The pros and cons of IPSec

* IPSec's remote-access drawbacks

There are two major types of Internet-based VPNs: IPSec VPNs and SSL VPNs. Each has significant advantages - and disadvantages - in the corporate networking environment.

The greatest advantage of IPSec is its transparency to applications. Since IPSec operates at Layer 3, it has essentially no impact on the higher network layers. As implied by its name, IPSec runs at the IP layer and, as such, is indifferent to whether application traffic is transported over TCP or UDP. Consequently, IPSec is equally appropriate for securing real-time traffic (such as VoIP) as it is for traditional data applications.

Additionally, since IPSec is usually deployed for inter-site connections, the PCs attached to the network at a given site often need not run IPSec themselves; the site router handles it. In a remote-access environment where there is no IPSec-enabled router, however, the PC must run a copy of the IPSec stack.

The disadvantage of an IPSec remote-access approach is that once a computer is attached to the IPSec-based network, all of the other devices on that local network might also be able to gain access across the WAN to the corporate network. So it's possible that a worm on the "kid's computer" could easily spread to shared drives on the corporate network.

In other words, any vulnerabilities that exist at the IP layer in the remote network could be passed to the corporate network across the IPSec tunnel. Making sure that this doesn't happen is doable, but results in higher support costs.
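An added example (not code from the column) of a check a VPN gateway operator could run over per-tunnel flow records to spot the problem just described: inner source addresses that are not the address assigned to the remote client, i.e. other machines on the remote LAN routing through the tunnel. The log format, field names and addresses are constructed assumptions.

```python
# Constructed sample: decapsulated (inner) flow records as a VPN gateway
# might export them, one record per line, key=value fields (assumed format).
SAMPLE_FLOWS = """\
tun=sa-17 src=10.8.0.23 dst=172.16.4.10 proto=tcp dport=445
tun=sa-17 src=192.168.1.55 dst=172.16.4.10 proto=tcp dport=445
tun=sa-17 src=10.8.0.23 dst=172.16.4.20 proto=udp dport=5060
tun=sa-42 src=10.8.0.77 dst=172.16.4.10 proto=tcp dport=445
tun=sa-42 src=192.168.0.12 dst=172.16.4.30 proto=tcp dport=139
"""

# Inner address assigned to each remote-access tunnel (constructed); in a
# real deployment this comes from the IKE-negotiated traffic selectors.
TUNNEL_CLIENT_IP = {"sa-17": "10.8.0.23", "sa-42": "10.8.0.77"}


def parse_flow(line):
    """Split 'k=v k=v ...' into a dict; malformed lines raise ValueError."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_piggyback_flows(log_text, tunnel_client_ip):
    """Return every flow whose inner source is not the tunnel's client IP.

    A tunnel id that is not in the mapping is also reported, since the
    gateway has no basis for trusting any source behind it.
    """
    suspicious = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        expected = tunnel_client_ip.get(flow["tun"])
        if expected is None or flow["src"] != expected:
            suspicious.append(flow)
    return suspicious


def foreign_sources_by_tunnel(log_text, tunnel_client_ip):
    """Group the unexpected inner sources by tunnel for an alert summary."""
    summary = {}
    for flow in find_piggyback_flows(log_text, tunnel_client_ip):
        summary.setdefault(flow["tun"], set()).add(flow["src"])
    return summary


if __name__ == "__main__":
    for tun, sources in foreign_sources_by_tunnel(SAMPLE_FLOWS, TUNNEL_CLIENT_IP).items():
        print(f"{tun}: unexpected inner sources {sorted(sources)}")
```

A client that NATs its home LAN behind the tunnel address defeats this check, which is why the gateway should also enforce the negotiated traffic selectors rather than rely on log review alone.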

By contrast, SSL VPNs run at higher network layers, so they don't expose network drives to remote workers, shielding the network against threats such as worms.

Another IPSec disadvantage is that if you're working off-site, say, at a partner location, connecting to your own company's network is difficult if not impossible due to restrictions in most corporate firewalls.

Finally, for part-time teleworkers, it is becoming difficult to use the home Internet connection for corporate network access if using an IPSec-encrypted VPN tunnel. Increasingly, ISPs consider anything IPSec-encrypted to be a "business-class" transmission. As such, they want to charge higher rates for IPSec traffic and will block IPSec traffic if the service type is not business class.

Next time we'll conduct a similar evaluation of SSL.

Copyright © 2004 IDG Communications, Inc.
