VPN: IPSec vs SSL

BigV · 01-15-2007, 06:08 PM

I need to provide VPN access to a small network. The network is running nicely right now, but a few people would like to connect to some network resources from outside the office, hence the need for the VPN. I have a fairly clean slate to work from here, and I have read enough to narrow my choices to two different technologies, IPSec and SSL.

From what I've read, they both can create a secure tunnel, so for the user, the end result will be the same. The cost for each solution is pretty close to the other, so there's no natural economic advantage. But I'll be the one who has to install and maintain it, so the other behind the curtain details mean more to me. Here's the short list of the pluses and minuses for each, as I see it. Your input is welcome.

IPSec advantages:
**************
Greater security by virtue of requiring a specific client application.
Greater security by virtue of the fact that the box I'm considering also contains a(nother) firewall, adding to the notion of defense in depth.
Greater control by virtue of finer granularity with respect to access privleges.
I have experience with IPSec vpns (Cisco and WatchGuard), so I'm not starting from zero experience.
Can run all applications, and access all network resources.

IPSec disadvantages:
****************
Higher cost due to the fact that client licenses have to be purchased to use the vpn.
Greater complexity of client software.
More pieces than "built in" SSL solution; more things to be configured, keep track of, buy, fix, maintain, update, etc.
The box has multiple functions, firewall, vpn endpoint, switch, etc.

SSL advantages:
************
Box is less complex, no other functions.
No client required; "built in" browser capability.
No client maintenance/cost, etc.

SSL disadvantages:
***************
Can run only web enabled applications, since it all runs in the browser.
No access to network storage or printers.
"Simpler" solution presents fewer hurdles to unauthorized access.

That's the list I have so far. At this point, I'm strongly in favor of the IPSec solution, since I like the full access to the private network resources. But I would like to hear the input and experience of the cellar. What's your two cen t's worth? (hint: much more than two cents, to me

) Thanks in advance.

SteveDallas · 01-15-2007, 06:29 PM

What IPSec solutions are you considering? What kind of client are you planning to use?

Perry Winkle · 01-15-2007, 06:53 PM

Ever looked at OpenVPN?

IIRC, it's the base for Joel's Aardvark/Co-pilot software.

Clodfobble · 01-16-2007, 03:54 PM

I don't know jack about squat, but my husband the network administrator says some of your SSL disadvantages are wrong. He says: You can definitely do non-web-enabled applications over SSL; an example program would be the Cisco SSL VPN, which installs an ActiveX applet that remaps network traffic over SSL regardless of port. This also allows for network drive mapping and printer mapping as well.

BigV · 01-16-2007, 04:27 PM

Quote:

Originally Posted by Clodfobble

I don't know jack about squat, but my husband the network administrator says some of your SSL disadvantages are wrong. He says: You can definitely do non-web-enabled applications over SSL; an example program would be the Cisco SSL VPN, which installs an ActiveX applet that remaps network traffic over SSL regardless of port. This also allows for network drive mapping and printer mapping as well.

!!

Interesting. That's exactly the kind of reality check I'm seeking. Thank you Clodfobble.

Clodfobble · 01-16-2007, 04:58 PM

Don't thank me, I don't even really know what most of that gibberish means. But Mr. Clodfobble says, "No problem."

BigV · 01-17-2007, 09:51 AM

*imaginary conversation at House of Fobble*

CF: "Well, if you won't let me post those shower pictures, will you at least look at this computer question?!

mbpark · 01-17-2007, 10:26 PM

I have used both, and the issues with port redirection and non-web applications in SSL VPNs have been mitigated by multiple vendors. The really high-end SSL VPNs like the AEP Networks Netilla have application-specific rules.

I just put in a D-Link IPSec (no, I am not kidding) VPN in at a customer linking two sites (the budget just wasn't there to justify a higher expense).

However, I have had great experience with the Juniper products (I use the Netscreen firewalls elsewhere). They make what appears to be a decent SSL VPN at:
http://www.juniper.net/products_and_...re_access_700/

I also know that Cisco makes one, as well as Netgear:

http://www.netgear.com/Products/VPNa...rs/SSL312.aspx

I certainly hope that Netgear has done their best to lose their reputation for crap firmware. Their product does support port forwarding and redirection.

