National Webcast Initiative

Wireless Security
Wire-Free Does Not Always Mean Risk-Free!
Wednesday, July 20, 2005

 

These resources are provided as a general reference only, because they contain information that may be useful. We do not warrant the accuracy of any information contained in the resources.


IPsec and SSL: Complementary VPN technologies for Universal Remote Access

Executive summary

Rarely is anything black or white. Life and logic are filled with shades of gray, trade-offs and compromises, advantages with constraints, and richness counterbalanced with cost. This immutable reality touches virtually every choice and issue in life. VPN connectivity is no exception.

Enterprises have been quick to see the potential in IP (Internet Protocol) virtual private network (VPN) services—which use Internet technology to extend private networking anywhere within the reach of managed IP networks or the Internet. But when it comes to choosing a VPN protocol, there is no ‘either-or’ path.

For IT managers seeking to define the “right” VPN direction or stalled in indecision to avoid a potential misstep, there’s good news. The prevailing VPN protocols—IPsec and SSL—are complementary, not mutually exclusive. In fact, many IT managers will find they’re better off not standardizing on one specific VPN protocol type and risk constraining their users’ access requirements and overall business reach.

This paper will discuss the merits of deploying both IPsec and SSL VPN by highlighting their respective advantages and limitations.

IPsec—Network-layer security for IP traffic

The IPsec (Internet Protocol Security) suite of protocols secures IP traffic at the network layer through encryption, authentication, confidentiality, data integrity, anti-replay protection, and protection against traffic flow analysis.

IPsec tunnels can secure traffic from one VPN server to another or from a user to a VPN server. An IPsec server (known as a VPN gateway) can secure traffic for many users and devices. A single IPsec tunnel secures all traffic between the devices, irrespective of traffic type (TCP, UDP, SNMP) or application (e-mail, database, client-server).

To establish the encrypted connection, both devices must agree on “security associations”—policies that must be configured on each end of the connection. That means each user (client) device must have special IPsec client software installed. IPsec VPN vendors typically offer client software for user workstations, PCs, laptops, hand-held access devices, edge routers, and firewalls—sometimes auto-downloaded from the IPsec gateway.

Because IPsec operates at the network layer, authorized remote users have the same degree of access as if they were physically in the enterprise building and directly connected to the enterprise LAN. IPsec offers a wide variety of flexible, industry-standard choices as to how these security protections are implemented. For all of this flexibility in choice, IPsec does trade off flexibility in other areas, such as accessibility from temporary workplaces, ease of management, and configuration complexity.

SSL: Application-layer security

The SSL (Secure Sockets Layer) protocol uses encryption and authentication to secure communications between Web browsers and Web servers at the transport layer. However, since an SSL session applies only to one application at a time, and provides application security services rather than network security services, many people call it an application-layer security solution.

Originally developed by Netscape Communications Corporation for electronic commerce, SSL is built into most browsers, Web servers, and e-mail applications to provide data encryption, server authentication, message integrity, and optional client authentication between users and their applications—one application at a time.

To use SSL, an end-user device must have SSL capabilities, which are supported by default in most common browsers and e-mail clients such as Internet Explorer and Netscape. Because no client software is required—SSL support is built into the application—users can access Web applications from public kiosks or third-party PCs. This avoids the problem of loading client software on PCs that don’t belong to the company, and makes SSL a complementary solution to IPsec VPNs for certain extranet applications.

Each application server must support Web access with SSL from standard browsers—usually a given with today’s IP-centric applications, but legacy applications frequently require an upgrade, custom development, or work-around, such as an application proxy.
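The scoping difference the two sections above describe (an IPsec security association covers every protocol between the endpoints it is configured for, while an SSL session covers one application and exists only where that server supports SSL) can be made concrete. The Python model below is an added example, not part of the paper; the network ranges, application names and flows are constructed, and it also classifies the hybrid deployment the paper recommends, showing which flows each approach leaves unprotected.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory for the example (not from the paper).
SSL_CAPABLE = {"webmail", "intranet-portal"}  # servers with an HTTPS front end
CORP_NET = "10.0.0.0/8"                       # network segment behind the VPN gateway
MANAGED_NET = "192.168.50.0/24"               # branch subnet whose devices have IPsec clients

@dataclass(frozen=True)
class Flow:
    src: str    # client address
    dst: str    # server address inside CORP_NET
    proto: str  # "tcp" or "udp"
    app: str    # application name, used for the SSL capability check

def ipsec_covers(flow: Flow, local_net: str, remote_net: str) -> bool:
    """An IPsec SA is keyed on network-layer selectors agreed by both ends;
    every packet matching them is protected, whatever the protocol or app."""
    return (ip_address(flow.src) in ip_network(local_net)
            and ip_address(flow.dst) in ip_network(remote_net))

def ssl_covers(flow: Flow) -> bool:
    """SSL protects one TCP application session, and only when that server
    actually offers an SSL front end (legacy applications often do not)."""
    return flow.proto == "tcp" and flow.app in SSL_CAPABLE

def classify(flows, ipsec_client_nets=(), ssl=True):
    """Map (src, app) -> 'ipsec', 'ssl' or 'none'.  ipsec_client_nets are the
    subnets whose devices carry provisioned IPsec client software; SSL needs
    no client software, so when enabled it is available from any source."""
    result = {}
    for f in flows:
        if any(ipsec_covers(f, net, CORP_NET) for net in ipsec_client_nets):
            result[(f.src, f.app)] = "ipsec"  # one tunnel, every protocol
        elif ssl and ssl_covers(f):
            result[(f.src, f.app)] = "ssl"    # one session per application
        else:
            result[(f.src, f.app)] = "none"   # left exposed, e.g. VoIP from a kiosk
    return result

OFFICE = [Flow("192.168.50.7", "10.1.1.10", "tcp", "webmail"),
          Flow("192.168.50.7", "10.1.1.20", "tcp", "erp-thick-client"),
          Flow("192.168.50.7", "10.1.1.30", "udp", "voip")]
KIOSK = [Flow("203.0.113.9", d.dst, d.proto, d.app) for d in OFFICE]

if __name__ == "__main__":
    print("office, IPsec only:", classify(OFFICE, [MANAGED_NET], ssl=False))
    print("kiosk, SSL only:   ", classify(KIOSK))
    print("hybrid:            ", classify(OFFICE + KIOSK, [MANAGED_NET]))
```

The kiosk run shows the gap the paper mentions for legacy and non-Web traffic: without an IPsec client, only the SSL-capable Web application is protected.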

Which VPN protocol is right for your enterprise?

The quick answer is: it depends. The probable answer is: a combination of both. The “right” VPN protocol is a function of many interdependent variables. Often, the right implementation is actually a hybrid of IPsec and SSL to satisfy the disparate requirements of very different users, whose needs may change from day to day. Here’s a high-level view of the business considerations that apply.

What type of access do users require?

If they need permanent, always-on VPN access between locations, with performance and application accessibility as if they were physically connected to the corporate LAN, an IPsec VPN achieves that with very good security, while providing access to all applications—including voice over IP—in the network segment through a single log-in.

If they are mobile workers needing casual or on-demand access to applications such as e-mail and file-sharing from diverse locations—such as public PCs in Internet kiosks or airport lounges—SSL is the logical choice.

Are users your employees or not?

If all your VPN users are employees using access devices owned and controlled by the enterprise, an IPsec VPN will offer full-service, secure network access using standardized client software that is managed, configured, and maintained by the enterprise IT group.

If not all your users are employees, and the VPN must simply and cost-effectively reach business partners, customers, and occasional users, SSL is ideal, because it enables access from any browser or application with embedded SSL capabilities.

What level of access control is required?

If you want to grant access to all applications and resources within a network segment to all users in the IP-VPN, an IPsec VPN will serve well.

If you want to control access to specific applications, particularly when only Web-accessible applications are involved, SSL might be the better choice, because it secures communications from user to application server, rather than from user to site gateway.

If you want variable levels of access control (say, one level of access privileges when the user is in the branch office and another when the user is accessing the network from trade shows), consider using IPsec for the in-office access and SSL for on-the-road access—or run SSL over IPsec for controlled and end-to-end security.

How critical are the resources to be accessed?

If you need strong security tied to specific, approved access devices, IPsec provides a higher degree of protection than SSL, because it requires the use of specially provisioned IPsec client software and controlled workstations.

If you require moderate security (the natural result of allowing access from unknown and uncontrolled devices), SSL will serve the need with greater flexibility and less management complexity.

If security requirements vary by scenario (the same user will be accessing highly confidential resources as well as standard e-mail and calendar functions), consider using IPsec access for the critical and non-critical resources alike, and also provide the flexibility of SSL access for the e-mail and calendar applications.

What roles will your users have?

If your principal users are in critical functions such as HR, finance, IT, R&D, and operations, their application access requirements will probably be more complex and as such require the higher degree of security and protection afforded by IPsec VPNs.

If your users are in functions such as sales, marketing, or customer and partner roles that deal with less confidential information, SSL access will provide appropriate confidentiality and security with greater ease of use for these non-technical users.

If users simultaneously have confidential and non-confidential roles (such as executives who need to download customer presentations from their hotel rooms and confidential financial reports from their offices), a combination of SSL and IPsec access can provide the premium flexibility needed in one role and the premium security needed in the other.

Which is more important: fast deployment or future scalability?

If it is critical to get up and running quickly with minimal effort for enrolling new users, SSL offers the greatest deployment speed, because there’s no need to provision special-purpose IPsec client software.

If it’s more critical to easily add and change applications later, an IPsec VPN offers greater flexibility, because it opens access to all applications and resources in a network segment, rather than being tightly coupled with applications as SSL access solutions are.

If both considerations are important, consider deploying SSL for basic e-mail, file-sharing, and intranet access to quickly meet immediate access needs while rolling out IPsec VPN capabilities.

What’s the bottom line?

Enterprise networks are by nature heterogeneous. VPN access to corporate resources must serve a broad range of user requirements that change from moment to moment, or day to day. Both IPsec and SSL protocols have their merits. Both are effective, standards-based choices for deploying secure remote access. Both have advantages and limitations, depending on the circumstances—the applications, users, security, confidentiality, and deployment considerations in question. There is no ‘either-or’ path. For these reasons, most enterprises will benefit from the deployment of both SSL and IPsec-based VPNs.