There's a great deal of confusion as to what "SSL VPN" means. One meaning is a traditional VPN that provides network-to-network communication in an application-agnostic way. These types of SSL VPNs, exemplified by the open source OpenVPN, are very much like IPsec except that they use the SSL protocol for key negotiation and other administrative tasks. Because they usually operate in user space rather than the kernel, many experts believe that they have a security edge over an in-kernel IPsec implementation. On the other hand, they may suffer some performance degradation due to the need for application scheduling and repeated context switching between the kernel and user space. SANS has a nice white paper that discusses this type of virtual private network.
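To make the first type concrete, here is a minimal OpenVPN client configuration of the kind the paragraph describes. It is an added illustration, not part of the original answer and not taken from the OpenVPN project; the hostname, port and file names are placeholders. It shows the two properties the text points to: the tunnel is keyed by an SSL/TLS handshake against an X.509 certificate chain (ca/cert/key, with an additional pre-shared key wrapping the control channel), and the daemon is an ordinary user-space process attached to a tun device, so it can drop root after start-up.

```conf
# Added example client.ovpn (hypothetical values; not from the original page)
client
dev tun                       # user-space process attached to a kernel tun device
proto udp
remote vpn.example.com 1194   # placeholder server name and port
resolv-retry infinite
nobind

# Key negotiation is done by an SSL/TLS handshake, not by IKE as in IPsec.
ca ca.crt                     # CA that issued the server and client certificates
cert client.crt
key client.key
tls-crypt ta.key              # pre-shared key that encrypts/authenticates the control channel
tls-version-min 1.2
remote-cert-tls server        # reject a client certificate presented as a "server"
verify-x509-name "vpn.example.com" name   # pin the expected server identity

# Data-channel protection (OpenVPN 2.4+ directives).
cipher AES-256-GCM
auth SHA256

# Because the tunnel runs in user space, the daemon can shed root once
# the tun device and routes are set up; an in-kernel implementation cannot.
user nobody
group nogroup
persist-key
persist-tun

verb 3
```

The `remote-cert-tls` and `verify-x509-name` lines are the checks most often left out of copied configurations; without them, any certificate issued by the same CA can impersonate the VPN server. The privilege drop via `user`/`group` is the practical form of the "security edge" the paragraph mentions: a compromise of the VPN process does not by itself yield kernel or root access.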
The other type of SSL VPN is actually an application gateway that uses SSL to encrypt network traffic between a client computer and an enterprise network. These types of virtual private networks are mostly useful for HTML-aware applications and a few other common applications (email, terminal access, etc.) for which the VPN device has built-in "application translators." The advantage of this type of VPN is that it uses a standard Web browser and therefore doesn't require a special client or other software to be loaded on the client computer.
If your client is mostly concerned with allowing secure, remote access to Web-based applications and doesn't want to deal with the administrative headaches of loading additional software on each client machine and schooling employees in its use, then an SSL gateway is a simpler solution, both for the users and network administrators. On the other hand, if the client's users want access to the enterprise network -- so they can connect to their desktop computers, for example -- then IPsec or an SSL VPN like OpenVPN is the preferred solution. Some SSL VPNs perform both functions, but generally not as well as one dedicated to one or the other.