In-Depth
The Undervalued Security Benefits of IPsec
IPsec is a secure, robust, and transparent network widely available to businesses with smaller overhead than you might think.
By Rainer Enders
For too long, IPsec struggled with a reputation of being cumbersome to implement and manage. However, even amid the harshest of its critics, its unparalleled ability to secure data has rarely, if ever, come into question. Now, through advancements in the technology's infrastructure, IPsec has become easy to use, while still retaining superior security. Considering this, it's time for even the staunchest SSL supporters to take a second a look at IPsec.
Perhaps the single most beneficial aspect of the IPsec VPN is its robust functionality. IPsec allows for a wider spectrum of standards-based, open protocols and authentication algorithms than SSL, which primarily relies on cryptographic digital certificates for authentication. Such certificates, typically issued by a certificate authority system, can be plagued with security issues and concerns.
Conversely, registered IPsec VPN users will seldom have to worry about such processes being handled incorrectly or malfunctioning when transferring data. There are high expectations today placed on mobile workers to perform their tasks as if in the office, and IPsec's ability to offer secure access to the complete network is a far better choice than SSL, which can more easily offer access to just specific resources.
Along similar lines, IPsec represents a transparent pipe to all IP protocols and applications, ensuring secure access to the largest number of registered devices. Some of the most popular and necessary enterprise applications work seamlessly on IPsec connections; the same applications often pose problems for users on SSL. These include UDP-based applications, with VoIP applications being among their most vital subset. IPsec VPNs are capable of integrating superior security standards across a wider array of protocols, which include the Web-based applications SSLs are so well known for handling. With IPsec, the experience for end users is as if they were within their offices, regardless of where around the globe they are currently located.
The implementation of an IPsec VPN was once considered complicated and labor intensive; this perception was due to however, this is actually caused by the meticulous process inherent in IPsec implementation in making sure every endpoint on the network is accounted for. To further increase security, each designated device on an IPsec-enabled network must be uploaded with the same VPN software. This needs to be done before the device is registered onto the new network.
In contrast, SSL is more browser-based. However, unless only Web proxy functionality is performed, SSLs also require a client and therefore similar user-client privileges on the device. This client is delivered via the browser in-band. Although SSL VPN does not need the additional out-of-band software, it is also subsequently more vulnerable to outside and unwanted devices creeping onto the network, a problem preempted by IPsec VPNs.
Meanwhile, with IPsec clients, chief security officers and those in charge of information security can tie additional security functions onto them, making malicious attacks much harder to accomplish. Examples of such additional security functions include a managed endpoint dynamic firewall, hotspot logon (to keep the client secure in hostile environments), and endpoint protection policies, ensuring that the client has all the relevant security components operational at all times. When these additional security functions are combined with IPsec's exclusive nature regarding client interactions, the VPN essentially acts as a guarded gatehouse, prohibiting unwanted visitors.
To the economically minded CIO, these added security features might lead to the assumption of higher operational costs with IPsec. This has been the primary stigma IPsec has carried with it since its inception. Fortunately, recent advancements in IPsec technology have mitigated the procedural overhead that scared enterprises away years ago.
For example, we at NCP have worked on advancements centered on integrated IPsec management technology. The product technology approach now allows for efficient control over rollout, configuration, and management of the IPsec client, as well as for the seamless integration of IPsec VPNs into existing identity management platforms and processes, including full automation of user provisioning. This degree of integration delivers high-end security with operational efficiency and cost effectiveness.
With the rise of the global workforce and the recent proliferation of mobile devices owned and operated by employees both at home and in the office, the decision on which VPN to employ cannot be overlooked or ignored. At the same time, the surprisingly lax security atmosphere in many IT departments is a disturbing trend, particularly as more sensitive business data is exchanged through the assistance of VPNs.
IPsec is undoubtedly the most secure, robust, and transparent network widely available to businesses, and its overhead is significantly less than what its reputation would hold. Organizations that don't have IPsec on the table when considering remote access solutions are, ultimately, putting their data and the trust of their stakeholders at risk.
Rainer Enders is chief technology officer for the Americas at NCP Engineering. He has 20 years of experience in the networking and security industry. His other areas of expertise include test automation in quality assurance and the testing and verification of complex network and system architectures. You can contact the author at rainer.enders@ncp-e.com