ITPRC NEWS - June 2002 - http://www.itprc.com/
Secure Sockets Layer - A New VPN Choice
By Irwin Lazar
Secure Sockets Layer (SSL) is emerging as an alternative to IPSec for
remote access VPNs. SSL is not a new protocol; it has been widely used to
secure web-based transactions for a number of years. What is new is a
growing number of products that let enterprises use SSL to give employees
secure remote access to corporate applications and data resources.
SSL in Brief
SSL is a protocol originally developed by Netscape to secure web-browser
based transactions. Its open-standards successor, Transport Layer Security
(TLS 1.0), has been defined by the IETF in RFC 2246. SSL operates above the
TCP layer but below application protocols such as HTTP, encrypting the
application-layer traffic carried over the TCP connection. It can negotiate
a variety of cipher suites offering different levels of security (see
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm for
additional information about SSL). User authentication can be via simple
username/password, RSA SecurID tokens, or PKI (client certificates).
SSL VPNs
Many organizations are now adopting SSL as a core component of their
remote access strategy. Because an SSL VPN requires no custom client
software or configuration, only a standards-compliant web browser, it
offers significant advantages in ease of use and management over IPSec
alternatives.
There are, however, drawbacks to using SSL as a primary remote access
strategy. SSL sessions require significant processing power on web servers,
especially for the public-key operations of the handshake and for
encrypting and decrypting traffic, so deploying SSL can sharply limit the
number of concurrent user sessions a web server can support. Many vendors
now offer SSL accelerator devices that off-load the encryption and
decryption work from the web servers.
The other major drawback is that SSL has traditionally secured only a
limited set of applications that run over well-known TCP ports (HTTP,
POP3/SMTP, FTP, NNTP). That makes a plain SSL-protected web portal of
little use to users who need to synchronize local applications or who need
to reach non-web applications. However, a slew of new products from
companies such as SafeWeb, Aventail, Neoteris and others now offer
SSL-based appliances that tunnel a wider variety of applications,
including Lotus Notes and Microsoft Outlook/Exchange. These products are
greatly expanding the role that SSL VPNs can play in a corporate remote
access strategy.
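To make the two points above concrete (SSL/TLS sits between TCP and the
application, and an SSL VPN appliance can carry any TCP application, not
just HTTP), here is an added example that is not part of the original
article and not any vendor's product code. It is a miniature SSL VPN
gateway in Go: a plain TCP "application" that only ever sees cleartext, a
gateway that terminates TLS and relays the decrypted bytes to it, and a
browser-like client that trusts only the gateway's certificate. A second
client that trusts nothing has its handshake refused, which is the
certificate check every standards-compliant browser performs. The
loopback addresses, the self-signed certificate and the "app> " tag are
assumptions made for the demo; a real gateway presents a CA-issued
certificate and listens on a routable address.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // demo-only shortcut; a real gateway handles errors
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway certificate for 127.0.0.1 plus a pool that trusts only it (assumption: stands in for a CA-issued certificate).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ssl-vpn-gateway.example"}, // illustrative name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the address the client verifies
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the trusting client accepts exactly this certificate, nothing else
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// serve hands every accepted connection to handle on its own goroutine.
func serve(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go func() { defer c.Close(); handle(c) }()
	}
}

// startApp is the plain-TCP "non-web" application: it tags the stream and echoes it, and never sees TLS.
func startApp() net.Addr {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	go serve(ln, func(c net.Conn) {
		io.WriteString(c, "app> ")
		io.Copy(c, c)
	})
	return ln.Addr()
}

// startGateway terminates TLS and relays the decrypted bytes to the plain application.
func startGateway(cert tls.Certificate, app net.Addr) net.Addr {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go serve(ln, func(c net.Conn) {
		back, err := net.Dial("tcp", app.String())
		if err != nil {
			return
		}
		go func() { io.Copy(back, c); back.Close() }() // client -> app: plaintext once TLS is stripped
		io.Copy(c, back)                               // app -> client: encrypted again by the TLS layer
	})
	return ln.Addr()
}

// connect dials the gateway trusting only roots, sends one line through the tunnel and returns "<version> <cipher> <reply>".
func connect(gw net.Addr, roots *x509.CertPool, msg string) (string, error) {
	conn, err := tls.Dial("tcp", gw.String(), &tls.Config{RootCAs: roots})
	if err != nil {
		return "", err // handshake refused: the gateway's certificate is not trusted for 127.0.0.1
	}
	defer conn.Close()
	fmt.Fprintln(conn, msg)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	st := conn.ConnectionState()
	ver := map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}[st.Version]
	return fmt.Sprintf("%s %s %q", ver, tls.CipherSuiteName(st.CipherSuite), reply), err
}

// Demo: a client that trusts the gateway gets the application's reply; one that trusts nothing is refused.
func Demo() (trusted string, untrustedErr error) {
	cert, pool := selfSignedCert()
	gw := startGateway(cert, startApp())
	trusted = must(connect(gw, pool, "hello through the tunnel"))
	_, untrustedErr = connect(gw, x509.NewCertPool(), "hello again")
	return
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run` and it prints the negotiated protocol version and
cipher suite, the application's tagged reply, and the verification error
the untrusted client receives. Note what the gateway does not do: once TLS
is stripped, the relay to the application is cleartext, so the appliance
and the network behind it must be trusted, and nothing here identifies the
connecting machine, only the user's session.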
SSL vs. IPSec
Even with the advances from the many vendors entering the SSL VPN space,
there are still a few drawbacks when compared with IPSec-based VPNs, the
primary one being the lack of end-user device authentication. Since
nothing more than a web browser is needed to reach an SSL VPN, access is
tied to the user's credentials rather than to a particular machine: an
authorized user can connect from any computer, including one the
organization does not manage. (TLS client certificates can bind a session
to a key held on the machine, but provisioning them to every endpoint gives
up much of the clientless advantage.) In addition, organizations with
home-grown legacy applications may continue to find supporting access via
an SSL VPN difficult, especially where synchronization with a local machine
is required.
Even with these drawbacks, SSL VPNs remain an attractive alternative to
IPSec. With no client to install, they are easier to administer, support,
and manage than IPSec-based VPNs.
Conclusions
For organizations that only need to give remote users access to a limited
number of web-based applications, SSL VPNs are a far more elegant solution
than IPSec. New products are rapidly expanding the breadth of applications
that can be supported. Enterprises would be wise to strongly consider
making SSL VPNs the cornerstone of their remote access strategy.
..............................
Irwin Lazar is a Senior Consultant for The Burton Group. He focuses on
strategic planning and network architecture for Fortune 500 enterprises
as well as large service providers. He is the conference director for
MPLScon and runs The MPLS Resource Center www.mplsrc.com
and The
Information Technology Professional's Resource Center www.itprc.com.
Please send any comments about this article to ilazar@tbg.com
============================================================
All Content Of This Site
Is Copyright 2000-2004 - ITPRC.COM