IPSec Vs. SSL: Picking The Right VPN
Mike Fratto and Editor
September 01, 2005
You can use both IPsec and SSL VPN. If your primary applications are Web-based and you support only a few non-HTTP applications, SSL VPN is a good option: The ease of use is far greater and the fine-grained access control for remote users is superior to IPsec products. But if your organization must support more complex applications and site-to-site VPN, you really can't axe the IPsec just yet.
Mike Fratto, Editor firstname.lastname@example.orgMyth Understandings
Myth #1: IPsec VPN opens an unrestricted pipe into the network. This depends on the VPN gateway. IPsec works over Layer 3 to transport IP packets bound for the protected network. So in one sense, it is an open pipe. However, most IPsec VPN gateways have internal, stateful packet-filtering firewalls so traffic can be restricted to specific destinations. To achieve the same results, you could place the VPN in a DMZ with strict access rules.
Myth #2: IPsec VPNs don't play well with NAT. For several years, vendors have been encapsulating IPsec traffic into UDP before putting it on the network, so NAT problems aren't as prevalent as they once were. Standardized NAT traversal is an optional component of IKE (Internet Key Exchange) 2, and many vendors have adopted proprietary traversal methods.
Myth #3: SSL VPN is a clientless VPN. This is true only for straight HTML traffic. Web applications that use mobile code components (such as Java applets or Flash), which make connections back to the server, or non-HTTP apps often require a client browser component to tunnel traffic over the SSL VPN. In many cases, the remote user must be logged on as a local administrator to run the component dynamically or it must be installed by an administrator.