The pros and cons of IPSec
- 29 December, 2004 08:00
There are two major types of Internet-based VPNs: IPSec VPNs and SSL VPNs. Each has significant advantages - and disadvantages - in the corporate networking environment.
The greatest advantage of IPSec is its transparency to applications. Since IPSec operates at Layer 3, it has essentially no impact on the higher network layers. As implied by its name, IPSec runs at the IP layer and, as such, is indifferent as to whether application traffic is being transported using TCP or UDP. Consequently, IPSec is as appropriate for securing real-time traffic (such as VoIP) as it is for traditional data applications.
Additionally, since IPSec is usually deployed for inter-site connections, it is quite possible that the PCs attached to the network at a given site are not running IPSec at all. In a remote-access environment where there is no IPSec-enabled router, however, the PC must run a copy of the IPSec stack.
The disadvantage to an IPSec remote-access approach is that once a computer is attached to the IPSec-based network, all of the additional devices attached to that local network might also be able to gain access across the WAN to the corporate network. So it's possible that a worm on the "kid's computer" could easily spread to shared drives on the corporate network.
In other words, any vulnerabilities that exist at the IP layer in the remote network could be passed to the corporate network across the IPSec tunnel. Making sure that this doesn't happen is doable, but results in higher support costs.
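One way to keep the rest of the home network out of the tunnel is to narrow the IPSec policy selectors to the work PC alone. The following is an added example, not part of the original article: a simplified model of a first-match security policy lookup, where the addresses, device names and the 10.0.0.0/8 corporate range are all constructed assumptions.

```python
# Added example: simplified first-match lookup in an IPSec Security
# Policy Database (SPD). All addresses and device names are constructed.
from ipaddress import ip_address, ip_network

CORP_NET = "10.0.0.0/8"  # assumed corporate address space

# Constructed home LAN behind the teleworker's IPSec-enabled router.
HOME_DEVICES = {
    "work-laptop": "192.168.1.10",
    "kids-computer": "192.168.1.23",
    "game-console": "192.168.1.40",
}

# Each entry: (source selector, destination selector, action).
# Weak form: the whole home subnet is admitted to the tunnel.
BROAD_POLICY = [
    ("192.168.1.0/24", CORP_NET, "PROTECT"),
    ("0.0.0.0/0", "0.0.0.0/0", "BYPASS"),
]
# Narrowed form: only the work laptop is tunnelled; corporate-bound
# traffic from every other home device is dropped at the router.
NARROW_POLICY = [
    ("192.168.1.10/32", CORP_NET, "PROTECT"),
    ("192.168.1.0/24", CORP_NET, "DISCARD"),
    ("0.0.0.0/0", "0.0.0.0/0", "BYPASS"),
]

def spd_lookup(policy, src, dst):
    """Return the action of the first entry matching src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for src_sel, dst_sel, action in policy:
        if s in ip_network(src_sel) and d in ip_network(dst_sel):
            return action
    return "DISCARD"  # default-deny when nothing matches

def devices_reaching_corp(policy, corp_host="10.1.2.3"):
    """List home devices whose traffic to corp_host enters the tunnel."""
    return sorted(name for name, ip in HOME_DEVICES.items()
                  if spd_lookup(policy, ip, corp_host) == "PROTECT")

if __name__ == "__main__":
    print("broad :", devices_reaching_corp(BROAD_POLICY))
    print("narrow:", devices_reaching_corp(NARROW_POLICY))
```

Narrowing the selectors does not stop a worm from reaching the work laptop over the home LAN itself, so host firewalling on that PC is still needed.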
By contrast, SSL VPNs run at higher network layers so they don't expose network drives to remote workers, shielding the network against vulnerabilities like worms.
Another IPSec disadvantage is that if you're working off-site, say, at a partner location, connecting to your own company's network is difficult if not impossible due to restrictions in most corporate firewalls.
Finally, for part-time teleworkers, it is becoming difficult to use the home Internet connection for corporate network access if using an IPSec-encrypted VPN tunnel. Increasingly, ISPs consider anything IPSec-encrypted to be a "business-class" transmission. As such, they want to charge higher rates for IPSec traffic and will block IPSec traffic if the service type is not business class.
Next week we'll conduct a similar evaluation of SSL.