SSL VPN vs. IPSec VPN
White Paper
Learn About:
• The major differences between IPSec based VPNs and SSL based VPNs
• The advantages and disadvantages of each
• Which technology is right for you
Introduction
Virtual Private Networks, or VPNs, allow corporate enterprises to extend access to their internal networks to external employees and partners over standard public Internet connections. The primary reason VPNs came to be was the immense expense of leased-line solutions: an enterprise had to have a physically closed network connection to its partners and remote employees, either through dial-up RAS (Remote Access Server) solutions into the enterprise network, or leased fractional T1 type connections between remote offices and partners.
• Data privacy - the ability to hide the data being transmitted
• Data authenticity and integrity - the mathematical algorithms of encryption give security protocols the ability to ensure data has not been modified or damaged in transit
• Non-repudiation - another feature of the mathematics contained in encryption is the ability to prove an act occurred
What is IPSec?
IPSec, or Internet Protocol Security, the security protocol most commonly associated with a VPN, is an encryption protocol which provides secure, encrypted data transmission at the Network Layer across a public network such as the Internet. Two parties who wish to create an IPSec tunnel must first negotiate a standard way to communicate. Since IPSec supports several modes of operation, both sides must first agree on the security policy and mode to use, which encryption algorithms they wish to communicate with, and what type of authentication method to use.
In IPSec, all protocols which sit above the network layer are encrypted (once an IPSec tunnel is created) between the two communicating parties. TCP, UDP, SNMP, HTTP, POP, AIM, KaZaa, etc. are all encrypted regardless of their built-in (or lack of built-in) security and encryption.
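The negotiation described above, in which both peers must settle on a mode, encryption and integrity algorithms, a Diffie-Hellman group and an authentication method before any traffic flows, is illustrated by the following added example. It is not code from the white paper or from any IPSec implementation; it is a simplified model in which each proposal is flattened into one record (real IKE carries these parameters in several transform substructures), and the policies, the list of weak primitives and the group numbers are constructed for the example. The point a defender cares about is the second function: a negotiation can only be as strong as the weakest proposal both sides still offer.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Proposal:
    """One parameter combination an IPSec peer is willing to use.
    Simplified model (assumption): real IKE proposals are structured,
    here every negotiable item is flattened into a single record."""
    mode: str        # "tunnel" or "transport"
    encryption: str  # e.g. "aes256-cbc"
    integrity: str   # e.g. "hmac-sha256"
    dh_group: int    # Diffie-Hellman group number
    auth: str        # peer authentication method: "rsa-sig" or "psk"


# Constructed sample policies (not from the white paper). The initiator
# lists proposals in preference order; the responder holds a set it accepts.
INITIATOR_POLICY = [
    Proposal("tunnel", "aes256-cbc", "hmac-sha256", 14, "rsa-sig"),
    Proposal("tunnel", "aes128-cbc", "hmac-sha1", 2, "rsa-sig"),
    Proposal("tunnel", "3des-cbc", "hmac-md5", 1, "psk"),
]
RESPONDER_ACCEPTS = {
    Proposal("tunnel", "aes256-cbc", "hmac-sha256", 14, "rsa-sig"),
    Proposal("tunnel", "aes128-cbc", "hmac-sha1", 2, "rsa-sig"),
}

# Primitives a policy lint should refuse (constructed list for this example).
WEAK_ALGORITHMS = {"des-cbc", "3des-cbc", "hmac-md5", "hmac-sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


def select_proposal(initiator: Iterable[Proposal],
                    responder_accepts: Set[Proposal]) -> Optional[Proposal]:
    """Responder-side choice: the first proposal, in the initiator's order,
    that the responder also accepts. None means no security association can
    be established; the tunnel must not come up on a partial match."""
    for proposal in initiator:
        if proposal in responder_accepts:
            return proposal
    return None


def audit_policy(proposals: Iterable[Proposal]) -> List[str]:
    """Return one finding per weak element. Removing flagged proposals from
    the policy is what prevents a downgrade: a peer that only shares the
    weakest entry would otherwise negotiate it successfully."""
    findings = []
    for proposal in proposals:
        for alg in (proposal.encryption, proposal.integrity):
            if alg in WEAK_ALGORITHMS:
                findings.append(f"{proposal}: weak algorithm {alg}")
        if proposal.dh_group in WEAK_DH_GROUPS:
            findings.append(f"{proposal}: weak DH group {proposal.dh_group}")
    return findings


if __name__ == "__main__":
    print("negotiated:", select_proposal(INITIATOR_POLICY, RESPONDER_ACCEPTS))
    for finding in audit_policy(INITIATOR_POLICY):
        print("finding:", finding)
```

Running the module negotiates the first (strongest) proposal because both sides list it; with a responder that only accepts the third entry, the same code would happily bring the tunnel up on 3DES, MD5 and DH group 1, which is exactly what the audit output is meant to catch before deployment.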
SSL VPN vs. IPSec VPN p.
In some cases IPSec runs on a network hardware appliance. With these types of solutions most often
both communicating sides must have the same hardware. In addition, the same compatibility issues
with the client software apply to the IPSec enabled hardware.
IPSec clients are bound to a specific laptop or desktop system. This limits the mobility of the users, as
they cannot connect to the VPN without an IPSec client first being loaded on the client system they
use to access the network. No roaming access from airport lounges here...
Issue 2: IT support
IPSec solutions require immense IT support for both implementation and long term maintenance.
Large corporations often have several helpdesk personnel devoted to supporting their employees
who work remotely via IPSec.
This also extends client support beyond those applications that are “SSL aware”, such as Web browsers like Internet Explorer and Netscape or email applications such as Outlook and Eudora, to any IP based application, including TCP, UDP, ICMP, etc. This enables a wide range of applications, from web browsing to video conferencing, over this ubiquitous tunneling mechanism.
To increase the server’s capacity, SSL proxies may include an SSL accelerator. An SSL accelerator is much like a math co-processor in the 486SX/DX PC days. The SSL accelerator takes the computationally intense operations formerly performed by the server’s CPU and offloads them to a purpose built processor. The server, which was only able to perform 75 RSA sessions/second, can now handle well over 800 sessions/second.
You may wonder why you would need an SSL proxy if your server has an SSL accelerator. The questions to ask are: “How many servers do you have which may need this SSL acceleration? Do you have the resources to purchase SSL accelerators for each of those servers?” The advantage of an SSL proxy is that you can utilize the SSL accelerator once for many servers.
With the Array SP (Security Proxy) from Array Networks, for example, you may open 800 SSL connections per second to the clients accessing your resource, while maintaining an SSL connection from the proxy to the back-end server as well. Note the Array SP is able to open a reduced number of SSL connections to the back-end while serving up to 800 sessions/second on the front of the Array SP. The advantage of this is that your Web server is never overloaded with SSL connection requests.
Reason 2: Authentication
Another issue with the traditional SSL protocol is its lack of built-in authentication methods. SSL includes cryptographic authentication for both the server and the client. However, all of that security is based on one premise: that the client’s cryptographic private key was kept secure. If the key has been compromised or left unattended, you may no longer be able to trust the client. It may be necessary to add additional authentication methods on top of SSL to ensure the user or client is who they say they are.
An SSL proxy, however, strongly authenticates clients before they ever connect to the back-end resource. SSL proxies enforce much stronger authentication methods than a back-end resource could ever support natively. Many Web servers today do not natively support authentication methods other than SSL.
[Figure: End-to-edge security vs. end-to-end security. Left panel, “Other Proxy”: the client’s secure connection over SSL from the Internet is terminated at the proxy at the network edge; once the Internet client is authenticated at the firewall/proxy, its connection to back-end services is transmitted in clear text, so information inside the network edge can be intercepted and processed. Right panel, “Array SPX”: the client’s secure connection over SSL is carried past the network edge; secure connections are made from the Array SP to the servers which the client is authorized to access, and servers the client is not authorized for are marked “Client NOT Authorized”.]
With SSL, a secure tunnel is established directly from the client to the resource the client is accessing.
With true end-to-end security, no data is sent in the clear, either on the internal network or on the
Internet. Everything from the client to the resource is securely authenticated and encrypted.
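The difference between the two proxy designs comes down to how the proxy opens its second connection, from itself to the back-end server. The following added example, which is not code from the white paper or from Array Networks, shows that second leg written with Python’s standard `ssl` module: the `end_to_end=False` branch reproduces the end-to-edge layout (TLS terminated at the proxy, plain TCP inside the network), while the `end_to_end=True` branch re-encrypts and, just as importantly, verifies the back-end’s certificate and hostname. The back-end host name, port and the `cafile` parameter are assumptions for the example.

```python
import socket
import ssl

# Constructed placeholder back-end for this example (not from the paper).
BACKEND_HOST = "app.internal.example"
BACKEND_PORT = 443


def backend_tls_context(cafile=None):
    """TLS settings for the proxy's second leg (proxy -> back-end).
    The proxy is the *client* on this hop, so it must verify the back-end's
    certificate and hostname; without that, anyone on the internal network
    who can present a certificate could impersonate the server, and the
    'end-to-end' claim would only be as strong as the internal network."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_hardened(ctx):
    """Check a reviewer can apply to any upstream context: verification on,
    hostname checked, legacy protocol versions refused."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect_backend(end_to_end, cafile=None, host=BACKEND_HOST, port=BACKEND_PORT):
    """Open the proxy's connection to the back-end.

    end_to_end=False is the 'end-to-edge' picture from the figure: TLS was
    terminated at the proxy and this hop is plain TCP, so whatever can see
    the internal segment reads the traffic. end_to_end=True re-encrypts."""
    raw = socket.create_connection((host, port))
    if not end_to_end:
        return raw  # cleartext inside the network edge
    return backend_tls_context(cafile).wrap_socket(raw, server_hostname=host)


def hop_is_encrypted(sock):
    """True when the back-end leg is a TLS socket rather than a raw socket."""
    return isinstance(sock, ssl.SSLSocket)


if __name__ == "__main__":
    # Only the context check runs offline; connect_backend needs a live host.
    print("upstream context hardened:", context_is_hardened(backend_tls_context()))
```

The `server_hostname` argument is what makes `check_hostname` meaningful: passing the host name lets the proxy reject a back-end certificate issued for some other name, which is the check most often left out when the second leg is added to an existing proxy after the fact.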
Array is headquartered in Milpitas, California with sales offices around the world. The company has
approximately 60 resellers and VARs worldwide.