophy that business benefits and ease-of-use are key to successful infrastructure deployment.


Please contact Wick Hill on +44 (0)1483 227600, web www.wickhill.com.
