Securing your data
Simon Clifford, network consultant at Networks First, says there is no need to compromise security for flexibility with remote networking
Many organisations have struggled with Internet Protocol Security (IPsec) Virtual Private Networks (VPN) because of the administrative headaches and costs associated with downloading proprietary software on each device for access to the network. For some companies the option of going clientless is far more appealing. Secure Sockets Layer Virtual Private Networks (SSL VPN) are now emerging as a popular solution.
An SSL VPN is a form of VPN that can be used with a standard web browser so it does not require the installation of specialised client software on end-users' computers. Given the business demand for secure, easy, anytime, anywhere remote access for employees who are working from home or travelling, the surge of interest in SSL-based VPNs is not surprising. The key is deciding when to use IPSec and when to use SSL VPN.
Flexibility is a top requirement. Companies provide access to a mix of third parties including contractors and employees and they need to apply different profiles to suit each party. The SSL VPN model is well suited to this because it cuts out client installation and configuration and opens up policy administration, enforcement and access control.
Improved security is the big question, however, and with integrated host integrity checking and session proxying, SSL VPNs enhance corporate perimeter defences without being over-prescriptive.
Are SSL VPNs as secure and reliable as IPSec, however? Both IPSec and SSL VPNs can provide enterprise-level secure remote access, but in totally different ways. IPSec connects hosts to entire private networks, while SSL VPNs connect users to services and applications inside those networks. These differences directly impact both application and security services and will influence the decision on which technology to deploy and where. Both support a number of user authentication processes.
Whether a VPN uses IPsec or SSL VPN, it is only as secure as the applications connected to it, whether these are PCs, laptops or PDAs. Without security precautions, any device can be used to attack a network. Therefore, businesses deploying any kind of VPN should install security measures, such as personal firewalls, malware scanning, intrusion prevention, operating system authentication and file encryption.
The primary allure of SSL VPNs is their use of standard browsers that remove the need to install client software, making it easier to use, saving time and money. But there are a number of factors to consider. SSL VPNs do a great job making browser-based applications available to remote devices. However, generally speaking, the more diverse the application mix, the more attractive IPSec appears. It boils down to a trade-off between IPSec client installation and SSL VPN customisation.
SSL VPN sales remain on a steep growth curve. The products on offer have matured significantly since the early adopters started installing them a few years ago, and there has been significant consolidation in the market, with very few pure-play vendors left in the frame. Given the scalability and security advantages over IPSec, SSL VPNs now lead the way as the technology of choice for client remote access.
As user constituencies become larger and more diverse, information on a network must be protected and separated into different divisions to keep it safe. Today, SSL VPN adoption is driven by tight IT budgets and vendor promises to reduce total cost of ownership. As SSL VPN products mature, they must deliver on this promise in large successful deployments, grow their turnkey support for common business applications, and demonstrate their ability to withstand internet threats and enterprise performance demands. If they can do all this, SSL will give IPSec a real run for its money in the remote access VPN market.