In-Depth

Enterprise Basics: IPSec vs. SSL VPN

Which one is right for you?

As enterprises expand their data networks to achieve business goals, providing remote workers, branch offices, and business partners real-time access to centralized corporate applications and data is no longer an option—it’s a necessity. As enterprise networks expand and the number of endpoints grows exponentially, IT managers must balance the cost of expansion against the security, reliability, and scalability of the solution. Based on these factors, IP-based Virtual Private Networks, or IP VPNs, are emerging as the solution of choice to enable secure remote access.

VPNs, however, are available in multiple flavors. Depending on the unique goals and needs of your enterprise, selecting the right type of VPN is a critical step in determining whether your investment will be an effective business tool or an expensive IT toy.

The two most popular VPN types are based on two different protocol sets—IPSec (Internet Protocol Security) and SSL (Secure Sockets Layer, whose standardized successor is TLS).

IPSec (Internet Protocol Security) VPNs are based on a set of security protocols that operate on the network layer (Layer 3 of the OSI model). A head-end gateway and remote peers (branch-office gateways or software clients on remote PCs) authenticate each other and negotiate keys, then exchange traffic through an encrypted tunnel that carries any IP-based application unchanged. All of today’s major equipment manufacturers, such as Cisco, Nortel, Checkpoint and SonicWALL, include IPSec support in their network devices.

SSL (Secure Sockets Layer) VPNs are based on the protocol commonly used to secure data transmissions on the Internet. SSL VPNs can be used with or without a client. SSL sits between an application protocol such as the Hypertext Transfer Protocol (HTTP) and the Transmission Control Protocol (TCP), so it secures one application session at a time rather than a whole network path. SSL support is included with Microsoft and Netscape browsers, as well as with most web server products. Proprietary, appliance-based VPNs are also available from vendors. The following comparison focuses on key areas that IT managers should consider when determining which type of VPN best meets their enterprise needs.

Security

With VPN technology, corporate data travels over a public network infrastructure (the Internet). This data can be viewed, intercepted, and reproduced by unauthorized users if not secured in the proper fashion. In addition, deployment of a VPN creates new network endpoints, which can serve as a means of entry into the corporate network for malicious hackers. Hence, data security and integrity should be a major concern when evaluating VPN solutions.

IPSec provides two security protocols. Authentication Header (AH) gives each packet integrity protection and data-origin authentication, covering the IP header as well as the payload (which is why AH does not pass through NAT), but no encryption. Encapsulating Security Payload (ESP) encrypts the payload and can also authenticate it; ESP with integrity protection is what almost all deployments use. Both carry a Security Parameters Index (SPI) that selects the Security Association and a sequence number that the receiver checks against an anti-replay window. Neither protocol authenticates users by itself: authentication of the two peers (with pre-shared keys or certificates) and key negotiation are handled by the separate key-management protocol, IKE, which is built on ISAKMP/Oakley. IPSec implementations of this era used TripleDES (3DES), then regarded as one of the strongest ciphers available; today AES is the standard choice and 3DES is deprecated.
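Seen from the receiving gateway, the per-packet services above come down to a few checks on every ESP packet. The Go program below is an added example written for this page, not code from the article or from any vendor's product: it implements the inbound ESP processing order of RFC 4303 (SPI lookup, anti-replay check, integrity check with HMAC-SHA-256-128 as specified in RFC 4868, then the window update) over a 64-packet sliding window, and feeds it a constructed packet stream containing a replay, a stale packet and a tampered packet. The SPI, the integrity key and the "ciphertext" payload are made up for the demo; in a real tunnel IKE negotiates them, and decryption of the payload would follow the integrity check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const icvLen = 16 // HMAC-SHA-256-128 (RFC 4868): the ICV is the HMAC tag truncated to 128 bits

// replayWindow is the RFC 4303 section 3.4.3 receiver window for 32-bit sequence numbers:
// bit i of bitmap set means "sequence number highest-i was received". size must be <= 64 here.
type replayWindow struct {
	size, highest uint32
	bitmap        uint64
}

// check reports whether seq may be accepted, without changing state. Sequence number 0 is
// never valid (the first packet on an SA carries 1), so it is treated as left of the window.
func (w *replayWindow) check(seq uint32) error {
	switch {
	case seq > w.highest:
		return nil // right of the window: a new packet
	case seq == 0 || w.highest-seq >= w.size:
		return errors.New("esp: sequence number left of the anti-replay window")
	case w.bitmap&(1<<(w.highest-seq)) != 0:
		return errors.New("esp: replayed sequence number")
	}
	return nil
}

// update records seq as received. It must run only after the ICV verified; otherwise forged
// packets could slide the window forward and cause genuine traffic to be dropped as stale.
func (w *replayWindow) update(seq uint32) {
	if seq > w.highest {
		w.bitmap <<= seq - w.highest // a shift of 64 or more clears the bitmap (Go shifts are not modulo the width)
		w.highest = seq
	}
	w.bitmap |= 1 << (w.highest - seq) // bit 0 is highest itself
}

// inboundSA is what the receiver keeps per Security Association, as negotiated by IKE.
type inboundSA struct {
	spi     uint32
	authKey []byte
	window  replayWindow
}

// receive applies the RFC 4303 inbound order: SPI lookup, anti-replay check, ICV verification,
// window update. It returns the still-encrypted payload; decryption would follow and is left out.
func (sa *inboundSA) receive(pkt []byte) ([]byte, error) {
	if len(pkt) < 8+icvLen || binary.BigEndian.Uint32(pkt[0:4]) != sa.spi {
		return nil, errors.New("esp: packet too short or SPI not known")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if err := sa.window.check(seq); err != nil {
		return nil, err
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha256.New, sa.authKey)
	mac.Write(body) // the ICV covers SPI, sequence number and ciphertext, never the outer IP header
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, errors.New("esp: integrity check failed")
	}
	sa.window.update(seq)
	return body[8:], nil
}

// buildESP is the sender side, used here only to construct demo traffic.
func buildESP(spi, seq uint32, authKey, ciphertext []byte) []byte {
	pkt := make([]byte, 8, 8+len(ciphertext)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, ciphertext...)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...)
}

// replayDemo pushes constructed traffic through one SA and returns one verdict per packet.
func replayDemo() []string {
	key := []byte("constructed-demo-integrity-key") // hypothetical; IKE derives the real one
	sa := &inboundSA{spi: 0xc0ffee01, authKey: key, window: replayWindow{size: 64}}
	var pkts [][]byte
	for _, seq := range []uint32{1, 2, 3, 2, 5, 4, 70, 3, 71, 71} { // 2 is replayed; 3 is stale after 70
		pkts = append(pkts, buildESP(sa.spi, seq, key, []byte("opaque ciphertext")))
	}
	pkts[8][8] ^= 0xff // the first 71 is tampered: its ICV fails, so the window must not move
	var out []string
	for _, p := range pkts {
		if _, err := sa.receive(p); err != nil {
			out = append(out, err.Error())
		} else {
			out = append(out, "accepted")
		}
	}
	return out
}

func main() { fmt.Println(replayDemo()) }
```

The order of the checks is the point: the replay check runs before the ICV computation so that replayed packets are cheap to discard, but the window moves only after the ICV verifies, so a forged packet with a high sequence number cannot push genuine traffic out of the window. That is why the tampered copy of packet 71 is rejected while the genuine 71 that follows it is still accepted.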

SSL, on the other hand, uses public-key cryptography (RSA in most deployments) together with an X.509 digital certificate to authenticate the server and establish the session key. The protocol can also authenticate the client with a certificate, so two-way authentication is possible in SSL; but because the selling point of an SSL VPN is that any Web-enabled machine can reach it, most deployments do not require client certificates, and anyone with the correct username and password can access the SSL VPN from any PC connected to the Internet, managed or not. Preferred Solution: IPSec VPNs. The tunnel is established at the network layer between peers that authenticate each other with device credentials, and the remote endpoint runs an enterprise-controlled client rather than an arbitrary browser. The strength of the encryption itself is comparable between the two, so the security difference lies in authentication and endpoint trust, not in the ciphers.
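SSL/TLS does offer two-way authentication when it is asked for: the gateway can demand an X.509 client certificate during the handshake and refuse any peer that cannot present one issued by the enterprise CA, which is exactly the property that password-only, browser-based deployments lack. The Go program below is an added example, not code from the article or from any SSL VPN vendor. It builds a throwaway private CA, issues a gateway certificate and a user certificate from it, then runs two handshakes over loopback TCP: one where the client presents its certificate (accepted, identity recovered from the certificate) and one where it does not (refused). The names Corp VPN CA, vpn.example.test and alice are invented for the demo, and the in-process key generation stands in for whatever PKI the enterprise actually runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: this is demo PKI setup, where any failure is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pki is the trust material of a hypothetical corporate VPN: one private CA issued both certificates.
type pki struct {
	roots         *x509.CertPool
	gateway, user tls.Certificate
}

func buildPKI() *pki {
	tmpl := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		}
	}
	caTmpl := tmpl(1, "Corp VPN CA", x509.ExtKeyUsageAny)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := issue(caTmpl, nil, nil)
	gwTmpl := tmpl(2, "vpn.example.test", x509.ExtKeyUsageServerAuth)
	gwTmpl.DNSNames = []string{"vpn.example.test"} // what the client's ServerName is checked against
	gw, gwKey := issue(gwTmpl, ca, caKey)
	user, userKey := issue(tmpl(3, "alice", x509.ExtKeyUsageClientAuth), ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &pki{
		roots:   roots,
		gateway: tls.Certificate{Certificate: [][]byte{gw.Raw}, PrivateKey: gwKey},
		user:    tls.Certificate{Certificate: [][]byte{user.Raw}, PrivateKey: userKey},
	}
}

// handshake runs one TLS handshake over loopback TCP against a gateway that insists on client
// certificates. It returns the identity the gateway authenticated, or the error that made it refuse.
func handshake(p *pki, withClientCert bool) (string, error) {
	gwCfg := &tls.Config{
		Certificates: []tls.Certificate{p.gateway}, ClientCAs: p.roots,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the two-way part: no acceptable client certificate, no session
	}
	clientCfg := &tls.Config{RootCAs: p.roots, ServerName: "vpn.example.test"}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{p.user}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the remote user's browser or client, connecting over loopback
		if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			c.Read(make([]byte, 1)) // TLS 1.3: a rejection of the client certificate arrives as an alert here
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	gw := tls.Server(raw, gwCfg)
	defer gw.Close()
	if err := gw.Handshake(); err != nil {
		return "", err
	}
	return gw.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	for _, with := range []bool{true, false} {
		fmt.Println(handshake(buildPKI(), with))
	}
}
```

Requiring client certificates buys the property the article credits to IPSec, a credential bound to the endpoint that a phished password alone cannot reproduce, at the price of the very thing that makes SSL VPNs cheap to deploy: the certificate and private key now have to be provisioned on every machine that is allowed to connect.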

Total Cost of Ownership (TCO)

The TCO of a VPN solution consists of three parts: equipment costs, deployment costs, and on-going support costs. With tight economic conditions, cost and return-on-investment are important criteria for any IT purchase. VPN solutions are no exception.

Part One: Equipment Costs

At the Host Site: Both IPSec and SSL VPN solutions need a head-end device located at the corporate data center to terminate all VPN tunnels. In the case of an IPSec VPN solution, this will be a router/concentrator device from a company such as Cisco, Nortel, or Checkpoint. With an SSL VPN solution, this will be a server with proprietary software installed by the SSL VPN provider. Generally, the costs for the two device types are similar.

At the Remote Site: With IPSec VPN solutions you will need a VPN client (either software or hardware) to establish and maintain the VPN connection. Most software clients are available free of charge with the purchase of the head-end device, while hardware clients can cost $500-$1000 per device depending on manufacturer and feature preferences. With most SSL VPN solutions, there is no remote site client required and therefore no associated costs.

Part Two: Deployment Costs

At the Host Site: IPSec host-site device configuration is much easier because the devices have built-in GUIs to facilitate the process. Also, the secure connection is application independent, which means once the connection is established, all applications can be accessed and operated from any point on the network. Not so for SSL host site devices. Each application has to be individually configured to work with the SSL host site device. This extended effort requires a dedicated team from the VPN vendor, translating into significantly higher costs. Hence, deploying a SSL host site device can be much more expensive and time consuming than deploying an IPSec host site device.

At the Remote Site: A small amount of initial configuration is required on IPSec VPN clients, which can be performed centrally at minimal cost. With SSL solutions no VPN client is required, so no costs are involved.

Part Three: Ongoing Support Costs

At the Host Site: Since head-end devices for both IPSec and SSL VPN solutions tend to be stable, host site maintenance costs are minimal. Hardware replacement contracts are priced comparably and cover most software/firmware upgrades. The only notable cost is the one for SSL VPN devices, where each new application being rolled out must be configured to work with the SSL server. IPSec VPN devices are application independent, so no such effort is required.

At the Remote Site: IPSec remote site clients and users have to be supported. This increases the training and support costs of the corporate help desk. SSL VPNs do not involve remote clients so there are no associated costs.

Preferred Solution: Clientless SSL VPNs. Though host site costs (one-time as well as ongoing) are higher than IPSec VPNs, SSL VPNs come out ahead in this category as there are no remote site equipment, configuration, or support costs.

Interoperability

Many enterprises prefer a single vendor solution to avoid compatibility and support issues. However, you don't always have control over network environments, especially if they involve multiple business partners, suppliers, government entities, and so on. Interoperability between diverse network devices and components becomes critical to a VPN solution.

IPSec is a standards-based VPN solution, so it has excellent interoperability. Devices from different vendors can be configured to work effectively with each other to create an always-on, point-to-point, secure VPN connection.

Most SSL head-end devices are hardened Linux/Unix servers with proprietary SSL-enabling software loaded. As each vendor develops its own proprietary software, these head-end devices cannot communicate with each other. Thus, SSL VPN solutions from different vendors have very poor interoperability. SSL VPN technology still does not have a stable, reliable device-to-device, always-on secure VPN solution on which standards for different vendors can be developed. However, this may change in the future.

Preferred Solution: IPSec VPNs. A standards-based VPN solution allows devices and components from different vendors to effectively work with each other.

Scalability

Corporations continually add new applications and new users to their existing systems and networks. Giving remote users access to these new applications and data through a VPN solution is vital to maximizing an application’s benefit. The ease with which a new application, location, or user can be added to an existing VPN solution is an important criterion when evaluating VPN solutions.

IPSec VPNs are application independent. As soon as a new application is added to an existing system, VPN network access is enabled. It doesn’t matter if a user is connecting on a LAN or connecting through a VPN tunnel. However, adding new locations and new users does require deployment of additional hardware or software at the remote site. In addition, some configuration at the host site is required to add new locations or new users.

SSL VPNs require either a proxy server or Web-enabled applications. If a mission-critical application (such as CRM or ERP) is deployed, it must be Web-enabled or configured to work with the SSL proxy server. A considerable amount of configuration will be required on a per-application basis. However, as SSL VPNs do not require a remote site client, adding new locations and users is easy. All it requires is adding the particular location or user to the VPN authentication database. An authorized user can access VPN resources from any Internet-enabled machine.

Preferred Solution: Neutral. IPSec VPN solutions scale better in terms of applications. SSL VPN solutions scale better in terms of users.

Final Considerations

In general, if you want to connect remote locations to the corporate data center with an always-on, point-to-point secure VPN, consider IPSec VPN solutions with hardware clients at the remote sites. Since security and reliability of the connection are paramount in this scenario, a site-to-site VPN with always-on connectivity is most desirable. Also, almost all VPN service providers offer service level agreements with pro-active monitoring and problem resolution for site-to-site VPN solutions. To date, SSL has no effective solution for this scenario.

An IPSec VPN solution should also be used if mission critical or legacy applications need to be accessed over the VPN. In this case, the strengths of an IPSec VPN perfectly fit the high security and application independence solution requirements.

An SSL VPN solution is ideal for an enterprise trying to deploy a low cost, remote access solution to a highly mobile workforce requiring limited access to Web-enabled applications such as e-mail and file sharing. Being clientless, an SSL VPN can be accessed from any Web-enabled device. Provided that the data shared in these applications is not highly sensitive, the cost-versus-security equation works out in favor of an SSL VPN solution.

The bottom line: Carefully weigh your enterprise network requirements when choosing the right VPN solution. IPSec VPNs are strong on security, interoperability, and scalability across applications, while SSL VPNs have the edge on TCO and scalability of users. Since both IPSec VPNs and SSL VPNs have explicit advantages and limitations, clearly understanding how they will perform in a particular environment will go a long way in avoiding potential disappointment down the road.
