Face Off: IPSec vs. SSL VPNs

Transcription

1 Docid: Publication Date: 0311 Face Off: IPSec vs. SSL VPNs Publication Type: FACE-OFF Preview by: Nils Odhner Copyright 2003, Faulkner Information Services. All Rights Reserved. Internet Protocol security (IPSec) and secure sockets layer (SSL) are two competing technologies used in virtual private network (VPN) deployments today. These technologies are both designed to encrypt and authenticate data in transit from remote end-user locations to resources residing on the corporate network. VPNs based on IPSec and SSL each have a distinctive number of advantages and disadvantages, and are engineered for varying business and end-user needs. This report faces off the two competing technologies, and offers an overview of feature sets, strengths and limitations of each, cost issues, and recommendations for their usage in VPN deployment. Report Contents: Executive Summary Description Solution Set Face-Off Analysis: Strengths & Limitations Recommendation Web Links Executive Summary IPSec and SSL are two competing technologies used by IT managers for VPN deployments in today's small businesses, enterprises, healthcare institutions, and government agencies. SSL, or Secure Sockets Layer, is a protocol originally developed by Netscape Communications to secure Web-based transactions. SSL was developed to make e-commerce as we know it today possible, but is now being used in a much wider context, particularly in regard to accessing enterprise application-based resources. IPSec, or Internet Security Protocol, on the other hand, has been widely deployed in enterprise VPNs for years, but is no longer the dominant choice in VPN deployment that it once was. Both technologies are widely used to deploy VPNs, which provide remote connectivity to a host computer or network so that employees, partners, or customers can access corporate resources or conduct business transactions. Choosing between an IPSec- and SSL-based VPN is no simple matter of black

2 and white. Organizations, led by their IT managers and CIOs, must consider a complex of factors before embarking on deployment. For example, questions such as these must be asked: will the remote connection be used for only, or will it be used to access extensive enterprise resources? Will the remote user be accessing Web-based applications only, or non-web-based apps? What is the enterprise's IT budget, and are there limits on spending? These questions, as well as a basic review of the pros and cons of each technology, are vital in choosing whether an IPSec or SSL VPN is best for an organization. Description The two competing VPN options that businesses of today choose to implement are IPSec and SSL VPNs. Both VPN types deliver secure, enterprise-level remote access, but their architectural and operational approaches differ greatly. These varying approaches significantly influence application and security services, and will in the end determine which technology IT managers and CIOs should implement within the organization, and what circumstances are optimal for each. Essentially, IPSec and SSL are encryption and authentication technologies designed for data in transit, i.e., they serve as secure "tunnels" that protect data traffic and identify it at the receiving end. Both architectures, or methods, should be considered in the context of an organization's overall security architecture and network security policy. A careful examination of the data being transferred, its level of sensitivity to the enterprise, and the impact of unauthorized disclosure are key factors that should be considered when deciding between which architecture to use when implementing a VPN. An analysis of these factors will determine if data transmission channels are accessible and secure, and that the mechanisms in place adequately prevent unauthorized message and traffic flow disclosure. It will also ensure that messages sent and received are one in the same, that a valid source-destination message path has been established, and that security mechanisms are invisible to end-users. Both IPSec and SSL solve the problem of delivering secure remote access to end users, and both use the Internet as the means to provide connectivity. Certain types of businesses with specific goals for employees and customers, however, will find one more beneficial than the other. IPSec VPNs Internet Protocol Security (IPSec) is a series of protocols developed by the Internet Engineering Task Force (IETF) to deliver symmetric key encryption and authentication services at the IP layer. When IPSec is used to design a secure VPN, it operates at the network layer (layer three) of the Open System Interconnection (OSI) network architecture model. IPSec VPNs are extremely flexible in supporting network configurations and applications. They utilize a head-end device and an IPSec-based client that is downloaded and installed on the end-user's computer. IPSec VPNs secure all data between endpoints, "virtually" placing the remote client on the corporate network and allowing for the same level of access that an employee would have working in the office. Moreover, IPSec VPNs deliver two types of security services--authentication Header (AH), which allows for end-user authentication, and Encapsulating Security Payload (ESP), which supports end-user authentication and data encryption. What gives IPSec VPNs their strongest level of security is the TripleDES (3DES) encryption algorithm, which makes two-way authentication possible, while separate protocols such as ISAKMP/Oakley can also be selected as part of the IPSec VPN configuration. SSL VPNs

