IPsec VPN:
– It works on Layer 3 (the Network Layer) of the OSI Model.
– Since it works at the Network Layer, it secures all data that travels between two end points without any relationship to a specific application.
– Once connected, the user is virtually attached to the entire network and able to access the entire network.
– It defines how to provide data integrity, authenticity and secrecy over an insecure network like the Internet.
– It achieves this through tunneling, encryption and authentication.
– It is complex because the two entities that communicate via IPsec have to agree on the same security policies, which must be configured on both end devices.
– A single IPsec tunnel secures all communication between the devices regardless of traffic type. It can be TCP, UDP, ICMP, etc., or any application such as e-mail, client-server or database traffic.
– Special-purpose software is available for IPsec connections. This exists for PCs, mobiles and PDAs as well as for edge devices like routers and firewalls.
SSL VPN:
– It works on Layer 7 (the Application Layer) of the OSI Model.
– It is a protocol used for secure web-based communication over the Internet.
– It uses encryption and authentication to keep interactions private between two devices, typically a web server and a user machine.
– Like IPsec, SSL also provides mobility while providing a level of security.
– Unlike IPsec, SSL protects one application at a time, and each application is accessed via a web browser.
– All basic web browsers such as IE or Mozilla support SSL automatically. But not all applications do, so they require upgrading, which is very costly.
– The above problem can be solved by purchasing an SSL VPN gateway, which is deployed at the edge of the corporate network and serves as a proxy to LAN applications such as e-mail, file servers and other resources.
– The browser thinks it is communicating directly with the application, and the application thinks it is communicating directly with the browser. The SSL VPN is transparent to either side of the network.
SSL VPN provides the following three modes of SSL VPN access:
• Clientless—Clientless mode provides secure access to private web resources and to web content. This mode is useful for accessing most content that you would expect to reach in a web browser, such as Internet access, databases, and online tools that employ a web interface.
• Thin Client (port-forwarding Java applet)—Thin client mode extends the cryptographic capability of the web browser to allow remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
• Tunnel Mode—Full tunnel client mode offers extended application support through its dynamically installed Cisco AnyConnect VPN Client (the next-generation SSL VPN client). Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network-layer access to virtually any application.
Strengths and Weaknesses:
IPsec's key strength lies in its ability to provide a permanent connection between locations. Working at the network layer (layer 3 of the network stack) also makes it application agnostic: any IP-based protocol can be tunneled through it. This makes IPsec an attractive alternative to a costly leased line or a dedicated circuit. It can also serve as a backup link in the event that the primary leased line or dedicated circuit connecting the remote site to the central office goes down.
IPsec's application-agnostic design is also its weakness, however. Though it provides authentication, authorization and encryption, it effectively extends the corporate network to any remote user and has no ability to restrict access to resources at a granular level. Once a tunnel is set up, remote users can typically access any corporate resource as if they were connected directly to the corporate network. These VPN security concerns are made worse because having a mobile workforce requires allowing non-managed IT assets like smartphones and home PCs to access corporate resources. These are assets that IT has no visibility into or control over, and there is no guarantee that these devices comply with the level of security that is typically enforced on managed assets.
IPsec is also more involved to maintain. In addition to setting up the appliance that terminates the tunnels, additional configuration and maintenance are required to support the remote user population. Where corporations use Network Address Translation (NAT), special configuration is required to ensure IPsec works correctly with the NAT setup.
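Two of the points above, that both ends of an IPsec tunnel must be configured with matching security policies and that a peer behind NAT needs special handling, can be shown with a small policy-negotiation model. This is an added example, not code from the original page or from any IPsec product; it is not a real IKE implementation, and the peer names, proposal lists and the weak-transform lists are constructed for illustration. It assumes the usual IPsec behaviour that plain ESP (IP protocol 50) carries no port numbers, so a NAT device cannot translate it unless both peers enable NAT traversal (ESP in UDP on port 4500).

```python
"""Added example (not from the original page): a toy model of why both ends of an
IPsec tunnel must be configured with matching security policies, and why a peer
behind NAT needs NAT traversal (ESP carried in UDP on port 4500). This is not a
real IKE implementation; peer names and proposal lists are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One IKE/IPsec transform set: cipher, integrity algorithm and DH group."""
    encryption: str   # e.g. "aes256-gcm"
    integrity: str    # e.g. "sha256"; "none" when the cipher is an AEAD mode
    dh_group: str     # e.g. "modp2048" or "ecp256"


@dataclass
class Peer:
    name: str
    proposals: List[Proposal]      # ordered, most preferred first
    behind_nat: bool = False
    nat_traversal: bool = False    # NAT-T enabled (UDP encapsulation of ESP)


# Transforms a defender should refuse no matter what the far side offers.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH = {"modp768", "modp1024"}


def is_weak(p: Proposal) -> bool:
    return (p.encryption in WEAK_ENCRYPTION
            or p.integrity in WEAK_INTEGRITY
            or p.dh_group in WEAK_DH)


def negotiate(initiator: Peer, responder: Peer) -> Optional[Proposal]:
    """Responder selects the first entry in its own preference order that the
    initiator also offered, skipping weak transforms. None means no agreement:
    the tunnel cannot come up until both configurations are aligned."""
    offered = set(initiator.proposals)
    for candidate in responder.proposals:
        if candidate in offered and not is_weak(candidate):
            return candidate
    return None


def transport(initiator: Peer, responder: Peer) -> Optional[str]:
    """How ESP is carried. Plain ESP (IP protocol 50) has no port numbers, so a
    NAT device in the path cannot translate it; both peers must enable NAT-T."""
    if initiator.behind_nat or responder.behind_nat:
        if initiator.nat_traversal and responder.nat_traversal:
            return "udp-4500"
        return None
    return "esp"


def establish(initiator: Peer, responder: Peer) -> dict:
    """Combine both checks and report why a tunnel would fail, as a config audit would."""
    proposal = negotiate(initiator, responder)
    carrier = transport(initiator, responder)
    errors = []
    if proposal is None:
        errors.append("no common acceptable proposal; align policies on both ends")
    if carrier is None:
        errors.append("peer behind NAT but NAT traversal is not enabled on both ends")
    return {"ok": not errors, "proposal": proposal, "transport": carrier, "errors": errors}


# Constructed sample peers.
STRONG = Proposal("aes256-gcm", "none", "ecp256")
OK = Proposal("aes128-cbc", "sha256", "modp2048")
LEGACY = Proposal("3des", "sha1", "modp1024")

HEAD_OFFICE = Peer("hq-gw", [STRONG, OK], nat_traversal=True)
BRANCH_MATCHING = Peer("branch-a", [OK, STRONG], nat_traversal=True)
BRANCH_MISMATCH = Peer("branch-b", [LEGACY])                 # only legacy transforms configured
BRANCH_NAT = Peer("branch-c", [STRONG], behind_nat=True)     # behind a NAT router, NAT-T off

if __name__ == "__main__":
    for branch in (BRANCH_MATCHING, BRANCH_MISMATCH, BRANCH_NAT):
        print(branch.name, establish(branch, HEAD_OFFICE))
```

The responder walks its own preference list rather than the initiator's, which is the usual way a gateway keeps control over which transform set wins; refusing the legacy entries outright means a misconfigured branch fails loudly at negotiation time instead of silently coming up with 3DES/SHA-1.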
SSL VPNs, on the other hand, have been designed from the ground up to support remote access. They do not require any special software to be installed. Remote access is provided through a browser-based session using SSL. SSL VPNs also give an enterprise the ability to control access at a granular level. Specific authentication and authorization schemes for access to an application can be limited to a particular user population. Built-in logging and auditing capabilities address various compliance requirements. SSL VPNs can also run host compliance checks on the remote assets connecting to the enterprise to validate that they are configured with the appropriate security software and have the latest patches installed.
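The granular, per-application authorization, host compliance check and audit logging described above can be modelled in a few dozen lines, and contrasted with the all-or-nothing reachability of a plain IPsec tunnel from the earlier paragraph. This is an added example, not code from the original page or from any SSL VPN product: the users, groups, published applications, posture attributes, thresholds and audit-log layout are all constructed for illustration, and the three access modes named in the rules are the clientless, thin-client and tunnel modes listed earlier.

```python
"""Added example (not from the original page): a minimal model of the per-application
access control, host compliance check and audit logging the text attributes to SSL VPN
gateways, contrasted with the all-or-nothing reachability of an IPsec tunnel. The user
names, groups, applications, posture attributes and log layout are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Posture:
    """What a host compliance check reports about the connecting device."""
    av_running: bool
    patch_age_days: int
    disk_encrypted: bool


@dataclass
class AppRule:
    app: str
    mode: str                  # "clientless", "thin-client" or "tunnel"
    allowed_groups: Set[str]
    min_posture: Dict[str, object]


# Constructed policy table: one rule per published application.
POLICY: List[AppRule] = [
    AppRule("webmail", "clientless", {"staff", "contractors"},
            {"av_running": True, "max_patch_age_days": 90}),
    AppRule("imap", "thin-client", {"staff"},
            {"av_running": True, "max_patch_age_days": 30}),
    AppRule("file-server", "tunnel", {"staff"},
            {"av_running": True, "max_patch_age_days": 30, "disk_encrypted": True}),
]

AUDIT_LOG: List[dict] = []


def posture_failures(p: Posture, req: Dict[str, object]) -> List[str]:
    """Return every unmet requirement; an empty list means the host is compliant."""
    failures = []
    if req.get("av_running") and not p.av_running:
        failures.append("antivirus not running")
    limit = req.get("max_patch_age_days")
    if limit is not None and p.patch_age_days > limit:
        failures.append(f"patches older than {limit} days")
    if req.get("disk_encrypted") and not p.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def authorize(user: str, groups: Set[str], app: str, posture: Posture) -> dict:
    """SSL VPN style: authenticate once, then decide per application and per host state.
    Every decision, allowed or denied, is appended to AUDIT_LOG for later review."""
    rule = next((r for r in POLICY if r.app == app), None)
    if rule is None:
        decision = {"allow": False, "reason": "application not published"}
    elif not (groups & rule.allowed_groups):
        decision = {"allow": False, "reason": "user not in an allowed group"}
    else:
        failures = posture_failures(posture, rule.min_posture)
        if failures:
            decision = {"allow": False, "reason": "host compliance failed: " + "; ".join(failures)}
        else:
            decision = {"allow": True, "reason": "ok", "mode": rule.mode}
    AUDIT_LOG.append({"user": user, "app": app, "allow": decision["allow"], "reason": decision["reason"]})
    return decision


def ipsec_style_access(tunnel_up: bool, app: str) -> bool:
    """For contrast: with the plain IPsec tunnel the page describes, reachability does
    not depend on the application or on host state, only on whether the tunnel is up."""
    return tunnel_up


if __name__ == "__main__":
    laptop = Posture(av_running=True, patch_age_days=45, disk_encrypted=True)
    print(authorize("bob", {"staff"}, "file-server", laptop))   # denied: patches too old
    print(ipsec_style_access(True, "file-server"))               # True regardless of posture
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the contrast is in the last two functions: the SSL VPN gateway can say no to the file server while still allowing webmail for the same user, and it records why, whereas the IPsec model has nothing to consult once the tunnel is up. In a real deployment the posture values would come from the gateway's endpoint check rather than being passed in by hand.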
This does not mean SSL VPNs are the cure for all of IPsec's weaknesses. If a remote site requires an always-on link to the main office, an SSL VPN would not be the solution. IPsec, being application agnostic, can support a number of legacy protocols and traditional client/server applications with minimal effort. This is not the case with SSL VPNs, which have been built around web-based applications. Many SSL VPNs get around this weakness by installing a Java or ActiveX-based agent on the remote asset. This installation is typically achieved seamlessly after the remote asset has successfully authenticated to the SSL VPN appliance, though it should be noted that both ActiveX and Java come with their own security weaknesses that attackers commonly seek to exploit.