Internet Protocol Security (IPSec) virtual
private networks (VPNs) were originally developed over a decade ago to help
businesses avoid the costs of privately-leased WAN lines. IPSec VPNs work by
establishing a tunnel over the Internet to connect the internal corporate
network to a site outside a corporate firewall or gateway.

IPSec needs compatible hardware or software,
often from a single vendor, at both endpoint locations. IPSec VPNs remain viable
solutions for connecting trusted endpoint devices that are directly managed by
IT (such as branch or remote office computers), but not for mobile or personal
devices.
Still, IPSec VPNs are not the best choice for
today’s modern mobile workforce.
Today’s highly mobile teleworkers demand more
secure access to more resources from more remote devices and platforms than ever
before. Corporate boundaries are blurring. In daily operations, partners,
vendors and consultants have become as crucial as employees. The old corporate
network has inverted. The enclosed perimeter model has evolved into a
distributed global network that connects employees, partners and customers over
multiple Internet, intranet and VoIP channels.
IPSec VPNs: Designed for Site-to-Site
Virtual private networks (VPNs),
initially based on the IPSec protocol, were originally developed for
site-to-site communications between branch offices. These site-to-site
VPNs are an economical way to extend the corporate network to remote
offices over the public Internet, avoiding the high cost of private wide
area network (WAN) connections. The resulting secure connection between
trusted private networks offers access similar to that of the corporate
network. As companies broadened their use of VPNs to meet other remote
access needs, proprietary extensions had to be added to the IPSec
standard, or to vendor implementations of the protocol, to address the
complexity of adding individual end users to the remote access equation.
An IPSec VPN works by establishing a
tunnel over the Internet to connect users outside a corporate firewall
or gateway to the internal network. It requires compatible hardware or
software—almost always from a single vendor—on both ends of the tunnel.
With IPSec, the corporate IT department dictates the technology used on
both ends of the tunnel. Although this can work well for systems managed
by the IT department, few companies are willing or able to fully control
or trust the end point environments of remote devices used by
teleworkers, business partners or customers.
At one time, a traditional Internet Protocol Security (IPSec) virtual
private network (VPN) was the only option for secure remote access.
However, because IPSec solutions were designed for trusted site-to-site
connectivity and not with a highly-mobile workforce in mind, IPSec
solutions have limitations for supporting untrusted end point locations
that are not directly managed by IT. In response to increasing user
demands for remote access, a new kind of VPN emerged—SSL VPNs. These new
VPNs, based on the Secure Sockets Layer (SSL) protocol that safeguards
the world of e-commerce, have quickly become the leading option for
secure remote access.
IPSec VPNs are best suited for
point-to-point access. Open tunneling protects data between two private
networks or between IT-managed machines and a private network. IPSec is
a perfectly viable solution when a permanent connection is required
between two specific locations, for example between a branch or remote
office and a corporate headquarters. It can also be used successfully to
provide access to a small finite number of remote workers using
tightly-controlled corporate-issued laptops.
Many existing IPSec implementations
will continue to work well for the use cases for which they were
originally deployed. IT might consider keeping IPSec in these limited
areas and extend remote access to other areas, such as trusted partners
or extranet users, via a parallel SSL VPN solution. While a parallel VPN
implementation is a viable choice for some enterprises, transitioning
all access use cases through a single SSL VPN gateway might ultimately
cost less and be easier to manage.
Secure Remote Access with SSL VPN
SSL is the standard protocol for
managing the security of message transmission on the Internet. SSL is a
higher-layer security protocol than IPSec, working at the application
layer rather than at the network layer. By operating at the application
layer, SSL can provide the highly granular policy and access control
required for secure remote access. Because SSL is included in all modern
browsers, SSL VPNs can empower today’s mobile workforce with clientless
remote access—while saving IT departments the headache of installing and
managing the complexity of IPSec clients. By extending the workplace to
home PCs, kiosks, PDAs, and other unmanaged devices, SSL VPN solutions
increase workforce productivity, resulting in a greater return on
investment. And by eliminating the need to deploy and support “fat”
clients, SSL VPN reduces IT overhead, resulting in a lower total cost of
ownership.
An SSL VPN uses SSL to provide end
users with authorized and secure access for Web, client/server and file
share resources. SSL VPNs deliver user-level authentication, ensuring
that only authorized users have access to the specific resources allowed
by the company’s security policy. SSL VPNs start with providing access
via a Web browser, removing the need for IT to provision clients to the
end point device. For advanced access, agents may be required, but SSL
VPNs allow IT to have agents provisioned and activated within the
context of the Web browser, where ActiveX or Java based “thin” clients
are transparently pushed through the browser. Alternatively, most SSL
VPNs allow IT to pre-provision the agents directly to a user’s device,
allowing the user to directly access the SSL VPN without having to open
a Web browser.
Today’s modern mobile workforce
demands more secure access to more resources from more remote devices
and platforms than ever before. Corporate boundaries are blurring, with
partners, vendors and consultants playing as vital a role in daily
operations as employees do. These changes suggest the need for an
inverted model for the corporate network, evolving from the traditional
enclosed-perimeter model to a distributed global network that connects
employees, partners and customers over multiple Internet, intranet and
VoIP channels. IT managers must now assume that any user and device is a
potential risk point, whether the user is accessing remotely or plugged
directly into the LAN. Disaster recovery and business continuity
initiatives pose additional incentive to provide remote access from any
end point location. Policy based granular access control becomes
imperative.
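The two passages above describe what distinguishes an SSL VPN gateway from a network-layer tunnel: each request is decided per user, per resource and per end point, with a default of deny. The following is an added illustration written for this page, not SonicWALL code and not any product's policy language; the user names, group names, resource labels and the "managed" and "host check" end point attributes are constructed for the example. It shows a small policy evaluator of that shape, where an unmanaged kiosk can reach a Web resource but is refused a file share, and where a managed device must also pass a host check before a client/server resource is granted.

```python
"""Toy policy-based access-control evaluator modelled on what an SSL VPN
gateway applies to each request.  Added example, not SonicWALL code; the
users, groups, resources and end point attributes are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Endpoint:
    managed: bool        # corporate-issued and directly managed by IT?
    host_check_ok: bool  # passed an end point control check (constructed)


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    endpoint: Endpoint
    resource: str        # constructed labels: "web:...", "share:...", "tcp:..."


@dataclass(frozen=True)
class Rule:
    resource_prefix: str
    allowed_groups: frozenset
    require_managed: bool = False     # only IT-managed end points
    require_host_check: bool = False  # end point must pass host check too


# Constructed policy.  First matching rule decides; anything unmatched is
# denied, so a user never gains "network reachability" as a side effect.
POLICY: List[Rule] = [
    Rule("web:intranet", frozenset({"employees", "contractors"})),
    Rule("share:finance", frozenset({"finance"}), require_managed=True),
    Rule("tcp:rdp", frozenset({"itops"}), require_managed=True,
         require_host_check=True),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a single resource request.

    Each resource is decided on its own, unlike a network-layer tunnel that
    grants reachability to a whole subnet once the tunnel is up.
    """
    for rule in policy:
        if not req.resource.startswith(rule.resource_prefix):
            continue
        if not (req.groups & rule.allowed_groups):
            return "deny", f"{req.user} is not in a group allowed for {rule.resource_prefix}"
        if rule.require_managed and not req.endpoint.managed:
            return "deny", f"{rule.resource_prefix} requires an IT-managed end point"
        if rule.require_host_check and not req.endpoint.host_check_ok:
            return "deny", f"{rule.resource_prefix} requires a passing host check"
        return "allow", f"matched rule for {rule.resource_prefix}"
    return "deny", "no matching rule (default deny)"


def demo() -> List[Tuple[str, str, str]]:
    """Run a few constructed requests and return (user, resource, decision)."""
    kiosk = Endpoint(managed=False, host_check_ok=False)
    laptop_ok = Endpoint(managed=True, host_check_ok=True)
    laptop_stale = Endpoint(managed=True, host_check_ok=False)
    requests = [
        Request("alice", frozenset({"employees"}), kiosk, "web:intranet/hr"),
        Request("alice", frozenset({"employees"}), kiosk, "share:finance/q3"),
        Request("bob", frozenset({"finance"}), kiosk, "share:finance/q3"),
        Request("bob", frozenset({"finance"}), laptop_ok, "share:finance/q3"),
        Request("carol", frozenset({"itops"}), laptop_stale, "tcp:rdp/host1"),
        Request("carol", frozenset({"itops"}), laptop_ok, "tcp:rdp/host1"),
        Request("carol", frozenset({"itops"}), laptop_ok, "tcp:ssh/host1"),
    ]
    return [(r.user, r.resource, evaluate(r)[0]) for r in requests]


if __name__ == "__main__":
    for user, resource, decision in demo():
        print(f"{user:6} {resource:18} {decision}")
```

The point of the shape is that the decision inputs are the user's identity and group membership, the requested resource, and the state of the end point, which is exactly the information a site-to-site tunnel never sees; a real gateway would take the group list from its authentication back end and the end point attributes from its agent or browser-based check rather than from constructed literals.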
Conclusion
Whether an IPSec or SSL VPN is the
right choice ultimately depends on the extent of your company’s secure
remote access needs:
- IPSec VPN technology is designed for site-to-site
VPNs or for remote access from a small finite number of
tightly-controlled corporate assets. If these are the
primary needs of your company, IPSec performs these
functions quite well.
- SSL VPN technology, on the other hand, works much better
for secure remote access. SSL VPN technology is an ideal
replacement for—or adjunct to—IPSec, because it increases
productivity by allowing access to more resources from more
end points; lowers costs by easing administration with
clientless (and easy-as-clientless) access and centralized
control; and adds security with granular access and end
point control. Best practices for transitioning to an SSL
VPN include establishing a corporate security policy,
conducting a lab environment pilot and implementing a phased
migration.
SonicWALL has a VPN solution to match
your specific requirements. SonicWALL TZ and NSA Series appliances offer
integrated IPSec VPN for secure site-to-site remote access scenarios.
SonicWALL SSL VPN appliances offer secure remote access to end points
beyond IT control, without the costly overhead needed to deploy and
maintain per-seat “fat” clients, boosting workforce productivity, easing
manageability, and enhancing enterprise network security. SonicWALL SSL
VPNs offer easy, effective solutions for the evolving remote access
demands of today’s mobile workforce, including remote access, disaster
recovery, wireless networking, extranet access, mobile networking,
policy enforcement, and network access control.
SonicWALL can help your organization
deliver anywhere access to any application from the broadest range of
devices and help you lower costs and increase the productivity of both
your end users and IT staff.