This Processor update on the state of virtual private networks (VPNs) clearly leans in favor of the younger approach, which is known as Secure Sockets Layer (SSL). The idea is that the graybeard, Internet Protocol Security (IPSec), integrates the off-premises device fully into the network. It requires a client to be downloaded and can present obstacles to computer-challenged employees. SSL, on the other hand, operates through a browser.
The general consensus is that IPSec is stronger when it comes to permanent and relatively stationary remote access tasks, such as connecting a satellite office or telecommuter to headquarters. SSL is thought to be the best bet for highly mobile workers. A good overview of VPNs in general is available at Agnitum.
This long academic-style paper comparing SSL and IPSec VPNs concludes with a chart that summarizes where each stands in 10 categories (applications; encryption; authentication; overall security; users; accessibility; cost; complexity; ease-of-use and scalability). The rundown is very interesting. For instance, on "overall security," the analyst gives SSL a moderate rating, while IPSec gets strong marks. SSL is seen as moderately complex, however, while the complexity of IPSec is deemed to be high.
One of the frustrating things about security is that there often are different technologies or approaches that do about the same thing. This is true of SSL VPNs and network access control (NAC), a means of assessing whether an endpoint is secure and of controlling where the user goes once network access is granted. In this piece, Network World's Tim Greene acknowledges the overlap and suggests issues of which SSL users should be aware. He compares SSL with NAC in three categories: how endpoint data is sent, whether SSL endpoints can check third-party software on the device, and how many operating systems can be checked.
The story at vnunet discusses when it is appropriate to use SSL or IPSec. Flexibility is a top requirement, the writer says, and this favors SSL. He then asks the key question: Is SSL as secure as IPSec? At this point, the writer hedges a bit. He describes the differences in the ways the two connect -- IPSec to the entire network, SSL to the discrete services within -- and says that security is only as good as the applications to which the VPN connects. Adjunct technologies, such as malware scanning, personal firewalls and intrusion prevention systems, are still key. This is true, but hardly seems to answer the question.
A final and interesting point questions the common wisdom that SSL is the more convenient form of VPN. This isn't necessarily so. As the mixture of applications grows, IPSec becomes more attractive, he says. He doesn't go too deeply into the subject, but the implication is that a wider range of services adds incremental complexity to SSL. The fact that IPSec integrates the endpoint into the network may make the initial inconvenience less of a barrier as the complexity of the network grows. Once a user is admitted in the IPSec scenario, he or she is in for everything and uses the network as if the device were directly on the local-area network (LAN).
The bottom line is that the VPN market appears to be extremely healthy, with two viable approaches -- each with its unique strengths -- engaged in a competition that won't necessarily have a loser.