Sunday, June 7, 2015
Quick overview of IPSEC and SSL VPN technologies
This document is a quick look at two VPN technologies. It covers the differences and the strengths of each.
IPsec VPN:
- It works on Layer 3 (Network Layer) of the OSI Model.
- Because it works at the network layer, it secures all data that travels between two endpoints without being tied to any specific application.
- Once connected, the user is virtually attached to the entire remote network and can access all of it.
- It defines how to provide data integrity, authenticity and confidentiality over an insecure network.
- It achieves this through tunneling, encryption and authentication.
- It is complex because the two entities communicating via IPsec must agree on the same security policies, which have to be configured on the devices at both ends.
- A single IPsec tunnel secures all communication between the devices regardless of traffic type (TCP, UDP, ICMP, etc.) or application (e-mail, client-server, database).
- Special-purpose software is available for IPsec connections, for PCs, mobiles and PDAs as well as for edge devices such as routers and firewalls.
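Two of the points above, that both ends must agree on the same security policy and that an established tunnel protects every protocol alike, can be made concrete with a small model. This is an added example, not code from the original post: `negotiate` imitates the IKE rule that the responder may only pick a proposal the initiator offered and must match every transform in it, and `tunnel_protects` shows that the tunnel's traffic selectors look at addresses, not at the transport protocol. The proposal names, address ranges and policies are constructed for illustration.

```python
"""Toy model of IPsec policy agreement and traffic selection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256-gcm"
    integrity: str    # e.g. "sha256" ("none" for an AEAD cipher)
    dh_group: str     # e.g. "modp2048" or "ecp256"


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal that the responder's policy also allows.

    If nothing overlaps the exchange fails (None) and no tunnel is built, which
    is why the same policy has to be configured at both ends.
    """
    allowed = set(responder)
    for proposal in initiator:          # initiator order expresses preference
        if proposal in allowed:
            return proposal
    return None


@dataclass(frozen=True)
class Tunnel:
    local_net: str
    remote_net: str


def tunnel_protects(tunnel: Tunnel, src: str, dst: str, protocol: str) -> bool:
    """True if a packet falls inside the tunnel's traffic selectors.

    The selector here is address-based only, so TCP, UDP and ICMP are all
    protected alike; `protocol` is accepted only to make that explicit.
    """
    _ = protocol  # deliberately ignored: the policy does not look at it
    return (ip_address(src) in ip_network(tunnel.local_net)
            and ip_address(dst) in ip_network(tunnel.remote_net))


# Constructed sample policies for a head office, a branch and a legacy device.
HQ_POLICY = [
    Proposal("aes256-gcm", "none", "ecp256"),
    Proposal("aes256", "sha256", "modp2048"),
]
BRANCH_POLICY = [
    Proposal("aes256", "sha256", "modp2048"),
    Proposal("aes128", "sha1", "modp1024"),
]
LEGACY_POLICY = [Proposal("3des", "md5", "modp1024")]

SITE_TUNNEL = Tunnel("10.1.0.0/16", "10.2.0.0/16")  # constructed ranges

if __name__ == "__main__":
    print("HQ <-> branch :", negotiate(HQ_POLICY, BRANCH_POLICY))
    print("HQ <-> legacy :", negotiate(HQ_POLICY, LEGACY_POLICY))
    for proto in ("tcp", "udp", "icmp"):
        print(proto, tunnel_protects(SITE_TUNNEL, "10.1.5.9", "10.2.0.25", proto))
    print("outside tunnel:", tunnel_protects(SITE_TUNNEL, "10.1.5.9", "8.8.8.8", "tcp"))
```

The HQ-to-branch negotiation settles on the second HQ proposal because it is the first one the branch also lists; the legacy device shares nothing with HQ and gets no tunnel at all. Real IKE carries several more fields (ESN, lifetimes, PRF), but the overlap rule is the same.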
SSL VPN:
- It works on Layer 7 (Application Layer) of the OSI Model.
- It is a protocol used for secure web-based communication over the Internet.
- It uses encryption and authentication to keep communications private between two devices, typically a web server and a user machine.
- Like IPsec, SSL provides flexibility in the level of security offered.
- Unlike IPsec, SSL secures one application at a time, and each application is supported via the web browser.
- All basic web browsers, such as IE or Mozilla, support SSL by default. But not all applications do, so they require upgrading, which is very costly.
- This problem can be resolved by purchasing an SSL VPN gateway, deployed at the edge of the corporate network, which serves as a proxy to LAN applications such as e-mail, file servers and other resources.
- The browser thinks it is communicating directly with the application, and the application thinks it is communicating directly with the browser. The SSL VPN makes itself transparent to either side of the network.
SSL VPN delivers the following three modes of SSL VPN access:
• Clientless—Clientless mode provides secure access to private web resources and to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
• Thin Client (port-forwarding Java applet)—Thin client mode extends the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
• Tunnel Mode—Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network-layer access to virtually any application.
Strengths and Weaknesses:
IPsec's key strength lies in its ability to provide a permanent connection between locations. Working at the network layer (layer 3 of the network stack) also makes it application agnostic: any IP-based protocol can be tunneled through it. This makes IPsec an attractive alternative to an expensive leased line or a dedicated circuit. It can also serve as a backup link in the event that the primary leased line or dedicated circuit connecting the remote site to the central office goes down.
IPsec's application-agnostic design is also its weakness, however. Though it provides authentication, authorization and encryption while essentially extending the corporate network to any remote user, it does not have the ability to restrict access to resources at a granular level. Once a tunnel is set up, remote users can typically access any corporate resource as if they were plugged directly into the corporate network. These VPN security concerns are exacerbated because having a mobile workforce requires allowing non-managed IT assets such as smartphones and home PCs to access corporate resources. These are assets that IT has no visibility into or control over, and there is no guarantee that these devices comply with the level of security that is typically enforced on managed assets.
IPsec is also more involved to maintain. In addition to setting up the appliance to terminate the tunnels, additional configuration and maintenance are required to support the remote user population. In situations where corporations use Network Address Translation (NAT), special configuration is required to ensure IPsec plays nicely with the NAT setup.
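The NAT point deserves a concrete illustration of the failure mode it refers to. The following is an added example, not code from the original post, and it is a deliberately simplified model: HMAC-SHA256 stands in for a real IPsec integrity algorithm, and the "packets" are small dataclasses rather than real headers. It shows the two things that make IPsec and NAT awkward together: an AH-style integrity check covers the immutable IP header fields, source address included, so a NAT that rewrites that address breaks verification; an ESP-style check covers only the protected payload and survives the rewrite, but ESP carries no port numbers for a port-translating NAT to work with, which is what UDP encapsulation (NAT-T on UDP port 4500) supplies. Addresses, key and payload are constructed.

```python
"""Toy model of why IPsec needs NAT traversal (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-shared-key"  # constructed; a real SA derives this via IKE
NAT_T_PORT = 4500                # UDP port used by IPsec NAT traversal


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""    # integrity check value, filled in by the sender
    udp_port: int = 0   # 0 means "no UDP encapsulation"


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def ah_protect(p: Packet) -> Packet:
    """AH-style: the ICV spans the addresses as well as the payload."""
    return replace(p, icv=_mac(p.src.encode() + p.dst.encode() + p.payload))


def ah_verify(p: Packet) -> bool:
    expected = _mac(p.src.encode() + p.dst.encode() + p.payload)
    return hmac.compare_digest(p.icv, expected)


def esp_protect(p: Packet) -> Packet:
    """ESP-style: the ICV spans only the protected payload, not the outer header."""
    return replace(p, icv=_mac(p.payload))


def esp_verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, _mac(p.payload))


def nat_rewrite(p: Packet, public_ip: str) -> Packet:
    """Source NAT: replace the private source address with the public one."""
    return replace(p, src=public_ip)


def nat_t_encapsulate(p: Packet) -> Packet:
    """Wrap the ESP packet in UDP so a NAT device has a port to translate."""
    return replace(p, udp_port=NAT_T_PORT)


def nat_can_port_translate(p: Packet) -> bool:
    """A port-translating NAT needs a transport header; plain ESP has none."""
    return p.udp_port != 0


if __name__ == "__main__":
    inner = Packet("192.168.1.10", "203.0.113.5", b"branch to hq")  # constructed
    nat_ip = "198.51.100.7"
    print("AH  verifies after NAT :", ah_verify(nat_rewrite(ah_protect(inner), nat_ip)))
    print("ESP verifies after NAT :", esp_verify(nat_rewrite(esp_protect(inner), nat_ip)))
    print("NAT can translate ESP  :", nat_can_port_translate(esp_protect(inner)))
    print("  ... with NAT-T       :", nat_can_port_translate(nat_t_encapsulate(esp_protect(inner))))
```

In practice this is why most deployments behind NAT run ESP rather than AH and enable NAT-T on both peers; the "special configuration" the paragraph mentions usually amounts to permitting UDP 500 and 4500 through the NAT device and making sure both ends agree to encapsulate.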
SSL VPNs, on the other hand, have been designed from the ground up to support remote access. They do not require any special software to be installed. Remote access is provided through a browser-based session using SSL. SSL VPNs also provide an enterprise with the ability to control access at a granular level. Specific authentication and authorization schemes for access to an application can be limited to a particular user population. Built-in logging and auditing capabilities address various compliance requirements. SSL VPNs also have the ability to run host compliance checks on the remote assets connecting to the enterprise to validate that they are configured with the appropriate security software and have the latest patches installed.
This does not mean SSL VPNs are the panacea for all of IPsec's weaknesses. If a remote site requires an always-on link to the main office, an SSL VPN would not be the solution. IPsec, being application agnostic, can support a number of legacy protocols and traditional client/server applications with minimal effort. This is not the case with SSL VPNs, which have been built around web-based applications. Many SSL VPNs get around this weakness by installing a Java or ActiveX-based agent on the remote asset. This installation is typically achieved seamlessly after the remote asset has successfully authenticated to the SSL VPN appliance, though it should be noted that both ActiveX and Java come with their own security weaknesses that attackers commonly seek to exploit.
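The contrast drawn in the last few paragraphs, network-wide reachability once an IPsec tunnel is up versus per-application, per-user decisions plus a host compliance check on an SSL VPN, can be written down as two small policy evaluators. This is an added example, not code from the original post or from any VPN product: `ipsec_allows` models the tunnel's view (any port on any corporate address), while `sslvpn_allows` checks who the user is, which published application they ask for and whether the device passes a posture check, and returns the reason so it can be logged for audit. The user names, groups, host names, address range and posture fields are all constructed for illustration.

```python
"""Toy access-policy models contrasting IPsec and SSL VPN access control (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

CORPORATE_NET = ip_network("10.0.0.0/8")  # constructed corporate range

# Published applications as (host, TCP port), granted per user group (constructed).
APP_RULES: Dict[str, List[Tuple[str, int]]] = {
    "employees": [("mail.corp.example", 443), ("files.corp.example", 443)],
    "db-admins": [("db01.corp.example", 5432)],
}
GROUPS: Dict[str, List[str]] = {
    "alice": ["employees"],
    "bob": ["employees", "db-admins"],
}

MAX_PATCH_AGE_DAYS = 30


@dataclass
class Posture:
    """State reported by the endpoint agent for the host check (constructed fields)."""
    av_running: bool
    patch_age_days: int     # days since the last patch set was applied
    disk_encrypted: bool


def host_compliant(p: Posture) -> List[str]:
    """Return the list of failed checks; an empty list means the host is compliant."""
    failures = []
    if not p.av_running:
        failures.append("antivirus not running")
    if p.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def ipsec_allows(dst_ip: str, port: int) -> bool:
    """Network-layer view: once the tunnel is up, any corporate address and port is reachable."""
    _ = port  # the tunnel does not distinguish between applications
    return ip_address(dst_ip) in CORPORATE_NET


def sslvpn_allows(user: str, app_host: str, port: int, posture: Posture) -> Tuple[bool, str]:
    """Application-layer view: user, application and device posture are all checked.

    The second element is the decision reason, which is what the logging and
    auditing capability of an SSL VPN appliance would record.
    """
    failed = host_compliant(posture)
    if failed:
        return False, "host check failed: " + "; ".join(failed)
    for group in GROUPS.get(user, []):
        if (app_host, port) in APP_RULES.get(group, []):
            return True, f"allowed by group {group}"
    return False, "no rule grants this application"


if __name__ == "__main__":
    good = Posture(av_running=True, patch_age_days=5, disk_encrypted=True)
    stale = Posture(av_running=True, patch_age_days=90, disk_encrypted=False)
    print("IPsec, db port on any corporate host:", ipsec_allows("10.20.30.40", 5432))
    print("SSL VPN, alice -> db01:", sslvpn_allows("alice", "db01.corp.example", 5432, good))
    print("SSL VPN, bob   -> db01:", sslvpn_allows("bob", "db01.corp.example", 5432, good))
    print("SSL VPN, bob, stale host:", sslvpn_allows("bob", "db01.corp.example", 5432, stale))
```

The point of the side-by-side is not that one model is wrong: `ipsec_allows` is exactly what a site-to-site link should do, and the paragraph that follows suggests pairing it with a NAC system to regain the host check. It is that the SSL VPN decision has inputs (user, application, posture) the tunnel model simply never sees.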
IPsec or SSL VPN:
Each VPN method has its place in an enterprise. Ideally, as SSL and IPsec VPNs serve different purposes and complement each other, both should be implemented. IPsec should be leveraged in situations where an always-on connection to remote office locations or partners/vendors is required. In these instances, the limited granular access control and missing host-check capabilities should be augmented with a Network Access Control (NAC) system, which can ensure only approved remote hosts are allowed to connect to the enterprise. Enterprises should leverage SSL VPNs primarily as a remote access method for the mobile workforce, where granular access control, auditing and logging, and security policy enforcement are crucial. But regardless of your VPN choice or specific needs, remember that a VPN must not only be updated, tested and monitored for performance, but also employed as part of a defense-in-depth strategy that utilizes comprehensive policies and a variety of network security technologies.