3 Originally developed by Netscape Communications to secure e-commerce transactions, Secure Sockets Layer (SSL) is an oft-used, open standard-based Web protocol that enables such key functions as server authentication, data encryption, and message integrity over TCP/IP sessions. SSL is also referred to as the IETF's Transport Layer Security (TLS) standard, and is used primarily to support private transactions that include bank, online stock trading, and credit card purchases. SSL enables "application layer" VPNs, which operate at layers four through seven of the OSI networking model, and can be used with or without a client. SSL-based VPNs initiate communication by utilizing the program layer between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. In addition, SSL VPNs rely upon reverse proxy technology for enterprise network access, which translates the request from the remote user's Web browser into a command that the corporate network can understand. It is typically required when users are on the road and need access to data located behind a firewall and residing in a non-routable internal IP address space. SSL VPNs typically use RSA's combination public/private key encryption system, which includes a digital certificate option. But because any Web-enabled machine can be used to access SSL-based VPNs, two-way authentication is not possible, but rather any valid username and password will get a user into the SSL VPN. Figure 1 shows the basic architectural differences between IPSec and SSL VPNs. Figure 1. Comparison of IPSec and SSL VPN Architectures Source: TechTarget

4 IPSec and SSL VPN Vendors There are a number of vendors that incorporate IPSec functionality into their network devices, many of which serve as the basis for their IPSec VPN suites. These vendors include Cisco Systems, Nortel Networks, Checkpoint, and SonicWALL. But because IPSec is an older VPN technology, and is more established in many vendors' product and service portfolios, there are more standalone IPSec VPN providers. SSL VPNs, because they are newer, are not offered standalone by as many vendors. There are a few VPN vendors, however, that offer both types, and they perhaps have the biggest edge, considering organizations often need both IPSec VPNs (for site-to-site connectivity) as well as SSL VPNs (for Web-based apps only). The following table lists leading SSL and IPSec VPN vendors. Table 1. IPSec and SSL VPN Vendors Vendor IPSec VPNs SSL VPNs Array Networks Aventail BorderWare Technologies Check Point Software Technologies Cisco Systems Citrix CyberGuard Enterasys Networks esoft Fortinet InfoExpress Microsoft Neoteris Netilla Networks NetScreen Technologies NetSilica Nokia Nortel Networks Novell Permeo Technologies Rainbow Technologies SafeWeb SonicWALL Stonesoft uroam

5 V-One WatchGuard Technologies Whale Communications Solution Set There are a number of key criteria IT managers and CIOs should consider when deciding between implementing an IPSec or SSL VPN. Many factors involve the use of security, which is contingent upon what an organization intends to use the VPN. Key criteria include: Authentication and Access Control--Each type of VPN presents varying user authentication options, which in turn determine the level of security. This determination for a particular VPN type is based on the level of access desired initially. Information Access Level--Related to access control, this determines which devices, locations, and individuals can access information. Attack Defenses--The level of confidentiality and data integrity required will determine the best VPN fit. Client Security--How well is the client secured, if a client is being used in the first place? The level of anti-virus and/or firewall protection will be another determining factor. Application Accessibility--Does the end-user need access to a wide variety of applications on the network, or just a niche or easy-to-use application, such as or collaboration tools? Required Software--Does the VPN implementation require software to get up and running? Scalability--Will the VPN offering be deployed for a whole branch office or a single end-user? This will also determine the type of VPN deployment. Overall Security Coverage--A VPN determination will also be based on how sensitive the information being tunneled from VPN to Web server or corporate network is. How far does the security infrastructure extend? Deployment Scenario--What is the VPN going to be used for, e-commerce or telecommuting from a remote home office? Face-Off Table 2 contrasts the criteria, based on the explanations in the previous section, that IT managers and CIOs should follow when deciding whether to implement an IPSec or SSL VPN. Table 2. IPSec vs. SSL VPN Implementation Criteria

6 Implementation Criteria Authentication and Access Control Access Control Information Access Location Attack Defenses Client Security Application Accessibility Required Software Scalability IPSec VPN Uses Internet Key Exchange (IKE) for authentication, through either digital certificates or two-way authentication; non-certificate authentication more vulnerable. Homogenous access granted to trusted user groups on entire private servers and subnets. Information accessed from designated groups of users or computers. Supports block encryption algorithms such as TripleDES Cipher Block Chaining; prevents man-in-the-middle attacks via packet modification; uses IP and UDP datagram floods to prevent DoS attacks. Session state to detect when secure tunnel has gone away; IPSec clients include integrated desktop security products. Accesses all IP apps, including Web, enterprise, , VoIP, and multimedia. IPSec client software. Highly scalable, up to tens of thousands of customer deployments. SSL VPN SSL Web servers use digital certificates for authentication; non-certificate authentication more secure. Granular-based, per-user, per-application access control. As a result, access determinations made according to ports, selected URLs, embedded objects, content, or application events. Information accessed from any location, including Internet kiosks. Information can be left behind intentionally or unintentionally. Supports block encryption algorithms such as TripleDES Cipher Block Chaining; supports stream encryption algorithms such as RC4; uses TCP and TLS to prevent packet injection. Provides secure browser/client logoff by wiping all traces of user activity; filters individual application commands; use of applets to secure open ports. Accesses mostly Web apps. Standard Web browser. Highly scalable and easy to implement.

