Increasingly, organizations are demanding more time from
their employees than the usual office hours, which is one of the reasons
mobility technologies are becoming so popular. Besides mobile devices and
wireless technologies, another critical element that's required for enabling
true mobility is providing users remote access to your corporate network. The
most popular technology for this job is VPNs or virtual private networks, which
allow users to securely connect to their corporate network over the Internet.
VPNs need no introduction, and for a long time, they've been based on a
technology called IPSec. That seems to be changing now, with another technology
stepping into the arena, called SSL.
Neither VPN nor IPSec nor SSL is a new term for any IT
manager or CIO, but they've never been compared, until recently. IPSec was
always known as the technology that facilitated encrypted communication over a
public network, i.e., it was always known as a VPN technology. The claim to fame
for SSL or Secure Sockets Layer on the other hand was that it helped make
e-Commerce, as we know it today, a reality. It allowed users to carry out secure
transactions from a web browser. Even today, in online banking, the underlying
protocol to encrypt all your transactions is SSL. So the question now is, if a
bank can provide secure access to its banking applications through a web
browser, why can't the same happen for other applications like email,
messaging, collaboration, or even business apps? Enter SSL based VPNs, and the
whole debate over whether to use them or the older, tried and tested IPSec based
VPNs. Let's analyze each in a little more detail.
Anil Chopra, Associate Editor
Traditional IPSec VPN based products comprise a VPN
concentrator on the host network, and a VPN client that must be installed on
every mobile user's machine. A remote user would connect to the Internet, and
then use the VPN client to gain access to his/her corporate network through the
VPN concentrator box. Once inside the network, the user would actually be a part
of the corporate LAN. The user would have the same privileges as being present
on the local network itself, albeit with a limited connection speed. After
gaining access to the network, if all that the employee does is check email or
access some info from the corporate Intranet, then the IPSec VPN seems like
overkill. If the same thing happened from an SSL VPN however, then things would
be different. An SSL based VPN works on its original principle of providing access
through a web-browser. Users don't need to deploy any additional client
software on their machines. Also, by its nature, users don't really get access
to the entire network, as in IPSec based VPNs. They would primarily gain access
to web-enabled applications like email or Intranet only.
Given the fact that more applications are becoming
web-enabled, SSL VPN has a clear-cut advantage because your users can be given
access to those out of the box. Also, since web-connections are sessions-based,
you can provide more granular access to your internal resources. But that's not
the case with IPSec based VPNs, in which you provide access to the entire LAN, and
the user inherits most of the rights he/she has on the local network. SSL based
VPNs are also an attractive choice if you'd like to provide access to users
other than your employees, like your customers and business partners. If you
have a particularly large mobile workforce, then again, management of the IPSec
based VPNs becomes an issue. This is largely because you would have to manage
the clients on all the machines. Also, non-traditional devices can be used with
SSL based VPNs, such as a PDA or a smartphone, largely because they're browser
based.
So which technology is better? I would tend to go the SSL
based VPNs way. One of my reasons is that IPSec VPNs follow the traditional
client/server architecture. Install a client on a remote machine, and use it to
connect to a VPN server on the corporate network and gain access. The overall
industry trend has been to slowly move away from this tradition. Increasingly,
you'll find that we're moving towards a world of web-enabled applications.
SSL based VPNs therefore offer a distinct advantage on this front, because
that's what they were meant to do by design. Some may argue that today,
configuring an SSL based VPN to provide access to non-web based applications
such as file sharing is fairly difficult. It would require extensive
customizing, which would add to the cost. However, the drive towards web-based
applications is so strong that it would only be a matter of time before this
issue also gets resolved. Even if this is termed as a disadvantage, IPSec based
VPNs have the inherent disadvantage of client management. So, IPSec based VPNs
would remain for some time, but eventually, SSL based VPNs would own a larger
share of the VPN market.