Cisco ASA 5510 IPSec VPN vs SSL VPN

Posted on 2012-09-10
Last Modified: 2012-09-19
I have two questions about VPN access via my Cisco ASA 5510.  We currently access our corporate office via a Cisco ASA 5510 using IPSec VPN (Cisco VPN client).  After gaining access to the site, our end users can access drives/files on the server and also access our web-based accounting software.  However, it is slow, which causes issues at times accessing the accounting system.  So, this leads to my two questions.

First, would there be any speed difference using SSL instead of IPSec?
Second, we chose IPSec because we could control the computers that the client was installed on, thus having more control over which equipment could remotely access the network.  If we choose SSL instead, is there any way to control which hardware accesses the VPN?

Thank you in advance.
Question by: chattiegirl
    LVL 6

    Expert Comment

    SSL uses PKI, which relies on asymmetric encryption, which tends to be more resource hungry than AES, which is symmetric. As for speed, I'd say it's more likely a bandwidth issue than anything else.

    As for control, not really much difference. If you are concerned with controlling the devices that can access your VPN, consider certificate-based authentication over a Shared Secret (Group Password).

    LVL 5

    Expert Comment

    Here is the datasheet from Cisco:

    Shouldn't be a speed difference.  You'll want to go anyway as Cisco AnyConnect VPN Client is the path for Cisco VPN going forward.  Also deployment and upgrades of the AnyConnect client can be done via the web deployment mechanism rather than touching the client.

    You'll only be able to connect using computers, not mobile devices, until you add the AnyConnect Mobile License.  It's not a per-client license, just a fee you have to pay for the license to allow mobile devices to connect.  With AnyConnect deployed you'll have full access to the client like you do today.

    Author Comment

    I understand the concept of certificate authentication, but is there any way to control the devices the certificates are downloaded to?  I guess I understand CA from the standpoint of verifying that a website is safe, but flipping it to verify that a device logging into a website (i.e., my VPN) is safe is perplexing me.  Thanks for being patient.
    LVL 6

    Accepted Solution

    Yes, you can determine, and even manually issue, certificates to computers. For example you can allow only domain computers to get the certificates. You can also prevent export of the certificates with Group Policy.

    Lastly, you can revoke a particular certificate without affecting any other certificate.

    To better understand this concept, think of it this way. You will designate a server on your network as a certificate authority. It will issue and sign certificates. You will issue a certificate to the ASA as well as to individual devices. The certificate authority has a special certificate called a Root Certificate. The root certificate is used to verify whether a particular certificate has been signed by the Certificate Authority (think secret decoder ring).

    Both the ASA and the connecting device are going to verify each other's certificates. You have complete control because only the certificate authority can issue verifiable certificates.

    If you want to get an SSL certificate for a website, it too must be issued from a certificate authority. The difference is this. Microsoft or Apple or whatever operating system you have has compiled a grouping of Root Certificates for Certificate Authorities they trust, and has included them in your trusted root certificate store. You can always add your own, but if you're a website, you want your visitors to already have the Root Certificates installed.

    Last point, there is something called a certificate revocation list (CRL). This will allow you to revoke certificates if you feel they have been compromised. For example, if a laptop is stolen, you can revoke its certificate. No one else is affected.
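The accepted solution describes a private CA that issues a certificate to the ASA and to each managed device, a root certificate that everything else is checked against, and a CRL for a stolen laptop. The script below, an added example that is not part of the original thread or of any Cisco tooling, walks through exactly that lifecycle with the `openssl` command-line tool: build a root CA, issue certificates to a (hypothetical) ASA `asa-vpn-gw` and two laptops, show that a certificate from any other issuer is rejected, then revoke one laptop's certificate and confirm that only that one device is affected. All names, paths and the minimal `openssl ca` configuration are constructed for the demonstration; the `verify_peer` function stands in for the check the VPN headend performs when a client presents its certificate.

```shell
#!/bin/sh
# Added example (not from the original thread): a private CA for certificate-based
# VPN device authentication, driven entirely with the openssl CLI.
set -eu

PKIDIR="$(mktemp -d)"                 # throwaway working directory
trap 'rm -rf "$PKIDIR"' EXIT

# Minimal config so `openssl ca` can track issued serials and build a CRL (constructed).
write_ca_config() {
  cat > "$PKIDIR/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = $PKIDIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
unique_subject   = no
[ policy_cn_only ]
commonName = supplied
EOF
}

# The root CA: its self-signed certificate is the "root certificate" the ASA and the
# clients trust; its private key is the only thing that can sign verifiable certificates.
init_ca() {
  mkdir -p "$PKIDIR/newcerts"
  : > "$PKIDIR/index.txt"
  echo 1000 > "$PKIDIR/serial"
  echo 1000 > "$PKIDIR/crlnumber"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Corp VPN Root CA" \
    -keyout "$PKIDIR/ca.key" -out "$PKIDIR/ca.crt" 2>/dev/null
  write_ca_config
}

# Issue a certificate to one device (or to the ASA itself). The device keeps its own
# private key and only hands the CA a signing request.
issue_cert() {   # $1 = common name, also used as the file basename
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$PKIDIR/$1.key" -out "$PKIDIR/$1.csr" 2>/dev/null
  openssl ca -config "$PKIDIR/ca.cnf" -batch -notext \
    -in "$PKIDIR/$1.csr" -out "$PKIDIR/$1.crt" 2>/dev/null
}

# A self-signed certificate from outside our CA: structurally fine, but not ours.
make_untrusted_cert() {  # $1 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$1" \
    -keyout "$PKIDIR/$1.key" -out "$PKIDIR/$1.crt" 2>/dev/null
}

# Revoke one certificate (e.g. a stolen laptop) and publish a fresh CRL.
revoke_cert() {  # $1 = common name
  openssl ca -config "$PKIDIR/ca.cnf" -revoke "$PKIDIR/$1.crt" 2>/dev/null
  openssl ca -config "$PKIDIR/ca.cnf" -gencrl -out "$PKIDIR/ca.crl" 2>/dev/null
}

# What the VPN headend does on connect: does the presented certificate chain to our
# root, and (once a CRL exists) is it still unrevoked? Prints VALID, REVOKED or UNTRUSTED.
verify_peer() {  # $1 = certificate file
  if [ -f "$PKIDIR/ca.crl" ]; then
    out="$(openssl verify -crl_check -CAfile "$PKIDIR/ca.crt" \
           -CRLfile "$PKIDIR/ca.crl" "$1" 2>&1 || true)"
  else
    out="$(openssl verify -CAfile "$PKIDIR/ca.crt" "$1" 2>&1 || true)"
  fi
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo VALID ;;
    *)                       echo UNTRUSTED ;;
  esac
}

init_ca
issue_cert asa-vpn-gw                 # the ASA's own certificate (hypothetical name)
issue_cert laptop-01                  # two managed corporate laptops
issue_cert laptop-02
make_untrusted_cert rogue-box         # a device that never went through our CA

LAPTOP01_BEFORE="$(verify_peer "$PKIDIR/laptop-01.crt")"   # VALID
ROGUE_RESULT="$(verify_peer "$PKIDIR/rogue-box.crt")"      # UNTRUSTED
revoke_cert laptop-01                                      # laptop-01 reported stolen
LAPTOP01_AFTER="$(verify_peer "$PKIDIR/laptop-01.crt")"    # REVOKED
LAPTOP02_AFTER="$(verify_peer "$PKIDIR/laptop-02.crt")"    # VALID: no one else is affected

printf 'laptop-01 before revocation: %s\nrogue-box: %s\n' "$LAPTOP01_BEFORE" "$ROGUE_RESULT"
printf 'laptop-01 after revocation: %s\nlaptop-02 after revocation: %s\n' \
  "$LAPTOP01_AFTER" "$LAPTOP02_AFTER"
```

Two things the run makes concrete: the rogue certificate is rejected purely because our root did not sign it, which is the "only the certificate authority can issue verifiable certificates" point, and revocation only bites once the verifier actually consults the CRL (`-crl_check` here; on a real headend, CRL or OCSP checking has to be enabled, not assumed). The non-exportable-key and domain-computer controls the answer mentions are enforced on the Windows side and are outside what this script shows.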

    Author Comment

    Thank you so much for the extensive explanation.  I really appreciate it.
