News Stay informed about the latest enterprise technology news and product updates.

Is IPsec on borrowed time?

IT professionals say SSL VPN connections are easier to secure and manage than their IPsec counterparts. But don't count IPsec out just yet.

For proof that hunger is growing in the information security community for Secure Sockets Layer [SSL]-based virtual private networks [VPNs], look at the latest offerings from Check Point Software and Juniper Networks. For insight on what the big deal is, ask Steve Smith, network manager for Erie, Pa.-based Saint Vincent Health System [SVHS].

He'll start by telling you how crazy it was to manage an Internet Protocol Security [IPsec]-based VPN in an organization with 1,650 employees spread across 25 facilities -- including the main campus, a separate hospital in New York, four satellite rehab offices, an outpatient center and 20 outside doctor's offices.

"I walked into a job where all kinds of insecure remote connectivity was in place," Smith said. "We went from zero to 30 VPNs in a month. We were giving outside clients full secure access to our networks."

The trouble with IPsec is that it gets overly complicated and expensive to manage as the user base expands, he said. There's a growing tangle of firewalls as more doctor's offices seek VPN connectivity. IT staffers are forced to become experts on whatever technology the third party is using, which costs additional time and money.

When SVHS discovered the SSL approach, all that pain went away, he said.

SSL vs. IPsec
IPSec VPN is a layer 3 technology that provides a secure tunnel between a remote location and the corporate network. It requires host-based clients and expensive hardware at a central location; ongoing configuration maintenance and account administration are heavy burdens. Users have full office functionality using IPSec VPNs, but there's very little granularity in access control. Access is generally permit or deny with most shared network resources available to any user.

Smith, whose organization is a Check Point customer, said headaches here aren't limited to third-party users.

"We have a group of eight radiologists and they didn't want to be there 24 hours a day," Smith said. "They wanted the ability to work from home. Before SSL, our solution was to put a firewall/VPN connection out of their house so they could access images from the hospital. It worked fine at first. But then we had too many firewalls to manage, too much code to upgrade. We had to pay outside contractors to go out to these places, update code and troubleshoot."

By comparison, SSL VPNs work on layers 4 through 7 and don't require a client download. Remote connections are made via a Web browser or through a downloadable Java or ActiveX agent. Security managers can assign role-based access for each user and application and client administration is eliminated.

Smith likes the latter feature above all. "We're able to rip out firewalls or we let users keep them for their own purposes," he said. "As long as users meet certain baseline criteria, they can use [SSL]."

Now if a doctor's office or home worker needs VPN access, all Smith has to do is determine the level of access they need to do their job and assign them to the most appropriate access folder. If the user's access needs don't fit with the existing folders, he can simply create a new one.

As demand grows, vendors respond
Vendors like Check Point and Juniper see a growing army of users who share Smith's enthusiasm for SSL VPNs. Last week they rolled out new products to satisfy the hunger.

Redwood City, Calif.-based Check Point announced the coming release of Connectra NGX, an enhanced version of its SSL VPN technology. On its Web site, Check Point describes Connectra as "a complete Web security gateway with integrated endpoint security to defend against insecure endpoints and integrated application security to provide protection against malicious activities and attacks over SSL VPN."

Sunnyvale, Calif.-based Juniper Networks announced major enhancements to its Secure Access and Remote Access SSL VPN appliances with a new version of Instant Virtual Extranet (IVE) 5.0 software. In addition to delivering the next generation of its Network Connect product and advanced endpoint remediation capabilities, the new software offers dynamic XML re-writing and a Java Applet Delivery Infrastructure, said Vivian Ganitsky, management director of Juniper's SSL VPN product line.

"People are finding SSL more granular," she said. "The customer has a lot more leeway in determining who gets access to what. With SSL, if a user is logging on from an airport kiosk, which is an untrusted network, you can control what they can access. If you do business with a partner, you don't want to give them full access. IPsec gives them full access, which you don't always want."

Carmi Levi is network and communication team manager for another Check Point client, Tel Aviv-based Zim Integrated Shipping Services, which has 3,000 employees spread across Israel, Europe, Africa, Virginia and Hong Kong. He said IPsec can be problematic when it comes to outer office use. "It's not transparent to the user," he said. On the other hand, he said, "SSL via the Internet is a better fit. It's a VPN that can go everywhere. It's just more flexible and reliable."

End of the line for IPsec?
Despite all the praise for SSL VPNs, don't expect those IPsec connections to go dead anytime soon. Users and vendors alike agree most companies will keep using IPsec even if they've adopted SSL, and with good reason.

"As far as I see it these two technologies are complementary rather than exclusive: Both protocols provide a valid solution for securing remote access users, and each has its own merits," Itay Yanovski, Zim Shipping's information security officer, said by e-mail. "At our organization we use both IPsec and SSL VPNs, and as the company's security officer I wouldn't give up either."

Ganitsky said plenty of Juniper's customers feel the same way. As a result, she said the company's latest product overhaul is designed to make it easier for companies to use both IPsec and SSL.

Related news items

Choosing between IPsec and SSL VPNs

High-severity vulnerability found in IPsec

"The great benefit with IPsec is that it's a fast mode of transport," she said. "It is optimized for quick access to VoIP and screaming media, and fast access to items at the network layer."

But while many companies still use IPsec and SSL, Forrester Research analyst Rob Whiteley believes most will eventually push IPsec to the sidelines and go full-on with SSL.

"We are in a transition phase," he said in an interview with Information Security magazine, a sister publication to "We are going to see more SSL deployments until IPSec becomes the niche technology, which is the reverse of today."

He recommended enterprises assess their applications and ensure internal compatibility with their VPN plans. Exhaustive SSL VPN evaluations should be conducted and IPsec should be maintained for specialized applications that are not Web enabled, he said.

Information Security magazine senior editor Michael S. Mimoso contributed to this report.

Dig Deeper on WAN technologies and services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.