Security Basics mailing list archives
Re: SSL VPN
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Thu, 17 Jan 2008 11:17:18 -0700 (MST)
IPSEC does require a client. Simply because a version is included with, say, Windows XP, does not negate this fact. And not all clients are created equal for performance or for configuration ease of the client users.

Likewise, not all SSL-VPN solutions are "clientless" (i.e., OpenVPN). Some use a web-portal where they load a client via the webpage...so technically, even those have a client, just not one that requires installation.

Having used and configured both, the SSL VPN solutions are a little easier to manage and have lighter network overhead (better performance). A solid Cisco IPSEC solution with heavy hardware behind it does improve IPSEC performance, but not everyone is able to afford those prices.

Depending on your budget, you could implement OpenVPN on a PC, terminate it outside of your firewall, and use your firewall to selectively restrict what traffic goes inside. I'd use the same setup with an IPSEC VPN solution, as I don't want to swiss-cheese my perimeter too heavily.

The firewall argument is becoming less prevalent as people configure their IPSEC VPN solutions to deal with NAT and other issues (proxies). But, from what I've seen, the SSL-based solution does often require less elbow grease when dealing with various firewall solutions the client may run into.

Either way, you have something solid. So, pick what works for you in a cost-effective method and go for it.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org

Chad Loder wrote:
On Thu Jan 17/2008 @ 11:01:P +1100 asdasd, Ivan . wrote:

one would assume that a clientless solution would require less management overhead

My whole point is that IPSEC does not require a client. So what are the *other* reasons for wanting to move to an SSL VPN?

This may help - VPN Decision Guide
http://www.juniper.net/solutions/literature/white_papers/200232.pdf

cheers
Ivan

On Jan 17, 2008 10:49 AM, Chad Loder <cloder () loder us> wrote:

On Tue Jan 15/2008 @ 8:01:P +0530 asdasd, Kartik wrote:

Hi List,

Currently we have 100+ home users who connect to our VPN gateway (IPSEC) and access the resources. As the business is growing, within a couple of months we'll be having more than 300 users operating from home. Management asked us to give them a "cost effective" solution to migrate the existing home users to "SSL VPN" so that there won't be any requirement of installing the software client etc (keeping in mind that the associates working from home will be growing) and it will be more secure.

Can you explain, in more detail, the perceived need for the SSL VPN? If the only reason is "We don't want a software client", then there would be no reason to switch away from IPSEC since all major operating systems include a built-in IPSEC client.