Benefit: no client software costs.
4. As commonly deployed, only servers require digital certificates to establish the encrypted session.
Benefit: enormous reduction in the requirement to manage certificates.
SSL VPN Disadvantages
1. Optional (as opposed to in-built) user authentication. This is a major security weakness.
Answer: integration with 3rd party strong authentication products such as VASCO.
2. Requires Java or ActiveX downloads to facilitate access to non-web enabled applications.
Answer: download is transparent to user. Depending on implementation and network topology, this may cause a problem if the firewall (whether on the server side or on a personal firewall) is set to block Java or ActiveX controls.
3. SSL Tunnelling (basically mimics IPSec) is not supported on Linux or non-Windows OS.
Answer: True - SSL vendors offering SSL Tunnelling as an option utilise the virtual adapter technology within Windows OS to encapsulate traffic, which is not currently available in other operating systems.
4. SSL is processor-intensive leading to poor performance under high loads.
Answer: This can be true, but can be addressed by clustering, load-balancing multiple appliances, by utilising SSL accelerators such as Radware's CertainT 100 or by traffic prioritisation technologies such as Allot's NetEnforcer, or by using high performance SSL appliances such as those from Array Networks.
5. Some enterprises need broader application support than SSL provides.
Answer: Some SSL vendors are addressing this by enhancing proxy support and supporting port redirection.
Cost is another very important consideration. Management of authentication certificates can be very time-consuming and is not necessary with SSL VPNs. This makes SSL VPNs much cheaper and this factor alone may be a key issue when deciding whether to use SSL or IPsec VPNs. Unlike most IPsec environments, you do not need paid-for client software. Additionally, set-up and management is typically much easier.
Choosing a VPN
There are a number of factors to consider when choosing an SSL VPN. What applications do you want to use it for and how many users are there. For small numbers of users connecting to a small number of applications, ease of use and management are key considerations. Suppliers such as Array Networks and NetASQ have low cost solutions designed for SMBs and distributed enterprises.
Other considerations include: Does it have an integrated firewall? The inclusion of this will give maximum flexibility of implementation and granularity. Does it include integrated strong authentication or does it provide scalability and interoperability with third party strong authentication products?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.