VPN: IPsec or SSL?
Source: Wiley Publishing, www.howstuffworks.com
IT managers typically have two choices to consider when deciding on a virtual private network (VPN) implementation method: IPsec and Secure Socket Layer (SSL).
To help you decide, here are your options:
First: IPsec
Internet Protocol Security (IPsec) is a suite of protocols that provides security mitigation features at the Internet layer of the TCP/IP model (the OSI model's network layer).
The main goal of IPsec is to provide communications protection; it is used more for site-to-site VPNs.
Advantages:
1) Performance:
Only IP packets traversing public (unsecure) networks are encrypted. This provides high performance by only
encrypting necessary data.
2) Network layer security:
IPsec operates at the network layer and does not require modification of TCP/IP applications to secure them.
3) Scalability:
IPsec VPNs may be implemented over any IP-capable network backbone, such as the Internet. Simple deployment
also provides organizations with operational cost reduction benefits.
4) Versatile:
Implements various security mechanisms such as data authentication, encryption, digital integrity checking,
and replay protection.
5) Universal acceptance:
IPsec is an industry-recognized IETF standard and is supported by most operating systems.
6) Application independence:
IPsec is transparent to applications (and upper OSI layers) and is not assigned to any one specific application.
Disadvantages:
1) Performance:
IPsec may require large amounts of processing power on VPN endpoints (gateways) to encrypt, decrypt, and authenticate traffic.
2) Security:
Because IPsec relies on public keys, security mitigation depends on secure key management. Compromised security keys eliminate the security integrity and benefits of IPsec. Also, vulnerabilities existing at the IP layer of the remote network can be inherited by the corporate network through the IPsec tunnel.
3) Complexity:
The vast configuration options of IPsec make it very flexible, but also overly complex. Configuration errors can expose the corporate network to unnecessary security risks and introduce weaknesses in the VPN.
4) Firewall restrictions:
Connecting to an organization's own network from an off-site location may not be possible due to corporate firewall restrictions (blocking IPsec-specific UDP ports).
5) Management:
IPsec employs digital signature authentication, which relies on a public key infrastructure (PKI). PKI requires considerable implementation planning and administrative management. The majority of IPsec VPN solutions have third-party hardware and software installation requirements. IPsec client software is required on each computer that needs access to an IPsec-enabled VPN. This is both an advantage (increased security) and a disadvantage (financial cost and extra VPN management).
Second: SSL
SSL VPN is the abbreviation for Secure Sockets Layer Virtual Private Network. It is a form of VPN that may be used with a standard Web browser and consists of one or more VPN devices to which the user connects using a Web browser.
The main goal of SSL is to give remote users access to Web and client/server applications and internal network connections.
Advantages:
1) Interoperability:
SSL is part of the de facto TCP/IP standard. It is supported by a variety of device and software manufacturers and allows interoperability between different vendors and applications.
2) Management:
SSL makes deployment, management, and administration tasks extremely simple and effective.
3) Cost:
The clientless architecture of SSL allows a cheaper deployment alternative than IPsec-based VPNs. No special client
software licenses or other expensive hardware is needed.
4) Granular structure:
Provides finely detailed client access policies based on user identity and profile. This allows an administrator to be
very specific when defining the corporate VPN. SSL allows narrowing down authenticated user access to specific
data, applications, and servers.
5) Firewall and NAT operation:
SSL uses TCP port 443 (HTTPS), which is open on most networks, allowing SSL VPNs to operate without extra
administrative overhead.
6) Security:
By allowing access only to certain applications, security mitigation is increased, and the threat of attack is minimized.
7) Application layer functionality:
Unlike IPsec, which operates at the OSI network layer, SSL eliminates IP-based address management problems by
operating at the transport layer and provides services to the upper layers.
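The two firewall points above (IPsec needs its IKE UDP ports and the ESP/AH data path allowed; SSL rides on TCP 443, which is almost always open) can be checked from the firewall's own flow records. The following is an added example, not code from the original article: it assumes a simple "key=value" flow export format and uses constructed sample records to classify tunnel traffic and flag IPsec peers whose IKE negotiation got through while their tunnel data did not.

```python
from collections import Counter
# IKE on UDP 500, IKE NAT-Traversal on UDP 4500, ESP = IP proto 50, AH = 51, TLS on TCP 443.
IKE_UDP_PORTS = {500, 4500}
IPSEC_IP_PROTOS = {50: "esp", 51: "ah"}
TLS_TCP_PORT = 443

# Constructed sample flow records in an assumed "key=value" export format
# (RFC 5737 documentation addresses); adapt parse_flow() to your firewall's format.
FLOWS = """\
src=203.0.113.10 dst=198.51.100.1 proto=17 dport=500 bytes=1200
src=203.0.113.10 dst=198.51.100.1 proto=50 dport=0 bytes=98000
src=203.0.113.11 dst=198.51.100.1 proto=17 dport=500 bytes=1100
src=203.0.113.12 dst=198.51.100.2 proto=6 dport=443 bytes=45000
src=203.0.113.13 dst=198.51.100.3 proto=6 dport=22 bytes=3000
""".splitlines()

def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; proto and dport become ints."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    for key in ("proto", "dport"):
        fields[key] = int(fields[key])
    return fields

def classify(flow):
    """Label a flow 'ipsec-ike', 'ipsec-esp', 'ipsec-ah', 'ssl-vpn' or 'other'."""
    proto, dport = flow["proto"], flow["dport"]
    if proto in IPSEC_IP_PROTOS:
        return "ipsec-" + IPSEC_IP_PROTOS[proto]
    if proto == 17 and dport in IKE_UDP_PORTS:
        return "ipsec-ike"
    # Port alone cannot separate an SSL VPN from ordinary HTTPS browsing.
    if proto == 6 and dport == TLS_TCP_PORT:
        return "ssl-vpn"
    return "other"

def analyze(lines):
    """Count flow classes and return sources with IKE but no tunnel data path
    (ESP/AH or NAT-T on UDP 4500): the firewall passes IKE but blocks the data."""
    counts, ike_srcs, data_srcs = Counter(), set(), set()
    for flow in map(parse_flow, lines):
        kind = classify(flow)
        counts[kind] += 1
        if kind == "ipsec-ike":
            ike_srcs.add(flow["src"])
            if flow["dport"] == 4500:  # NAT-T carries ESP inside UDP, so it is a data path
                data_srcs.add(flow["src"])
        elif kind in ("ipsec-esp", "ipsec-ah"):
            data_srcs.add(flow["src"])
    return counts, ike_srcs - data_srcs
```

Calling `analyze(FLOWS)` on the sample records reports one SSL VPN flow, two IKE flows and one ESP flow, and flags 203.0.113.11 as a peer that negotiated IKE but never passed tunnel data.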
Disadvantages:
1) Web-based:
Works best with HTTP, although in theory, SSL can support any application layer protocol because SSL operates
at the transport layer.
2) Security:
SSL user authentication is optional, which can introduce major network security breaches. Also, standard SSL
encryption is 56-bit DES. IPsec uses DES, 3DES, or AES encryption. SSL provides access to the VPN gateway
from any web-enabled host, which introduces additional intruder vulnerabilities.
3) Performance:
Under extremely high loads, SSL VPNs may overtax the corporate VPN gateway. High CPU overhead may result
from public key operations.
4) Additional software downloads:
Access to non-Web-enabled applications may require Java and ActiveX software downloads to function properly.
This can cause a problem if a firewall is set to block access to these types of applications.
Tip: check out the "Best IPsec & SSL VPN providers" lists at http://www.bestvpn.co.uk:
- SSL VPNs: Best SSL VPN Service Providers
- IPsec VPNs: Best IPsec VPN Providers