Are SSL VPNs really 'better' than IP VPNs?

Summary: SSL VPNs are often touted as the best thing since sliced bread as far as remote access is concerned. Recently, I even heard them described as "more secure" than traditional IP based VPN clients.

SSL VPNs are often touted as the best thing since sliced bread as far as remote access is concerned. Recently, I even heard them described as "more secure" than traditional IP based VPN clients. In fact, "more secure" depends on perspective and what aspect of security you're looking at. SSL VPNs are more secure in the sense that access to internal corporate resources is more granular. An SSL VPN essentially presents an external portal to an application that is normally only internally accessible within a corporate LAN. An IP VPN normally presents an external portal to an entire internal LAN or at least a portion of it. In this narrow perspective, the SSL VPN is indeed more secure. Unfortunately, reality is not that simple.

One of the biggest selling points of SSL VPN is the fact that it is "client-less." Actually, it's an ActiveX or Java client that is downloaded and installed as a Web browser add-on on demand, but that's never stopped marketing from calling something "client-less" before. But let's not quibble about semantics: SSL VPNs will run without the need to install or configure a complex IP VPN client. This means that you can go on any Internet-connected computer, even those that are not company owned or controlled, to access corporate resources. As convenient as this portability "feature" is, there is an inherent danger in this capability. Any time you access corporate resources on an untrusted computer such as one found in an Internet cafe or an airport terminal, you open yourself to key logging (the process where someone records your keystrokes) and that could mean a serious compromise in user credentials. Once a user's credentials are captured and compromised, your corporate resources are wide open to the password thief because they can now log on to your SSL VPN using your stolen credentials.

IP-based VPN clients are normally only used from trusted corporate computers managed by IT. These typically have the proper anti-virus and personal firewall installed. When software digital certificates are used, this absolutely forces all VPN access to come only from company-controlled computers. When viewed from this perspective, IP-based VPNs are more secure than SSL VPN solutions. From a convenience standpoint, once an IP-based VPN is established from your corporate-issue laptop, it pretty much gives you access to everything you can access when you're actually at the office. The fact that you don't have to use a Web browser is a huge plus in my book. For example, as good as Outlook Webmail 2003 is, it is no substitute for the real Outlook 2003 application.

There are pros and cons to both technologies. There are situations where SSL VPN is more appropriate than IP VPN and situations where the opposite is true. Generally speaking, an IP-based VPN will be compatible with nearly all applications if you take the time to properly deploy it. SSL VPNs are not as flexible but are more convenient from an ease of deployment standpoint. If all you need is Web-based e-mail or some internal Web-based application, then an externally exposed reverse proxy SSL server is all you need. An SSL VPN portal is just a slightly more advanced reverse proxy server because it is designed to proxy some non-Web applications whereas a simple reverse proxy server can only proxy Web applications.
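To make the reverse-proxy point concrete, here is an added illustration (not the author's configuration, and not from any product he mentions) of the "externally exposed reverse proxy SSL server" described above, written as an nginx server block. It proxies a single internal Web application rather than the whole LAN, and it applies the certificate idea from the IP VPN paragraph: the proxy only completes the TLS handshake with browsers that present a client certificate issued by the corporate CA. The hostnames, file paths and CA are hypothetical placeholders.

```nginx
# Added illustration, not from the original post. All hostnames and
# certificate paths are hypothetical; replace them with your own.

server {
    listen 443 ssl;
    server_name webmail.example.com;            # hypothetical external name

    # Server certificate presented to browsers (placeholder paths)
    ssl_certificate     /etc/nginx/tls/webmail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/webmail.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require a client certificate chained to the corporate CA. This gives the
    # "only company-controlled computers" property: a browser on an Internet
    # cafe machine has no such certificate, so the handshake fails before a
    # user can even type credentials into the portal.
    ssl_client_certificate /etc/nginx/tls/corporate-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Only the one Web application is reachable through this portal,
        # not the internal LAN behind it.
        proxy_pass https://owa.internal.example.com;   # hypothetical internal host
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Pass the client certificate subject along so the application's
        # logs show which issued device made each request.
        proxy_set_header X-Client-Cert-DN  $ssl_client_s_dn;
    }
}

# Never serve the portal over plain HTTP; send such requests to HTTPS.
server {
    listen 80;
    server_name webmail.example.com;
    return 301 https://$host$request_uri;
}
```

The certificate requirement only delivers the guarantee the IP VPN paragraph describes if the private key actually stays on managed machines (for example, issued into the OS certificate store as non-exportable); a certificate that users can copy to a borrowed computer reintroduces the untrusted-keyboard problem the post warns about.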

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.