7 Overall Security Coverage Deployment Scenario Extends security to the remote access level, and enhances end-point security with integrated methods such as personal firewalls. Secure employee and site-to-site access. Limited security measures dictating information access and client environment; better for less-sensitive information. External Web customer access. Analysis: Strengths & Limitations The Argument for and against IPSec VPNs IPSec VPNs offer several primary benefits that SSL either does not offer, or its functionality is lower. These include "always on" protection for all applications independent of user intervention; network layer implementation, which resides below the application layer; full remote end-user access to LAN applications; and most importantly, an IPSec VPN provides a higher level of security, which is consistent for each client or end user residing on each remote computer. Another "stronger security" plus is that IPSec prevents packet modification to stop man-in-the-middle attacks, and defends better against SSL in denial of service (DoS) attacks due to its sole use of datagrams, instead of TCP sessions, which SSL uses. Essentially, IPSec deflects IP and UDP datagram floods, which are easier to block, as opposed to TCP SYN floods, commonly used in SSL, which fill session tables and cripple off-the-shelf protocol stacks. Despite touting greater overall security than SSL, IPSec VPNs are prone to vulnerability when administrators choose a non-certificate options such as password or tokens. In addition, IPSec vendors tend to offer alternatives such as Extended Authentication (AUTH) and L2TP over IPSec. AUTH, however, is often deployed using pre-shared group secrets, which is vulnerable to several know attacks. Moreover, IPSec VPNs tend to be deployed with less granular access controls, making it a time-consuming chore for administrators to configure individual and group access rules. There are other limitations as well. While IPSec offers seamless remote access for end users, its configurations tend to be complicated, requiring (often costly) experts to navigate and troubleshoot complex key settings and encryption algorithms. Additionally, configurations must be performed manually; on this note, client software updates and installations tend to be cumbersome for large user populations. And finally, IPSec is behind the game in terms of supporting PDA and mobile phone clients, as they are just beginning to appear on the market. The Argument for and against SSL VPNs Despite many admonitions about being less secure than IPSec, SSL VPNs provide a secure, proxied connection to only those resources the user is authorized to access. This lack of a direct network connection, combined with split tunneling, in which users have access to the Internet and corporate resources at the same time--tend to be safer. In other words, SSL drills down better to specific applications and services. This is backed by the fact that SSL VPNs employ granular access control, in which varying access privileges are granted to different users. In addition, SSL VPNs extend remote access capabilities to a larger range of network resources and locations from a greater number of network devices. This is made possible because SSL VPNs reside on top of TCP/User Datagram Protocol (UDP) transports, allowing SSL VPNs to travel through network translation address (NAT) devices as well as stateful inspection and proxy-based firewalls. Also, SSL VPNs are engineered to connect to mobile clients such as PDAs and mobile phones, as many vendors

8 have taken advantage of SSL's easy wireless Web-enabled capabilities. In this way, they are better suited for public kiosk PCs, which are often wireless, as well as business partner desktops and personal home computers. One of the key selling points for SSL is that it does not require complex or intrusive clients, i.e., installation of software on end-user computers, which means easier installation, maintenance, and higher cost-savings. For this reason, SSL VPNs are better for smaller budgets. An SSL-connection, however, prevents VPN users from accessing non-web applications, and is limited to only applications such as Web-based business software. Additionally, SSL VPNs complicate functions such as file sharing, automated file transfers, and scheduled file backups. Administrators can add support for non-web based applications, but this requires custom development, including extensive upgrades, patches, SSL gateways, and other add-ons, which tend to be costly and difficult to implement. In addition, end-users are potentially restricted in terms of accessing enterprise resources on Windows, UNI, Linux, or mainframe systems. But by far SSL's greatest limitation is its lack of overall security compared to IPSec. It is less secure because it enables transparent negotiation of encryption algorithms and key materials, defaulting to smaller, weaker keys if a higher key security level cannot be supported in client/server communications. What Are the Costs Involved? When comparing the range of costs associated with IPSec and SSL VPNs, administrators should base their assessments on the costs at both the host and remote site. In general, there are three cost categories to consider for each respective VPN type: equipment costs, deployment costs, and ongoing support costs. Equipment Costs. At the host site, both SSL and IPSec VPNs require a head-end device for operation at the corporate data center to terminate all data tunnels. For IPSec VPNs, this requires a router/concentrator device, and for SSL, a server with proprietary software is required. At the remote site, IPSec VPNs will require a VPN client, either hardware or software, in order to establish a connection. Software clients are usually free when purchased with a head-end device, whereas hardware clients range from $ per device. SSL VPNs, on the other hand, require no client at the remote end and thus no related costs. Deployment Costs. In terms of deployment costs at the host site, IPSec tends to win out over SSL. For IPSec VPNs, host device configuration is much easier, considering the devices have built-in GUIs to bolster the process. Also, once the secure connection is established, all applications can be accessed from any point on the network. This is not true for SSL VPNs, as each application has to be configured to work with the host device. This usually requires a vendor support team, and can be quite costly and time-consuming. At the remote site, however, IPSec VPNs require and initial configuration at minimal costs, whereas SSL VPNs, because they do not require a client, have no associated costs. Ongoing Support Costs. Host site maintenance costs tend to be minimal, since both IPSec and SSL VPN head-end devices are usually stable. Hardware replacement contracts for each type are priced similarly, and include software/firmware upgrades. SSL VPNs, however, require an additional cost when new applications are being rolled out for configuration with the SSL server. IPSec VPNs, being application independent, do not incur such costs. At the remote site, IPSec VPNs must support remote site clients and users, translating to additional help desk training and support costs. SSL VPNs, because they do not have remote clients, incur no costs in this area.

