By Bill Clancy – Technical Consultant
Most IT professionals who are asked this question will immediately respond with something close to this: “The obvious choice is SSL VPN.” If you inquire further, you might hear reasons like “IPSec is a pain to configure, and SSL VPN is so much easier” or “SSL VPN doesn’t require installing client software and that all you need is a browser to connect.” While these answers have some validity, neither are entirely accurate. To get to the bottom of it all, I suggest reviewing the configurations, the client’s software requirements, and the security advantages of each.
Configuration
Let’s first clear up one misconception that seems to be a popular argument: “SSL VPN is easier because no special client software is needed and all you need is a browser.” This is not true.
Again, this is partially right, but not the entire story. This type of connection is referred to as WebVPN. The user opens a browser, logs in, and is then presented with a menu from which to select a variety of company resources. But this type of VPN is limited to specific applications. For the more traditional (and more common) remote-access connection, a software client needs to be installed — even with SSL VPN.
The good news is, that the VPN server can be enabled to automatically upload the client software via a browser connection. Once connected thru the browser, the VPN server begins uploading the VPN application. When it’s finished installing, the user simply closes the browser and launches the newly installed SSL client.
But here is where the “SSL vs IPSec client” argument is moot because the process is the same regardless of either IPSec or SSL. An IPSec-based VPN server can just as easily be configured to do exactly the same thing and automatically upload the client software. So in each case (unless you want to only offer limited browser-based resources), a client-side VPN application will be needed in each case. And, if we consider that a typical laptop deployment already includes this client software, then the user will never need to deal with this anyway. Once the software is installed, the user experience is exactly the same for both IPSec or SSL VPN. So for this part of the argument, the answer is both will work.
There are exceptions, of course. Depending on the model and version, some VPN servers may not have this feature of automatically uploading the client software. Or in some cases, maybe the IPSec client is not available for upload, and SSL may be the only option. It all depends on which VPN server you are using, what hardware and which version and features are included.
Security and Encryptionare
There are a few differences. IPSec, (short for “Internet Protocol Security) runs at layer 3 (IP layer) and can either encrypt the entire packet and header, aka Transport Mode or it can encrypt only the data portion, aka Tunnel mode. SSL, (Secure Socket Layer), runs at layer 7 (the application layer. Basically, SSL VPN is a secure application, whereas IPSec VPN is a secure protocol and working directly at the IP layer. As far as the encryption goes, IPSec uses a pre-shared key to set up the encryption, whereas SSL generates session keys during the handshake process. So which one is more secure?
At first, it may seem that IPSec is the more secure method because it can encrypt the packet at a much lower level. And with a pre-shared key (which is typically kept secret by the IT department), it seems even more secure. But, is there really a security threat if your SSL VPN session is intercepted? What could be learned by stealing a few VPN packets off the wire? Certainly not your login credentials. And it’s unlikely that anyone will be able to see your data. As far as the authentication goes, both VPN types can be configured for a variety of authentication methods, including certificate-based, two-factor, Active Directory, etc.
Client Software Requirements
Another aspect of security relates to control and the limit of available resources. It has been suggested that SSL VPN allows for finer control of the available corporate resources, whereas an IPSec user has complete access to the corporate network just as if the user is sitting in the office. While this advantage might be true for the more limited SSL WebVPN solution, it is not the case when using a VPN client. Whether using SSL or IPSec, the server configuration still includes a set of access-list rules that permit or deny access to various IP subnets or IP hosts.
Therefore the statement that an IPSec VPN connection has access to everything and is just like sitting in the office, is simply not true. Both types of VPN need configuration requiring the selection of matching IP subnets or hosts and can easily limit access by modifying a few basic rules. Next up is the ease of configuration. There is a popular belief out there that IPSec VPN is a very complicated configuration and if you want to save yourself a lot of trouble, go with SSL VPN. Well, the truth is, they are both a pain to configure. There are many parts to any VPN configuration and none of the commands or syntax are obvious. Without an example to work from, the configuration would be nearly impossible in either case. While it is true that IPSec has a slightly more complex way of establishing the VPN connection, and therefore does have a slightly more complicated configuration, it’s not really a deal-breaker.
The list of differences goes on and on. In most cases, the manufacturer charges a license fee based on the number of concurrent VPN users. Usually, this cost is higher for SSL VPN. There is also the number of VPN connections that can be supported by the hardware, and this number is not the same for IPSec and SSL.
Which One to Choose?
It depends on the hardware, and the OS and features, and how each manufacturer chooses to implement their VPN solution. For example, a Cisco ASA firewall (with the proper license) has a relatively easy to configure and easy use an SSL VPN solution. The keyword here is “relative.” Any firewall or other network configuration can be complicated, and VPN is no exception. But once it is understood, the Cisco SSL VPN can be deployed without too much difficulty. As another example, the Juniper SRX firewall has a fairly easy to use IPSec VPN solution. The configuration is certainly complicated, but it is also easily available via Google. Simply make a few changes to the DHCP range, interface names, and cut/paste the config directly into the Firewall. Because the firewall has the IPSec client stored on its disk, all the user has to do is connect one time with a browser, and the client software is automatically installed. In each case, whether using Cisco’s SSL client, or Juniper’s IPSec client, the users will never know the difference. They just want it to work.
The Bottom Line
There is no right answer. Your choice may come down to the cost of the license and what the hardware can support. If you are configuring existing hardware, choose the path of least resistance. If SSL is easy to get working, go with SSL. If not, maybe the IPSec solution is easier. Ultimately both will do the job.