Keeping IT private – IPsec and SSL VPNs

September 15, 2005

Martini may have come up with the slogan, but a growing number of companies and government organisations today want to do business 'anytime, any place, anywhere.' They can – by using the internet to link their computer systems over Virtual Private Networks (VPNs). But simply using the technology isn't enough. You have to use it in the right way if you want to keep your business dealings private…

Getting computers to talk to one another regardless of location is an important challenge facing an increasing number of organisations. People want to work from home and sales forces want to stay on the road. Companies may acquire additional sites or merge. And electronic supply chains are streamlining the way business is done. The list of reasons for wanting to connect from A to B is long.

Traditionally, computers were networked over leased lines and dedicated dial-up connections that linked fixed, physical locations. Such private networks are still used by organisations that need to shift high volumes of data between offices and other facilities on a regular basis. Because only staff at either end and the network operator have access to the circuits, they can be made secure, but they are unsuitable for mobile working and are expensive to run and re-configure.

The internet, by contrast, is accessible around the world and, with mobile devices and wireless hotspots, you don't even need to find a socket to get online. And creating Virtual Private Networks over the internet is a much cheaper and more flexible solution than setting up a traditional private circuit. It involves sending encrypted data through a virtual 'tunnel' to be unscrambled by the recipient at the other end.

But there are dangers along the way. With private networks that run over leased lines, the end points are defined. While someone could dig up the road and tap into the cables, in practice only a small number of people in the organisation or in the service provider's exchanges are in a position to hijack information or mount an attack.

Any organisation that wants to make its private network or its internal IT systems accessible outside of its own premises clearly needs to mandate security measures such as personal firewalls, malware scanning, intrusion prevention, operating system authentication and file encryption.

Beyond these basic steps, two key technologies come into play – IPsec and SSL. Between them, they allow organisations to give employees, partners and other authorised people secure access to the facilities they need while barring access to others. But which should organisations choose? It all depends on the facilities they want to make available and, rather than being an "either … or" choice, the best answer may be "both … and". Let's take a look at why.


Both technologies were developed over a number of years and continue to be enhanced by the Internet Engineering Task Force (IETF).

IPsec is typically used to allow computers to connect to a network from a remote location – perhaps over a dial-in link but, these days, more likely over a broadband connection. A number of solutions were developed over the years to secure such connections, but they were proprietary or vendor specific. The same vendor's products needed to be used at both ends of each connection.

IPsec created a framework of open standards designed to allow competing vendors' products to be used together and became the world's first standardised encryption protocol. Typically, IPsec VPNs use one or more gateways, and special client software has to be installed on each remote access user's computer.

A drawback is that users need to have specific client software installed on the computer they want to use to connect to their corporate network. That's OK if you carry your computer around with you, but it means you can't just sit down and use the first computer you come across – say in an internet cafe or hotel. Furthermore, vendors have developed client software enhancements to simplify the user experience, with the ironic result that software from one vendor will not always work with a gateway from another!

However, IPsec has become a mature and largely dependable technology that is in widespread use around the world. An IPsec VPN can be configured to make a remote machine appear to be locally connected, and users can have access to a company's entire network as though they were sitting in the office.

An advantage is that users experience a familiar working environment. Whether in the office or at home, they are connected to the organisation's network and have access to the same facilities, even if the response time does differ.


The alternative technology is called Secure Sockets Layer (SSL). It was developed originally by Netscape, the browser company, to secure the transmission of data through the internet. Today, SSL can provide a secure channel between a remote user and a server-based application.

SSL is based on public-key cryptography, and it is far more flexible because it doesn't need client software to be installed on the remote computer: it works with standard web browsers. Users access a web site that's located outside the organisation's security firewall and are required to log in to gain access to the services on offer. A typical example would be a web-based interface to the organisation's email system.

Once the user is logged in, software on the web site uses a secure connection to access the organisation's internal system on the user's behalf, updating the user's web browser as data is returned. The process is a little like conducting a conversation through an interpreter. It enables users to access some applications wherever they happen to be but doesn't allow them into their organisation's network.

SSL enables access from internet cafes, kiosks and other locations and can therefore be a more flexible and mobile solution to a company's networking needs. Most leading vendors have incorporated features that ensure that a remote PC is cleaned when the user logs out. Cookies and caches are deleted and all traces of the VPN connection are removed.

That's the theory – but when a corporate organisation does not control the remote computer, there's always a need to question the level of security available. Basic, browser-based SSL VPNs only really provide access to web-enabled applications rather than a company's entire network. Broader access can be achieved, but this means downloading extra software – a feature often blocked by many internet cafes and kiosks – and this can reduce the initial attraction of the technology's mobility and flexibility.

Mix and match

While life might be simpler if there was a 'right' answer that would suit all situations, most organisations will find that both technologies have a role to play somewhere in their business, depending on the end-user's connectivity requirements.

IPsec was developed to protect interconnected networks, while SSL is all about users sharing web-based applications. IPsec, therefore, should be considered for long duration connections or where the range of services users will need to access varies from case to case. In contrast, SSL offers distinct advantages for organisations that have mobile workers who need access to a defined set of facilities.

In both cases, however, what is really important is to select the right combination of options and settings from those on offer in the chosen technology. Experience has shown that some of the options defined by each standard are much weaker than others, so the choice can make a lot of difference to the level of security that's achieved.
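To make that point concrete, here is an added example (not code from the article or from any vendor product it mentions) that audits both sides. For the SSL/TLS side it builds two client configurations with Python's standard-library `ssl` module, one with the weak options left in place and one restricted to the stronger options the standard offers, and reports what is wrong with each. For the IPsec side it checks an IKE proposal string written in strongSwan's "encryption-integrity-dhgroup" notation; that notation, the weak-algorithm table and all the function names are assumptions of this example, so adapt the parser to your own gateway's syntax.

```python
"""Audit VPN crypto settings for the weak options each standard still permits.

Added example, not from the article or any vendor product. Uses the Python
standard-library ``ssl`` module for SSL/TLS, plus a small checker for IKE
proposal strings in strongSwan-style notation (an assumed notation).
"""
import ssl

# Key-exchange labels that give forward secrecy (TLS 1.3 suites report 'kx-any').
EPHEMERAL_KEX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def weak_tls_client():
    """The kind of configuration a quick setup often leaves behind (constructed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE         # accepts any certificate: no authentication
    ctx.set_ciphers("AES128-SHA:AES256-SHA")  # static RSA key exchange, SHA-1 MAC
    return ctx


def hardened_tls_client():
    """Same client restricted to the stronger options the standard offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # AEAD suites with forward secrecy
    # A real deployment loads the organisation's CA bundle here with
    # ctx.load_verify_locations(...); omitted so the example runs offline.
    return ctx


def audit_tls_context(ctx):
    """Return a list of weaknesses found in an ssl.SSLContext (empty if none)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    for suite in ctx.get_ciphers():       # one dict per enabled cipher suite
        if suite["kea"] not in EPHEMERAL_KEX:
            findings.append(f"{suite['name']}: no forward secrecy")
        if not suite["aead"]:
            findings.append(f"{suite['name']}: non-AEAD cipher suite")
        if suite["digest"] in ("md5", "sha1"):
            findings.append(f"{suite['name']}: weak MAC ({suite['digest']})")
    return findings


# Algorithm names that should not appear in an IKE/ESP proposal (constructed table,
# strongSwan-style names assumed).
WEAK_IKE_ALGORITHMS = {
    "des": "56-bit DES is breakable by brute force",
    "3des": "3DES is slow and has a 64-bit block size",
    "md5": "MD5 integrity is broken",
    "sha1": "SHA-1 integrity is deprecated",
    "modp768": "768-bit DH group is breakable",
    "modp1024": "1024-bit DH group is below current minimums",
}
DH_GROUP_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")


def audit_ike_proposal(proposal):
    """Flag weak algorithms in a 'enc-integ-dhgroup[,...]' proposal string."""
    findings = []
    has_group = False
    for entry in proposal.split(","):
        # strongSwan allows a trailing '!' meaning "accept only these proposals".
        for alg in entry.strip().rstrip("!").split("-"):
            if alg in WEAK_IKE_ALGORITHMS:
                findings.append(f"{alg}: {WEAK_IKE_ALGORITHMS[alg]}")
            if alg.startswith(DH_GROUP_PREFIXES):
                has_group = True
    if not has_group:
        findings.append("no Diffie-Hellman group: no forward secrecy")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak TLS", weak_tls_client()), ("hardened TLS", hardened_tls_client())):
        print(label, audit_tls_context(ctx) or ["ok"])
    for prop in ("3des-md5-modp1024", "aes256-sha256", "aes256gcm16-prfsha384-ecp384"):
        print(prop, audit_ike_proposal(prop) or ["ok"])
```

The TLS audit reads the settings back from the live `SSLContext` rather than trusting the configuration text, which is the check worth running against any SSL VPN gateway or client you deploy: the cipher names OpenSSL reports are the ones actually negotiable, whatever the configuration file claims.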

The best option is therefore to take expert advice. Organisations that don't could have a very false sense of their security.
