SSL VPNs: Great for basic access but not for power users

A recent study from Infonetics Research finds that Secure Sockets Layer (SSL) virtual private networks (VPNs) are poised to fill a market niche not covered by traditional Internet Protocol Secure (IPsec) VPNs. Ted Studwell, vice president for engineering and strategy at Virtella Communications, a VPN service provider in Greenwood Village, Colo., breaks down the differences between IPsec and SSL VPN technologies. Studwell says that when it comes to VPNs, IT managers need to pick the right tool for the job.

Between SSL VPN and IPsec VPN, which technology offers more benefits to network managers?

IPsec VPN, because the SSL VPN functionality is pretty rudimentary. So if somebody wants to do Web access to Outlook, if they want to get access to local area network (LAN) drives, SSL is good for that. If you want to run more sophisticated applications like CRM, it's not going to work right now. But that may change over time. Right now the functionality is great for somebody who doesn't want much, but for people who need access to more than just simple applications, it's not going to work.

What is the difference between an SSL VPN and an IPsec VPN?

These devices (SSL VPNs) allow you to provide remote access to people without having to load software onto PCs. There are three ways people access corporate information today. They build a private dial-up modem bank, which is OK but it's very costly to do that. Another way that people do it is basically don't do anything, and they hope and pray that nothing happens. The third way, which is to use an IPsec VPN client on a PC, works really well. The issue is then if I'm on the road traveling or if I don't have my PC then what do I do? So basically what SSL (VPN) devices allow you to do is to put a device behind the corporate firewall, and basically establish an SSL session from pretty much any browser. Basically these devices will negotiate the session and determine what you'll have access to.

Is an SSL VPN easier to install and configure?

That is the primary advantage of SSL VPNs, because with traditional VPNs, you have to go to every PC and install something or configure something. With an SSL-based VPN there's nothing to do at the PC. It's all done in this one device. So basically you can install the SSL VPN device, configure it, get it up and running and then the end user with a PC doesn't have to do anything but log in.

Do VPN service providers favor one technology over the other at this point?

They're all using IPsec today. The problem again with SSL is that it does have limited functionality which works great in some cases but doesn't fix the problem for 90% of corporate IT infrastructure. If you have 10 corporate offices and you want to connect them together with a VPN, SSL is never going to fix that problem. You are always going to have to use IPsec, because the amount of traffic going through there is going to be pretty significant and you're always going to need functionality.

Is one technology more secure than the other? If so, why or why not?

One of the issues with the SSL (VPN) is that when you set up the SSL connection, it's pretty much open ended on the back end. With an IPsec VPN you can limit what one user gets versus other users. There is a lot of granularity of control as far as what you can do with an IPsec VPN, as far as access, policies and things such as that. That might be something that the SSL VPN guys develop over time, but right now you don't have such fine granularity for control.

Who makes SSL VPNs?

There's a bunch of companies such as uRoam, Neoteris and Netilla. Those are the big ones.

Are there any shortfalls to SSL VPNs compared to IPsec VPNs?

The one shortfall is that you can't run everything and you can't access everything. So if you're what I would call a power user, you're going to have issues because you're going to find out you can't run a lot of stuff.

Usually when you establish an IPsec client with a remote access VPN, effectively you would think that you were at work. So I can initiate my Outlook and it would be just like I'm at work. With the SSL devices it doesn't work that way. You can't just go and open your Outlook Exchange and all your messages pop up. They are not sophisticated enough to support all applications. I suspect if you come back two years from now they will have solved all those issues. Today I would categorize it as it works great for people who need very basic access.
