Making the right connection: Which VPN – SSL, IPsec or both?

What does the future hold for secure virtual private networks? Illena Armstrong gazes into her crystal ball to look for the answer.

Choosing the ideal virtual private network is difficult enough for enterprise buyers, without the decision being complicated by rumblings that up-and-coming secure sockets layer (SSL) VPNs will quickly overtake, and maybe replace, traditional internet protocol security (IPsec) VPNs. Nonetheless, insistence that the IPsec VPN will soon become the ugly stepsister to the Cinderella-like SSL VPN is fueling the latest industry buzz.

"Rumors of IPsec's death are premature, but there is definitely a very aggressive movement away from IPsec in the remote access space, and that [stems] from some very practical reasons," says Jude O'Reilley, senior product marketing manager of Aventail.

Making headway

Infonetics Research, an international market research and consulting firm, and a leading expert in the VPN space, has reported that SSL VPNs are making so much headway that 2003 will continue to see many IPsec VPN vendors announcing plans for SSL-based products. This is already happening, with the likes of Nokia, Cisco and other large players launching solutions that will place them right in the middle of the SSL fracas.

Despite this, SSL will not replace IPsec, says Jeff Wilson, executive director at Infonetics. "There is no good SSL solution for site-to-site connectivity, and when it comes to remote access, many companies will look at and likely deploy both SSL and IPsec for different remote access," he says. "But, I don't think this will be a dominant trend in the near future."

What he does believe is that IPsec still remains the prevailing tunneling and encryption technology for VPNs, according to his recently published study User Plans for VPN Products and Services, North America 2003. At the same time, though, SSL will continue to gain some traction. Noting that by 2005, 74 percent of mobile workers will rely on VPNs (an increase of 15 percent from 2003), Wilson says projected growth rates can largely be attributed to SSL offering an alternative to IPsec that skirts the complexities and labor demands of deploying and managing the necessary client software.

The trouble now, he explains, is that at this early stage in the market many vendors seem to be waffling on how to position their SSL-based products. Whether to push SSL VPNs, also referred to as application-layer VPN gateway products, as competitive with IPsec or complementary to it is proving a marketing conundrum.

"Ultimately, we believe that they are best positioned as complementary, and most IPsec vendors will develop or purchase application-layer VPN technology to add to their arsenal. This complementary positioning is key to the success of the market (and our forecasts), and if the market-leading vendors in this space over the next 12 months choose to start a war between SSL and IPsec, the entire market ... will suffer," maintains Wilson.

What's the difference, really?

By design, an IPsec VPN is an infrastructure security technology, says Wei Lu, CTO of Permeo Technologies, a company specializing in enterprise application security. The real value of these VPNs is that they strive to make the IP environment as secure as possible. The problem is that to deploy IPsec requires quite a large infrastructure change to allow remote access. The value is there, but management costs are high. As such, IPsec is still the option for site-to-site connections, but interest in SSL VPNs has arisen for other remote access activities.

Yet, when IPsec VPNs, also called IP VPNs, first hit the scene, they were viewed as a huge advantage over other remote access solutions, says Grahame Smee, director of equIP Technology in the U.K. Part of the IPsec VPNs' appeal was based on their centralized security and policy management components that eased a lot of maintenance demands.

"However, recently we have seen the emergence of two main problems with traditional IP VPNs," he says. "Firstly, the client software presents a labor overhead that many companies wish to avoid and, secondly, certain security issues have also become apparent, mainly centered around creating an open ended network layer connection."

The solution of choice

But many experts say that IPsec is unbeatable for the direct, secured access to the corporate network that a typical corporate power user demands, and for LAN-to-LAN connectivity. The typical SSL VPN, however, is considered best for the average remote worker who needs access to web-based applications. Therefore, IPsec is the choice when seeking more comprehensive access, covering both browser-based applications and private networks, for remote workers as well as for interconnecting offices, says Susanne Scheuermann, IPsec product manager at BT Global Services.

SSL VPNs, on the other hand, require no additional client software to be loaded onto end user PCs and laptops. This clientless feature is a key factor for some companies when opting for SSL over IPsec, says Scheuermann.

And, this clientless feature adds to other often-touted attributes of SSL VPNs, which include reduced cost of deployment, alongside a decrease in the demand for ongoing support and administration, adds equIP's Smee. Moreover, "because all external-internal traffic" normally goes through a single hardware appliance, access to resources and URLs can be controlled.

"With the launch of these clientless VPN products ... users can connect from any internet-connected device and get secure access through an SSL tunnel. This involves the addition of hardware behind a corporate firewall, but gives the corporation one device to manage and no client software to maintain, upgrade and configure," he further explains.

Because end users can avoid carrying a laptop and gain access through any internet-connected device, most employee demands for connectivity while on the road can be met more easily with SSL. The issue with this, however, is that SSL VPNs typically have lower encryption levels than IPsec VPNs, says Bob Brace, vice president of Nokia Internet Communications. So, while they cost less to deploy, less to support, allow an organization to offer email access to employees from home, laptop and otherwise, or even offer up extranet access to partners quickly and easily, they still have their shortcomings.

"There are downsides, and these typically involve client-side security and performance issues," says Brace. "For email and intranet, an SSL VPN is fine, but for more complex applications which need higher levels of security, IPsec VPNs are required."

Connecting the enterprise

Regardless of the view that SSL is really only good for accessing web-based applications, as opposed to direct corporate network access, and is more suitable for less technical users than for power users, a bigger picture is emerging, say some.

"You're seeing this huge emergence in evolution towards SSL being used as an infrastructure technology as opposed to making SSL just a technology that is associated with web application servers ... that can be deployed in appliances like other pieces of infrastructure in the network," says Jason Matlof, vice president of marketing and business development for Neoteris.

And, with some SSL technologies on the market, you can extend the network to power users that you would usually trust to have a network connection from a fixed device where there is a known PC, with a firewall, anti-virus and other protections. Simply put, adds Matlof, it is just a VPN that offers all the desired features for all users with the basic difference of traversing over SSL.

Still, there is definitely a case for organizations to use both SSL and IPsec VPNs, according to Aventail's O'Reilley. But, he just does not feel there is a case for using both for remote access. "I think IT organizations are voting with their feet on this issue right now, meaning within the network they are moving their IPsec technologies to LAN-to-LAN and they are focusing on SSL VPN for their ongoing remote access work," he says.

He illustrates his point by citing a meeting he had with a major technology company with some 20,000 employees internationally. Many of these end users work remotely from branch offices, home offices, airport kiosks, and more. Even though their traditional IPsec remote access technology is up for renewal, explains O'Reilley, company executives have no intentions to renew that and, instead, are moving all their remote access users to SSL VPNs.

"I think it has something to do with the kind of access you're providing to your end users. I don't think that kind of access is actually related to applications so much," he says.

Whatever the buzz about SSL VPNs, companies should keep in mind that these technologies will not solve every problem for everyone, warns Joel McFarland, manager of product marketing within the VPN and security business unit at Cisco Systems, Inc. To him, all the chatter about SSL VPNs is merely "a market indicator that says that this is another way of solving certain classes of problems, not all problems, but certain classes."

Client or clientless?

IPsec, then, remains firmly established as the primary means of providing site-to-site connectivity, where infrastructure talks to infrastructure over the WAN, while the clientless nature of SSL VPNs helps to reduce costs and lessen worries about maintaining remote desktops, McFarland says.

"But, what that limits me to is connectivity through a web browser to assets I connect through a web browser. So, it requires you have applets for certain applications to be able to effectively access them. The things that I have more difficulty connecting to are corporate assets or applications that don't have applets available and, therefore, I cannot run it in a clientless environment because it requires a kind of a client-rich interaction system," he says.

"There are definite efficiencies and benefits to running clientless, but there are performance, application coverage issues and compatibilities that make it a bit more challenging to solely go with that approach. It is an approach to solve the OS client issue, the client maintenance issue, but it is certainly not a wholesale replacement for IPsec VPNs because there are two different problems that each is trying to solve with very little overlap."

Illena Armstrong is U.S. and features editor for SC Magazine.

SSL vs. application security: an alternative viewpoint

For most companies requiring remote access, application support should encompass any application that a company needs to maximize its efficiency, productivity, and profitability, says Wei Lu of Permeo Technologies. While application security offers this breadth of coverage, SSL VPNs are very limited in the types of applications they can support.

Most SSL VPNs are HTTP reverse proxies, which lend themselves well to web-enabled applications, simply accessed via any web browser. HTTP reverse proxies can also support other query/response applications, such as basic email and many enterprise productivity tools, including ERP and CRM client/server applications that expose a web front end. For accessing these types of applications, the SSL VPN offers a simple, cost-effective option for remote connections. It is plug-and-play, and does not require any additional client-side software or hardware.
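To make the reverse-proxy description above concrete, and to show where the URL-level access control praised earlier in the article comes from, here is an added Python sketch of the two jobs such a gateway does on every request: deciding whether the authenticated user may reach a given path at all, and rewriting links in the HTML it relays so that the browser keeps coming back through the gateway rather than trying to reach the internal host directly. This is illustrative code written for this edit, not code from Permeo, Neoteris or any vendor's product; the host names, path prefixes and user policy are constructed example data.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed example data: the gateway path prefix that fronts each internal
# web application, and which prefixes each user may reach. All host names
# here are hypothetical.
BACKENDS = {
    "/mail": "http://mail.corp.example",
    "/intranet": "http://intranet.corp.example",
}
USER_POLICY = {
    "alice": {"/mail", "/intranet"},
    "contractor": {"/mail"},
}


def route(user, gateway_path):
    """Resolve a request path seen by the gateway to an internal URL.

    Returns None when the path fronts no application or the user's policy
    does not include that application; the gateway would answer 403/404
    instead of forwarding. Anything not explicitly fronted is unreachable,
    which is the URL-level control the article describes.
    """
    for prefix, backend in BACKENDS.items():
        if gateway_path == prefix or gateway_path.startswith(prefix + "/"):
            if prefix not in USER_POLICY.get(user, set()):
                return None
            return backend + gateway_path[len(prefix):]
    return None


# Matches href/src/action attributes in markup; quotes inside the value are
# not handled, which is enough for this illustration.
_LINK = re.compile(r'(href|src|action)=(["\'])([^"\']*)\2', re.I)


def rewrite_links(html, served_prefix, gateway_origin):
    """Rewrite links in a backend response so they resolve via the gateway.

    served_prefix is the gateway prefix of the application that produced
    this page: root-relative links ("/inbox") must be re-anchored under it.
    Absolute links to another fronted backend are mapped to that backend's
    prefix on the gateway; links to anything else are left untouched.
    """
    gw = urlsplit(gateway_origin)

    def repl(m):
        attr, q, url = m.group(1), m.group(2), m.group(3)
        parts = urlsplit(url)
        if parts.scheme and parts.netloc:
            for prefix, backend in BACKENDS.items():
                b = urlsplit(backend)
                if (parts.scheme, parts.netloc) == (b.scheme, b.netloc):
                    new = urlunsplit((gw.scheme, gw.netloc, prefix + parts.path,
                                      parts.query, parts.fragment))
                    return f"{attr}={q}{new}{q}"
            return m.group(0)  # external link: not ours to rewrite
        if url.startswith("/"):
            return f"{attr}={q}{served_prefix}{url}{q}"
        return m.group(0)  # relative link already resolves under the prefix

    return _LINK.sub(repl, html)


if __name__ == "__main__":
    print(route("alice", "/mail/inbox?id=3"))
    print(route("contractor", "/intranet/news"))
    page = '<a href="/inbox">in</a> <img src="http://intranet.corp.example/logo.png">'
    print(rewrite_links(page, "/mail", "https://vpn.example.com"))
```

The rewriting only reaches links the gateway can see in the markup. URLs assembled by client-side script, carried inside a custom protocol, or negotiated on the fly (dynamic ports, secondary channels) never pass through this code, which is precisely the application-coverage gap the rest of this sidebar goes on to describe.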

This same benefit, however, is also the source of the SSL VPN's greatest limitation - the fact that the user can only access a subset of the applications and data resources they require. SSL VPNs do not provide a complete solution for remote application access because they do not facilitate access to legacy or homegrown applications, nor complex ones such as those that require multiple channels and dynamic ports and use multiple protocols.

Yet this is a key requirement for corporations and their remote users. For example, SSL VPNs do not have the architecture to support instant messaging, multicast, data feeds, video conferencing and VoIP.

SSL secures a single TCP connection, the one the browser opens for HTTP in the reverse-proxy case; it offers nothing for UDP traffic, for example. Application support for today's business, however, requires support for all types: TCP and UDP, client/server and web, off-the-shelf and in-house programs.

An application-independent application security solution enables out-of-the-box support for any standard TCP or UDP application. Application security technology supports any program that uses the network, whatever its protocol. In addition to supporting all of today's programs, application security will also support tomorrow's, regardless of protocol or design.

Wei Lu is CTO of Permeo Technologies, Inc.
