Security Basics mailing list archives

Re: SSL VPN


From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Thu, 17 Jan 2008 11:17:18 -0700 (MST)

IPSEC does require a client.  Simply because a version is included with,
say, Windows XP, does not negate this fact.  And not all clients are
created equal for performance or for configuration ease of the client
users.

Likewise, not all SSL-VPN solutions are "clientless" (i.e., OpenVPN).  Some
use a web portal where they load a client via the webpage...so
technically, even those have a client, just not one that requires
installation.

Having used and configured both, the SSL VPN solutions are a little easier
to manage and have lighter network overhead (better performance).  A solid
Cisco IPSEC solution with heavy hardware behind it does improve IPSEC
performance, but not everyone is able to afford those prices.

Depending on your budget, you could implement OpenVPN on a PC, terminate
it outside of your firewall, and use your firewall to selectively restrict
what traffic goes inside.  I'd use the same setup with an IPSEC VPN
solution, as I don't want to swiss-cheese my perimeter too heavily.

The firewall argument is becoming less prevalent as people configure their
IPSEC VPN solutions to deal with NAT and other issues (proxies).  But,
from what I've seen, the SSL based solution does often require less elbow
grease when dealing with various firewall solutions the client may run
into.

Either way, you have something solid.  So, pick what works for you in a
cost-effective method and go for it.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


Chad Loder wrote:
On Thu Jan 17/2008 @ 11:01:P +1100 asdasd, Ivan . wrote:
one would assume that a clientless solution would require less
management overhead

My whole point is that IPSEC does not require a client. So what
are the *other* reasons for wanting to move to an SSL VPN?

This may help - VPN Decision Guide
http://www.juniper.net/solutions/literature/white_papers/200232.pdf

cheers
Ivan

On Jan 17, 2008 10:49 AM, Chad Loder <cloder () loder us> wrote:
On Tue Jan 15/2008 @  8:01:P +0530 asdasd, Kartik wrote:
Hi List,

Currently we have 100+ home users who connect to our VPN gateway
(IPSEC) and access the resources. As the business is growing, within a
couple of months we'll be having more than 300 users operating from
home.

Management asked us to give them a "cost effective" solution to
migrate the existing home users to "SSL VPN" so that there won't be
any requirement of installing the software client etc (keeping in mind
that the associates working from home will be growing) and it will be
more secure.

Can you explain, in more detail, the perceived need for the SSL VPN?
If the only reason is "We don't want a software client", then there
would be no reason to switch away from IPSEC since all major operating
systems include a built-in IPSEC client.





