VPNs for disaster recovery: IPsec vs. SSL


Justin Korelc and Ed Tittel
08.03.2006




Enterprise disaster recovery strategies have the common goal of maintaining business continuity under nearly all circumstances. It is therefore imperative to include failover communications mechanisms in case connectivity should be compromised. For everything from natural disasters to terrorist activity to pandemics, numerous contingencies compel detailed disaster recovery plans. Using a VPN as a failover mechanism when a primary communications link may be unavailable is certainly a smart move -- as well as an easy one to implement -- because so many different VPN options are available.

Numerous tunneling technologies are used in VPN frameworks, but two protocols dominate secure VPN technologies: IPsec and SSL/Transport Layer Security (TLS). Their relative strengths and merits depend on the circumstances surrounding their deployment, the equipment involved, and varying levels of availability that must be delivered.

IPsec VPN strengths and merits
On the positive side, IPsec is integrated into some enterprise routing equipment and public-facing servers, which gives IPsec VPN solutions a distinct competitive advantage. With an IPsec-capable router, an organization can establish one of several failover arrangements that can provide various levels of availability and redundancy.

Furthermore, IPsec-capable communications equipment can facilitate a variety of dedicated circuit and backup leased line configurations with multi-path redundancy, high availability and cost-effective WAN extranet connections. Primary circuits can be established with doubled-up routing devices and with or without backup links to ferry VPN clients to VPN gateways with minimal service interruptions.

IPsec VPN weaknesses and faults
A dispersed mobile workforce remains a constant challenge for IPsec-derived VPN solutions because their infrastructure is designed to work best for site-to-site business connectivity. As such, IPsec solutions -- in order to work properly -- often require a site-specific configuration for both clients and servers, which makes advance configuration and testing absolutely essential. In fact, IPsec's inflexibility makes it surrender first place to SSL-based VPN solutions, many of which may be accessed easily from any Web-enabled browser on just about any computing platform.

With ever-increasing workforce mobility and end-user demand, an IPsec infrastructure has become almost impractical simply because it's cumbersome to implement and costly to maintain. To complicate matters further, frequent use of incompatible vendor-specific extensions and implementations to the IPsec infrastructure means that IPsec products that manage to interoperate with those from other vendors usually do so in a way that limits overall scope, scalability or capacity.

On the other hand, IPsec is widely distributed at the enterprise level within industrial-grade devices such as Cisco's 7200 Series routers. These routers also support Generic Routing Encapsulation (GRE), which permits networks to be interconnected in ways the physical topology would not otherwise allow and may also be used to tunnel VPN connections in the event of an emergency.

SSL VPN strengths and merits
SSL VPN solutions are generally more universal than the IPsec variety because SSL is standardized and implemented on so many platforms. Unlike Microsoft Windows' inherent reliance on L2TP for IPsec, SSL implementations also work across BSD, Linux, OS X and Solaris platforms, any or all of which might be essential for supporting business-to-client interaction where mismatched IT equipment, protocols and procedures cannot always be easily resolved or rationalized.

Managing communications within a mobile and portable workforce is best handled with highly flexible SSL VPN configurations -- for several reasons. First and foremost, they are easy to implement and maintain. Second, SSL VPNs are ideal for equipment that lacks remote manageability (such as home PCs, PDAs, smartphones and so forth). Third, SSL VPNs work on just about any device that supports Internet access and a Web browser. SSL is much better at NAT traversal than IPsec (though many modern implementations remedy IPsec addressing issues) because no critical information in SSL packets is lost in the address or port translation process.
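The NAT traversal point above is worth seeing concretely. The following is an added example, not code from the original article: it models how IPsec's Authentication Header computes its integrity check over the outer IP header (with the fields routers may legitimately change zeroed out) plus the payload, and contrasts it with an SSL/TLS-style tag that covers only the payload. When a NAT device rewrites the source address, the header-covering check fails while the payload-only check still passes. The key, addresses and payload are constructed sample values, and the AH model is simplified (IPv4 only, no AH header fields).

```python
"""Illustrative model of why NAT breaks IPsec AH but not a payload-only MAC.

Added example for this article; not from the original text or any product.
AH (RFC 4302) authenticates the IP header minus its mutable fields, so an
address rewrite by NAT invalidates the check. A TLS-style MAC authenticates
only the application record, so translation of addresses or ports is invisible
to it. Simplified: IPv4 only, no AH header, constructed key.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample; real SA keys come from IKE


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      ttl: int = 64, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left at zero for simplicity."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable-in-transit before hashing:
    DSCP/ECN (byte 1), flags + fragment offset (bytes 6-7), TTL (byte 8) and
    header checksum (bytes 10-11). Addresses are immutable, so NAT is detected."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH-style integrity check value over (normalized header || payload)."""
    return hmac.new(KEY, zero_mutable_fields(hdr) + payload, hashlib.sha256).digest()[:12]


def payload_mac(payload: bytes) -> bytes:
    """SSL/TLS-style integrity tag: covers only the application record."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]


def forward_hop(hdr: bytes) -> bytes:
    """An ordinary router hop: decrement TTL, touch nothing else."""
    h = bytearray(hdr)
    h[8] -= 1
    return bytes(h)


def nat_rewrite(hdr: bytes, new_src: str) -> bytes:
    """Source NAT: the router hop plus a rewritten source address."""
    h = bytearray(forward_hop(hdr))
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)


PAYLOAD = b"constructed application data"  # constructed sample
ORIG_HDR = build_ipv4_header("192.168.1.10", "203.0.113.5", len(PAYLOAD))


def ah_verifies_after_routing_only() -> bool:
    """Plain forwarding only changes TTL, which AH excludes: check still passes."""
    sent = ah_icv(ORIG_HDR, PAYLOAD)
    return hmac.compare_digest(sent, ah_icv(forward_hop(ORIG_HDR), PAYLOAD))


def ah_verifies_after_nat() -> bool:
    """NAT rewrites the source address, which AH covers: check fails."""
    sent = ah_icv(ORIG_HDR, PAYLOAD)
    natted = nat_rewrite(ORIG_HDR, "198.51.100.1")
    return hmac.compare_digest(sent, ah_icv(natted, PAYLOAD))


def payload_mac_verifies_after_nat() -> bool:
    """The payload-only tag never saw the header, so NAT cannot disturb it."""
    sent = payload_mac(PAYLOAD)
    nat_rewrite(ORIG_HDR, "198.51.100.1")  # outer header changes; payload does not
    return hmac.compare_digest(sent, payload_mac(PAYLOAD))


if __name__ == "__main__":
    print("AH after plain routing hop:", ah_verifies_after_routing_only())
    print("AH after source NAT:      ", ah_verifies_after_nat())
    print("TLS-style MAC after NAT:  ", payload_mac_verifies_after_nat())
```

The usual remedy the article alludes to is to stop authenticating the outer header at all: ESP in tunnel mode protects only the inner packet, and NAT traversal wraps it in UDP so that address and port rewriting happens on bytes no integrity check covers, which is the same property the payload-only tag has here.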

Some VPN solutions, such as OpenVPN, can push site-specific information to clients, including DNS server addresses and preferred client-side settings. This lends plenty of transparency, speed and flexibility to emergency-planning failover procedures. Connecting clients can be redirected to alternative gateways as they connect in the wake of a disaster or emergency, and they can then be redirected back to primary gateways as they come back online, without manual reconfiguration on client machines.

SSL VPN weaknesses and faults
SSL VPNs produce overhead with additional layers of encapsulation. Also, when tun/tap devices are involved in establishing VPN links, diagnosing connectivity problems can become unnecessarily complicated. For starters, the IP and Ethernet frame headers become encapsulated within the SSL protocol data unit, which may then itself become encapsulated within TCP or UDP. This arrangement is less than ideal for low-speed links and constrained processing resources, where a kernel-integrated IPsec solution might deliver better native performance than SSL solutions.

Conclusion
IPsec and SSL VPN technologies adapt differently to similar sets of circumstances, each with its own distinct advantages and disadvantages. IPsec and SSL solutions work at different levels of integration, interoperability and implementation when it comes to delivering failover VPN connectivity. Depending on the circumstances and scenarios that an enterprise may plan to accommodate in its disaster recovery operations, one choice may certainly adapt better than the other, but neither is inherently superior.

About the authors:
Justin Korelc is a longtime Linux hacker and system administrator who concentrates on hardware and software security, virtualization, networking and unusual Linux configurations. Justin has contributed to books on Linux-based home entertainment and TCP/IP course material and writes semiregularly for several TomsHardware sites.

Ed Tittel is a freelance writer who specializes in information security, IT certification and markup languages. He created the Exam Cram series and has contributed to more than 130 computer books. He writes regularly for numerous TechTarget Web sites. Email Ed at etittel@techtarget.com.
