Internet VPNs are not the same as Web SSL VPNs, although SSL VPNs are considered a type of Internet VPN.
Internet virtual private networks (VPNs) dominate the security domain in the corporate world. The proliferation of mobile working is driving the growing need to secure data communications over the Internet. The two major technologies for Internet VPNs are IPsec and Web SSL.
IPsec, an Internet Engineering Task Force (IETF) standard, is a set of protocols developed to secure data traffic over IP networks. It offers transparent communication of any IP-based application. IPsec has two main implementation scenarios:
- gateway-to-gateway communication, which is used in hub-and-spoke or full-mesh topologies to connect remote or branch office network locations; and
- mobile-device-to-gateway communication (also known as “dial-up VPN”).
IPsec has increasingly been criticized for major VPN shortcomings in interoperability, scalability and manageability, and for its client-centric approach. Although some leading-edge VPN technology vendors have addressed those issues perfectly, major network vendors and customers are increasingly focusing on and emphasizing the SSL protocol to establish secure VPN connections.
The fundamental difference between SSL and IPsec is that SSL relies on the web browser as the client technology, whereas IPsec rests on a platform-specific client that can be managed and controlled. IPsec is also a central element of security in IPv6, the next version of the Internet Protocol. One of the key weaknesses of SSL is in the authenticity aspect of secure communication. Major VPN security breaches, such as the Comodo and DigiNotar incidents, have been caused by a blind reliance on the technology’s certificate authority (CA) model.
Therefore, many network security experts today favor a hybrid approach of IPsec and SSL when it comes to Internet VPNs. The hybrid approach provides the best of both worlds and allows the highest level of security to be applied as required by the situation.