abu_qusy
asked on
IPsec Vpn vs SSL VPN
Hello
Please What is Main different between IPSEC VPN and SSL VPN and When to Use any Of them ?
Please What is Main different between IPSEC VPN and SSL VPN and When to Use any Of them ?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Good links above, Narendra, but some narration should be done:
IPSec
I want to contradict some of the statements made in the links about SSL VPN pros:
It is a big lie that you do not need a client for SSL VPN. In all cases I met SSL VPNs a Java client is installed (not just started!) at your client PC. In some cases there is even more to be installed, like an updater, firewall checker, aso.
The client software (sometimes) interfers with other software. Depending on the techniques used, you cannot use the same services on your client that are offered remotely, like RDP or database ports (e.g. the case with Juniper Connect, mapping all remote IPs to 127.0.0.x addresses). Using more than one of SSL VPN is not supported, and often it does not work. (It's the same with IPSec VPNs - I just say that here because "clientless" is an often stated (fake) pro of SSL VPNs.)
And it is not true that you do not need any training with SSL VPNs. Our stuff is all IT, but they refuse to connect to some of our clients exactly because of the complexity in logging in via Web browser, followed by clicking, starting a client software, ... None of the SSL VPNs we have to use to get to some of our clients are user-friendly.
That is why I still stick on client-based VPNs. Even a weak PPTP connection is preferred over a SSL VPN. The free OpenVPN SSL VPN counts as such, since it needs a client and a server, and it is not Web based.
IPSec
allows for site-2-site connections - transparent, full or restricted access to each LAN
needs a client to be installed before anything else, if initiated from a PC
can be handled in hardware, when using routers capable of IPSec VPNs
SSL VPN
needs a client (I know "they" say different, but it is the truth, see below)
needs a Web browser and Java allowed
often does not support LAN access, only access to dedicated applications
allows for automatic downloading of the required software
I want to contradict some of the statements made in the links about SSL VPN pros:
It is a big lie that you do not need a client for SSL VPN. In all cases I met SSL VPNs a Java client is installed (not just started!) at your client PC. In some cases there is even more to be installed, like an updater, firewall checker, aso.
The client software (sometimes) interfers with other software. Depending on the techniques used, you cannot use the same services on your client that are offered remotely, like RDP or database ports (e.g. the case with Juniper Connect, mapping all remote IPs to 127.0.0.x addresses). Using more than one of SSL VPN is not supported, and often it does not work. (It's the same with IPSec VPNs - I just say that here because "clientless" is an often stated (fake) pro of SSL VPNs.)
And it is not true that you do not need any training with SSL VPNs. Our stuff is all IT, but they refuse to connect to some of our clients exactly because of the complexity in logging in via Web browser, followed by clicking, starting a client software, ... None of the SSL VPNs we have to use to get to some of our clients are user-friendly.
That is why I still stick on client-based VPNs. Even a weak PPTP connection is preferred over a SSL VPN. The free OpenVPN SSL VPN counts as such, since it needs a client and a server, and it is not Web based.
SSL VPN is the technology that was touted by major vendors as the clientless, one size fits all solution. The technology started out with the goal and claim to be clientless. However very quickly - as predicted by many experts - limitations were found and a thin client was added. Then after some time the technology came all the way around to a thick client again - just like IPsec. SSL VPN can be very useful if you deal with a just webified environment. However if you have a mix and need seamless access and good performance you should stick with IPsec VPN. I favor a hybrid approach. Also what most SSL VPN vendors don't tell you is that IPsec delivers by far the better data network performance due to less overhead. The main reason SSL VPN was developed was that vendors wanted to address the valid concerns and complains about IPsec VPN such as interoperability, poor manageability and scalability. However there are vendors that have addressed such issues with very good solutions. For example NCP (http://www.ncp-e.com) offers a hybrid IPsec/SSL VPN gateway plus a Management Server that gives you the best of two worlds and allows you to manage your IPsec clients and environment. I never believe in one-size-fits-all solutions. I favor best-of-breed solutions. Even if those big guys want to tell you otherwise - they are just interested in the bottom line, selling you expensive sheet metal that requires costly maintenance and forklift upgrades.
http://www.itsecurity.com/features/beyond-ipsec-move-sslvpn-040507/