Great questions. First, the real issues between SSL-based and IPSec-based remote access have nothing to do with the encryption standards, but with authentication and control. Encryption provides confidentiality and keeps transmissions private from end-point to end-point. SSL and IPSec both provide the same level of security here. But IPSec excels in authentication and control.
The good news about SSL-based VPN is that one doesn't need special-purpose client software and can get to the network from virtually any device. Of course, this is bad news on the security front. I need to pay special attention to user authentication since the device is not locked down, and I need to beware of new attacks such as retrieving data from a web cache or programs that capture keystrokes. I also need to make sure, using techniques like timeouts, that an employee retrieving corporate data from an airport kiosk doesn't walk away with the session active. One other caveat about SSL is that it doesn't support ALL IP applications; IPSec does.
Regarding encryption standards, we're always looking for stronger methods and they will continue to change as processors become more powerful. The availability of new encryption methods doesn't necessarily mean that the older ones are no good. It's just the nature of the game. Although most vendors implement 168-bit 3DES, IPSec has no specific encryption standard and can accommodate new ones as they become available.