Choosing a VPN

There are a number of factors to consider when choosing an SSL VPN. What applications do you want to use it for and how many users are there. For small numbers of users connecting to a small number of applications, ease of use and management are key considerations. Suppliers such as Array Networks and NetASQ have low cost solutions designed for SMBs and distributed enterprises.

Other considerations include: Does it have an integrated firewall? The inclusion of this will give maximum flexibility of implementation and granularity. Does it include integrated strong authentication or does it provide scalability and interoperability with third party strong authentication products?

Can the SSL VPN provide client integrity, i.e. checking the client machine for security threats? Will it support legacy and web applications, and does it provide support for SSL tunnelling, which mimics IPsec. You also need to be sure that it will support any device (PC, lap-top, PDA, Internet Cafe device) to which the SSL owner does not have access rights. As with any VPN system, you will need comprehensive reporting that helps you keep track of VPN tunnels throughout your organisation.

Then there are vendor related issues to consider. You should check the vendor and distribution/reseller support infrastructure. Do you need next business day replacement and 24x7 telephone support? If your SSL VPNs (as is likely) are an essential part of your business operations, you want to be sure that you can replace any problematic systems very quickly and that help is always available to keep the VPNs functioning well. It would also be wise to check out the vendor's plans for enhancing the product's functionality and capability, to ensure that it will keep up to date with your changing needs.

Other considerations

Another consideration for the purists is the strength of the encryption technology. SSL uses single DES (56-bit key), IPSec can use 3DES or the emerging AES standard. For the majority of applications and requirements, DES is adequate. However, for highly secure requirements such as military, 3DES/AES is probably mandated. Browser vendors would have to move to supporting 3DES or AES before SSL VPNs could match the encryption strength of IPSec.

Conclusion

Vendors of both IPsec and SSL VPN technologies have recognised the strengths of each other's solutions and introducing hybrid products. For instance, Check Point offers Connectra, an SSL product, as well as its long-established SecureRemote IPSec product. NetASQ has an integrated firewall/ IPsec VPN/SSL VPN appliance.

SSL technology is rapidly maturing to the point where there are few clear differences between SSL and IPsec technology. SSL is gaining the upper hand if you count the number of users, but it remains to be seen what difference the introduction of the IPv6 standard, which includes IPsec, will make. All IPv6 end node implementations will include IPsec as an option, so IPsec advocates hope for a resurgence of IPSec VPNs. If all applications used this feature, then theoretically SSL would be unnecessary. But by then SSL may have become the dominant technology.

A recent report from Forrester Research indicates that SSL will take over. It concluded that spending on SSL VPN technology will increase at a 53% compound annual growth rate and that by 2008 SSL VPNs will have overtaken traditional IPsec VPNs as the remote access security standard.