Clarifying issues surrounding this emerging security architecture
SSL VPN vendors like to point out that their equipment can now equal the functionality of IPSec VPNs for remote access as a way to attract business, but that might not always be a good selling point.
SSL VPN equipment operating at the application layer rather than the network layer gives the organizations that deploy it much finer control over which resources individuals and groups can access. This was one of the main points that Network World SSL VPN tester Joel Snyder made during Interop last week in the SSL classes he led.
Essentially, the network-layer access that SSL VPNs can provide is IPSec running over an SSL transport. Once a machine is admitted to the network, it has access to the whole network.
In many cases that is fine, but in many other cases it is exactly what network executives are trying to avoid. For example, a business might want to allow a business partner to reach only certain resources on its network. An SSL VPN that proxies traffic rather than granting network access is much better equipped to let partners in and keep them corralled where they belong.
SSL VPNs have the added benefit of requiring no firewall rule changes, either by the business setting up the connection or by the partners. And the business hosting the VPN can revoke access simply by deleting partners from the authorized groups.
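To make the contrast concrete, here is an added toy model (not code from the article, Snyder's tests, or any vendor product) of the two access models: a proxying gateway that decides each request from group membership, beside a network-layer tunnel that only checks admission. All user names, group names and host names are constructed for the example.

```python
# Added example: per-request, group-based authorization (application-layer
# SSL VPN proxy) versus admission-only access (network-layer tunnel).
from dataclasses import dataclass, field

# Constructed sample data: hosts reachable behind the VPN gateway.
INTERNAL_RESOURCES = {"crm.internal", "build.internal", "hr-db.internal"}


@dataclass
class ProxyPolicy:
    """Proxying SSL VPN: access is decided per request from the user's
    group memberships, never from 'being on the network'."""
    group_resources: dict = field(default_factory=dict)  # group -> allowed hosts
    user_groups: dict = field(default_factory=dict)      # user -> set of groups

    def allowed(self, user, resource):
        groups = self.user_groups.get(user, set())
        return any(resource in self.group_resources.get(g, set()) for g in groups)

    def revoke(self, user, group):
        # Revocation is just removing the user from the authorized group;
        # no firewall rule on either side has to change.
        self.user_groups.get(user, set()).discard(group)


def network_layer_allowed(admitted_hosts, host, resource):
    """Network-layer (IPSec-over-SSL style) access: once a machine is admitted
    to the tunnel it can reach any internal resource, so admission is the
    only check that is ever made."""
    return host in admitted_hosts and resource in INTERNAL_RESOURCES


def demo():
    partner = "alice@partner.example"  # constructed partner identity
    policy = ProxyPolicy(
        group_resources={"partners": {"crm.internal"},
                         "engineering": {"build.internal"}},
        user_groups={partner: {"partners"}},
    )
    before = {r: policy.allowed(partner, r) for r in sorted(INTERNAL_RESOURCES)}
    policy.revoke(partner, "partners")           # drop the partner from the group
    after = policy.allowed(partner, "crm.internal")
    tunnel = {r: network_layer_allowed({"10.8.0.5"}, "10.8.0.5", r)
              for r in sorted(INTERNAL_RESOURCES)}
    return before, after, tunnel


if __name__ == "__main__":
    print(demo())
```

Running it shows the proxied partner reaching only the CRM host and losing even that once removed from the group, while the admitted tunnel client reaches every internal host.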
An upside of the network-layer VPN access that SSL gateways can provide is that the clients they require are generally simpler to install than IPSec clients, Snyder says.
More on Snyder's observations in the next few newsletters.
Tim Greene is senior editor at Network World.