Cisco ASA 5510 IPSec VPN vs SSL VPN

I have two questions about VPN access via my Cisco ASA 5510.  We currently access our corporate office via a Cisco ASA 5510 using IPSec VPN (Cisco VPN client).  After gaining access to the site, our end users can access drives/files on the server and they also access our web-based accounting software.  However, it is slow, which causes issues at times accessing the accounting system.  So, this leads to my two questions.

First, would there be any speed difference using SSL instead of IPSec?
Second, we chose IPSec because we could control the computers that the client was installed on, thus having more control over which equipment could remotely access the network.  If we choose SSL instead, is there any way to control which hardware accesses the VPN?

Thank you in advance.
SebastianAbbinanti Commented:
Yes, you can determine, and even manually issue, certificates to computers. For example you can allow only domain computers to get the certificates. You can also prevent export of the certificates with Group Policy.

Lastly, you can revoke a particular certificate without affecting any other certificate.

To better understand this concept, think of it this way. You will designate a server on your network as a certificate authority. It will issue and sign certificates. You will issue a certificate to the ASA as well as to individual devices. The certificate authority has a special certificate called a Root Certificate. The root certificate is used to verify whether a particular certificate has been signed by the Certificate Authority (think secret decoder ring).

Both the ASA and the connecting device are going to verify each other's certificates. You have complete control because only the certificate authority can issue verifiable certificates.

If you want to get an SSL certificate for a website, it too must be issued from a certificate authority. The difference is this. Microsoft or Apple or whatever operating system you have has compiled a grouping of Root Certificates for Certificate Authorities they trust, and has included it in your trusted root certificate store. You can always add your own, but if you're a website, you want your visitors to already have the Root Certificates installed.

Last point, there is something called a certificate revocation list (CRL). This will allow you to revoke certificates if you feel they have been compromised. For example, if a laptop is stolen, you can revoke its certificate. No one else is affected.

SSL uses PKI, which relies on asymmetric encryption, which tends to be more resource hungry than AES, which is symmetric. As for speed, I'd say it's more likely a bandwidth issue than anything else.

As for control, not really much difference. If you are concerned with controlling the devices that can access your VPN, consider certificate-based authentication over a Shared Secret (Group Password).

Here is the datasheet from cisco:

Shouldn't be a speed difference.  You'll want to go anyway as Cisco AnyConnect VPN Client is the path for Cisco VPN going forward.  Also deployment and upgrades of the AnyConnect client can be done via the web deployment mechanism rather than touching the client.

You'll only be able to connect using computers, not mobile devices, until you add the AnyConnect Mobile License.  It's not a per-client license, just a fee you have to pay for the license to allow mobile devices to connect.  With AnyConnect deployed you'll have full access to the client like you do today.
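The certificate flow described in the answer above (a CA you run issues certificates to the ASA and to individual devices, the gateway verifies a device's certificate against the root certificate and the CRL, and a stolen laptop's certificate is revoked without affecting anyone else), as an added example that is not from this thread: it uses a throwaway OpenSSL CA rather than a Windows CA or the ASA itself, and every name, path and the openssl.cnf section is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway private CA issues device
# certificates, the "gateway side" verifies them against the root plus a CRL,
# and revoking one stolen laptop leaves the other device untouched.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber
# Root CA: the server you designate as certificate authority (constructed name)
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.crt -subj "/CN=Example Corp Root CA" -days 365 2>/dev/null
issue_device() {  # $1 = device name; key stays on the device, the CA signs its CSR
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -days 90 -in "$1.csr" -out "$1.crt" 2>/dev/null
}
publish_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null; }
revoke_device() { openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null; publish_crl; }
check_device() {  # what the VPN gateway does: chains to our root AND is not on the CRL
  if openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" 2>&1 | grep -q ': OK$'
  then echo accepted; else echo rejected; fi
}
issue_device laptop-01; issue_device laptop-02; publish_crl
BEFORE=$(check_device laptop-01)   # accepted
revoke_device laptop-01            # laptop-01 reported stolen
AFTER=$(check_device laptop-01)    # rejected
OTHER=$(check_device laptop-02)    # still accepted: revocation is per certificate
echo "laptop-01 before: $BEFORE, after revoke: $AFTER; laptop-02: $OTHER"
```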
chattiegirl (Author) Commented:
I understand the concept of certificate authentication but is there any way to control the devices the certificates are downloaded to?  I guess I understand CA from the standpoint of verifying that a website is safe, but flipping it to verify that a device logging into a website (i.e., my VPN) is safe is perplexing me.  Thanks for being patient.
chattiegirl (Author) Commented:
Thank you so much for the extensive explanation.  I really appreciate it.