Why Reports of IPsec’s Death Have Been Greatly Exaggerated

Posted: May 3, 2011 in Rethink Remote Access

By Nicholas Greene

There’s a camp of IT folks who, for at least a couple of years now, have been fervently predicting that IPsec is nearing the end of its days. But the reality is, it’s not dying. Instead, as if it wants to spit in the faces of naysayers, it’s defiantly sticking around. Not only that, IPsec actually seems to be thriving and undergoing a resurgence of sorts. This may shock some people, but if one looks closely at the facts, IPsec’s continued existence as a security protocol isn’t really all that shocking.

So, what is it about IPsec that’s allowed it to hold against the alternatives for so long? What drives its staying power? In order to answer this, we’re going to have to take a closer look at IPsec’s primary alternative, SSL, and its successor, TLS. Of all the different security suites, SSL is most often touted as the best competitor to IPsec. While SSL certainly does have its advantages, whether or not it’s actually “better” is entirely in the eye of the beholder.

First, let’s briefly look at a few of the advantages SSL has over IPsec. The first — and the most significant — is ease of installation. Most browsers have SSL capability straight out of the box. In other words, whatever “client software” is required for SSL to run comes prepackaged with most every computer system. On top of that, SSL allows for more precise control of user access.

Consequently, SSL/TLS are “application to application” level security protocols. This means that, although SSL/TLS are less complicated, they also provide less security, in a sense. A lot of the time, if you want to use SSL/TLS for anything but the basics, you’re going to need to install additional software, thus increasing the complexity of the system. SSL/TLS is, in other words, “application dependent.”

This is, without a doubt, one of the primary reasons SSL/TLS hasn’t overtaken IPsec. The fact that it’s application dependent is a major block: if the client software doesn’t support SSL, you can’t use SSL. So while it’s a lot easier to install initially, you’ll need to install client support for each application that you’re going to need secured.

On the other hand, while IPsec can be complicated to install and configure, it operates completely independently of application software. Any online application you use is covered. IPsec also has a considerable array of options and features at its disposal. While this certainly does make it more complex, that complexity isn’t necessarily a bad thing. There are a few more advantages and disadvantages to each security option, but I’ve covered those which directly relate to the deployment of the two protocols.

For IPsec, the future’s looking pretty bright: it’s not going away any time soon. IPv6, the newest version of the Internet Protocol Suite, was developed in conjunction with IPsec. As a result, IPsec’s a mandatory element in any implementation of IPv6 that complies with industry standards. Compare this to IPv4, where IPsec was an optional extension. It’s most likely that IPsec and TLS are going to continue evolving in tandem. After all, they’re ultimately just different solutions for different problems. And just as IPsec isn’t necessarily always the solution, neither is SSL/TLS.

Comments
  1. […] already know that IPsec is here to stay, especially since it’s such an integral part of IPv6. So, how did IPv6 become so ingrained with […]

  2. […] IPv6. At the end of the day, both standards ultimately use the same security. As you might recall, IPsec was designed with IPv6 in mind, and simply adapted to function with IPv4. It’s ultimately the same security system, either […]
