by Chris Hopen

SSL-based VPNs are superior

Aug 04, 2003 | 3 mins
Network Security, Networking, Remote Access

Secure Sockets Layer VPNs are the superior option for secure “anywhere” remote access. Why? SSL VPNs let companies extend secure remote access to more people, places, devices and network resources than traditional IP Security VPNs, while lowering deployment and support costs. Enterprise-ready SSL VPN technology is becoming the de facto standard for secure anywhere remote access for a range of reasons. Here are just a few:

•  SSL VPNs provide strong security for remote access. IPSec VPNs create a tunnel between two points, providing direct (non-proxied) access and visibility to the entire network; once the tunnel is created, it is as if the user’s PC were physically on the corporate LAN. This method creates various security risks, especially if the user has restricted access privileges. SSL VPNs provide a secure, proxied connection just to the resources that the user is authorized to access. As a result, users never have a direct network connection, which is safer. Split tunneling – the ability for an end user to have access to the Internet and internal corporate resources simultaneously – is controllable with SSL VPNs. In addition, SSL VPNs provide detailed access control, making it easy to give different access privileges to different users. With a remote-access IPSec VPN, this precise access control is often impossible, or at best difficult, and scales poorly.

•  SSL VPNs do not require complex, intrusive clients. This makes them easier to install and support, which leads to significant cost savings. SSL is pre-installed on every major browser, making SSL VPNs a clientless solution. IPSec VPNs require a device-specific client installation on the remote end-user side of the secure tunnel, which is often difficult and in some cases impossible to implement on external, non-corporate-controlled devices. In addition, these clients become an ongoing burden to keep up to date.

•  SSL VPNs can extend anywhere remote access to a larger range of locations and network resources from more Internet-enabled devices. SSL VPN communications ride on top of standard TCP/User Datagram Protocol (UDP) transports, enabling SSL VPNs to traverse network address translation (NAT) devices, proxy-based firewalls and stateful inspection firewalls. This ability makes anywhere access possible even from behind a proxy-based firewall on another company’s network or on broadband connections. IPSec VPNs frequently can’t support complex networks because they struggle with firewall traversal, IP address conflicts and NAT. In addition, an SSL VPN provides access from corporate-managed devices and unmanaged devices, such as home PCs and Internet kiosks. With IPSec client issues, an IPSec VPN is practical only from managed or fixed-location devices.

As remote-access demands have snowballed, remote-access IPSec VPNs are too limited in the access they can provide, as well as too costly to administer and support. IPSec continues to be the best solution for site-to-site connections. However, when it comes to providing secure anywhere remote access, SSL VPNs are a better alternative.

Hopen is CTO of Aventail, an SSL VPN vendor in Seattle. He can be reached