Quick overview of IPsec and SSL VPN technologies
Introduction
This document is a quick overview of two VPN technologies, IPsec and SSL VPN. It covers the differences between them and the strengths of each.
IPsec:
- It works at Layer 3 (the Network Layer) of the OSI model.
- Because it works at the Network Layer, it secures all data that travels between two endpoints without being tied to any specific application.
- Once connected, the user is virtually attached to the entire remote network and is able to access all of it.
- It defines how to provide data integrity, authenticity and confidentiality over an insecure network such as the Internet.
- It achieves this through tunneling, encryption and authentication.
- It is complex because the two entities that communicate via IPsec have to agree on the same security policies, which must be configured on the devices at both ends.
- A single IPsec tunnel secures all communication between the devices regardless of traffic type. This can be TCP, UDP, ICMP etc., or any application such as e-mail, client-server or database traffic.
- Special-purpose software is available for IPsec connections. It exists for PCs, mobiles and PDAs as well as for edge devices such as routers and firewalls.
SSL VPN:
- It works at Layer 7 (the Application Layer) of the OSI model.
- SSL is a protocol used for secure web-based communication over the Internet.
- It uses encryption and authentication to keep communications private between two devices, typically a web server and a user's machine.
- Like IPsec, SSL provides flexibility in the level of security it offers.
- Unlike IPsec, SSL helps to secure one application at a time, and each application is supported via the web browser.
- All basic web browsers such as IE or Mozilla support SSL by default. But not all applications support it, so they require upgrading, which is very costly.
- The above problem can be resolved by purchasing an SSL VPN gateway, which is deployed at the edge of the corporate network and serves as a proxy to LAN applications such as e-mail, file servers and other resources.
- The browser thinks it is directly communicating with the application, and the application thinks it is directly communicating with the browser. The SSL VPN makes itself transparent to both sides of the network.
SSL VPN delivers the following three modes of SSL VPN access:
• Clientless—Clientless mode provides secure access to private web resources and to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases and online tools that employ a web interface.
• Thin Client (port-forwarding Java applet)—Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet and Secure Shell (SSH).
• Tunnel Mode—Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
Strengths and Weaknesses:
IPsec's key strength lies in its ability to provide a permanent connection between locations. Working at the network layer (layer 3 of the network stack) also makes it application agnostic: any IP-based protocol can be tunneled through it. This makes IPsec an attractive alternative to an expensive leased line or a dedicated circuit. It can also serve as a backup link in the event that the primary leased line or dedicated circuit connecting the remote site to the central office goes down.
IPsec's application-agnostic design is also its weakness, however. Though it provides authentication, authorization and encryption while essentially extending the corporate network to any remote user, it does not have the ability to restrict access to resources at a granular level. Once a tunnel is set up, remote users can typically access any corporate resource as if they were plugged directly into the corporate network. These VPN security concerns are exacerbated because having a mobile workforce requires allowing non-managed IT assets such as smartphones and home PCs to access corporate resources. These are assets that IT has no visibility into or control over, and there is no guarantee that these devices comply with the level of security that is typically enforced on managed assets.
IPsec is also more involved to maintain. In addition to setting up the appliance that terminates the tunnels, additional configuration and maintenance are required to support the remote user population. In situations where corporations use Network Address Translation (NAT), special configuration is required to ensure IPsec plays nicely with the NAT setup.
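As an added illustration (example code written for this overview, not part of the original document or any vendor's product), the following Python labels constructed flow records by VPN technology. It shows concretely why IPsec and NAT need special handling, since raw ESP carries no port numbers, how NAT-Traversal (RFC 3948, UDP/4500) distinguishes IKE from ESP, and how SSL VPN traffic rides ordinary TCP/443. The `Flow` class, the label strings and the sample flows are assumptions made for the example.

```python
# Added example (not from the original document): label VPN traffic from
# constructed flow records, showing why IPsec needs special NAT handling
# (ESP carries no port numbers) while SSL VPN rides ordinary TCP/443.
from dataclasses import dataclass

IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ESP = 6, 17, 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE sent over UDP/4500

@dataclass
class Flow:
    proto: int        # IP protocol number
    src_port: int     # 0 for protocols without ports (ESP)
    dst_port: int
    payload: bytes    # first bytes of the transport payload

def classify(flow: Flow) -> str:
    """Return a VPN label for one flow, or 'other' when nothing matches."""
    ports = (flow.src_port, flow.dst_port)
    if flow.proto == IP_PROTO_ESP:
        # Raw ESP has no ports a NAT device can rewrite or multiplex on;
        # that is the root of the IPsec/NAT problem mentioned above.
        return "ipsec-esp"
    if flow.proto == IP_PROTO_UDP and 500 in ports:
        return "ipsec-ike"
    if flow.proto == IP_PROTO_UDP and 4500 in ports:
        # NAT-Traversal (RFC 3948): IKE and ESP share UDP/4500 and are told
        # apart by the first 4 bytes (zero marker = IKE, non-zero = ESP SPI).
        if flow.payload == b"\xff":
            return "ipsec-nat-t-keepalive"
        if flow.payload[:4] == NON_ESP_MARKER:
            return "ipsec-nat-t-ike"
        return "ipsec-nat-t-esp"
    if flow.proto == IP_PROTO_TCP and 443 in ports:
        # TLS record header: content type 0x16 (handshake), major version 0x03.
        if flow.payload[:2] == b"\x16\x03":
            return "ssl-vpn-candidate"
    return "other"

# Constructed sample flows (not captured from any real network).
SAMPLE_FLOWS = [
    Flow(IP_PROTO_UDP, 500, 500, b"\x01\x02"),                 # IKE
    Flow(IP_PROTO_ESP, 0, 0, b"\x00\x00\x10\x01"),             # ESP, SPI 0x1001
    Flow(IP_PROTO_UDP, 4500, 4500, NON_ESP_MARKER + b"\x11"),  # IKE via NAT-T
    Flow(IP_PROTO_UDP, 4500, 4500, b"\x00\x00\x10\x01"),       # ESP via NAT-T
    Flow(IP_PROTO_UDP, 4500, 4500, b"\xff"),                   # NAT-T keepalive
    Flow(IP_PROTO_TCP, 51000, 443, b"\x16\x03\x01\x00\xc8"),   # TLS ClientHello
    Flow(IP_PROTO_TCP, 51001, 443, b"GET / HTTP/1.1"),         # plain HTTP on 443
]
```

Running `classify` over firewall or flow logs in this way lets a defender inventory which VPN technologies actually cross the perimeter, and confirms that the IPsec traffic through a NAT is the UDP/4500 form rather than bare ESP.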
SSL VPNs, on the other hand, have been designed from the ground up to support remote access. They do not require any special software to be installed; remote access is provided through a browser-based session using SSL. SSL VPNs also give an enterprise the ability to control access at a granular level: specific authentication and authorization schemes for access to an application can be limited to a particular user population. Built-in logging and auditing capabilities address various compliance requirements. SSL VPNs also have the ability to run host compliance checks on the remote assets connecting to the enterprise, to validate that they are configured with the appropriate security software and have the latest patches installed.
This does not mean SSL VPNs are the panacea for all of IPsec's weaknesses. If a remote site requires an always-on link to the main office, an SSL VPN would not be the solution. IPsec, being application agnostic, can support a number of legacy protocols and traditional client/server applications with minimal effort. This is not the case with SSL VPNs, which have been built around web-based applications. Many SSL VPNs get around this weakness by installing a Java or ActiveX-based agent on the remote asset. This installation is typically achieved seamlessly after the remote asset has successfully authenticated to the SSL VPN appliance, though it should be noted that both ActiveX and Java come with their own security weaknesses that attackers commonly seek to exploit.
IPsec or SSL VPN:
Each VPN method has its place in an enterprise. Ideally, since SSL and IPsec VPNs serve different purposes and complement each other, both should be implemented. IPsec should be leveraged in situations where an always-on connection to remote office locations or partners/vendors is required. In these instances, its limited granular access control and missing host-check capabilities should be augmented with a Network Access Control (NAC) system, which can ensure that only approved remote hosts are allowed to connect to the enterprise.
Enterprises should leverage SSL VPNs primarily as a remote access method for the mobile workforce, where granular access control capabilities, auditing and logging, and security policy enforcement are crucial.
But regardless of your VPN choice or specific needs, remember that a VPN must not only be updated, tested and monitored for performance, but also employed as part of a defense-in-depth strategy that utilizes comprehensive policies and a variety of network security technologies.