Virtual Private Network (VPN) is largely used to provide remote access to company’s assets to the users working from home or from public places (providing secure access) and/or to connect the partners/third parties securely to the company’s assets.
Most of us know that there 2 kinds of VPN technology – SSL and IPSec VPN. The question that many of us may have asked or may have in our mind is – which is better??
Although the choice of the technology used largely depends on the business or project requirement; there are some more reason why one if preferred over another.
IPSec VPN which works at the network layer can be used to transmit any IP-based traffic and apart from being used as site-to-site VPN (which allows company offices located in another location and vendors to connect securely to company’s assets) has also been used as client-to-site VPN (VPN client installed on the system).
Whereas SSL VPN on the other hand works at the application layer and is used as client-to-site VPN for connecting the roaming or mobile users of the company (who connects to company’s network from home or public access points).
IPSec is always ON connection and provides remote access without regard to the applications being accessed over it as it works at the network layer. On the other hand, SSL VPN is not always ON but can provide granular control to the asset connecting the company's network such as a compliance checks can be run on the system trying to connect to the VPN to company’s assets; such as whether latest security patches are installed on the system which is trying to connect the company's network over VPN.
Choosing SSL VPN over IPSec VPN for roaming or mobile users
In the past (around 10 years back), we have only used IPSec VPN which is both site-to-site (between company’s gateway devices which are always up and running) and remote access (between a VPN client and a gateway device – which is up only when the user connects).
People who travel a lot might have experienced that sometimes they are not able to connect to their company’s network from a remote location (hotel or home) using remote access IPSec VPN. They can see that the VPN connection has been established but still they are not able to access anything in the company’s environment.
When a user initiates a remote access connection via IPSec VPN, the Security Association (what encryption to use, authentication mechanism, etc.) are negotiated with the company gateway device (mostly a firewall or a VPN device). These security association or to say precisely ISAKMP (Internet Security Association and Key Management Protocol) works over UDP port 500 (ISAKMP port). Once these security negotiations are done, the remote device (trying to connect to the company’s network), send the ESP (Encapsulating Security Payload) to the gateway (at the user location). The gateway device understands UDP and TCP and for the traffic to go on to the Internet; PAT (Port Address Translation) is required to be done. But the gateway device does not know how to handle the ESP header. What most of the stateful inspection devices do is that they insert the port number in the SPI (Security Parameter Index – see ESP Header for details) for port address translation and this is how a user is able to connect remotely.
But what if the device at the remote end is not stateful? It will not be able to insert the port number in the SPI and thus a user will see the VPN is up but still the user is not able to access the company network.
To circumvent the above issue, devices encapsulate the ESP packet into a UDP packet and sends the packet to the remote device. But here is a catch; this is done over UDP 4500 (NAT-Traversal or NAT-T) port number and most security administrator’s by default does not allow such ports to go through the gateway device and the problem remains the same.
To overcome this issue, the ESP packet is encapsulated over TCP 443 which is use by HTTPS and is opened almost 99.999% - which is nothing but SSL VPN. Since most of the perimeter devices will allow TCP 443, therefore establishing an SSL VPN is easy and therefore SSL VPN is popular over IPSec VPN for client-to-site VPN for roaming and mobile users.
We have seen numerous issue around SSL, Heartbleed is one of the example and therefore for the same reason some standards such as PCI DSS does not allow the use of SSL 3.0. How many vulnerabilities we come across over IPSec VPN.
SSL VPN, a preferred way for Remote Access
So in nutshell due to the sheer ease of connecting to company’s network from a remote location for roaming or mobile users, SSL VPN is a preferred way for remote access.
Each remote access technology has its own place with the organization. IPSec is preferred when always ON connection is required for connecting remote offices or partners to company’s network. Whereas the SSL VPN is primarily used for roaming or mobile users where a granular level of access can be implemented.
A poorly configured and maintained VPN can be a cause of the data breach. Thus whatever technology a company chooses for the remote access (IPSec or SSL) must be securely configured and appropriately maintained.