Are there any applications that require an alternative VPN technology to compensate for the limitation of the so-called VPN solution that you are being presented? If so, then it is questionable as to whether or not such a solution has the right to use the term VPN, and should possibly be forced to carry a health warning - "to be used only under certain limited conditions". So examine what is "in the tin" very carefully before signing on the dotted line.
To SSL or Not SSL
The argument as to whether SSL is more or less secure than alternative technologies is to a large extent an irrelevant discussion. As far as support for authentication, encryption, access control, and all the other technology issues both technologies can make an equally strong case.
A favourite argument for the IPsec fraternity is that IPsec is more secure because of advanced cryptographic algorithms, etc. In practice the frequently complex design, married with a myriad of acronyms and settings that most of us cannot understand, gives it a very soft underbelly. How many IT administrators have installed IPsec VPNs by simply selecting the "default" option on the many settings that have to be defined? For all we know we could be setting all security to the Off position, and telling our management board that we're bomb proof because our IPsec VPN supports AES - It may well do, but it's not doing us much use if we switched it off by default - Suggest you go and check just to be on the safe side!
SSL on the other hand is simple and straight forward - Excellent authentication to get the process going, including client side certificates if you want to get ambitious, seamless negotiation of the encryption to be used during the session, and all the necessary bits and bobs to protect against the evil man-in-the middle, and all built into the users PC when they start their browser!
The real benefit of the SSL VPN is that it uses the ubiquitous browser that is found on virtually every machine today. Regardless of how limited one's IT know-how might be you would be hard pressed to find a user who has not used the browser.
So just imagine that you believed what was written on the tin, and then found that it wasn't there when you opened it. Well you may end throwing your tin back at the vendor who sold it to you, but as far as you're users go, the browser is still the browser. Imagine carrying out several IPsec pilots with different vendors. Each time you did so you would be removing and reinstalling client software. The beauty of the SSL approach is you can test as many vendors as you like, and although they all differ in some ways, and some offer less functionality than others, they all have one thing in common - their "VPN client" is the browser!
Oh Yes - the Peripheral Issues
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.