
IPsec vs. SSL VPNs: Choosing the best virtual private network for your customer

SearchNetworkingChannel's VPN expert clarifies how SSL and IPsec VPNs work, and under what circumstances each is the better choice.

What are some general guidelines I should consider when determining whether to recommend an SSL or IPsec VPN to a customer?

There's a great deal of confusion as to what "SSL VPN" means. One meaning is a traditional VPN that provides network-to-network communication in an application-agnostic way. These types of SSL VPNs, exemplified by the open-source OpenVPN, are very much like IPsec except that they use the SSL protocol for key negotiation and other administrative tasks. Because they usually operate in user space rather than the kernel, many experts believe that they have a security edge over an in-kernel IPsec implementation. On the other hand, they may suffer some performance degradation due to the need for application scheduling and repeated context switching between the kernel and user space. SANS has a nice white paper that discusses this type of virtual private network.

The other type of SSL VPN is actually an application gateway that uses SSL to encrypt network traffic between a client computer and an enterprise network. These types of virtual private networks are mostly useful for HTML-aware applications and a few other common applications (email, terminal access, etc.) for which the VPN device has built-in "application translators." The advantage of this type of VPN is that it uses a standard Web browser and therefore doesn't require a special client or other software to be loaded on the client computer.

If your client is mostly concerned with allowing secure, remote access to Web-based applications and doesn't want to deal with the administrative headaches of loading additional software on each client machine and schooling employees in its use, then an SSL gateway is a simpler solution, both for the users and network administrators. On the other hand, if the client's users want access to the enterprise network -- so they can connect to their desktop computers, for example -- then IPsec or an SSL VPN like OpenVPN is the preferred solution. Some SSL VPNs perform both functions, but generally not as well as one dedicated to one or the other.
