25/2/2016

Tunnel vision: Choosing a VPN - SSL VPN vs. IPSec VPN

If your organization is among the many that have struggled with the administrative headaches and costs of IPSec VPNs, going "clientless" sounds compelling. Given the demand for secure, easy, anytime/anywhere remote access for travelers and home office workers, the surge of interest in SSL/TLS-based VPNs isn't surprising. The key is deciding when to use IPSec and when to use SSL.

"It's not that one is right and one is wrong," says Doug Torre, who is rolling out Neoteris SSL VPNs to give 500 doctors and clinicians remote access to medical applications and patient information for Catholic Health System of Western New York in Buffalo. "IPSec and SSL VPNs both solve the problem, but SSL was a more tailored fit for us." Torre still uses IPSec VPNs for site-to-site connections, such as connecting remote sites to the core network.

In choosing an SSL VPN over IPSec, Torre wanted to avoid the overhead of installing client software and to leverage one of SSL's strengths: access to specific applications, rather than entire subnets.

"We're getting access to the exact thing we need, which is the application," says Torre, director of networking and technical services for Catholic Health System, which includes four hospitals and a number of long-term health care facilities.

http://searchsecurity.techtarget.com/feature/TunnelvisionChoosingaVPNSSLVPNvsIPSecVPN

Does all this mean that SSL VPNs are the way to go? Everything being equal, who wouldn't want to reduce the cost of VPN ownership by eliminating client installation and configuration and centralizing policy administration, enforcement and access control?

It's not that simple, of course. Vendors promise to deliver secure access, but are SSL VPNs as secure and reliable as IPSec? Where do SSL VPNs fit into your network security policies, and which remote user communities can they best serve? What does it really take to install and administer an SSL VPN?

Securing Remote Access

Both IPSec and SSL VPNs can provide enterprise-level secure remote access, but they do so in fundamentally different ways. These differences directly impact both application and security services, and shape the factors that will influence your decision on which technology to deploy, and where.

IPSec VPNs protect IP packets exchanged between remote networks or hosts and an IPSec gateway located at the edge of your private network. SSL VPN products protect application streams from remote users to an SSL gateway. In other words, IPSec connects hosts to entire private networks, while SSL VPNs connect users to services and applications inside those networks.

IPSec VPNs can support all IP-based applications; to an IPSec VPN product, all IP packets are the same. SSL VPN application services vary, because each product has its own way of presenting client interfaces through browsers, relaying application streams through the gateway, and integrating with destination servers inside the private network. Most SSL VPNs provide secure access to Microsoft Outlook Webmail, network file shares and other common business applications. However, they often require custom development to support non-browser-based apps.

Before you choose to deploy either or both, you'll want to know how SSL and IPSec VPNs stack up as security solutions, and what price you have to pay for that security in administrative overhead.

First, we'll compare how IPSec and SSL VPNs address three essential security requirements:

Authentication and access control. Each VPN type presents different options for user authentication, with clear implications for security. The fundamental difference in how SSL and IPSec VPNs implement access control is an important consideration in where and how each technology is best applied.

Defense against attack. Strong data confidentiality and integrity, and resistance to message replay and other attacks, are essential to make a VPN secure.

Client security. The tunnel can't be secure if the host client is compromised. VPN client computers need strong AV and firewall protection, and admins need a way to check on the "health" of those systems.

Next, we'll look at what it takes to configure and administer both IPSec and SSL VPNs, and the payoff for what you put into it:

Client vs. clientless. It's not necessarily a clear-cut choice: IPSec client administration and policy distribution headaches vs. SSL app customization.

Integrating VPN gateways into your network. VPN gateways have to fit into your network and play nicely with your app servers. What does it take?
Access Control and Authentication

Both SSL and IPSec VPNs support a range of user authentication methods, including certificates. However, if you choose a non-certificate option (such as password or tokens), you should be aware that the IPSec choices, as we'll see, are generally more vulnerable than the SSL alternatives.

Accepted security best practices include allowing only that which is expressly permitted, denying all others. In a nutshell, SSL VPNs tend to be deployed with more granular access controls than IPSec, but that also means admins may spend more time configuring and modifying individual and group access rules.
Authentication. IPSec employs Internet Key Exchange (IKE), using digital certificates or preshared secrets for two-way authentication; SSL Web servers always authenticate with digital certificates, no matter what method is used to authenticate the SSL client. Both support certificate-based user authentication, though each offers less expensive options through individual vendor extensions. They differ significantly on how these extensions are implemented, and SSL is the more secure solution for companies that decide to implement non-certificate user authentication.

IPSec vendors, for example, offer alternatives such as Extended Authentication (XAUTH) and L2TP over IPSec. However, XAUTH, which is frequently deployed using preshared group secrets and DHCP, is vulnerable to several known attacks. And while L2TP over IPSec is embedded in Windows 2000/XP, it isn't broadly supported by VPN gateways or used by non-Microsoft shops.

Most SSL vendors support passwords and tokens as extensions. Further, SSL's encrypted tunnel protects the user's identity and credentials, making asymmetric authentication more secure than IPSec with XAUTH.

SSL is better suited for scenarios where trust is limited or where installed certificates are infeasible: business partner desktops, public kiosk PCs and personal home computers.

Access control. If you really need per-user, per-application access control, go SSL. If you need to give trusted user groups homogenous access to entire private servers and subnets, go IPSec.

IPSec standards support "selectors" (packet filters that permit, encrypt or block traffic to individual destinations or applications). As a practical matter, most organizations grant hosts access to entire subnets, rather than keep up with the headaches of creating/modifying selectors for each IP address change or new app.

SSL VPN products tend to provide more granular tools (how granular varies from product to product), but how you use them (and how much administrative cost you're prepared to shoulder) is up to you. Because they operate at the session layer, SSL VPNs can filter on and make decisions about user or group access to individual applications (ports), selected URLs, embedded objects, application commands and even content.
Defense Against Attack

Both SSL and IPSec support block encryption algorithms like Triple DES Cipher Block Chaining, which are commonly used in VPNs. SSL VPNs also support stream encryption algorithms like RC4 that are often used for Web browsing. Given comparable key lengths, block encryption is less vulnerable to traffic analysis than stream encryption.

If you're implementing an SSL VPN, try to choose products that support TLS, which is slightly stronger than the older SSLv3. TLS eliminates older key exchange and message integrity options, ensuring strong defense against key cracking and forgery.

In addition to strong encryption support, both types of VPNs are built to resist common Internet attacks. However, there are some important differences that can impact security, performance and operability. They include:

Man-in-the-middle. IPSec prevents packet modification to thwart man-in-the-middle attacks. However, this strong security feature also generates operational problems. NAT frequently breaks IPSec because it modifies packets by substituting public IP addresses for private ones. Many IPSec products implement NAT traversal extensions, but support for this feature isn't universal, and interoperability is still an issue.

SSL is almost as tough against man-in-the-middle attacks, without IPSec's NAT conflict. SSL rides on TCP, so it's insulated from IP and port modifications, and thus passes easily through NAT. SSL carries sequence numbers inside encrypted packets to prevent packet injection, and TLS uses message authentication to detect payload changes.

Message replay. Both IPSec and SSL use sequencing to detect and resist message replay attacks. IPSec is more efficient, because it discards out-of-order packets lower in the stack in system code. In SSL VPNs, out-of-order packets are detected by the TCP session engine or the SSL proxy engine, wasting more resources before they are discarded. This is one reason why IPSec is broadly used for site-to-site VPNs, where raw horsepower is critical to accommodate high-volume, low-latency needs.

Denial of service. IPSec has a slight advantage against DoS attacks, such as packet floods, because it uses only datagrams, while SSL uses TCP sessions. This is because IP and UDP (IKE) datagram floods are conceptually easier to deflect than TCP SYN floods, which fill session tables and cripple many off-the-shelf protocol stacks.
Every product must be hardened against DoS attacks. Look carefully at individual products and published third-party test results to assess DoS vulnerability in each implementation.

Business-grade IPSec VPN appliances have been hardened against DoS attack; some IPSec vendors have even published DoS test results. While IPSec VPNs have been subject to testing for years, a certification program for SSL VPNs has just been initiated. ICSA Labs is launching an SSL/TLS certification program, and expects to complete first-round testing of crypto implementation and baseline features by year's end.
Client Security

Your VPN, IPSec or SSL, is only as secure as the laptops, PCs or PDAs connected to it. Without precautions, any client device can be used to attack your network.

Therefore, companies implementing any kind of VPN should mandate complementary client security measures, such as personal firewalls, malware scanning, intrusion prevention, OS authentication and file encryption. Some IPSec VPN clients include integrated desktop security products to restrict access to systems that conform to organizational security policies. For example, Check Point Software Technologies' VPN-1 is integrated with PestPatrol, and WatchGuard Technologies' Mobile User VPN with Zone Labs' ZoneAlarm.

SSL client devices present their own set of problems. Because SSL VPNs are often accessed by computers outside a company's control (public computers are a particular challenge), vendors address their security requirements in several ways. For example:

Many SSL VPNs, including Whale Communications' e-Gap and Aventail's EX-1500, provide secure browser/client logoff by wiping all traces of activity (cached credentials, cached Web pages, temporary files and cookies) from the public computers.

Nokia's Secure Access System checks client-side security by instructing the browser to run an applet that looks for open ports and verifies antivirus presence before the gateway accepts remote access requests.

Some SSL VPNs combine client security with access rules. For example, Permeo Technologies' Application Security offers methods that filter individual application commands (e.g., FTP GET but not PUT; no retrieving HTTP objects ending in .exe). This could narrow permissions given to users that only merit "partial trust" because they use client computers that lie outside your organization's control. Nokia's Secure Access System can limit application features and functions, depending on the system from which a VPN session is initiated. For example, public kiosks may be restricted from uploading files that company laptops are permitted to access.
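The gateway-side controls described here and under "Access control" earlier (permit only what is expressly allowed, filter individual application commands, and narrow permissions by the trust placed in the client machine) can be sketched as a default-deny rule evaluator. This is an added example, not code from the article or from any product it names; the trust levels, group name, rule fields and sample policy are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Client trust levels (hypothetical): the kind of machine the session came from.
KIOSK, HOME_PC, COMPANY_LAPTOP = 0, 1, 2


@dataclass(frozen=True)
class Rule:
    group: str                   # user group the rule applies to
    app: str                     # application published through the gateway
    commands: frozenset          # application commands expressly permitted
    min_trust: int               # lowest client trust level the rule accepts
    blocked_objects: tuple = ()  # glob patterns for objects never served


# Constructed policy for illustration.
RULES = [
    Rule("clinicians", "ftp", frozenset({"GET"}), KIOSK),
    Rule("clinicians", "ftp", frozenset({"PUT"}), COMPANY_LAPTOP),
    Rule("clinicians", "http", frozenset({"GET", "POST"}), KIOSK, ("*.exe",)),
]


def decide(rules, groups, trust, app, command, obj=""):
    """Return (allowed, reason). Anything no rule expressly permits is denied."""
    for rule in rules:
        if rule.group not in groups or rule.app != app:
            continue
        if command.upper() not in rule.commands or trust < rule.min_trust:
            continue
        # The rule covers this request; refuse blocked object types outright.
        if any(fnmatch(obj.lower(), pat) for pat in rule.blocked_objects):
            return False, f"{app} object {obj!r} matches a blocked pattern"
        return True, f"permitted for group {rule.group}"
    return False, "no rule expressly permits this request"


if __name__ == "__main__":
    requests = [  # constructed requests: (groups, trust, app, command, object)
        ({"clinicians"}, KIOSK, "ftp", "GET", "/reports/summary.pdf"),
        ({"clinicians"}, KIOSK, "ftp", "PUT", "/reports/upload.doc"),
        ({"clinicians"}, COMPANY_LAPTOP, "ftp", "PUT", "/reports/upload.doc"),
        ({"clinicians"}, HOME_PC, "http", "GET", "/tools/Setup.EXE"),
        ({"contractors"}, COMPANY_LAPTOP, "http", "GET", "/index.html"),
    ]
    for req in requests:
        print(req[1:], "->", decide(RULES, *req))
```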
Session state is a dimension of usability more than security, but it's worth noting that both IPSec and SSL VPN products often run configurable "keepalives" that detect when the tunnel has gone away. Both kinds of tunnels are disconnected if the client loses network connectivity or the tunnel times out due to inactivity. Different methodologies are used due to different locations in the protocol stack, but they have the same net effect on users.
Client vs. Clientless?

The primary allure of SSL VPNs is their use of standard browsers rather than having to install client software, but there are a number of factors to consider.

SSL VPNs do a great job making browser-based apps available to remote devices. However, generally speaking, the more diverse the application mix, the more attractive IPSec appears. It boils down to a tradeoff between IPSec client installation and SSL VPN customization. Let's examine this in more detail.

"Clientless" isn't entirely accurate. The extent to which applications can or should be "Webified" is a wild card for SSL VPNs. If you can find an SSL VPN product that meets all or most of your application needs, great. If not, you may spend more time and effort developing custom Java/ActiveX plug-ins than you would have supporting an IPSec VPN.

Although SSL VPN tunnels are launched from the user's browser, often a desktop agent (a Java applet or ActiveX control) must be downloaded for access to thin-client, client/server or other applications that don't lend themselves to Web page presentation (e.g., Citrix, IBM green screen, Windows Terminal Service). Moreover, applications that require Java applets or ActiveX controls and plug-ins may conflict with a browser security policy that prohibits active content. Most organizations block "unsigned" Java/ActiveX, which can be used to install Trojans, retrieve or delete files, etc. Some organizations block all active content to be on the safe side. As a result, you may have to reconfigure some browser clients to use an SSL VPN.

And don't dismiss the "user factor." People grow accustomed to existing user interfaces. The advantage of having browser interfaces for native apps may be offset by the time spent reeducating unhappy users.

SSL VPN vendors have a range of approaches on Webification. Some products, such as Permeo's Application Security, Aventail's EX-1500 and Nokia's Secure Access System, use client-side code to support a more native representation of application interfaces. Conversely, solutions such as Neoteris' Instant Virtual Extranet, Netilla Networks' Security Platform and Whale's e-Gap are more inclined to Webify applications, even if that means some apps will require back-end development to bolt them onto the VPN server.
Most IPSec deployments still require third-party client software. Installing third-party clients is time consuming and requires access to the users' desktops. The problem is exacerbated when you factor in the increased need to service home computers and partner sites. In addition, while client software quality and compatibility have improved considerably, there are still conflicts, particularly with hardware drivers.

IPSec VPN clients are now embedded in newer OSes such as Win2K/XP and Mac OS X. But these clients aren't as feature-rich as third-party offerings. Moreover, IPSec clients aren't widely available for older Windows, *nix, Mac and handheld OSes.

Some vendors offer hardware IPSec VPN clients for organizations that must deal with diverse OS platforms. Small appliances, like Cisco Systems' VPN 3002, sit between a worker's home PC and cable/DSL modem, acting like an IPSec VPN client. The idea is to invest in hardware up front to avoid ongoing costs of administering remotely deployed VPN software.

Organizations sometimes use IPSec-enabled SOHO firewall appliances to incorporate teleworkers' LANs into their site-to-site VPN topology, but this solution often pushes the problems of scale and remote administration from remote access to the VPN backbone.

Policy distribution and maintenance are often hamstrung by user mobility and intermittent connectivity. This is a significant issue for IPSec VPNs. Whenever users get involved in security configuration or debugging, there's also an increased risk of error or unauthorized change.

IPSec administrators must create security policies for each authorized network connection, identifying such esoteric information as IKE Identity, Diffie-Hellman Group, crypto algorithms and security association lifetimes. IPSec vendors like Cisco, Check Point, NetScreen Technologies and Avaya have created proprietary, centralized policy management systems that automate policy distribution. These systems help, but keeping policy synchronized across large IPSec VPNs can still be tough.

"We found supporting remote clients over an IPSec VPN to be problematic due to the need for configuring VPN and application software, making securing it a bit tricky," says Catholic Health System's Torre.

For the most part, security policy for SSL VPNs is implemented and enforced at the gateway (SSL proxy). Thus, there's no user involvement and no client policy to remotely manage.
Integrating VPN Gateways

Server-side issues tend to get lost amid the buzz about clientless savings, but understanding what's involved is essential in VPN product selection, secure solution design and cost-effective deployment.

Whether you choose IPSec or SSL, your VPN gateway will be where the rubber meets the road. Significant server-side VPN administration is inevitable for both. Network integration is an issue for IPSec gateways, while SSL VPN gateways tend to have a greater impact on how you administer your app servers.

IPSec remote hosts become part of your private network, making integration more challenging than with SSL VPNs. The IPSec design tasks that burn the most IT cycles include:

Address assignment. IPSec tunnels have two addresses. Outer addresses come from the network where the tunnel starts (e.g., the ISP). Inner addresses are used to correctly route traffic once it gets past the VPN gateway, inside the protected network. Admins have to invest time assigning these addresses to VPN clients and making routing changes on firewalls and inside the network.

Traffic classification. Deciding what and what not to protect, then configuring selectors to match that objective, takes time. For example, "HR clients should be able to reach the HR server," must be mapped into the right set of users and destination subnets/servers/ports.

Routing. Adding a VPN gateway changes network routes. You'll spend time deciding how client traffic should be routed to and from the VPN gateway, and determining if NAT will interfere with your deployment.
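The traffic classification task above, and the earlier observation that most organizations grant access to entire subnets rather than maintain selectors, can be compared directly by evaluating the same flows against a narrow selector set and a broad one. This is an added example, not code from the article or any IPSec product; the address plan, ports and function names are assumptions, and the action names follow the article's "permit, encrypt or block" wording.

```python
import ipaddress
from typing import NamedTuple


class Selector(NamedTuple):
    src: str      # source network in CIDR form (inner addresses of VPN clients)
    dst: str      # destination network in CIDR form
    proto: str    # "tcp", "udp" or "any"
    dport: int    # destination port, 0 means any
    action: str   # "encrypt", "permit" or "block"


def evaluate(policy, src, dst, proto, dport):
    """Return the action of the first matching selector; default is block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in policy:
        if (s in ipaddress.ip_network(sel.src)
                and d in ipaddress.ip_network(sel.dst)
                and sel.proto in ("any", proto)
                and sel.dport in (0, dport)):
            return sel.action
    return "block"


# Constructed address plan (assumption): HR clients receive inner addresses
# from 10.99.1.0/24, other remote users from 10.99.2.0/24, and the HR server
# is 10.1.20.15 serving its application on TCP 443.
NARROW = [Selector("10.99.1.0/24", "10.1.20.15/32", "tcp", 443, "encrypt")]
BROAD = [Selector("10.99.0.0/16", "10.1.0.0/16", "any", 0, "encrypt")]

# Constructed sample flows: (src, dst, proto, dport)
FLOWS = [
    ("10.99.1.7", "10.1.20.15", "tcp", 443),   # HR client to HR application
    ("10.99.1.7", "10.1.20.15", "tcp", 3389),  # HR client to another port on the HR server
    ("10.99.2.9", "10.1.20.15", "tcp", 443),   # non-HR client to HR application
    ("10.99.1.7", "10.1.30.8", "tcp", 445),    # HR client to a server on another subnet
]


def extra_exposure(narrow, broad, flows):
    """Flows the broad policy carries into the network but the narrow one blocks."""
    return [f for f in flows
            if evaluate(broad, *f) == "encrypt" and evaluate(narrow, *f) == "block"]


if __name__ == "__main__":
    for flow in extra_exposure(NARROW, BROAD, FLOWS):
        print("reachable only under the subnet-wide policy:", flow)
```

Running the comparison against flows taken from real gateway logs shows what a subnet-wide policy admits beyond the stated objective.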
SSL VPNs don't require client address assignment or changes to routing inside your network, because they control access to applications and content (e.g., URLs) rather than network-layer entities, such as subnets and hosts. Typically, SSL VPN gateways are deployed behind a perimeter firewall, which requires punching a hole through that firewall to deliver SSL to the VPN gateway. This means delegating trust from the firewall to the VPN gateway, which enforces security policy on SSL-encrypted streams.

SSL VPN gateways have greater potential impact on the application servers inside your private network. On most intranet servers, when IT staff need to restrict access at a finer-than-firewall granularity (e.g., control user access to a directory on a Web server), they must apply OS-level access controls (e.g., Windows NTFS) and per-user or per-application authentication on the servers themselves. IPSec VPNs can't offload these security services from individual servers.

By applying very granular access controls at SSL VPN gateways, organizations can eliminate duplicate processing from intranet servers. This also allows an organization to enforce uniform policy at the gateway. Some products, such as Whale's e-Gap and Aventail's EX-1500, can provide single sign-on capability for all intranet servers protected by a VPN gateway (see "Email from Anywhere").

But SSL's fine-grained access controls come at a price: Extreme granularity means more planning, configuration and verification, which translates into overhead and, sometimes, error. First-time SSL VPN adopters are advised to keep things simple by applying easily managed individual user authentication and group access controls.
The Test of Time

Are SSL and IPSec VPNs complementary or competing remote access solutions? There may be room for both.

"We think that classic IPSec VPNs are great for connecting to the network, such as hooking up remote sites to each other, or for the power user who needs every tool in the toolbox, like an IT user," says Catholic Health System's Torre. "For the average user, however, it's overkill."

"Power users like the idea of a full PC-to-gateway IPSec VPN, and often believe they need access to the full IP spectrum of the enterprise network from their home office," says Fred Avolio, president and founder of Avolio Consulting. "But many, if not most, occasional teleworkers often use home PCs and only need to access services that are easily available through a Web browser, such as email and file access. An SSL VPN gives them secure access without the hassle of a hard-to-configure client."

It's quite likely that IPSec will remain attractive to organizations with broader needs than Web apps. As user constituencies become larger and more diverse, assets must be separated at finer granularity, making SSL more attractive. Today, SSL VPN adoption is driven by tight IT budgets and vendor promises to reduce total cost of ownership. As SSL VPN products mature, they must deliver on this promise in large successful deployments, grow their turnkey support for common business applications, and demonstrate their ability to withstand Internet threats and enterprise performance demands. If they can do all this, SSL will give IPSec a real run for the money in the remote access VPN market.

Lisa Phifer is vice president with Core Competence, a consulting firm specializing in network security and management technology.
