The difference between IPsec VPN and SSL VPN, how to choose the right VPN

What do you think about traveling salespeople connecting to your network over the Internet from Starbucks? Are you satisfied with the security of the office's internal network?

It is easy to control security within the physical walls of the factory, but it is challenging to give externally connected users secure remote access to internal resources. IPsec (IP security) and PPTP (Point-to-Point Tunneling Protocol) VPNs, and sometimes SSH tunnels, are sufficient, but these setups often run into NAT (Network Address Translation) traversal, firewall and client management issues. An SSL (Secure Sockets Layer) VPN should solve these problems while still providing powerful and secure remote access. However, the setup has its own difficulties, such as browser support issues, the elevated privileges required on the client computer for any task other than pure HTTP applications, and the inherent security issue of data cached in the browser.

The difference between IPsec VPN and SSL VPN


IPsec is a Layer 3 VPN: for network-to-network (branch office) and remote access deployments, an encrypted Layer 3 tunnel is established between peers. In contrast, SSL VPN is usually a remote access technology that provides layer 6 encryption services for layer 7 applications and carries other TCP protocols through a local redirect tunnel on the client. From a purely technical point of view, you can run IPsec and SSL VPN at the same time, unless both the IPsec and the SSL VPN products use client software installed on the user's computer. In that case, you may encounter stack conflicts.

Organizations usually choose VPNs based on cost, configuration, and availability. If you are looking for a network-to-network VPN, the only real option is IPsec. Check Point Software Technologies, Fnetlink Group, Cisco Systems, Juniper Networks, Nortel Networks, Sonicwall and WatchGuard all provide IPsec VPNs with integrated firewalls. If you choose this route, check the vendor's customer support track record, determine whether its product has built-in security, and learn more about the features available.

What is the easier path to manage the two?


IPsec VPN solutions are usually easier to manage. The client-to-gateway tunnel forms a network connection similar to a dial-up connection, and the machine supports ephemeral TCP/UDP ports. If your traveling users use SIP (Session Initiation Protocol) or H.323-based applications, IPsec has obvious advantages over SSL VPN because it is hands-free on the client side. Once the software is running, users can interact seamlessly with their software and remote services.

IPsec VPN is an open network from the desktop client to the target network, but this does not mean that the desktop is just an IP router. Because of the possible split tunneling problem, in which the client can reach both trusted and untrusted networks at the same time, use the IPsec policy set on the gateway to restrict access. As SQL Slammer demonstrated, worm-infected hosts connected to the internal network via IPsec can infect the internal network, so use an embedded IPsec gateway firewall or place a firewall between the gateway and the rest of the network for additional protection.

Cisco and Nortel's leading IPsec VPN gateways are easy to manage and provide hierarchical group management, tight integration with external authentication servers, and very useful and detailed event records on the gateway; the latter are essential when solving remote user connection problems.

However, in the long run, IPsec VPN may cost more. The cost of IPsec VPN is usually between US$10 and US$25, while SSL VPN licenses for 500 users range from US$50 to US$120 per seat. At first glance, IPsec VPN looks attractive. That advantage is less obvious once you take into account the cost of deploying and managing the IPsec client, the additional testing required before patching the client OS (remember that Windows XP Service Pack 2 breaks many client applications, including IPsec), and the productivity lost when users cannot connect to the gateway over IPsec. In addition, many IT managers find that IPsec VPN is very time-consuming for their staff, because end users often need help when downloading software or maintaining their connections.

What is the appeal of SSL?

Due to attractive prices and reduced security risks, most users will jump to SSL VPN when building extranets. SSL can restrict remote access to only the resources needed by the user.

According to Meta Group, one out of every three major companies uses SSL VPN this year. Researchers said that by 2006, 80% of companies will use SSL VPN as a connection method. There is no doubt that SSL VPN is selling like gelato. Perhaps the biggest driving factors are the ubiquity of port 443 and the reduced management overhead.

Whether from laptops on the road, homes, customer sites, or coffee shops, Internet access via TCP 443 (the default HTTPS port) should be available unless you are on a network with strict outbound policies. With the ubiquitous access of SSL VPN, any computer with a browser and Internet access can become a client. We don't believe that most organizations want to open their key business applications to users at public kiosks, but being able to let remote or traveling users reach their web mail and other applications is convincing.

Almost all SSL VPN products support and encourage strict access control policies. In fact, it is usually difficult to allow open access. When adding a resource, you must define its specific access permissions. For non-HTTP applications, this usually involves a quick address/port definition. However, depending on the product, HTTP application access can be controlled down to the URI (Uniform Resource Identifier) and the method used to access the resource. For example, if the user may access the Web server but not the admin directory, the SSL VPN gateway will not grant access to that directory, thus adding another layer of protection on top of the Web server's own permissions. Similar access control can be applied to FTP and Windows file sharing.

Generally, access to resources can be granted or denied based on the location of the client, whether it has the latest operating system patches, or whether the SSL VPN gateway's mobile code can be loaded for cache cleaning. Advanced protection functions (such as URI access control and dynamic ACLs (access control lists)) vary by vendor.
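The URI-and-method access control described above can be sketched as a default-deny check. This is an added example, not code from any SSL VPN product; the roles, host name and policy table are hypothetical. It normalizes the path before matching, so a request such as /docs/../admin/ is judged as /admin/.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Hypothetical policy: (role, host, path prefix, allowed HTTP methods).
# A request that matches no rule is denied (default deny).
POLICY = [
    ("sales", "intranet.example.com", "/crm/", {"GET", "POST"}),
    ("sales", "intranet.example.com", "/docs/", {"GET"}),
    ("webadmin", "intranet.example.com", "/admin/", {"GET", "POST", "PUT", "DELETE"}),
]

def normalize_path(raw_path):
    """Decode once and collapse dot segments; return None if the path is ambiguous."""
    decoded = unquote(raw_path)
    # Still decodable after one pass means double encoding; refuse to guess.
    if unquote(decoded) != decoded or "\x00" in decoded or "\\" in decoded:
        return None
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and norm != "/":
        norm += "/"  # keep the trailing slash so prefix rules still match
    return norm

def is_allowed(role, method, url):
    """Return True only if a rule grants this role this method on this URI."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = normalize_path(parts.path)
    if path is None:
        return False
    for rule_role, rule_host, prefix, methods in POLICY:
        if (role == rule_role and host == rule_host
                and path.startswith(prefix) and method.upper() in methods):
            return True
    return False

if __name__ == "__main__":
    base = "https://intranet.example.com"
    for role, method, path in [
        ("sales", "GET", "/docs/handbook.html"),
        ("sales", "POST", "/docs/handbook.html"),
        ("sales", "GET", "/docs/%2e%2e/admin/users"),
        ("webadmin", "GET", "/admin/users"),
    ]:
        print(role, method, path, "->", is_allowed(role, method, base + path))
```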

For users who need secure access to non-HTTP applications, SSL VPN products provide two methods. With the so-called "clientless" method, users download Java or ActiveX components in their browsers, which set up a proxy on the local host address (for example, 127.0.0.1) and temporarily modify the local hosts file to resolve the host name to the local host address. The user access level required for the client to start the local agent on ports below 1023 and change the local hosts file varies with each product, and most require local administrator access. In addition, SSL VPN products rarely support the UDP protocol, so make sure you have a firm grasp of the application requirements and that the SSL VPN gateway supports them, and don't neglect internally developed applications.

If you want to take a proven route, use an installed client on the client machine and forward sensitive data packets via SSL VPN. Aventail and Juniper support this method. However, there is no content to download or install, and you do not need to use the user's permission to skip any links.

You can use IPsec and SSL VPN at the same time. If your main applications are Web-based and you support only a few non-HTTP applications, SSL VPN is a good choice: it is easier to use, and its fine-grained access control for remote users is better than that of IPsec products. However, if your organization must support more complex applications and site-to-site VPNs, then you really cannot rule out IPsec.

  1. IPsec VPN opens an unrestricted channel into the network. That depends on the VPN gateway. IPsec works at layer 3 to transmit IP packets bound for the protected network, so in a sense it is an open channel. However, most IPsec VPN gateways have internal stateful packet filtering firewalls, so you can restrict traffic to specific destinations. To get the same result, you can place the VPN in the DMZ with strict access rules.
  2. IPsec VPN is not compatible with NAT. For years, vendors have been encapsulating IPsec traffic in UDP before putting it on the network, so NAT problems are not as common as before. Standardized NAT traversal is an optional component of IKE (Internet Key Exchange) 2, and many vendors use proprietary traversal methods.
  3. SSL VPN is a clientless VPN. This only applies to direct HTML traffic. Web applications that use mobile code components (such as Java applets or Flash) to connect back to the server, and non-HTTP applications, usually require a client browser component to transmit traffic through the SSL VPN tunnel. In many cases, remote users must log in as a local administrator to run the components dynamically, or the components must be installed by an administrator.
  4. SSL VPN provides secure access from any computer. Again, this only applies to HTML traffic. Many kiosks do not allow users to run as an administrator or install components into the browser. Besides, do you really want your users to download confidential company data to unmanaged computers?
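The UDP encapsulation mentioned in item 2 can be inspected on the wire. This added example (not from the original article) classifies UDP port 4500 payloads using the standardized framing in RFC 3948, which the article does not name: four zero bytes mark an IKE message, a non-zero SPI marks ESP, and a single 0xFF byte is a NAT keepalive. The sample packets are constructed for illustration, and proprietary vendor traversal methods will not match this framing.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE messages on UDP 4500
IKE_HEADER = "!8s8sBBBBII"             # SPIs, next payload, version, type, flags, id, length

def classify_udp4500(payload):
    """Return (kind, fields) for one UDP/4500 payload."""
    if payload == b"\xff":
        return ("nat-keepalive", {})
    if len(payload) < 8:
        return ("malformed", {})
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < struct.calcsize(IKE_HEADER):
            return ("malformed", {})
        _, _, _, version, exch, _, _, length = struct.unpack(IKE_HEADER, ike[:28])
        return ("ike", {"version": f"{version >> 4}.{version & 0x0F}",
                        "exchange_type": exch, "length": length})
    # Anything else is UDP-encapsulated ESP: SPI (never zero) then sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", {"spi": spi, "seq": seq})

# Constructed samples: an IKEv2 header (exchange type 34, IKE_SA_INIT) and an ESP packet.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    IKE_HEADER, b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for pkt in (SAMPLE_IKE, SAMPLE_ESP, b"\xff", b"\x01\x02"):
        print(classify_udp4500(pkt))
```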