EXPERT RESPONSE
There's a great deal of confusion as to what "SSL VPN" means.
One meaning is a traditional VPN that provides network-to-network
communication in an application agnostic way. These types of SSL
VPNs, exemplified by the open source OpenVPN, are very much like
IPsec except that they use the SSL protocol for key negotiation
and other administrative tasks. Because they usually operate in
user space rather than the kernel, many experts believe that they
have a security edge over an in-kernel IPsec implementation. On
the other hand, they may suffer some performance degradation due
to the need for application scheduling and repeated context switching
between the kernel and user space. SANS has a nice white paper that
discusses this type of virtual private network.
The other type of SSL VPN is actually an application gateway that
uses SSL to encrypt network traffic between a client computer and
an enterprise network. These types of virtual private networks are
mostly useful for HTML-aware applications and a few other common
applications (email, terminal access, etc.) for which the VPN
device has built-in "application translators." The advantage of
this type of VPN is that it uses a standard Web browser and
therefore doesn't require a special client or other software to be
loaded on the client computer.
If your client is mostly concerned with allowing secure, remote
access to Web-based applications and doesn't want to deal with
the administrative headaches of loading additional software on
each client machine and schooling employees in its use, then an SSL gateway
is a simpler solution, both for the users and network
administrators. On the other hand, if the client's users want
access to the enterprise network -- so they can connect to their
desktop computers, for example -- then IPsec or an SSL VPN like
OpenVPN is the preferred solution. Some SSL VPNs perform both
functions, but generally not as well as one dedicated to one or
the other.
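As an added example, not part of the original answer, here is a minimal OpenVPN server configuration for the second scenario above: remote users who need routed access to the enterprise network so they can reach their own desktops. The LAN range (192.168.10.0/24), the VPN address pool (10.8.0.0/24) and the certificate file names are placeholders.

```conf
# OpenVPN server configuration (added example). The LAN range, VPN pool
# and key/certificate file names are placeholders, not values from the
# original answer.
port 1194
proto udp
dev tun                      # layer-3 tunnel: routed, application-agnostic

# X.509 material for the SSL/TLS key negotiation described above.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Address pool handed out to remote-access clients.
server 10.8.0.0 255.255.255.0

# Route the enterprise LAN through the tunnel so users can reach their
# desktop machines directly, which a browser-based SSL gateway cannot do.
push "route 192.168.10.0 255.255.255.0"

# Accept only peers whose certificate was issued for client use, and
# require a pre-shared key on the control channel so packets from
# unauthenticated sources are dropped before any TLS handshake work.
remote-cert-tls client
tls-crypt ta.key

# Data-channel cipher: AEAD mode gives confidentiality and integrity.
cipher AES-256-GCM

# Drop privileges once the tunnel is up. The daemon runs in user space,
# so a compromise of the process does not directly expose the kernel.
user nobody
group nogroup                # use "nobody" on systems without nogroup
persist-key
persist-tun

keepalive 10 120
verb 3
```

The performance caveat in the answer applies here: every packet crosses the kernel/user-space boundary twice, so throughput on the same hardware will be lower than with an in-kernel IPsec tunnel.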