by Brian Feng

IPSec VPNs are the best choice

Opinion
Aug 04, 2003, 3 mins
Network Security, Networking, Remote Access

IP Security VPNs remain the best choice for connecting multiple private networks over the Internet. IPSec operates at the network layer, securing all data between endpoints, regardless of application. It “virtually” puts remote clients on the corporate network, thus enabling all rights and functionality that users would have if they were in the office.



Secure Sockets Layer users are limited to applications that can be accessed from a Web browser. This is fine for newer, Web-based business software, but it prevents users from accessing non-Web applications, and complicates functions such as file sharing, scheduled file backups and automated file transfers. You can add support for non-Web applications with upgrades, patches, SSL gateways and other workarounds, but they tend to be expensive and complicated to implement. IPSec VPNs give users access to the resources that are available on the corporate network regardless of whether they are Web-based, and are the best solution for programs that require two-way automated communication.

SSL is gaining popularity because it is relatively easy to deploy and does not require a software client to establish a VPN connection. Allowing users to access corporate applications from any Internet terminal with an SSL-enabled Web browser has a certain amount of appeal. However, giving users access to corporate networks via unsecured computers, which might be susceptible to keystroke-logging software and Trojan horses, also is a security risk.

IPSec VPNs require remote-access clients to have properly installed and configured IPSec client software or an access device. This provides a higher degree of security because access is limited to specific access devices, software clients, user authentication mechanisms and pre-defined security associations.

Administrators can expect to expend some effort to roll out IPSec client software. However, rollouts are easier than they were. IPSec clients that can be “silently installed” without any necessary user intervention are available. The VPN server can simplify setup for both the administrator and end user by automatically installing and configuring the client package on the end user’s access device.

IPSec and SSL VPN technologies have strengths and weaknesses. IPSec’s ability to deliver complete network-layer connectivity makes it the best option for securely connecting multiple private networks. While SSL’s clientless structure is well-suited for connecting remote users to Web-based corporate applications from basically any Web browser, it presents some security risks when users are working at public Internet stations. IPSec software clients require some effort to install, and IPSec does not allow access from public Internet stations, but it does provide secure access to Web-based and non-Web applications. For IT administrators, it comes down to choosing which trade-offs to make when designing a VPN strategy that best meets their needs.

Feng is vice president of engineering at ZyXEL Communications, a global provider of broadband access products in Placentia, Calif. He can be reached at bfeng@zyxel.com.