The great VPN debate
Consider the strengths and weaknesses of IPSec and SSL before picking the technology that's right for your virtual private network
- By David Essex
- Apr 28, 2006
The saga of the Labor Department's attempt to outfit Mine Safety and Health Administration employees with remote access through virtual private networks serves as a minihistory of the technology. In 2003, the agency tried VPNs based on the most popular technology of the time: Internet Protocol Security, which essentially provides a direct pipe to the agency network. But administrators got bogged down in tech support. IPSec requires installing a tricky-to-configure program on every remote machine. Plus, firewall and other network conflicts can mean help desk nightmares.
The following year, the agency moved to Secure Sockets Layer VPNs. Touted as IPSec's heir apparent, SSL VPNs employ Web browser technology that requires little or no client software. The agency installed SSL VPN appliances from Juniper Networks and by spring 2005 had 2,200 employees using remote access, along with a huge drop in service calls.
Many agencies, if they have not already done so, will soon face the issue of what technology they should use to connect remote workers. While the push for more telecommuting by federal employees is a major driver of VPN demand, experts also cite strong interest from agencies implementing disaster recovery plans.
'A lot of governments feel they need to have fail-safes in place so that if up to 75 percent of the employees have to work at home, they will be able to handle that spike,' said Robert Whiteley, senior analyst at Forrester Research.
In fact, VPN sales are skyrocketing across all industries. According to International Data Corp., a market research firm, worldwide sales of just $75 million in 2003 nearly tripled to $200 million the following year and were estimated to close out 2005 at $325 million.
Pros and cons
In a nutshell, a VPN is a way to link network nodes over the public Internet while keeping the connection private, using encryption and other security techniques.
Here's the critical difference between the two main technologies: IPSec essentially opens a fully functioning pipeline directly to the internal LAN, while SSL provides access to a select group of applications.
'IPSec is like an extension of your LAN,' Whiteley said. 'It's a Layer 3 pipe, and pretty much every application will run over it. SSL sits above that, in Layer 4 or 5, so it doesn't necessarily work with all applications.' Still, SSL vendors have found ways around these limitations, Whiteley said.
In practice, because IPSec tunnels all IP traffic at the network layer and needs configured software at each end anyway, it is the usual choice for linking two networks at different locations through their gateways, called a site-to-site VPN. IPSec proponents also say it is superior for transferring large files.
With its simple setup, SSL is generally better for quickly activating large numbers of remote users, even on an ad hoc basis.
'IPSec VPNs are the clear choice when you have two dedicated endpoints,' said Tim Simmons, product marketing manager at Citrix Systems, a maker of SSL VPN appliances and remote-access servers for the Defense Department and other large agencies. 'SSL VPNs really excel at the connections to multiple unknown clients.' Several SSL-oriented vendors say they invested in the technology precisely to help organizations avoid problems they had getting IPSec to traverse network address translation and firewalls.
Going forward, though, IPSec and SSL may start to look more alike. It used to be safe to say that SSL required no special client software. But SSL VPN vendors have been adding features that require small ActiveX or Java applets to be downloaded to the remote device, and sometimes they use IPSec for the download. 'Everybody is moving toward full VPN clients,' Simmons said. 'SSL VPNs are starting to look a lot like IPSec VPNs.'
'The problem is not having a client on the endpoint, per se, it's 'How do you get that client to the endpoint?' ' said Niv Hanigal, product manager for Juniper. Hanigal said users of Juniper VPNs don't have to worry about software. 'They go to the Web site to log in, and in the background, something's being downloaded,' he said. 'It's usually only 500K.'
It's not always an either/or choice between IPSec and SSL. A few vendors, among them Check Point, Cisco and Nortel, offer hybrids, giving remote users more connection choices. Some SSL vendors rely on IPSec to provide client/server access or to string SSL appliances together. And several companies offer various flavors of VPN to meet agencies' unique requirements.
Security profiles
While all VPN products support a slew of government-endorsed encryption schemes, such as Advanced Encryption Standard and Triple Data Encryption Standard, those meeting the most stringent standards put their cryptographic modules through testing overseen by the National Institute of Standards and Technology to achieve validation under Federal Information Processing Standard 140-2. A few are now also being evaluated against the Common Criteria, covering encryption and authentication functions, under the National Information Assurance Partnership, a NIST partnership with the National Security Agency.
As a full network connection, IPSec is more open to exploitation by hackers, especially through underprotected remote machines, according to John Girard, an analyst for Gartner Inc. of Stamford, Conn., who wrote a 2005 analysis of the competing technologies. Because IPSec doesn't force strong authentication, it is accessible through a simple user name and password, increasing the chance of break-ins, Girard said.
But SSL is not without dangers. Because SSL VPNs make it easy to connect from any machine with a browser, the aggregate risk from the sheer number of unmanaged PCs reaching the network is greater. It's a sentiment shared by Sonny Gutierrez, LAN/WAN security specialist at CDW Government, which sells both types of VPN products. 'You can sleep easy at night knowing you're running IPSec tunnels instead of SSL,' Gutierrez said. 'IPSec technology is basically built into every firewall.'
Girard recommends that organizations establish policies to restrict SSL VPN use. Indeed, products geared to large enterprises, such as those from Aventail, F5 and Juniper, enhance security with administrative software. 'We really allow the administrator to control specific applications on a particular user's device,' said Chris Witeck, Aventail's director of product management. 'You're not really authorizing a user to access your network, you're letting them access specific resources.'
Enterprise-class VPN products also perform endpoint analysis (also called integrity checking), which tests the remote client for firewalls, antivirus programs, the latest patches, and other requirements specified in an agency's security policy. Such VPNs can limit noncompliant clients to certain applications or move them to a quarantined LAN. As an SSL VPN feature, this capability is especially useful for employees who access VPNs from shared machines, such as airport kiosks and public library terminals. In such situations, SSL VPNs may default to the most basic capabilities supportable in a browser, such as checking e-mail stored on an agency server or browsing the Web. The more advanced endpoint analysis programs will automatically shut down a VPN session if they detect, for example, that the user has turned off the antivirus program.
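The two preceding paragraphs describe a policy engine: users are authorized to specific resources rather than to the network, the remote client's posture decides how much of that allow-list it gets, and the session is re-evaluated while it is open. The following is an added example in Python, not code from the article or from any vendor it names, that models that engine. The patch-level threshold, resource names, user allow-lists and the rule that switching off antivirus ends the session outright are constructed for illustration.

```python
"""Endpoint posture checking plus resource-level authorization for a remote-access gateway.

Added example; not code from the article or any product it mentions. Policy
values, resource names and users are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set

# Hypothetical policy value: the oldest acceptable patch level (YYYYMMDD).
REQUIRED_PATCH_LEVEL = 20060401


class Tier(Enum):
    FULL = "full"              # everything on the user's allow-list
    BASIC = "basic"            # browser-only services, e.g. from a kiosk
    QUARANTINE = "quarantine"  # remediation network only, no resources


TIER_RANK = {Tier.QUARANTINE: 0, Tier.BASIC: 1, Tier.FULL: 2}

# Services usable from a plain browser with no client-side agent (constructed).
BASIC_RESOURCES: Set[str] = {"webmail", "intranet-web"}

# Per-user allow-lists (constructed). Users are authorized to resources, not to the LAN.
USER_RESOURCES: Dict[str, Set[str]] = {
    "inspector": {"webmail", "intranet-web", "case-db", "file-share"},
    "contractor": {"intranet-web", "ticketing"},
}


@dataclass
class Posture:
    firewall_on: bool
    antivirus_on: bool
    patch_level: int
    managed_device: bool  # agency-owned machine vs. kiosk or home PC


@dataclass
class Session:
    user: str
    tier: Tier
    resources: Set[str]
    active: bool = True
    events: List[str] = field(default_factory=list)


def classify(p: Posture) -> Tier:
    """Map a posture report to an access tier."""
    if not p.antivirus_on or not p.firewall_on:
        return Tier.QUARANTINE
    if p.patch_level < REQUIRED_PATCH_LEVEL or not p.managed_device:
        return Tier.BASIC
    return Tier.FULL


def resources_for(user: str, tier: Tier) -> Set[str]:
    """Intersect the user's allow-list with what the tier permits."""
    allowed = USER_RESOURCES.get(user, set())
    if tier is Tier.FULL:
        return set(allowed)
    if tier is Tier.BASIC:
        return allowed & BASIC_RESOURCES
    return set()


def open_session(user: str, p: Posture) -> Session:
    tier = classify(p)
    s = Session(user, tier, resources_for(user, tier))
    s.events.append(f"login tier={tier.value} resources={sorted(s.resources)}")
    return s


def recheck(s: Session, p: Posture) -> Session:
    """Periodic re-evaluation during the session.

    Switching the antivirus off ends the session outright. Any other loss of
    posture steps the session down to the new tier. Sessions are never
    upgraded in place; the user logs in again to regain a higher tier.
    """
    if not s.active:
        return s
    if not p.antivirus_on:
        s.active, s.resources = False, set()
        s.events.append("terminated: antivirus disabled")
        return s
    new_tier = classify(p)
    if TIER_RANK[new_tier] < TIER_RANK[s.tier]:
        s.tier, s.resources = new_tier, resources_for(s.user, new_tier)
        s.events.append(f"downgraded to {new_tier.value}")
    return s


def can_access(s: Session, resource: str) -> bool:
    return s.active and resource in s.resources


if __name__ == "__main__":
    managed = Posture(True, True, 20060415, True)
    kiosk = Posture(True, True, 20050101, False)
    for user, posture in (("inspector", managed), ("inspector", kiosk), ("contractor", kiosk)):
        print(user, open_session(user, posture).events[-1])
    s = open_session("inspector", managed)
    print(recheck(s, Posture(True, False, 20060415, True)).events)
```

The design point is that the allow-list and the posture tier are intersected rather than either one deciding alone: a fully patched, managed laptop belonging to a contractor still sees only the contractor's resources, and an inspector on a library kiosk sees only webmail and the intranet site.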
VPN log-ins can also tighten access control for employees connecting to the wired LAN from inside the building.
'Since the perimeter is going away, you have to look at access control not just for people coming in, but also contractors and partners who are sitting on the inside,' said Sanjay Uppal, executive vice president of product management at Caymas Systems. 'You could PKI-enable all applications, but that is going to be prohibitively expensive.'
Most VPN products are sold as appliances: thin network boxes connected through Ethernet ports. Some come as upgrade boards that fit inside routers and switches.
VPN boxes can sit in a network's demilitarized zone, behind the firewall as an extra measure of security, or outside the DMZ.
The key feature to look for is the maximum number of concurrent users, the best measure of scalability. Small-office systems top out at a few dozen, while enterprise systems reach several thousand. Some of the highest-capacity appliances also add reliability features that keep the device running through component failures, such as redundant, hot-swappable drives and power supplies. They can also be clustered to expand capacity and improve performance as demand increases, but this can require additional load-balancing hardware.
Guard against attacks
Intrusion detection devices and security information management technology, if not already present, can help guard against attacks coming through the VPN. In fact, many of these products come with VPNs built in.
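What a security information management system actually does with a VPN's authentication log is correlate log-ins over time. The following is an added example in Python, not code from the article or any product it names, with three simple rules over constructed gateway log lines: repeated failures from one address (password guessing against the user-name-and-password log-ins discussed above), a success that follows such a burst, and one account succeeding from two different addresses within a short window. The log format, the thresholds and every log line are constructed for illustration.

```python
"""Correlation rules over remote-access gateway authentication logs.

Added example; not code from the article or any product it mentions. The log
format, thresholds and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed format: ISO timestamp, gateway name, user, source address, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Hypothetical policy values.
FAIL_THRESHOLD = 5                      # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)     # ... within this window
TRAVEL_WINDOW = timedelta(minutes=30)   # same account, two addresses, within this

# Constructed sample: one guessing burst that ends in a success, one account
# appearing from two addresses, and one user who simply mistyped a password.
SAMPLE_LOG = """\
2006-04-28T08:01:12 vpn-gw1 auth user=jsmith src=203.0.113.7 result=FAIL
2006-04-28T08:01:15 vpn-gw1 auth user=jsmith src=203.0.113.7 result=FAIL
2006-04-28T08:01:19 vpn-gw1 auth user=mjones src=203.0.113.7 result=FAIL
2006-04-28T08:01:22 vpn-gw1 auth user=admin src=203.0.113.7 result=FAIL
2006-04-28T08:01:26 vpn-gw1 auth user=rlee src=203.0.113.7 result=FAIL
2006-04-28T08:02:02 vpn-gw1 auth user=rlee src=203.0.113.7 result=OK
2006-04-28T08:05:40 vpn-gw1 auth user=kwong src=198.51.100.23 result=OK
2006-04-28T08:20:05 vpn-gw1 auth user=kwong src=192.0.2.88 result=OK
2006-04-28T09:15:00 vpn-gw1 auth user=tbrown src=198.51.100.50 result=FAIL
2006-04-28T09:15:30 vpn-gw1 auth user=tbrown src=198.51.100.50 result=OK
"""


def parse(log: str) -> List[dict]:
    """Turn raw lines into events; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIM would count unparsed lines as their own signal
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def correlate(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts. Events must be in time order."""
    alerts: List[Tuple[str, str]] = []
    fails_by_src: Dict[str, List[datetime]] = defaultdict(list)
    guessing_alerted = set()  # one password-guessing alert per source per run
    ok_by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)

    for e in events:
        src, user, ts = e["src"], e["user"], e["ts"]
        # Keep only this source's failures that fall inside the sliding window.
        recent = [t for t in fails_by_src[src] if ts - t <= FAIL_WINDOW]
        if e["result"] == "FAIL":
            recent.append(ts)
            fails_by_src[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in guessing_alerted:
                alerts.append(("password-guessing", f"{src}: {len(recent)} failures in {FAIL_WINDOW}"))
                guessing_alerted.add(src)
            continue
        fails_by_src[src] = recent
        # A success that follows a burst of failures from the same source.
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("success-after-burst", f"{user} from {src} after {len(recent)} failures"))
        # The same account succeeding from two addresses inside the travel window.
        for prev_ts, prev_src in ok_by_user[user]:
            if prev_src != src and ts - prev_ts <= TRAVEL_WINDOW:
                alerts.append(("two-sources", f"{user}: {prev_src} then {src} within {ts - prev_ts}"))
                break
        ok_by_user[user].append((ts, src))
    return alerts


if __name__ == "__main__":
    for rule, detail in correlate(parse(SAMPLE_LOG)):
        print(f"{rule:22} {detail}")
```

Only the two-sources rule needs tuning in practice: a user whose home ISP re-assigns addresses, or who moves from a hotel network to a mobile card, trips it legitimately, so it is a lead for an analyst rather than an automatic block. The single failure followed by a success from tbrown produces nothing, which is the intended behaviour for an ordinary typo.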
Besides buying hybrid devices, you can mix and match IPSec and SSL devices in the same network, linking their VPNs. 'Crypto is crypto,' said Charles Kolodgy, a research director for IDC of Framingham, Mass., who worked in DOD procurement. 'It's really just being able to create an SSL tunnel to an IPSec tunnel.'
Software is the other option. Cranite Systems often pairs its Safe Connect proprietary software-based VPN with its FIPS 140-2-certified WirelessWall wireless security software, said Mike Coop, the company's vice president for consulting engineering. 'It prevents the Windows stack from being attacked externally,' he said. Blue Coat and Portwise also sell software VPN and other remote-access solutions.
Software VPNs can drain server CPU performance, but they provide the greatest platform flexibility. 'The reason you go to software is if you want to use your own hardware model,' said Zeus Kerravala, vice president of enterprise research at Yankee Group Research of Boston.
Of all the options, appliances are the most expensive (Caymas, for example, charges $15,000-$55,000 for its most popular models for government), followed by add-in cards, then software, said Whiteley.
Gutierrez said many agencies try a limited pilot or deployment before rolling out nationwide. Sometimes, as in the case of the Labor Department, trial and error helps underscore the difference between the main VPN technologies, and leads you to the one that works best for you.
David Essex is a freelance technology writer based in Antrim, N.H.