The Cellar

-   -   VPN: IPSec vs SSL (http://cellar.org/showthread.php?t=13085)

BigV 01-15-2007 06:08 PM

VPN: IPSec vs SSL
 
I need to provide VPN access to a small network. The network is running nicely right now, but a few people would like to connect to some network resources from outside the office, hence the need for the VPN. I have a fairly clean slate to work from here, and I have read enough to narrow my choices to two different technologies, IPSec and SSL.

From what I've read, they both can create a secure tunnel, so for the user, the end result will be the same. The cost for each solution is pretty close to the other, so there's no natural economic advantage. But I'll be the one who has to install and maintain it, so the other behind the curtain details mean more to me. Here's the short list of the pluses and minuses for each, as I see it. Your input is welcome.

IPSec advantages:
**************
Greater security by virtue of requiring a specific client application.
Greater security by virtue of the fact that the box I'm considering also contains a(nother) firewall, adding to the notion of defense in depth.
Greater control by virtue of finer granularity with respect to access privileges.
I have experience with IPSec vpns (Cisco and WatchGuard), so I'm not starting from zero experience.
Can run all applications, and access all network resources.

IPSec disadvantages:
****************
Higher cost due to the fact that client licenses have to be purchased to use the vpn.
Greater complexity of client software.
More pieces than "built in" SSL solution; more things to be configured, keep track of, buy, fix, maintain, update, etc.
The box has multiple functions, firewall, vpn endpoint, switch, etc.

SSL advantages:
************
Box is less complex, no other functions.
No client required; "built in" browser capability.
No client maintenance/cost, etc.

SSL disadvantages:
***************
Can run only web enabled applications, since it all runs in the browser.
No access to network storage or printers.
"Simpler" solution presents fewer hurdles to unauthorized access.


That's the list I have so far. At this point, I'm strongly in favor of the IPSec solution, since I like the full access to the private network resources. But I would like to hear the input and experience of the cellar. What's your two cents' worth? (hint: much more than two cents, to me :)) Thanks in advance.
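The "finer granularity with respect to access privileges" point is easiest to see in code. What follows is an added example, not something posted in the thread or taken from any of the products named in it: a per-group policy of the kind a gateway applies to VPN clients, evaluated as ordered rules with a default deny, plus the audit line an administrator would want for every decision. All users, groups, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    group: str                      # VPN user group the rule applies to
    network: ipaddress.IPv4Network  # destination subnet
    ports: FrozenSet[int]           # allowed TCP ports; empty means any port
    action: str                     # "allow" or "deny"

def _rule(group, cidr, ports, action="allow"):
    return Rule(group, ipaddress.ip_network(cidr), frozenset(ports), action)

# Constructed policy (hypothetical groups and RFC 1918 addresses): first match
# wins, and traffic that matches nothing is denied.
POLICY = [
    _rule("contractors", "10.0.10.5/32", [443]),        # one web application only
    _rule("contractors", "10.0.0.0/16", [], "deny"),    # and nothing else inside
    _rule("staff", "10.0.10.0/24", [139, 445]),         # file shares
    _rule("staff", "10.0.20.0/24", [631, 9100]),        # printers
    _rule("admins", "10.0.0.0/16", []),                 # every host, every port
]

# Constructed directory: the groups each VPN account belongs to.
USERS = {"alice": {"staff"}, "bob": {"staff", "admins"}, "carol": {"contractors"}}

def match_rule(user, dst_ip, dst_port, policy=POLICY, users=USERS) -> Optional[Rule]:
    """Return the first rule that applies to this user and destination, if any."""
    groups = users.get(user, set())
    addr = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.group not in groups or addr not in rule.network:
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule
    return None

def check_access(user, dst_ip, dst_port, policy=POLICY, users=USERS) -> bool:
    """Allow only on an explicit allow rule; unknown users and unmatched traffic are denied."""
    rule = match_rule(user, dst_ip, dst_port, policy, users)
    return rule is not None and rule.action == "allow"

def audit_line(user, dst_ip, dst_port, policy=POLICY, users=USERS) -> str:
    """One log line per decision so that denied attempts are visible, not silent."""
    rule = match_rule(user, dst_ip, dst_port, policy, users)
    verdict = "ALLOW" if rule is not None and rule.action == "allow" else "DENY"
    why = f"{rule.group}:{rule.network}" if rule is not None else "no-matching-rule"
    return f"vpn-acl user={user} dst={dst_ip}:{dst_port} verdict={verdict} rule={why}"
```

The contrast with a flat "you are on the network now" tunnel is the contractor case: carol reaches exactly one web application and is explicitly denied the rest of the 10.0.0.0/16, while the same file server on port 445 is reachable by staff and everything is reachable by admins. Ordering matters, so the narrow allow sits above the broad deny.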

SteveDallas 01-15-2007 06:29 PM

What IPSec solutions are you considering? What kind of client are you planning to use?

Perry Winkle 01-15-2007 06:53 PM

Ever looked at OpenVPN?

IIRC, it's the base for Joel's Aardvark/Co-pilot software.

Clodfobble 01-16-2007 03:54 PM

I don't know jack about squat, but my husband the network administrator says some of your SSL disadvantages are wrong. He says: You can definitely do non-web-enabled applications over SSL; an example program would be the Cisco SSL VPN, which installs an ActiveX applet that remaps network traffic over SSL regardless of port. This also allows for network drive mapping and printer mapping as well.

BigV 01-16-2007 04:27 PM

Quote:

Originally Posted by Clodfobble (Post 307775)
I don't know jack about squat, but my husband the network administrator says some of your SSL disadvantages are wrong. He says: You can definitely do non-web-enabled applications over SSL; an example program would be the Cisco SSL VPN, which installs an ActiveX applet that remaps network traffic over SSL regardless of port. This also allows for network drive mapping and printer mapping as well.

!!

Interesting. That's exactly the kind of reality check I'm seeking. Thank you Clodfobble.

Clodfobble 01-16-2007 04:58 PM

Don't thank me, I don't even really know what most of that gibberish means. But Mr. Clodfobble says, "No problem." :)

BigV 01-17-2007 09:51 AM

*imaginary conversation at House of Fobble*

CF: "Well, if you won't let me post those shower pictures, will you at least look at this computer question?!"

mbpark 01-17-2007 10:26 PM

SSL VPNs
 
I have used both, and the issues with port redirection and non-web applications in SSL VPNs have been mitigated by multiple vendors. The really high-end SSL VPNs like the AEP Networks Netilla have application-specific rules.

I just put in a D-Link IPSec (no, I am not kidding) VPN in at a customer linking two sites (the budget just wasn't there to justify a higher expense).

However, I have had great experience with the Juniper products (I use the Netscreen firewalls elsewhere). They make what appears to be a decent SSL VPN at:
http://www.juniper.net/products_and_...re_access_700/

I also know that Cisco makes one, as well as Netgear:

http://www.netgear.com/Products/VPNa...rs/SSL312.aspx

I certainly hope that Netgear has done their best to lose their reputation for crap firmware. Their product does support port forwarding and redirection.

Thanks,

Mitch
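The mechanism Mr. Clodfobble describes (a client component that remaps arbitrary application traffic onto the SSL session) and the port forwarding and redirection mbpark mentions are the same idea. As an added illustration, not code from the thread or from any vendor's product, here is a minimal port-remapping relay: a local forwarder accepts a plain TCP connection from an unmodified application, tells a gateway the intended destination on a control line, and the gateway connects to the internal resource only if that destination is on its allowlist, so the access decision stays on the gateway and not on the client. Everything runs on loopback; the TLS wrapping of the gateway link is left out (an assumption: a real deployment would wrap the gateway socket with the ssl module), and the hosts, ports and payloads are constructed.

```python
import contextlib
import socket
import threading

socket.setdefaulttimeout(5)  # a stuck relay fails instead of hanging forever

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    """Relay both directions between two connected sockets, then close both."""
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    a.close()
    b.close()

def _read_line(conn, limit=256):
    """Read one newline-terminated control line byte by byte (never over-reads)."""
    buf = b""
    while not buf.endswith(b"\n"):
        c = conn.recv(1)
        if not c or len(buf) >= limit:
            raise ConnectionError("bad or missing control line")
        buf += c
    return buf.decode("ascii").strip()

def _serve(handler):
    """Loopback listener on an ephemeral port; handler(conn) runs per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(None)  # the listener itself must block indefinitely in accept()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_internal_service():
    """Stand-in for an internal resource (constructed): echoes its input upper-cased."""
    def handle(conn):
        with conn:
            conn.sendall(b"".join(iter(lambda: conn.recv(4096), b"")).upper())
    return _serve(handle)

def start_gateway(allowed):
    """Gateway side: reads 'host:port', enforces the allowlist, then relays."""
    def handle(conn):
        with conn, contextlib.suppress(OSError, ValueError):
            host, port = _read_line(conn).rsplit(":", 1)
            if (host, int(port)) not in allowed:
                conn.sendall(b"DENIED\n")  # the policy decision lives on the gateway
                return
            upstream = socket.create_connection((host, int(port)))
            conn.sendall(b"OK\n")
            _relay(conn, upstream)
    return _serve(handle)

def start_local_forwarder(gateway_port, target_host, target_port):
    """Client side: a local port that remaps one application onto the gateway link."""
    def handle(conn):
        with conn, contextlib.suppress(OSError), \
                socket.create_connection(("127.0.0.1", gateway_port)) as gw:
            gw.sendall(f"{target_host}:{target_port}\n".encode("ascii"))
            if _read_line(gw) == "OK":  # on DENIED both sockets simply close
                _relay(conn, gw)
    return _serve(handle)

def send_through_tunnel(local_port, payload):
    """What an unmodified application sees: plain TCP to a port on localhost."""
    chunks = []
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(payload)
        with contextlib.suppress(OSError):  # a refused tunnel may be torn down with a RST
            s.shutdown(socket.SHUT_WR)
            while data := s.recv(4096):
                chunks.append(data)
    return b"".join(chunks)

def demo():
    """Wire everything up on loopback; exercise one allowed and one refused mapping."""
    svc_port = start_internal_service()
    gw_port = start_gateway(allowed={("127.0.0.1", svc_port)})
    share_port = start_local_forwarder(gw_port, "127.0.0.1", svc_port)
    rogue_port = start_local_forwarder(gw_port, "127.0.0.1", 9)  # not on the allowlist
    return (send_through_tunnel(share_port, b"hello from outside the office\n"),
            send_through_tunnel(rogue_port, b"hello\n"))

if __name__ == "__main__":
    print(demo())
```

Running demo() returns the upper-cased reply for the mapped port and an empty reply for the port whose destination the gateway refused. The point for the IPSec-versus-SSL question is that "no access to network storage or printers" is a property of a particular client, not of SSL as a transport: once the client remaps ports, any TCP service can be reached, which is exactly why the allowlist check belongs on the gateway.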

