Advantages of SSL VPNs
- No client software required for accessing Web-enabled applications.
Benefit: Deployment, management, and administration are extremely simple and effective.
- SSL is a de facto standard.
Benefit: Interoperability exists between different vendors and applications.
- It is included as the default setting in a number of Web browsers.
Benefit: There are no client software costs.
- As commonly deployed, only servers require digital certificates to establish encrypted sessions.
Benefit: Enormous reduction in the requirement to manage certificates.
Cost is another very important consideration. Management of authentication certificates can be very time-consuming and is not necessary with SSL VPNs. This makes SSL VPNs much cheaper, and this factor alone may be a key issue when deciding whether to use SSL or IPSec VPNs. Unlike most IPSec environments, you do not need paid-for client software. In addition, setup and management are typically much easier.
Disadvantages of SSL VPNs
- Optional (as opposed to built-in) user authentication. This is a major security weakness.
Answer: Integration with third-party strong authentication products such as VASCO.
- Requires Java or ActiveX downloads to facilitate access to non-Web-enabled applications.
Answer: Download is transparent to users. Depending on implementation and network topology, this may cause a problem if the firewall (whether on the server side or on a personal firewall) is set to block Java or ActiveX controls.
- SSL tunneling (to mimic IPSec) is not supported on Linux or non-Windows operating systems.
Answer: True—SSL vendors offering SSL tunneling as an option utilize the virtual adapter technology within Windows to encapsulate traffic, which is not currently available in other operating systems.
- SSL is processor-intensive, leading to poor performance under high loads.
Answer: This can be true, but it can be addressed by clustering, load balancing multiple appliances, by utilizing SSL accelerators or traffic prioritization technologies, or by using high-performance SSL appliances.
- Some enterprises need broader application support than SSL provides.
Answer: SSL vendors are addressing this by enhancing proxy support and supporting port redirection.