Thanks,

Mitch

01-15-2007, 06:08 PM	#1
BigV Goon Squad Leader Join Date: Nov 2004 Location: Seattle Posts: 27,063	VPN: IPSec vs SSL I need to provide VPN access to a small network. The network is running nicely right now, but a few people would like to connect to some network resources from outside the office, hence the need for the VPN. I have a fairly clean slate to work from here, and I have read enough to narrow my choices to two different technologies, IPSec and SSL. From what I've read, they both can create a secure tunnel, so for the user, the end result will be the same. The cost for each solution is pretty close to the other, so there's no natural economic advantage. But I'll be the one who has to install and maintain it, so the other behind the curtain details mean more to me. Here's the short list of the pluses and minuses for each, as I see it. Your input is welcome. IPSec advantages: ************ Greater security by virtue of requiring a specific client application. Greater security by virtue of the fact that the box I'm considering also contains a(nother) firewall, adding to the notion of defense in depth. Greater control by virtue of finer granularity with respect to access privleges. I have experience with IPSec vpns (Cisco and WatchGuard), so I'm not starting from zero experience. Can run all applications, and access all network resources. IPSec disadvantages: ************ Higher cost due to the fact that client licenses have to be purchased to use the vpn. Greater complexity of client software. More pieces than "built in" SSL solution; more things to be configured, keep track of, buy, fix, maintain, update, etc. The box has multiple functions, firewall, vpn endpoint, switch, etc. SSL advantages: ******** Box is less complex, no other functions. No client required; "built in" browser capability. No client maintenance/cost, etc. SSL disadvantages: ************* Can run only web enabled applications, since it all runs in the browser. No access to network storage or printers. "Simpler" solution presents fewer hurdles to unauthorized access. That's the list I have so far. At this point, I'm strongly in favor of the IPSec solution, since I like the full access to the private network resources. But I would like to hear the input and experience of the cellar. What's your two cen t's worth? (hint: much more than two cents, to me ) Thanks in advance. __________________ Be Just and Fear Not.

01-17-2007, 09:51 AM	#7
BigV Goon Squad Leader Join Date: Nov 2004 Location: Seattle Posts: 27,063	imaginary conversation at House of Fobble CF: "Well, if you won't let me post those shower pictures, will you at least look at this computer question?! __________________ Be Just and Fear Not.

01-17-2007, 10:26 PM	#8
mbpark Lecturer Join Date: Jan 2001 Location: Carmel, Indiana Posts: 761	SSL VPNs I have used both, and the issues with port redirection and non-web applications in SSL VPNs have been mitigated by multiple vendors. The really high-end SSL VPNs like the AEP Networks Netilla have application-specific rules. I just put in a D-Link IPSec (no, I am not kidding) VPN in at a customer linking two sites (the budget just wasn't there to justify a higher expense). However, I have had great experience with the Juniper products (I use the Netscreen firewalls elsewhere). They make what appears to be a decent SSL VPN at: http://www.juniper.net/products_and_...re_access_700/ I also know that Cisco makes one, as well as Netgear: http://www.netgear.com/Products/VPNa...rs/SSL312.aspx I certainly hope that Netgear has done their best to lose their reputation for crap firmware. Their product does support port forwarding and redirection. Thanks, Mitch

01-15-2007, 06:29 PM	#2
SteveDallas Your Bartender Join Date: Jan 2002 Location: Philly Burbs, PA Posts: 7,651	What IPSec solutions are you considering? What kind of client are you planning to use?

01-15-2007, 06:53 PM	#3
Perry Winkle Esnohplad Semaj Ton Join Date: Feb 2005 Location: A little south of sanity Posts: 2,259	Ever looked at OpenVPN? IIRC, it's the base for Joel's Aardvark/Co-pilot software.

01-16-2007, 03:54 PM	#4
Clodfobble UNDER CONDITIONAL MITIGATION Join Date: Mar 2004 Location: Austin, TX Posts: 20,012	I don't know jack about squat, but my husband the network administrator says some of your SSL disadvantages are wrong. He says: You can definitely do non-web-enabled applications over SSL; an example program would be the Cisco SSL VPN, which installs an ActiveX applet that remaps network traffic over SSL regardless of port. This also allows for network drive mapping and printer mapping as well.

01-16-2007, 04:58 PM	#6
Clodfobble UNDER CONDITIONAL MITIGATION Join Date: Mar 2004 Location: Austin, TX Posts: 20,012	Don't thank me, I don't even really know what most of that gibberish means. But Mr. Clodfobble says, "No problem."

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)