I'm assuming you're interested in SSL VPNs and not the secure (SSL/HTTPS) connection function of a normal Web server. Even the term SSL VPN is ambiguous because it is used in two ways. One type of SSL VPN is the IPSec-like VPN that connects two networks and operates at the network layer, but uses SSL for key management and session establishment. OpenVPN is an example of this type of VPN. While similar to IPSec, it is easier to install and maintain and is often used in IPSec's place.
The other type of SSL VPN operates at the application layer by connecting the client's Web browser with an application through a normal SSL connection. This type of VPN is well-suited for mobile users or for partners and customers whose computers are not under your client's control. Their main advantage is that they don't require special software to be installed on the user's computer, although some application-specific software may be dynamically loaded at session establishment time. This white paper from Juniper Networks has an excellent analysis of when to use each type of VPN.
Get more VPN security tips in our Virtual Private Networking Project Guide for resellers and systems integrators.
This was first published in July 2007