In recent decades, remote work has become a central part of America’s business landscape. Being able to complete tasks outside the office leads to greater productivity and flexibility, which is why working remotely has been embraced by more employers each year. For remote work to be effective, employees must have access to their company’s network wherever they travel. A virtual private network (VPN) serves this function. Using a VPN, remote team members can connect directly to the network, performing tasks just as they would while in the office. VPNs also encrypt data to ensure remote access is secure. Clearly, setting up a VPN is a common request from businesses that managed services providers (MSPs) should know how to address.
But there’s more to the story. There are two main types of VPN security protocols, IPsec and SSL, and it’s essential to know the differences between them in order to ensure your customer’s security. In this article, we’ll explain the difference between IPsec and SSL VPN protocols and how to choose the right one to meet your clients’ needs.
Internet Protocol Security (IPsec) is the traditional VPN method. Introduced in the 1990s, it is well established, regularly updated, and continues to be widely used. IPsec requires third-party client software on the user’s device to access the VPN—it is not implemented through the web browser. Companies need to purchase client software, install it on each user’s computer, keep it updated, and sometimes pay to maintain their license. This makes IPsec rather complicated to implement and configure.
The purpose of IPsec is to give the remote computer direct access to the central network, making it a full member. Remote users have access to any file storage locations, programs, printers, and backups, exactly as if they were in the office. IPsec is therefore a robust system that gives users whatever resources they need, wherever they are located.
Security is a key factor to consider when implementing remote access. The more outside connections there are to a network, the more opportunities arise for nefarious parties to intercept data being transmitted. That’s why IPsec protocols use encryption. IPsec encryption works by scrambling data in transit so it cannot be deciphered if intercepted. Data can only be read if the user has the correct key to mathematically unscramble it. VPNs also mask a user’s Internet Protocol (IP) address for further security. The VPN assigns a new IP address, hiding the user’s original address and making it harder for an internet service provider to track them.
VPN access is protected by a password. It’s essential for users to select strong passwords with combinations of letters and numbers, upper- and lowercase, special characters, and no dictionary words. The most locked-down systems won’t let users choose a weak password. Two-factor authentication (2FA) makes VPNs even more secure. This method requires a one-time code—sent via text message or generated by a mobile app—in addition to the password to log in. Even if a hacker discovers the password, he or she won’t be able to access the VPN without the second code.
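The two-factor check described above, as an added example that is not part of the original article. It assumes the mobile app generates time-based one-time passwords (TOTP, RFC 6238), which the article does not name; `vpn_login` and the sample credentials are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, now, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step, digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def vpn_login(stored_hash, salt, secret, password, code, now, used, window=1):
    """Hypothetical gateway check: both factors must pass, and each time
    step is accepted only once so a captured code cannot be replayed."""
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    step = int(now) // 30
    match = None
    # Tolerate one step of clock drift on either side of the current step.
    for s in range(max(0, step - window), step + window + 1):
        if s not in used and hmac.compare_digest(hotp(secret, s), code):
            match = s
    if pw_ok and match is not None:
        used.add(match)
        return True
    return False

# Constructed sample account (the secret is the RFC 4226 test key).
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
STORED = hash_password("constructed-Passw0rd!", SALT)

if __name__ == "__main__":
    seen = set()
    code = totp(SECRET, 59)
    print("password + code:", vpn_login(STORED, SALT, SECRET, "constructed-Passw0rd!", code, 59, seen))
    print("same code again:", vpn_login(STORED, SALT, SECRET, "constructed-Passw0rd!", code, 59, seen))
```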
Yet IPsec has additional security advantages besides encryption. Since it requires special client software, it is more difficult to break into. Potential hackers would need to know the right software to use and configure it with the correct settings in order to access an IPsec VPN.
IPsec has two modes of securing data: transport and tunnel. In transport mode, only the payload of an IP packet (that is, the data itself) is encrypted; the header remains intact. In tunnel mode, on the other hand, the entire packet is encrypted and then encapsulated in a new IP packet with a new header. The choice of which mode to use is complicated. Tunnel mode is typically used between gateways whereas transport mode is used between end-stations.
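One IPv4 packet pushed through both modes, as an added example that is not from the original article, to show which header fields stay readable on the wire in each case. The addresses, key, SPI values and the `toy_cipher` stand-in (used in place of the cipher a real IPsec peer would negotiate) are assumptions constructed for illustration.

```python
import hashlib
import socket
import struct

ESP, IPIP, TCP = 50, 4, 6   # IP protocol numbers: ESP, IPv4-in-IP, TCP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def toy_cipher(key, data):
    """Stand-in for the ESP cipher (SHA-256 keystream XOR); applying it twice decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(key, spi, seq, inner, next_header):
    """Clear SPI and sequence number, then encrypted data + trailer. Integrity value omitted."""
    return struct.pack("!II", spi, seq) + toy_cipher(key, inner + bytes([0, next_header]))

def transport_mode(key, packet):
    """Original IP header stays readable; only the payload is encrypted."""
    header, payload = packet[:20], packet[20:]
    body = esp(key, 0x1001, 1, payload, header[9])
    src, dst = socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20])
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(key, packet, gw_src, gw_dst):
    """Whole original packet is encrypted behind a new gateway header."""
    body = esp(key, 0x2001, 1, packet, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def observer_view(wire):
    """Fields readable on the wire without the key: (source, destination, protocol)."""
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20]), wire[9]

# Constructed sample: host 10.1.0.5 sends to 10.2.0.9 (payload is not a real TCP segment).
KEY = b"constructed-demo-key"
PAYLOAD = b"constructed application data"
ORIGINAL = ipv4_header("10.1.0.5", "10.2.0.9", TCP, len(PAYLOAD)) + PAYLOAD
TRANSPORT = transport_mode(KEY, ORIGINAL)
TUNNEL = tunnel_mode(KEY, ORIGINAL, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("transport:", observer_view(TRANSPORT))
    print("tunnel:   ", observer_view(TUNNEL))
```

In transport mode the observer still sees the two end-stations' addresses; in tunnel mode only the gateways are visible, at the cost of 20 extra bytes per packet for the new header.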
Secure Sockets Layer (SSL) is IPsec’s major rival as a VPN protocol. Though its origins also trace to the 1990s, SSL is a more recent method for implementing VPNs, and it is becoming increasingly popular. The SSL protocol was replaced by a successor technology, Transport Layer Security (TLS), in 2015, but the terms are interchangeable in common parlance and “SSL” is still widely used.
SSL VPNs are implemented through the remote user’s web browser and do not require the installation of special software. All major web browsers—including Chrome, Firefox, Internet Explorer, and Safari—come with SSL support. This makes SSL easy to set up and use, especially when a team member is installing it without help from tech support.
SSL gives users more specific access than IPsec. Rather than becoming a full member of the network, remote team members are granted access to particular applications. This makes it simple to provide different levels of access to different users. Security is maintained by restricting access to only what’s needed.
Like IPsec, SSL has two modes. In portal mode, users access the VPN through a page in their web browser (the portal). This mode can only be used for web-based programs. It’s ideal for email, chat, file sharing, and other browser-based applications. In tunnel mode, by contrast, users can access any applications on the network, including ones that are not web based. Browser-based applications are becoming the industry standard, but older, offline programs can only be accessed using tunnel mode.
Choosing between IPsec vs. SSL is an important decision when implementing a client’s VPN. As you can see, each type has its own advantages and disadvantages. Security and convenience are two key factors to consider. Because IPsec requires third-party client software, it is more complicated and expensive to set up and maintain. However, this also makes it more secure. It’s tough for a hacker to penetrate an IPsec system without knowing which client it uses and the exact settings to get that client to work properly. SSL is already supported by the remote user’s browser, so it needs no extra software and is simpler to configure. This simplicity, however, comes at the cost of being more vulnerable to security threats.
Once a user is logged into the network, SSL takes the upper hand in security. SSL VPNs work by accessing specific applications whereas IPsec users are treated as full members of the network. It’s therefore easier to restrict user access with SSL. If one of your clients works with a freelance employee, for example, they can give that person limited access to the programs they need without letting them see sensitive or proprietary company data. Restricting access in IPsec is possible with network user permissions, but that adds an extra step to the process.
Beyond security concerns, it’s also crucial to think about what services VPN users will need to access. If they will only be using web-based applications like email and cloud storage, SSL may be the right choice. Remote users can quickly connect to the applications they use without being confused by the ones they don’t. This makes SSL ideal for clients and freelance employees. But if users require full access—such as central office team members who are traveling—IPsec is the way to go. IPsec VPNs give users the ability to do whatever they can normally do while sitting in the main office from wherever they are.
Don’t forget that even a user on an IPsec or SSL VPN with ironclad encryption is still vulnerable to other security threats. Email phishing or phone-based social engineering attacks can strike a secure system at any time. That’s why it’s essential your clients provide their employees with mandatory, regular, and up-to-date security training. Knowing not to click on a suspicious link in an email or reveal a password over the phone is the first line of defense for maintaining a secure environment.
These are only some of the factors to consider when thinking about SSL vs. IPsec VPNs. IPsec is a time-tested system, while SSL is growing increasingly common. Each protocol has its strengths and weaknesses. MSPs will need to decide which solution is right for each client’s individual needs.