IPSec Vs. SSL: Picking The Right VPN
Mike Fratto, Editor
September 01, 2005
Organizations often base their VPN choice on cost, configuration and usability. If you're looking for a network-to-network VPN, the only real choice is IPsec. Check Point Software Technologies, Cisco Systems, Juniper Networks, Nortel Networks, Sonicwall and WatchGuard all offer IPsec VPNs with integrated firewalls. If you go this route, look at the vendor's customer-support track record, determine if security is built into its product and find out what features will be available down the line.
The Easier Path?
IPsec VPN solutions generally are a lot easier to manage. The client-to-gateway tunnel forms a network connection similar to that of dial-up networking. Ephemeral TCP/UDP ports are natively supported. If your traveling users are employing SIP (Session Initiation Protocol)- or H.232-based applications, IPsec has a clear advantage over SSL VPN because it's hands-free on the client side. Once the software is running, users interact with their software and remote services seamlessly.
The IPsec VPN is an open network from the desktop client to the destination network, but that doesn't mean the desktop is just an IP router. Because of the possible split tunneling problem--simultaneous access to a trusted and a nontrusted network--you can limit access through policies set on the IPsec gateway. However, as SQL Slammer demonstrated, a worm-infected host that connects to an internal network over IPsec can infect the internal network. Use the embedded IPsec gateway firewall or place a firewall between the gateway and the rest of the network for added protection.
The leading IPsec VPN gateways from Cisco and Nortel are easy to manage and offer hierarchal group management, tight integration with external authentication servers and extremely useful and detailed event logging on the gateway. The latter is critical when troubleshooting remote-user connection problems.