The Rise of SSL VPNs
by Ian Kilpatrick - chairman Wick Hill Group - Monday, 9 April 2007.
3. SSL Tunnelling (basically mimics IPSec) is not supported on Linux or non-Windows OS.

Answer: True - SSL vendors offering SSL Tunnelling as an option utilise the virtual adapter technology within Windows OS to encapsulate traffic, which is not currently available in other operating systems.

4. SSL is processor-intensive leading to poor performance under high loads.

Answer: This can be true, but can be addressed by clustering, load-balancing multiple appliances, by utilising SSL accelerators such as Radware's CertainT 100 or by traffic prioritisation technologies such as Allot's NetEnforcer, or by using high performance SSL appliances such as those from Array Networks.

5. Some enterprises need broader application support than SSL provides.

Answer: Some SSL vendors are addressing this by enhancing proxy support and supporting port redirection.

Cost is another very important consideration. Management of authentication certificates can be very time-consuming and is not necessary with SSL VPNs. This makes SSL VPNs much cheaper and this factor alone may be a key issue when deciding whether to use SSL or IPsec VPNs. Unlike most IPsec environments, you do not need paid-for client software. Additionally, set-up and management is typically much easier.

Choosing a VPN

There are a number of factors to consider when choosing an SSL VPN. What applications do you want to use it for and how many users are there. For small numbers of users connecting to a small number of applications, ease of use and management are key considerations. Suppliers such as Array Networks and NetASQ have low cost solutions designed for SMBs and distributed enterprises.

Other considerations include: Does it have an integrated firewall? The inclusion of this will give maximum flexibility of implementation and granularity. Does it include integrated strong authentication or does it provide scalability and interoperability with third party strong authentication products?

Can the SSL VPN provide client integrity, i.e. checking the client machine for security threats? Will it support legacy and web applications, and does it provide support for SSL tunnelling, which mimics IPsec. You also need to be sure that it will support any device (PC, lap-top, PDA, Internet Cafe device) to which the SSL owner does not have access rights. As with any VPN system, you will need comprehensive reporting that helps you keep track of VPN tunnels throughout your organisation.

Then there are vendor related issues to consider. You should check the vendor and distribution/reseller support infrastructure. Do you need next business day replacement and 24x7 telephone support? If your SSL VPNs (as is likely) are an essential part of your business operations, you want to be sure that you can replace any problematic systems very quickly and that help is always available to keep the VPNs functioning well. It would also be wise to check out the vendor's plans for enhancing the product's functionality and capability, to ensure that it will keep up to date with your changing needs.

Other considerations

Another consideration for the purists is the strength of the encryption technology. SSL uses single DES (56-bit key), IPSec can use 3DES or the emerging AES standard. For the majority of applications and requirements, DES is adequate. However, for highly secure requirements such as military, 3DES/AES is probably mandated. Browser vendors would have to move to supporting 3DES or AES before SSL VPNs could match the encryption strength of IPSec.


Vendors of both IPsec and SSL VPN technologies have recognised the strengths of each other's solutions and introducing hybrid products. For instance, Check Point offers Connectra, an SSL product, as well as its long-established SecureRemote IPSec product. NetASQ has an integrated firewall/ IPsec VPN/SSL VPN appliance.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th