
The pros and cons of IPSec

IPSec's remote-access drawbacks

Wide Area Networking Alert By Steve Taylor and Joanie Wexler, Network World
November 11, 2004 12:04 AM ET

Network World - There are two major types of Internet-based VPNs: IPSec VPNs and SSL VPNs. Each has significant advantages - and disadvantages - in the corporate networking environment.

The greatest advantage of IPSec is its transparency to applications. Because IPSec operates at Layer 3, it has essentially no impact on the higher network layers. As its name implies, IPSec protects traffic at the IP layer and is therefore indifferent to whether the application rides on TCP or UDP. Consequently, IPSec is equally appropriate for securing real-time traffic (such as VoIP) and traditional data applications.

Additionally, IPSec is usually deployed for site-to-site connections, where the tunnel is terminated by the gateway routers at each end. In that case the PCs on a site's LAN need no IPSec capability at all; their traffic is encrypted and decrypted by the gateway without their involvement. In a remote-access environment where there is no IPSec-enabled router at the remote end, however, the PC itself must run an IPSec client stack.

The disadvantage of an IPSec remote-access approach is that the tunnel extends the corporate network, at the IP layer, to the remote host. Once that host is connected, the other devices on its local network may also be able to gain access across the WAN to the corporate network, either by reaching the corporate subnets through the connected host or by first compromising the host itself. So it is quite possible for a worm on the "kid's computer" to spread, via the teleworker's PC, to shared drives on the corporate network.

In other words, any malicious traffic that can reach the remote host at the IP layer can be carried across the IPSec tunnel into the corporate network, because nothing in the tunnel inspects or restricts it by application. Preventing this is doable (disabling forwarding on the client, running a host firewall that blocks the home LAN while the tunnel is up, and limiting what the tunnel is allowed to carry), but it raises support costs.
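The client-side controls just mentioned can be checked mechanically. The script below is an added example and not part of the Network World column: it audits a Linux IPSec remote-access client for the exposure described above, using constructed inputs (a sysctl value and an `iptables-save` dump) so that it runs offline. It assumes the client initiates the tunnel, that the corporate gateway is the hypothetical address 203.0.113.10, and that the expected hardening is: IP forwarding off, default-DROP INPUT and FORWARD chains, and IKE (UDP 500), IKE NAT-T (UDP 4500) and ESP (IP protocol 50) admitted only from that gateway. On a real host you would feed it `/proc/sys/net/ipv4/ip_forward` and the output of `iptables-save`.

```python
"""Audit a Linux IPSec remote-access client for home-LAN-to-corporate exposure.

Added example; the inputs below are constructed so the check runs offline.
Gateway address 203.0.113.10 is a placeholder from the TEST-NET-3 range.
"""
import re

CORP_GATEWAY = "203.0.113.10"  # hypothetical corporate IPSec gateway

# Constructed sample: a client that forwards and accepts everything.
WEAK_IP_FORWARD = "1\n"
WEAK_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: forwarding off, default deny, only IKE/ESP from the gateway.
HARDENED_IP_FORWARD = "0\n"
HARDENED_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p esp -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")  # ":CHAIN POLICY [p:b]"
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)$")                  # "-A CHAIN <options>"


def parse_iptables_save(text):
    """Return (policies, rules): chain -> default policy, and (chain, options)
    for every -A rule in the dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, rules


def _accepts(rules, chain, src, needle):
    """True if an ACCEPT rule in `chain` is scoped to source `src` and carries
    the option `needle` as a whole token (so --dport 500 != --dport 5000)."""
    pat = re.compile(re.escape(needle) + r"(?=\s|$)")
    return any(c == chain and "-j ACCEPT" in opts and f"-s {src}" in opts
               and pat.search(opts) for c, opts in rules)


def audit_remote_access_host(ip_forward, iptables_save, corp_gateway):
    """Return a list of findings; an empty list means the host confines the
    tunnel to itself and admits only IKE/ESP from the corporate gateway."""
    findings = []
    if ip_forward.strip() != "0":
        findings.append("ip_forward enabled: host can route the home LAN into the tunnel")
    policies, rules = parse_iptables_save(iptables_save)
    if policies.get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP: other LAN devices can be forwarded across the tunnel")
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP: home LAN devices can reach this host directly")
    gw = f"{corp_gateway}/32"  # iptables-save normalises a host address to /32
    if not _accepts(rules, "INPUT", gw, "--dport 500"):
        findings.append("no INPUT rule admitting IKE (UDP 500) from the corporate gateway")
    if not _accepts(rules, "INPUT", gw, "--dport 4500"):
        findings.append("no INPUT rule admitting IKE NAT-T (UDP 4500) from the corporate gateway")
    if not _accepts(rules, "INPUT", gw, "-p esp"):
        findings.append("no INPUT rule admitting ESP (IP protocol 50) from the corporate gateway")
    return findings


if __name__ == "__main__":
    for label, fwd, tbl in (("weak", WEAK_IP_FORWARD, WEAK_IPTABLES),
                            ("hardened", HARDENED_IP_FORWARD, HARDENED_IPTABLES)):
        print(f"[{label}] findings: {audit_remote_access_host(fwd, tbl, CORP_GATEWAY) or 'none'}")
```

The weak configuration produces six findings; the hardened one produces none. The explicit ESP rule matters because the ESTABLISHED,RELATED conntrack rule covers the UDP IKE exchange the client started, but ESP is a separate IP protocol with no port numbers, so admitting it only from the gateway address is the narrowest rule a host firewall can express.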

By contrast, SSL VPNs operate at higher network layers, proxying specific applications rather than routing raw IP traffic. The remote host therefore gets no IP-level reachability to corporate subnets and no direct exposure of network drives, which shields the network against threats like worms that propagate over file-sharing protocols. (This holds for application-proxying SSL VPNs; an SSL VPN configured for full network extension hands the remote host Layer 3 reachability again and forfeits the advantage.)

Another IPSec disadvantage is that if you're working off-site, say, at a partner location, connecting to your own company's network is difficult if not impossible because of restrictions in most corporate firewalls. IPSec needs IKE on UDP port 500 plus ESP (IP protocol 50), or UDP port 4500 when NAT traversal is used, to pass outbound; partner firewalls that allow only web traffic block these, and an intervening NAT device breaks ESP unless both ends support NAT traversal.

Finally, for part-time teleworkers, it is becoming difficult to use a home Internet connection for corporate network access over an IPSec-encrypted VPN tunnel. Increasingly, ISPs consider anything IPSec-encrypted to be a "business-class" transmission. As such, they want to charge higher rates for IPSec traffic and will block it if the subscriber's service type is not business class.

Next time we'll conduct a similar evaluation of SSL VPNs.


Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.
