Then there are vendor-related issues to consider. You should check the vendor and distribution/reseller support infrastructure. Do you need next business day replacement and 24x7 telephone support? If your SSL VPNs (as is likely) are an essential part of your business operations, you want to be sure that you can replace any problematic systems very quickly and that help is always available to keep the VPNs functioning well. It would also be wise to check out the vendor's plans for enhancing the product's functionality and capability, to ensure that it will keep up to date with your changing needs.
Another consideration for the purists is the strength of the encryption technology. SSL uses single DES (56-bit key), whereas IPsec can use 3DES or the emerging AES standard. For the majority of applications and requirements, DES is adequate. However, for high-security requirements such as military use, 3DES/AES is probably mandated. Browser vendors would have to move to supporting 3DES or AES before SSL VPNs could match the encryption strength of IPsec.
Vendors of both IPsec and SSL VPN technologies have recognised the strengths of each other's solutions and are introducing hybrid products. For instance, Check Point offers Connectra, an SSL product, as well as its long-established SecureRemote IPsec product. NetASQ has an integrated firewall/IPsec VPN/SSL VPN appliance.
SSL technology is rapidly maturing to the point where there are few clear differences between SSL and IPsec technology. SSL is gaining the upper hand if you count the number of users, but it remains to be seen what difference the introduction of the IPv6 standard, which includes IPsec, will make. All IPv6 end node implementations will include IPsec as an option, so IPsec advocates hope for a resurgence of IPsec VPNs. If all applications used this feature, then theoretically SSL would be unnecessary. But by then SSL may have become the dominant technology.
A recent report from Forrester Research indicates that SSL will take over. It concluded that spending on SSL VPN technology will increase at a 53% compound annual growth rate and that by 2008 SSL VPNs will have overtaken traditional IPsec VPNs as the remote access security standard.