

Fred Weiller is director of marketing for Nortel Networks Security Solutions.
In this age of digital piracy it is extremely important to make sure that participants of a given transaction are really who they say they are and that the content is not altered in any way during the transaction. Authentication of both client and server sides, as well as encryption of content in transit, is critical to limit exposure on both ends of the transaction. Filtering of encrypted content provides additional services like content abuse protection.
SSL and IPSec VPN technologies both serve this purpose in the communications infrastructure. Each has merits and shortcomings. Each has certain scenarios in which it shines.
Unless rigidity and an inflexible network are the objective, there's a place for both remote-access protocols, working together to satisfy a broader range of access scenarios than either one alone could provide.
The proven and popular protocols available to implement secure VPNs are IP Security (IPSec) and Secure Sockets Layer (SSL).
Because both protocols have merits, the only loser is the enterprise that chooses a wait-and-see strategy and forfeits the productivity and cost savings of VPNs while waiting for a single choice to surface. Since remote-access users (ranging from employees, business partners and suppliers to customers) are anything but standard, many IT managers will find they're better off not standardizing on one VPN protocol, which would restrain their business reach, and instead embracing diversity to match diverse access scenarios.
VPNs transform an inherently insecure medium — public shared networks and the open Internet — into an extension of an enterprise's trusted private network, with each type offering different kinds of benefits for securing content across a network:
IPSec: Network-layer security for IP traffic
The IPSec suite of protocols secures IP traffic at the network layer through encryption, authentication, confidentiality, data integrity, anti-replay protection, and protection against traffic flow analysis.
IPSec tunnels can secure traffic from one VPN server to another or from a user to a VPN server. An IPSec server (known as a VPN gateway) can secure traffic for many users and devices. A single IPSec tunnel secures all traffic between the devices, irrespective of traffic type or application.
To establish the encrypted connection, both devices must agree on "security associations," policies that must be configured on each end of the connection. That means each user (client) device must have special IPSec client software installed, ensuring only authorized users have access. IPSec VPN vendors typically offer client software for user workstations, PCs, laptops, handheld access devices, edge routers and firewalls — sometimes auto-downloaded from the IPSec gateway.
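The agreement on security associations described above, sketched as an added example (not from the original article or any vendor's product): a simplified model of how two IPSec peers settle on matching parameters, and what a policy mismatch looks like. The policy contents, field names and function names are assumptions made for illustration.

```python
# Added illustration: simplified model of IKE-style proposal matching.
from typing import List, NamedTuple, Optional


class Proposal(NamedTuple):
    encryption: str  # cipher protecting the tunnel
    integrity: str   # hash used for packet authentication
    dh_group: int    # Diffie-Hellman group for key exchange


# Constructed sample policies; real gateways and clients use vendor config.
GATEWAY_POLICY = [
    Proposal("aes256", "sha256", 14),
    Proposal("aes128", "sha256", 14),
]
CLIENT_OK = [Proposal("aes128", "sha1", 2), Proposal("aes128", "sha256", 14)]
CLIENT_MISCONFIGURED = [Proposal("3des", "sha1", 2)]


def negotiate(offered: List[Proposal],
              accepted: List[Proposal]) -> Optional[Proposal]:
    """Return the first offered proposal that the responder's policy lists.

    None models the responder rejecting the exchange (IKEv2 reports this as
    NO_PROPOSAL_CHOSEN): no security association exists, so no tunnel.
    """
    allowed = set(accepted)
    for proposal in offered:
        if proposal in allowed:
            return proposal
    return None


def explain_mismatch(offered: List[Proposal],
                     accepted: List[Proposal]) -> List[str]:
    """List offered field values that appear nowhere in the responder policy.

    An empty list after a failed negotiation means every value is known to
    the responder and only the combination differs.
    """
    problems: List[str] = []
    for field in Proposal._fields:
        accepted_values = {getattr(p, field) for p in accepted}
        for p in offered:
            msg = f"{field}={getattr(p, field)} not in responder policy"
            if getattr(p, field) not in accepted_values and msg not in problems:
                problems.append(msg)
    return problems
```

When `negotiate` returns `None`, `explain_mismatch` gives the per-field differences an administrator would reconcile on one end or the other.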
Because IPSec operates at the network layer, authorized remote users have the same degree of access as if they were physically in the enterprise building and directly connected to the enterprise LAN.
For this flexibility in choice, IPSec trades off flexibility in other areas, such as accessibility from temporary workplaces, ease of management and configuration parameters.
SSL: Application-layer security from any Internet-connected device
The SSL protocol uses encryption and authentication to secure communications between clients and servers at the transport layer. However, since an SSL session applies only to one application at a time, and provides application security services and not network security services, it is an application-layer security solution.
Originally developed for electronic commerce, SSL is built into most browsers, Web servers and e-mail applications to provide data encryption, server authentication, message integrity and optional client authentication between users and their applications — one application at a time.
Because no specific client software is required, authorized users can access applications from public kiosks or third-party PCs. This avoids the problem of loading client software on PCs that don't belong to the company and makes SSL a complementary solution to IPSec VPNs for certain extranet applications.