9 Recommendation Some of the questions IT staff and executive officers should answer before making a decision upon an IPSec or SSL VPN include: How does the organization communicate, both internally with its employees, and externally with partners, suppliers, and customers? What are the requirements for IP and legacy applications? What protections do the data security policy determine? What applications require remote access, sensitive internal documents or casual use apps such as ? Are user-friendly interfaces required? Does the VPN need to support mobile devices? Are there bandwidth-intensive users that need 24x7, high-level performance? Answering these questions, as well as reviewing the competing architectures and their benefits and drawbacks, will help IT administrators to make the appropriate decision. For example, if an end-user just needs to access Web-based applications using a Web interface, such as and file access, an SSL VPN would be the best bet. This also applies to the filing of remote time and labor applications that can be easily sent at the click of a mouse. Given these requirements, most enterprise end-user needs can be met via SSL. In addition, if a small business systems administrator does not have adequate centralized management capabilities, SSL would also be more optimal, considering SSL VPNs are better at providing access from unmanaged devices, such as Internet kiosks. For end-users accessing non-web-based client/server IP applications, however, an IPSec VPN is the best bet. This is an optimal option for so-called "power users" that need a complete PC-to-gateway IPSec VPN, as well as access to the full gamut of enterprise network resources from home offices and remote sites. A more ideal application for IPSec is for connecting site-to-site VPNs, which is often required in the case of large enterprises that have acquired many smaller offices that are geographically dispersed and need to integrate corporate resources into one model. Also, because IPSec VPNs are inherently more secure than SSL VPNs, they can be easily combined with 802.1x authentication technology and firewalls. The former leverages key authentication protocols such as LEAP to secure not only wired VPN tunnels, but wireless LAN security as well. If an organization is looking to save money, SSL VPNs will accomplish this goal. Because they are typically clientless, SSL VPNs do not require the implementation and maintenance costs associated with configuring an upgrading a VPN client. SSL VPNs, however, are limited in their capabilities. They are ideal if, for example, an organization is looking to provide connectivity, and maybe availability of marketing materials to salespeople. On the other hand, if an entire branch office needs connectivity to the corporate headquarters, and all the materials from human resources, legal, sales and marketing, and financial departments, IPSec VPNs are a must. Choosing between an IPSec and SSL VPN is not a matter of one being better than the other, as each has myriad benefits and drawbacks depending on an organization's needs. A careful evaluation, based on the factors mentioned previously, is a necessity for any organization looking to bolster secure, remote connectivity through the use of a VPN. About the Author Nils Odhner is Senior Editor of Data Networking at Faulkner Information Services. His coverage includes biometric technologies, network and Internet security, VPNs, Wi-Fi, and convergence and data networking

10 issues. Web Links Array Networks: Aventail: BorderWare Technologies: Check Point Software Technologies: Cisco Systems: Citrix Systems: CyberGuard: Enterasys Networks: esoft: Fortinet: InfoExpress: Microsoft: Neoteris: Netilla Networks: NetScreen Technologies: NetSilica: Nokia: Nortel Networks: Novell: Permeo Technologies: Rainbow Technologies: SafeWeb: SonicWALL: Stonesoft: uroam: V-One: Watchguard Technologies: Whale Communications: