VPN Technology Primer and Comparison of VPN Technology Options

Cisco Press


SSL is a protocol that encrypts Transmission Control Protocol (TCP) sessions, operating at Layer 4 of the OSI stack. Initially developed by Netscape, SSL allows a secure exchange between two workstations communicating over the Internet. SSL version 3.0 is the foundation on which TLS 1.0, the version the IETF ratified as Transport Layer Security (TLS), was built. SSL and TLS use a cryptographic system with two keys: a public key known to everyone and a private (secret) key known only to the recipient of the message. HTTP is often secured by SSL or TLS to carry out a secure transaction such as a credit card information exchange. Secure HTTP (S-HTTP) is another protocol that provides functionality similar to SSL. SSL creates a secure connection between a client and a server over which any amount of data can be sent securely, whereas S-HTTP is designed to transmit individual messages securely. The IETF has approved both SSL and S-HTTP; they are complementary rather than competing technologies.

Finally, split routing is a routing technique that separates IP traffic by source network and designated destination, so that a VPN can be built from the traffic sourced from specific networks and destined for a given endpoint.
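As an added illustration (not code from the Cisco Press text), the following Python model shows how split routing and MPLS VPN membership keep customer traffic apart: each VPN gets its own routing table keyed by a route distinguisher, each ingress logical port is bound to one table at provisioning time, and a lookup never consults another customer's table. Port names, route distinguisher values, prefixes and next hops are constructed sample data.

```python
# Added example (not from the Cisco Press text): a minimal model of the traffic
# separation that MPLS VPNs and split routing provide. Each VPN has its own
# routing table (a VRF) keyed by a route distinguisher (RD), and each ingress
# logical port is mapped to exactly one VRF during provisioning. Two customers
# can therefore use the same private address space without their routes mixing.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample provisioning data: RD -> list of (prefix, next hop).
# Both VPNs announce 10.1.0.0/16; the RD keeps the two copies distinct.
VRF_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "65000:100": [("10.1.0.0/16", "PE-A"), ("10.1.200.0/24", "PE-E"),
                  ("10.2.0.0/16", "PE-B")],                              # customer Alpha
    "65000:200": [("10.1.0.0/16", "PE-C"), ("192.168.0.0/24", "PE-D")],  # customer Beta
}

# Logical port -> RD, fixed at provisioning time (the table's Session Authentication row).
PORT_TO_RD: Dict[str, str] = {
    "ge-0/0/1.100": "65000:100",
    "ge-0/0/2.200": "65000:200",
}

def lookup(port: str, dst: str) -> Optional[str]:
    """Return the next hop for a packet arriving on `port` bound for `dst`.

    None means the packet is dropped: either the port is not a member of any
    VPN (unauthorized access) or the port's VRF has no route for the
    destination. Another customer's table is never consulted.
    """
    rd = PORT_TO_RD.get(port)
    if rd is None:
        return None
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, next_hop in VRF_TABLES[rd]:
        net = ipaddress.ip_network(prefix)
        # Longest-prefix match, restricted to this VRF's routes only.
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None

if __name__ == "__main__":
    print(lookup("ge-0/0/1.100", "10.1.5.5"))      # PE-A: Alpha's 10.1.0.0/16
    print(lookup("ge-0/0/2.200", "10.1.5.5"))      # PE-C: Beta's copy of the same prefix
    print(lookup("ge-0/0/1.100", "10.1.200.7"))    # PE-E: more specific route wins
    print(lookup("ge-0/0/1.100", "192.168.0.9"))   # None: not in Alpha's VRF
    print(lookup("ge-0/0/9.999", "10.1.5.5"))      # None: port is not provisioned
```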

Table 3-1 shows a direct comparison between MPLS, IPsec, and SSL in light of VPN solution deployment considerations and helps decision makers to select the appropriate technology to suit their business requirements.

Table 3-1 Comparison of MPLS, IPsec, and SSL Deployments

| | MPLS-Based VPN | IPsec-Based VPN | SSL-Based VPN |
|---|---|---|---|
| Topology | Site-to-site VPN: Hub-and-spoke or full-mesh. | Site-to-site VPN: Mainly hub-and-spoke and dual hub for backup. Remote-access VPN: Mainly VPN head-end with redundancy. | Remote-access VPN: Endpoint to endpoint with load balancing at the head-end. |
| Session Authentication | Establishes VPN membership during provisioning, based on logical port and unique route descriptor. Defines access to a VPN service group during service configuration; denies unauthorized access. | Authenticates through digital certificate or preshared key. Drops packets that do not conform to the security policy. | Handshake process with extension allows clients to initiate a session with a virtual server. |
| Confidentiality | Separates traffic, which achieves the same results delivered in trusted Frame Relay or ATM network environments. | Uses a flexible suite of encryption and tunneling mechanisms at the IP network layer. | Encrypts traffic using standard symmetric ciphers. |
| Service-Level Agreements Based on Quality of Service | Enables SLA with a scalable, robust QoS mechanism and traffic engineering capability. | Does not address QoS and SLA directly, although Cisco IPsec VPN deployments can preserve packet classification for QoS within an IPsec tunnel. | Not applicable; the service provider network is unaware of SSL traffic. |
| Scalability | Highly scalable because no site-to-site peering is required. Capable of supporting tens of thousands of VPNs over the same network. | Site-to-site VPN: Acceptable scalability in most typical hub-and-spoke deployments. Scalability becomes challenging for a very large, fully meshed IPsec VPN deployment; may require supplemental planning and coordination to address key distribution, key management, and peering configuration. Remote-access VPN: Scalability at the head-end is addressed with a VPN concentrator type of device. | Load balancing is required at the head-end because SSL requires a point-to-endpoint connection. Not applicable on the client side because the service provider network is unaware of SSL traffic. |
| Provisioning and Operations | MPLS monitoring and traffic engineering required. Requires one-time provisioning of customer edge and provider edge devices to enable the site to become a member of an MPLS VPN group. | Reduces operational expense through centralized network-level provisioning for IPsec VPN terminating on CPE. Uses centralized provisioning for IPsec VPN terminating in the network equipment, typically mapping to a designated instance of an MPLS VRF. Can be deployed across any existing IP network or the Internet. The head-end needs to ensure that the rate of IKE sessions initiated per second and the number of simultaneous IKE negotiations can be processed. | No need to manage the client, because SSL support is standard on endpoints. The head-end needs monitoring and capacity management to ensure that the SSL connections per second and the number of simultaneous SSL connections can be terminated at the head-end. |
| VPN Client | Transparent to the endpoint because label-switching knowledge is not required. MPLS VPN is a network-based VPN service; users do not need VPN clients to interact with the network. | Required for client-initiated IPsec VPN deployments. Cisco VPN client software is supported on Microsoft Windows, Solaris, Linux, and Macintosh operating systems. | Not required; relies on the web browser. |
| Place in Network | Core network. | Local loop, edge, and off net. | Local loop, edge, and off net. |
| Layer and Application Transparency | Resides at the network layer. Transparent to applications. | Resides at the network layer. Transparent to applications. | Resides at the session layer. Currently, many TCP-based applications work with SSL; however, voice and video for remote clients generally do not run over an SSL connection. |
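The head-end capacity requirement in the table's SSL column, as an added example rather than anything from the book: the code below parses constructed connection-log lines (the log format is an assumption), counts new SSL connections per second and concurrent sessions, and reports the seconds in which either exceeds the head-end's rated figures.

```python
# Added example (not from the Cisco Press text): the capacity check the table's
# SSL column calls for at the head-end. Constructed log lines are parsed, new
# connections per second and concurrent sessions are counted, and any second
# in which either figure exceeds the rated capacity is reported.
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log. The line format "<ISO timestamp> <OPEN|CLOSE> <session-id>"
# is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2007-03-01T09:00:00 OPEN s1
2007-03-01T09:00:00 OPEN s2
2007-03-01T09:00:00 OPEN s3
2007-03-01T09:00:01 CLOSE s1
2007-03-01T09:00:01 OPEN s4
2007-03-01T09:00:02 OPEN s5
2007-03-01T09:00:02 OPEN s6
2007-03-01T09:00:02 OPEN s7
2007-03-01T09:00:03 CLOSE s2
"""

def parse(log: str) -> List[Tuple[int, str, str]]:
    """Return (seconds since the first event, event, session_id) in log order."""
    rows = [line.split() for line in log.splitlines() if line.strip()]
    first = datetime.fromisoformat(rows[0][0])
    return [(int((datetime.fromisoformat(ts) - first).total_seconds()), ev, sid)
            for ts, ev, sid in rows]

def capacity_report(log: str, max_cps: int, max_concurrent: int) -> Dict[str, List[int]]:
    """List the seconds in which the new-connection rate exceeded max_cps or the
    number of simultaneous sessions exceeded max_concurrent."""
    new_per_sec: Dict[int, int] = defaultdict(int)
    concurrent_per_sec: Dict[int, int] = {}
    active = set()
    for sec, ev, sid in parse(log):
        if ev == "OPEN":
            active.add(sid)
            new_per_sec[sec] += 1
        else:
            active.discard(sid)
        concurrent_per_sec[sec] = len(active)   # session count at the end of that second
    return {
        "rate_exceeded": sorted(s for s, n in new_per_sec.items() if n > max_cps),
        "concurrency_exceeded": sorted(s for s, n in concurrent_per_sec.items()
                                       if n > max_concurrent),
    }

if __name__ == "__main__":
    # Head-end rated for 2 new connections/s and 5 simultaneous sessions (assumed figures).
    print(capacity_report(SAMPLE_LOG, max_cps=2, max_concurrent=5))
    # {'rate_exceeded': [0, 2], 'concurrency_exceeded': [2]}
```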


MPLS VPN provides security equivalent to that of legacy technologies such as Frame Relay and ATM. MPLS integrates Layer 2 information about network links, such as bandwidth, latency, and utilization, into Layer 3 (IP) within a service provider's network to simplify and improve IP-packet exchange.

Building an MPLS VPN provides an efficient transport mechanism for interconnecting business networks while keeping that traffic separate from other business traffic traversing the shared infrastructure. MPLS VPNs are flexible because the high availability that businesses require is provided by diverting and routing traffic around link failures, congestion, and bottlenecks.

In addition to data separation, MPLS VPNs also provide quality of service to manage different kinds of data streams based on traffic priority and the business service plan.

IPsec VPN provides the most robust remote access environment to remote users by extending almost any data, voice, or video application available in the office to remote working locations. IPsec VPN client software on the remote system enables a user experience and workflow consistent with the office environment by providing easy application access and system integrity enforcement. IPsec VPN provides the most comprehensive level of network access to remote users, thus extending the productivity of the office to virtually any location. This "any application access" has made IPsec VPN the de facto standard for extending connectivity to home offices, traveling employees, remote workers, and day extenders.

SSL-based VPN is a comparatively new technology that provides remote access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. Although application accessibility is constrained relative to IPsec VPNs, SSL-based VPNs allow for access to a growing set of common software applications. SSL-based VPN requires slight changes to user workflow because some applications are presented through a web-browser interface, not through their native GUI. Client/server application support generally requires specific and sometimes browser-dependent applets to be dynamically downloaded to the remote system. Using web technology for connectivity allows accessibility from almost any Internet-connected system without needing to install additional desktop software. Because SSL-based VPN can provide network access to users from almost any Internet-connected system, it is an emerging option for extending remote access to users who require access to specific applications.

Copyright © 2007 Pearson Education. All rights reserved.


Copyright © 2007 IDG Communications, Inc.
