SSL vs IPSec VPNs

Management is finally listening to my concerns about securing any external access to the network. They understand that some additional software may be necessary on remote PCs accessing our network and that some training may be needed by remote users as well as the staff administering the VPN system. In doing research on the best system to purchase for our needs, I have seen two - one that mentions the use of  IPSec and the other, an  SSL-based VPN. Which is best?
- Via the Internet
 
The IPSec-based VPN is what you might think of as the "conventional"-type VPN. This can use up to Triple-DES encryption to secure the communications from the remote users to your network. This requires that software be installed on remote users’ machines. This can add additional steps users must take before gaining access to your network. Examine different vendors’ solutions in this area and you should be able to find one that will allow you to send a CD or floppy with a scripted install that would require little to no input from the user during the installation process.
 
When implementing this type of solution, you may want to think about mandating some type of software policy for remote users that requires you be notified of software before it is installed on machines or that your department does the installation. While this may seem like unnecessary overhead, it can help you catch a problem before it becomes an issue. I have seen situations where seemingly "innocent" software, such as some of the game simulation packages or drivers for some multifunction printers (i.e. printer/copier/scanner), has caused the VPN software to stop working.
 
The other VPN solution using SSL doesn’t require any software installation on remote PCs. Since this option uses a Web browser and an SSL connection to establish the connection, you will need to look at what resources users need to access to know if this will work. Since you won’t be able to map any drives directly (unless the SSL VPN vendor has included additional functionality in its product), you’ll be limited to whatever Web-based applications your company is currently using. This type of remote access can be cheaper to implement and/or operate than its IPSec counterpart but with tradeoffs that may limit how well it can address your remote access needs.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Management is finally listening to my concerns about securing any external access to the network. They understand that some additional software may be necessary on remote PCs accessing our network and that some training may be needed by remote users as well as the staff administering the VPN system. In doing research on the best system to purchase for our needs, I have seen two - one that mentions the use of  IPSec and the other, an  SSL-based VPN. Which is best?
- Via the Internet
 
The IPSec-based VPN is what you might think of as the "conventional"-type VPN. This can use up to Triple-DES encryption to secure the communications from the remote users to your network. This requires that software be installed on remote users’ machines. This can add additional steps users must take before gaining access to your network. Examine different vendors’ solutions in this area and you should be able to find one that will allow you to send a CD or floppy with a scripted install that would require little to no input from the user during the installation process.
 
When implementing this type of solution, you may want to think about mandating some type of software policy for remote users that requires you be notified of software before it is installed on machines or that your department does the installation. While this may seem like unnecessary overhead, it can help you catch a problem before it becomes an issue. I have seen situations where seemingly "innocent" software, such as some of the game simulation packages or drivers for some multifunction printers (i.e. printer/copier/scanner), has caused the VPN software to stop working.
 
The other VPN solution using SSL doesn’t require any software installation on remote PCs. Since this option uses a Web browser and an SSL connection to establish the connection, you will need to look at what resources users need to access to know if this will work. Since you won’t be able to map any drives directly (unless the SSL VPN vendor has included additional functionality in its product), you’ll be limited to whatever Web-based applications your company is currently using. This type of remote access can be cheaper to implement and/or operate than its IPSec counterpart but with tradeoffs that may limit how well it can address your remote access needs.

Read more about security in Network World's Security section.