IPSec and SSL: Complementary approaches to ensure digital data protection and
integrity
Fred Weiller is director of marketing for Nortel Networks Security Solutions.
--------------------------------------------------------------------------------
In this age of digital piracy it is extremely important to make sure that
participants of a given transaction are really who they say they are and that
the content is not altered in any way during the transaction. Authentication of
both client and server sides, as well as encryption of content in transit, is
critical to limit exposure on both ends of the transaction. Filtering of the
content once it has been decrypted adds further services such as protection
against content abuse.
SSL and IPSec VPN technologies both serve this purpose in the communications
infrastructure. Each has merits and shortcomings. Each has certain scenarios in
which it shines.
Unless rigidity and an inflexible network are the objective, there's a place for
both remote-access protocols, working together to satisfy a broader range of
access scenarios than either one alone could provide.
The proven and popular protocols available to implement secure VPNs are IP
Security (IPSec) and Secure Sockets Layer (SSL):
IPSec refers to a suite of IETF security protocols that protect Internet
communications at the network layer, providing encryption, authentication,
confidentiality, data integrity, anti-replay protection and protection against
traffic flow analysis.
The Secure Sockets Layer protocol encrypts communications between Web servers
and Web browsers, tunneling them over the Internet at the application layer.
Because both protocols have merits, the only loser is the enterprise that
chooses a wait-and-see strategy and forfeits the productivity and cost savings
of VPNs while waiting for a single choice to surface. Since remote-access users
— ranging from employees, business partners and suppliers to customers — are
anything but standard, many IT managers will find they're better off to not
standardize on one VPN protocol and restrain their business reach, but rather,
to embrace diversity to match diverse access scenarios.
VPNs transform an inherently insecure medium — public shared networks and the
open Internet — into an extension of an enterprise's trusted private network,
with each type offering different kinds of benefits for securing content across
a network:
Enterprises enjoy secure connectivity with business partners far beyond the
reach of their private network, using extranet VPNs. They achieve new levels of
efficiency and customer service by securely linking the entire supply chain —
manufacturing, distribution, resellers, retailers and consumers — without the
expense of dedicated, leased lines.
They use the Internet or public data networks to connect business sites, such as
branch offices and home offices. With intranet VPN service, authorized users
gain the performance of a private network without the capital and operating
costs or the limitations of private networks or leased lines.
They can forget the days when they paid an average of $1,500 per user per year
for modem banks to give remote access to dial-in users. With remote access VPN
service, enterprises can give users a broader range of the latest high-speed
access technologies, such as cable modems and digital subscriber line (DSL).
IPSec: Network-layer security for IP traffic
The IPSec suite of protocols secures IP traffic at the network layer through
encryption, authentication, confidentiality, data integrity, anti-replay
protection, and protection against traffic flow analysis.
IPSec tunnels can secure traffic from one VPN server to another or from a user
to a VPN server. An IPSec server (known as a VPN gateway) can secure traffic
for many users and devices. A single IPSec tunnel secures all traffic between
the devices, irrespective of traffic type or application.
To establish the encrypted connection, both devices must agree on "security
associations," policies that must be configured on each end of the connection.
That means each user (client) device must have special IPSec client software
installed, ensuring only authorized users have access. IPSec VPN vendors
typically offer client software for user workstations, PCs, laptops, handheld
access devices, edge routers and firewalls — sometimes auto-downloaded from the
IPSec gateway.
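To make the "security association" requirement concrete, here is an added illustration (not from the original article or any Nortel product) of what each end of an IPSec tunnel has to agree on, written in strongSwan's swanctl.conf syntax; the addresses, identities, certificate file name and subnets are assumed placeholders. The peer must carry a mirror-image entry, with the same IKE and ESP proposals, the identities swapped, and the traffic selectors reversed, or the SA negotiation fails.

```conf
connections {
    branch-to-hq {
        # Assumed endpoint addresses (documentation ranges).
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.20
        # IKEv2 with mutual certificate authentication; the other end
        # must accept this identity and present "hq.example.com".
        version = 2
        local {
            auth  = pubkey
            certs = branchCert.pem
            id    = branch.example.com
        }
        remote {
            auth = pubkey
            id   = hq.example.com
        }
        # IKE SA proposal: both sides must offer at least one match.
        proposals = aes256-sha256-x25519
        children {
            all-traffic {
                # Traffic selectors: every protocol and port between these
                # subnets is covered, which is why one IPSec tunnel secures
                # all applications at once.
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/16
                # ESP (child SA) proposal, again matched on both ends.
                esp_proposals = aes256gcm16-x25519
                mode = tunnel
            }
        }
    }
}
```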
Because IPSec operates at the network layer, authorized remote users have the
same degree of access as if they were physically in the enterprise building and
directly connected to the enterprise LAN.
In exchange for this breadth of access, IPSec gives up flexibility in other
areas, such as accessibility from temporary workplaces, ease of management and
the number of configuration parameters that must be kept in step.
SSL: Application-layer security from any Internet-connected device
The SSL protocol uses encryption and authentication to secure communications
between clients and servers at the transport layer. However, since an SSL
session applies only to one application at a time, and provides application
security services rather than network security services, it is best regarded
as an application-layer security solution.
Originally developed for electronic commerce, SSL is built into most browsers,
Web servers and e-mail applications to provide data encryption, server
authentication, message integrity and optional client authentication between
users and their applications — one application at a time.
Because no specific client software is required, authorized users can access
applications from public kiosks or third-party PCs. This avoids the problem of
loading client software on PCs that don't belong to the company and makes SSL a
complementary solution to IPSec VPNs for certain extranet applications.