IPSec or SSL? Another option

Since their advent, IPSec Virtual Private Networks (VPNs) have revolutionized the way remote workers and business partners connect to a business by establishing a secure tunnel between a remote worker or business partner and the organization they are connecting to.

IPSec VPNs have truly helped initiate a new world of business-to-business productivity by connecting two different companies or organizations to facilitate and accelerate business-to-business transactions. Ultimately, IPSec VPNs have enabled employees to attain immense productivity gains while also reducing the costs for the employers.

But despite the significant benefits that IPSec VPNs deliver for network connectivity and security, the reality is that there are limits in their functionality. IPSec VPNs prevent traveling users from connecting back to their corporate resources while behind the firewall at a customer or partner site.  They also bring along the administrative headaches and high costs of support and configuration primarily from the installation and updating of the IPSec VPN clients. Additionally, and becoming more of an issue on a daily basis, IPSec VPNs have become a prime traversal route for the spread of worms (since secured clients obtain a routable IP address on the private network), which continue to have a decimating impact on business. 

In the wake of these shortcomings, a new form of secure remote access called an SSL VPN arose as an alternative to IPSec. While still providing the secure access required by remote workers and business partners, SSL VPNs primarily operate with web applications over an HTTP connection. They achieve high functionality by parsing web pages at run time to ensure that every web navigation path is routable from the client computer. Since SSL VPNs provide a clientless way to access applications that are internal to an enterprise or organization's network, they eliminate or reduce the administrative headaches and high support costs of IPSec VPN clients. SSL VPNs are fast becoming a technology of choice, and Forrester Research expects SSL VPNs to have a dominant market share by 2008.

However, as with IPSec VPNs, there are also substantial limitations inherent to SSL VPNs. These include the lack of client-server application support without custom connectors, the inability to work with business applications that use binary object technology such as Java Applets and ActiveX, and the inability to work with peer-to-peer applications such as soft-phones. Additionally, SSL VPNs come with a high price tag, due to high product pricing by all the established vendors, webification services, and custom connector costs.

The irony is that as more companies make the switch to SSL, they are finding that they still require some of the functionality of IPSec -- and many vendors are now providing both types of solutions in their remote access portfolio and expecting their customers to deploy both types of solutions in separate business scenarios.  Vendors that only have one of these two types of solutions are similarly trying to migrate their solution to have the capabilities of the other type.

Instead of trying to simply cobble the two offerings together, vendors should rethink their approach to VPNs and try to create a single "hybrid" solution that combines advantages of both IPSec VPNs and SSL VPNs, while eliminating the aforementioned shortcomings. The question becomes, is a hybrid approach possible? From a theoretical perspective, it's useful to think about what a hybrid VPN would look like.

At a high-level, a hybrid VPN should combine network layer access with application level encryption in a hybrid technology. A hybrid VPN can accomplish secure remote access as follows.

1. The hybrid VPN exposes a secure web URL, accessible after authentication.
2. The hybrid VPN launches a per-session agent on the user's PC, which resides in memory for the life of the session. The agent is a lightweight packet concentrator.
3. The agent operates in conjunction with the hybrid VPN and maps application connections using a reverse NAT table.
4. During the session, the agent resides in memory and operates at Layer 2.
5. While the session is active, the agent encrypts all network traffic destined for the organization's intranet and forwards the packets over an HTTPS session to the hybrid VPN along with user credentials.
6. All traffic is encrypted and sent over SSL.

A hybrid VPN sits in an organization's DMZ with access to both the external network and internal network.  A hybrid VPN can also partition local area networks internally in the organization for access control and security between wired/wireless and data/voice networks.  The hybrid VPN essentially acts as a low-level packet filter, with encryption. It drops traffic which does not have authentication or does not have permission for a particular network.  The hybrid VPN has the option of making remote system IP addresses invisible. This adds security to source locations in B2B implementations. This is also valuable to secure the wireless network in a company for their users and visitors (a viable alternative to WEP).
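To make the gateway behaviour in the steps above concrete, here is a small added model written for this article; it is not Net6's code and assumes nothing about any real product. It models three things the text attributes to the hybrid VPN: a session token issued at authentication that the agent presents with every forwarded packet, a per-network permission check that drops packets from unauthenticated sessions or for networks the user may not reach, and a reverse NAT table that hands the remote side an opaque handle instead of the internal address. The user directory and the access policy are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import secrets


def _hash_password(salt: bytes, password: str) -> bytes:
    # The gateway stores only salted hashes, never plaintext passwords.
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"  # constructed; a real deployment uses a random salt per user

# Constructed user directory: user -> (role, salted password hash).
USERS = {
    "alice": ("employee", _hash_password(_SALT, "alice-pw")),
    "bob":   ("partner",  _hash_password(_SALT, "bob-pw")),
}

# Constructed access policy: role -> internal networks that role is permitted to reach.
ACL = {
    "employee": [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")],
    "partner":  [ipaddress.ip_network("10.2.0.0/16")],
}


class HybridGateway:
    """Toy gateway: authenticate once, filter every packet per network, reverse-NAT the rest."""

    def __init__(self, users, acl):
        self.users = users
        self.acl = acl
        # session token -> {"user", "role", "nat": {handle: (internal_ip, port)}}
        self.sessions = {}

    def login(self, user, password):
        """Step 1: successful authentication yields the per-session token the agent
        attaches to each forwarded packet. Returns None on failure."""
        entry = self.users.get(user)
        if entry is None:
            return None
        role, stored = entry
        if not hmac.compare_digest(stored, _hash_password(_SALT, password)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "role": role, "nat": {}}
        return token

    def forward(self, token, dst_ip, dst_port):
        """Steps 3-6 seen from the gateway: a packet arrives over the HTTPS session
        carrying the token. Drop it unless the session is valid and the destination
        lies in a network the session's role is permitted to reach."""
        session = self.sessions.get(token)
        if session is None:
            return ("DROP", "unauthenticated")
        dst = ipaddress.ip_address(dst_ip)
        if not any(dst in net for net in self.acl.get(session["role"], [])):
            return ("DROP", "no permission for network")
        target = (str(dst), dst_port)
        # Reverse NAT: reuse the handle if this connection is already mapped,
        # otherwise allocate a new opaque handle. The remote side never sees
        # the internal address, which is what "invisible IP addresses" means here.
        for handle, mapped in session["nat"].items():
            if mapped == target:
                return ("ALLOW", handle)
        handle = "h%d" % (len(session["nat"]) + 1)
        session["nat"][handle] = target
        return ("ALLOW", handle)

    def resolve(self, token, handle):
        """Map a handle back to the internal (ip, port) so a reply can be routed."""
        session = self.sessions.get(token)
        if session is None:
            return None
        return session["nat"].get(handle)


if __name__ == "__main__":
    gw = HybridGateway(USERS, ACL)
    tok = gw.login("alice", "alice-pw")
    print(gw.forward(tok, "10.1.0.5", 443))          # ('ALLOW', 'h1')
    print(gw.forward("bogus", "10.1.0.5", 443))      # ('DROP', 'unauthenticated')
    print(gw.forward(gw.login("bob", "bob-pw"), "10.1.0.5", 443))  # partner lacks 10.1/16
```

The point the model makes is that the gateway is a packet filter keyed on the session rather than on a routable address: a worm on the remote machine has no private-network address to scan from, and anything arriving without a valid token, or aimed at a network outside the role's permissions, is dropped before it touches the intranet.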

The result is a more well-rounded and flexible VPN that provides users remote access through firewalls and prevents the traversal of worms by not bridging networks.  IT upgrade support costs are eliminated with a URL-distributed client that automatically updates when the user connects to the network.  Users are provided a desktop-like network access experience and can access any application in native form without webification or custom connectors.

While SSL VPNs will continue to make inroads in the market, it's important to think about why this is happening. Savvy customers should look to vendors who continue to innovate, working towards providing a better solution. Several innovative vendors (including my company, Net6) are making intriguing inroads here in developing new VPNs. What users need today is universal access:  simple, intuitive access to all applications and resources from anywhere – and a hybrid approach should be on the list of any company evaluating VPN options.

Barry Phillips is director of product marketing for Net6, Inc.
