Why Switch from IPSec to SSL VPN
And Four Steps to Ease Transition

Table of Contents

The case for IPSec VPNs
The case for SSL VPNs
What’s driving the move to SSL VPNs?
IPSec VPN management concerns
IPSec VPN security concerns
Why switch to SSL VPN?
Overcoming obstacles and objections
Best practices: 4 steps to an easy transition
Real-world lessons
Conclusion

The case for IPSec VPNs

Internet Protocol Security (IPSec) virtual private networks (VPNs) were originally developed over a decade ago to help businesses avoid the costs of privately-leased WAN lines. IPSec VPNs work by establishing a tunnel over the Internet to connect the internal corporate network to a site outside a corporate firewall or gateway. IPSec needs compatible hardware or software, often from a single vendor, at both endpoint locations. IPSec VPNs remain viable solutions for connecting trusted endpoint devices that are directly managed by IT (such as branch or remote office computers), but not for mobile or personal devices.

Still, IPSec VPNs are not the best choice for today’s modern mobile workforce.

The case for SSL VPNs

Today’s highly mobile teleworkers demand more secure access to more resources from more remote devices and platforms than ever before. Corporate boundaries are blurring. In daily operations, partners, vendors and consultants have become as crucial as employees.

The old corporate network has inverted. The enclosed-perimeter model has evolved into a distributed global network that connects employees, partners and customers over multiple Internet, intranet and VoIP channels.

SSL VPN is ideal for secure remote access from anywhere with granular access control.

SSL VPNs can:
■ Detect what is running on the endpoint device,
■ Protect applications with granular access control based on user identity and device integrity, and
■ Connect users securely and easily to applications on any device.

What’s driving the move to SSL VPNs?

              ■   Remote access is required to connect employees, partners and customers, without
                  hands-on IT intervention.
              ■   Mobile devices—both IT-issued and personal—are increasingly being used for both
                  data and voice.
              ■   Disaster recovery could suddenly spike demand for remote access to include the
                  majority of your workforce.
              ■   Wireless users are now often treated as remote, due to concerns over who actually
                  has access to their wireless device.
              ■   Extranet access for collaborating with business partners must not compromise
                  security.
              ■   Enforcing policy to meet regulatory compliance has become more complex across
                  disparate points of entry.
              ■   Network Access Control (NAC) is expected to cover application access control, as
                  well as host integrity and network access.
              ■   Green IT initiatives dealing with rising transportation costs and environmental
                  concerns are leading towards increased flexibility for employees wanting to work
                  from home.




IPSec VPN management concerns

With an IPSec VPN, IT must install and maintain individual VPN clients on each remote
device. An IPSec VPN may also require changes to the desktop configuration.

If users don’t have IPSec clients preinstalled on their remote computers, they can’t
access needed resources. A remote teleworker would need to call the help desk to
download a compatible client—if one is available—in order to get connected. Partner
and vendor VPN clients can be incompatible. Network Address Translation (NAT),
firewall traversal, broadband access and wireless hotspots can also create difficulty
for IPSec VPN connectivity.


IPSec VPN client configuration can result in higher support costs.

IPSec VPN security concerns

                   Because they create a tunnel between two points, IPSec VPNs provide
                   direct (non-proxied) access and full visibility to the entire network,
                   which can be effective in certain highly-controlled branch office
                   environments where authorized users on IT-managed devices are
                   connecting to a corporate headquarters. When users work from
                   home PCs or over wireless, however, they face a host of threats from
                   malicious hackers, viruses, worms and malware.

With IPSec VPNs, home PC risks become corporate security risks.

Unless accompanied by an additional network security appliance, companies also face the possibility that hackers will use the remote IPSec VPN network tunnel to gain unauthorized access to the corporate network.

Why switch to SSL VPN?

                SSL works at the application layer instead of the network layer, providing the highly
                granular policy and access control needed for secure remote access.

                Because SSL is included in all modern browsers, SSL VPNs can empower today’s mobile
                workforce with clientless remote access—while saving IT departments the headache of
                installing and managing the complexity of IPSec VPN clients.

SSL VPNs:
■ Increase productivity: SSL VPNs work in more places, including home PCs, kiosks, PDAs and unmanaged devices, over wired and wireless networks.
■ Lower costs: SSL VPNs are clientless or use lightweight Web-delivered clients rather than “fat” IPSec clients, reducing management and support calls.
■ Broaden security: SSL VPNs provide granular access and endpoint control to managed and non-managed devices.

SSL is the standard protocol for secure message transmission on the Internet.

Overcoming obstacles and objections

Since the sunk costs of existing IPSec VPN solutions are often fully amortized, IT can defend
allocating budget to replace depreciated technology with newer SSL VPN solutions. IPSec
clients and configurations can be efficiently removed from existing managed devices
during scheduled maintenance or upgrades.



SSL VPNs can provide the same user experience as IPSec VPN, but with less management complexity and greater control.

SSL VPN users do not require special training or hand-holding, as they can access their applications and resources with the same familiar interface. The user transition is simple: they just click the new VPN icon instead of the old icon. It’s easy to provision SSL VPN access whether or not the user’s device is managed by IT. If they are working from a personal device, they just open a browser and navigate to the SSL VPN URL.

Best practices: 4 steps to an easy transition

        While SSL VPNs can be up and running in a matter of minutes, the timeline for a phased
        migration—from initial implementation of SSL VPN for unmanaged devices to expanded
        deployment to replacing existing IPSec VPN clients—will depend upon the size of
        the enterprise.

        Phased transitioning may take from 2-18 months.
        This usually gives administrators enough time to run an SSL VPN pilot in a lab environment
        to establish and evaluate their security policy and configuration before phasing out IPSec
        VPN. A successful migration strategy for replacing an IPSec VPN with an SSL VPN might
        include the following four steps:

1. Define Security Policy.
2. Implement Security Policy.
3. Deploy SSL VPN.
4. Phase out IPSec VPN.

Step 1: Define security policy

           SSL VPN lets you restrict access to applications based on the user, the user’s role, the user’s
           device integrity and your established security policy, and segment access only to resources
           on the network that are appropriate. Prior to deploying SSL VPN, it is a good idea to
           establish a written corporate security policy covering:

           ■   How a user’s organizational role determines what resources they may access.
           ■   How users may access the network from IT-managed and non-managed devices.

Make sure corporate security policy is understood by all users.

           For example, a financial manager needs access to account receivables applications, but not
           human resources applications; and a human resources manager needs access to human
           resources records, but not account receivables applications. Alternately, a CEO might be
           allowed access to both resources; however, while attempting access from a public airport
           kiosk, that same person might be identified in the role of “kiosk user,” and be restricted
           from accessing either resource.




Step 2: Implement security policy

           SSL VPNs let you implement policies ranging from wide-open access to very granular
           controls. Choose an enforcement method appropriate to your security policy. Granular
           policies are useful for remote access control from either IT-managed or non-managed
           devices, as there will always be trust concerns when you don’t control the access
           environment. Generally, you will want to enforce different access for those devices that
           are managed by IT and those that are not. For implementing your security policy, consider
           these controls:

           ■   Restrict sensitive data types (such as social security or credit card database
               information) from being downloaded, or limit access to view-only.
           ■   Apply two-factor authentication using tokens or client-based digital certificates.
               This protects against passwords being viewed and stolen in public places, or personal
               computers being sold or discarded with login information still remaining on the disk.
           ■   Establish endpoint controls to interrogate the endpoint device to confirm
               whether it is managed or unmanaged, and in a secure state before attempting access.
               For example, you might confirm the device has recently run a current-version anti-virus
               software scan, or that it contains a watermark based upon a device certificate.
           ■   Set up different access groups that allow you to differentiate access based on user
               identity and endpoint interrogation. This ensures that appropriate access is provided
               for a business partner, an IT technician working from a home PC, or an executive
               traveling with an IT-managed laptop.
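
The role-based policy of Step 1 and the endpoint controls of Step 2, combined into one default-deny access decision. This is an added example, not SonicWALL configuration or code; the resource names, the endpoint fields, the 7-day scan threshold and the choice of view-only access for non-managed devices are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Resource names follow the Step 1 example; the identifiers are hypothetical.
ACCOUNTS_RECEIVABLE = "accounts-receivable"
HUMAN_RESOURCES = "human-resources"

# Step 1: resources each organizational role may reach (constructed policy).
ROLE_RESOURCES = {
    "financial_manager": frozenset({ACCOUNTS_RECEIVABLE}),
    "hr_manager": frozenset({HUMAN_RESOURCES}),
    "ceo": frozenset({ACCOUNTS_RECEIVABLE, HUMAN_RESOURCES}),
}

MAX_SCAN_AGE = timedelta(days=7)  # assumed meaning of a "recent" anti-virus scan


@dataclass(frozen=True)
class Endpoint:
    """Results of interrogating the connecting device (Step 2)."""
    device_cert_valid: bool            # watermark based on a device certificate
    av_current_version: bool           # anti-virus software is the current version
    last_av_scan: Optional[datetime]   # None if no scan was ever reported
    public_kiosk: bool = False


@dataclass(frozen=True)
class Decision:
    zone: str              # kiosk | insecure | managed | unmanaged | none
    resources: frozenset   # resources the session may reach
    mode: str              # full | view-only | deny
    reason: str


def classify_endpoint(ep: Endpoint, now: datetime) -> str:
    """Map endpoint interrogation results to a device zone."""
    if ep.public_kiosk:
        return "kiosk"
    scan_is_recent = (
        ep.last_av_scan is not None
        # A scan timestamp in the future is treated as untrustworthy.
        and timedelta(0) <= now - ep.last_av_scan <= MAX_SCAN_AGE
    )
    if not (ep.av_current_version and scan_is_recent):
        return "insecure"
    return "managed" if ep.device_cert_valid else "unmanaged"


def decide(role: str, second_factor_ok: bool, ep: Endpoint,
           now: datetime) -> Decision:
    """Default-deny decision combining user identity and device state."""
    def deny(zone: str, why: str) -> Decision:
        return Decision(zone, frozenset(), "deny", why)

    if not second_factor_ok:
        return deny("none", "two-factor authentication not completed")
    zone = classify_endpoint(ep, now)
    if zone == "kiosk":
        # Step 1: the same person is treated as a "kiosk user" here.
        return deny(zone, "kiosk user: no access to either resource")
    if zone == "insecure":
        return deny(zone, "endpoint failed the anti-virus check")
    allowed = ROLE_RESOURCES.get(role)
    if allowed is None:
        return deny(zone, "role has no access group")
    if zone == "managed":
        return Decision(zone, allowed, "full", "IT-managed device")
    # Assumption: non-managed devices may view sensitive data, not download it.
    return Decision(zone, allowed, "view-only", "non-managed device")


if __name__ == "__main__":
    now = datetime(2008, 11, 3, 9, 0)  # constructed sample inputs
    laptop = Endpoint(True, True, now - timedelta(days=1))
    home_pc = Endpoint(False, True, now - timedelta(days=2))
    kiosk = Endpoint(False, False, None, public_kiosk=True)
    for role, ep in [("ceo", laptop), ("ceo", kiosk),
                     ("financial_manager", home_pc)]:
        d = decide(role, True, ep, now)
        print(f"{role:18} {d.zone:10} {d.mode:10} {sorted(d.resources)}")
```
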


Step 3: Deploy SSL VPN

           Unlike IPSec VPN deployment, SSL VPN deployment is relatively simple and straightforward,
           usually consisting of providing users with a URL. For example, SonicWALL® Aventail® E-Class
           Secure Remote Access (SRA) appliances offer flexible deployment solutions for:

           ■   Unmanaged devices: SonicWALL Aventail WorkPlace™ provides out-of-the-box
               clientless browser access to Web and client/server applications and file shares from
               unmanaged devices using Windows®, Windows Mobile®, Macintosh® and Linux®
               platforms, including home computers, public machines, smartphones and PDAs.
           ■   Managed devices: SonicWALL Aventail Connect™ adds a Web-delivered thin client
               on the same broad range of platforms for managed devices, enabling a complete “in-
               office” experience without having to access a portal.
           ■   Application-to-application: SonicWALL Aventail Connect Service Edition delivers
               remote access for scenarios where no human intervention is required.
           ■   Mobile devices: SonicWALL Aventail Connect Mobile™ provides “in-office” access for
               Windows Mobile-powered device users.




Step 4: Phase out IPSec VPN

           During the deployment phase, prior IPSec VPN users will have been provided parallel
           SSL VPN access via either an SSL VPN agent on IT-managed devices or a browser on
           unmanaged devices. The final phase is to deactivate the now-unused IPSec connections.


Once all users have migrated, the IPSec VPN may be deactivated at the appliance.

Since, in general, SSL VPN tunneling should not conflict with IPSec, you might optionally leave both IPSec and SSL VPN agents running on the same device for a set period of time before deactivation to help transition users from the old technology to the new. To minimize administrative impact, deactivated IPSec clients and configurations can be removed from IT-managed devices during scheduled maintenance or replacement.

Real-world lessons

               Real-world Network Manager at Norwich University, Richard Quelch, shares some
               of his experiences in replacing IPSec with an SSL VPN:

               “We found it best to add a minimal amount of users first, representing different
               areas of our organization. Time needs to be given to address access issues, to
               discover how the SSL VPN is used, which applications are accessed via the SSL
               VPN and to determine key areas of interest.

               “It was very easy for us to roll out SSL VPN to our users. They needed minimal
               training—usually we only needed to give the users the URL to get them started
               and connected. We’ve found that the maintenance and support time for
               SSL VPN is much less than it was with IPSec, resulting in less cost. Also, end-user
               productivity is higher, because access to resources over the VPN is available
               more often.

               “While the replacement process wasn’t difficult for us at all, it is important to
               know the applications well that will be accessed through the SSL VPN and to
               thoroughly test each application before deployment. And you should consider
               rolling out more advanced SSL VPN features over time, so that you don’t
               initially overwhelm your users with too many new options.”



Conclusion

IPSec VPN technology is designed for site-to-site VPNs, such as those connecting highly-controlled IT-managed branch office devices to corporate headquarters. SSL VPN technology, on the other hand, works much better for secure remote access.

SSL VPNs:
■ Allow access to more resources from more endpoints.
■ Lower costs by easing administration with clientless (and easy-as-clientless) access and centralized control.
■ Add security with granular access and endpoint control.

Best practices for transitioning to an SSL VPN include establishing a corporate security policy, conducting a lab environment pilot and implementing a phased migration.

SonicWALL has a VPN solution to match your specific requirements. SonicWALL TZ and NSA Series appliances offer integrated IPSec VPN for secure site-to-site access. SonicWALL Aventail E-Class Secure Remote Access (SRA) appliances and SonicWALL SSL VPN appliances offer secure remote access for today’s mobile workforce, including remote access, disaster recovery, wireless networking, extranet access, mobile networking, policy enforcement, and network access control.

How Can I Learn More?
■ Download the Whitepaper “IPSec vs. SSL VPN: Transition Criteria and Methodology”

■ Opt-in to receive SonicWALL Newsletters



For feedback on this e-book or other SonicWALL e-books or whitepapers, please send an e-mail to
feedback@sonicwall.com.




About SonicWALL
SonicWALL® is a recognized leader in comprehensive information security solutions. SonicWALL
solutions integrate dynamically intelligent services, software and hardware that engineer the risk, cost
and complexity out of running a high-performance business network. For more information, visit the
company Web site at www.sonicwall.com.




©2008 SonicWALL, the SonicWALL logo and Protection at the Speed of Business are registered trademarks of SonicWALL, Inc. Other product names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 11/08 SW 477

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Kürzlich hochgeladen (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Why switch from IPSec to SSL VPN

  • 1. Why Switch from IPSec to SSL VPN And Four Steps to Ease Transition
  • 2. Table of Contents
    ■ The case for IPSec VPNs
    ■ The case for SSL VPNs
    ■ What’s driving the move to SSL VPNs?
    ■ IPSec VPN management concerns
    ■ IPSec VPN security concerns
    ■ Why switch to SSL VPN?
    ■ Overcoming obstacles and objections
    ■ Best practices: 4 steps to an easy transition
    ■ Real-world lessons
    ■ Conclusion
  • 3. The case for IPSec VPNs
    Internet Protocol Security (IPSec) virtual private networks (VPNs) were originally developed over a decade ago to help businesses avoid the costs of privately-leased WAN lines. IPSec VPNs work by establishing a tunnel over the Internet to connect the internal corporate network to a site outside a corporate firewall or gateway. IPSec needs compatible hardware or software, often from a single vendor, at both endpoint locations. IPSec VPNs remain viable solutions for connecting trusted endpoint devices that are directly managed by IT (such as branch or remote office computers), but not for mobile or personal devices.
    Still, IPSec VPNs are not the best choice for today’s modern mobile workforce.
  • 4. The case for SSL VPNs
    Today’s highly mobile teleworkers demand more secure access to more resources from more remote devices and platforms than ever before. Corporate boundaries are blurring. In daily operations, partners, vendors and consultants have become as crucial as employees.
    The old corporate network has inverted. The enclosed-perimeter model has evolved into a distributed global network that connects employees, partners and customers over multiple Internet, intranet and VoIP channels.
    SSL VPN is ideal for secure remote access from anywhere with granular access control. SSL VPNs can:
    ■ Detect what is running on the endpoint device,
    ■ Protect applications with granular access control based on user identity and device integrity, and
    ■ Connect users securely and easily to applications on any device.
  • 5. What’s driving the move to SSL VPNs?
    ■ Remote access is required to connect employees, partners and customers, without hands-on IT intervention.
    ■ Mobile devices—both IT-issued and personal—are increasingly being used for both data and voice.
    ■ Disaster recovery could suddenly spike demand for remote access to include the majority of your workforce.
    ■ Wireless users are now often treated as remote, due to concerns over who actually has access to their wireless device.
    ■ Extranet access for collaborating with business partners must not compromise security.
    ■ Enforcing policy to meet regulatory compliance has become more complex across disparate points of entry.
    ■ Network Access Control (NAC) is expected to cover application access control, as well as host integrity and network access.
    ■ Green IT initiatives dealing with rising transportation costs and environmental concerns are leading towards increased flexibility for employees wanting to work from home.
  • 6. IPSec VPN management concerns
    With an IPSec VPN, IT must install and maintain individual VPN clients on each remote device. An IPSec VPN may also require changes to the desktop configuration. If users don’t have IPSec clients preinstalled on their remote computers, they can’t access needed resources. A remote teleworker would need to call the help desk to download a compatible client—if one is available—in order to get connected. Partner and vendor VPN clients can be incompatible. Network Address Translation (NAT), firewall traversal, broadband access and wireless hotspots can also create difficulty for IPSec VPN connectivity.
    IPSec VPN client configuration can result in higher support costs.
  • 7. IPSec VPN security concerns
    Because they create a tunnel between two points, IPSec VPNs provide direct (non-proxied) access and full visibility to the entire network, which can be effective in certain highly-controlled branch office environments where authorized users on IT-managed devices are connecting to a corporate headquarters. When users work from home PCs or over wireless, however, they face a host of threats from malicious hackers, viruses, worms and malware. With IPSec VPNs, home PC risks become corporate security risks. Unless accompanied by an additional network security appliance, companies also face the possibility that hackers will use the remote IPSec VPN network tunnel to gain unauthorized access to the corporate network.
  • 8. Why switch to SSL VPN?
    SSL works at the application layer instead of the network layer, providing the highly granular policy and access control needed for secure remote access. Because SSL is included in all modern browsers, SSL VPNs can empower today’s mobile workforce with clientless remote access—while saving IT departments the headache of installing and managing the complexity of IPSec VPN clients. SSL VPNs:
    ■ Increase productivity: SSL VPNs work in more places, including home PCs, kiosks, PDAs and unmanaged devices, over wired and wireless networks.
    ■ Lower costs: SSL VPNs are clientless or use lightweight Web-delivered clients rather than “fat” IPSec clients, reducing management and support calls.
    ■ Broaden security: SSL VPNs provide granular access and endpoint control to managed and non-managed devices.
    SSL is the standard protocol for secure message transmission on the Internet.
  • 9. Overcoming obstacles and objections
    Since the sunk costs of existing IPSec VPN solutions are often fully amortized, IT can defend allocating budget to replace depreciated technology with newer SSL VPN solutions. IPSec clients and configurations can be efficiently removed from existing managed devices during scheduled maintenance or upgrades. SSL VPNs can provide the same user experience as IPSec VPN—but with less management complexity and greater control. SSL VPN users do not require special training or hand-holding, as they can access their applications and resources with the same familiar interface. The user transition is simple: they just click the new VPN icon instead of the old icon. It’s easy to provision SSL VPN access whether or not the user’s device is managed by IT. If they are working from a personal device, they just open a browser and navigate to the SSL VPN URL.
  • 10. Best practices: 4 steps to an easy transition
    While SSL VPNs can be up and running in a matter of minutes, the timeline for a phased migration—from initial implementation of SSL VPN for unmanaged devices to expanded deployment to replacing existing IPSec VPN clients—will depend upon the size of the enterprise. Phased transitioning may take from 2-18 months. This usually gives administrators enough time to run an SSL VPN pilot in a lab environment to establish and evaluate their security policy and configuration before phasing out IPSec VPN. A successful migration strategy for replacing an IPSec VPN with an SSL VPN might include the following four steps:
    1. Define Security Policy.
    2. Implement Security Policy.
    3. Deploy SSL VPN.
    4. Phase out IPSec VPN.
  • 11. Step 1: Define security policy
    SSL VPN lets you restrict access to applications based on the user, the user’s role, the user’s device integrity and your established security policy, and segment access only to resources on the network that are appropriate. Prior to deploying SSL VPN, it is a good idea to establish a written corporate security policy covering:
    ■ How a user’s organizational role determines what resources they may access.
    ■ How users may access the network from IT-managed and non-managed devices.
    Make sure corporate security policy is understood by all users. For example, a financial manager needs access to account receivables applications, but not human resources applications; and a human resources manager needs access to human resources records, but not account receivables applications. Alternately, a CEO might be allowed access to both resources; however, while attempting access from a public airport kiosk, that same person might be identified in the role of “kiosk user,” and be restricted from accessing either resource.
  • 12. Step 2: Implement security policy
    SSL VPNs let you implement policies ranging from wide-open access to very granular controls. Choose an enforcement method appropriate to your security policy. Granular policies are useful for remote access control from either IT-managed or non-managed devices, as there will always be trust concerns when you don’t control the access environment. Generally, you will want to enforce different access for those devices that are managed by IT and those that are not. For implementing your security policy, consider these controls:
    ■ Restrict sensitive data types (such as social security or credit card database information) from being downloaded, or limit access to view-only.
    ■ Apply two-factor authentication using tokens or client-based digital certificates. This protects against passwords being viewed and stolen in public places, or personal computers being sold or discarded with login information still remaining on the disk.
    ■ Establish endpoint controls to interrogate the endpoint device to confirm whether it is managed or unmanaged, and in a secure state before attempting access. For example, you might confirm the device has recently run a current-version anti-virus software scan, or that it contains a watermark based upon a device certificate.
    ■ Set up different access groups that allow you to differentiate access based on user identity and endpoint interrogation. This ensures that appropriate access is provided for a business partner, an IT technician working from a home PC, or an executive traveling with an IT-managed laptop.
  • 13. Step 3: Deploy SSL VPN
    Unlike IPSec VPN deployment, SSL VPN deployment is relatively simple and straightforward, usually consisting of providing users with a URL. For example, SonicWALL® Aventail® E-Class Secure Remote Access (SRA) appliances offer flexible deployment solutions for:
    ■ Unmanaged devices: SonicWALL Aventail WorkPlace™ provides out-of-the-box clientless browser access to Web and client/server applications and file shares from unmanaged devices using Windows®, Windows Mobile®, Macintosh® and Linux® platforms, including home computers, public machines, smartphones and PDAs.
    ■ Managed devices: SonicWALL Aventail Connect™ adds a Web-delivered thin client on the same broad range of platforms for managed devices, enabling a complete “in-office” experience without having to access a portal.
    ■ Application-to-application: SonicWALL Aventail Connect Service Edition delivers remote access for scenarios where no human intervention is required.
    ■ Mobile devices: SonicWALL Aventail Connect Mobile™ provides “in-office” access for Windows Mobile-powered device users.
  • 14. Step 4: Phase out IPSec VPN
    During the deployment phase, prior IPSec VPN users will have been provided parallel SSL VPN access via either an SSL VPN agent on IT-managed devices or a browser on unmanaged devices. The final phase is to deactivate the now-unused IPSec connections. Once all users have migrated, the IPSec VPN may be deactivated at the appliance. Since, in general, SSL VPN tunneling should not conflict with IPSec, you might optionally leave both IPSec and SSL VPN agents running on the same device for a set period of time before deactivation to help transition users from the old technology to the new. To minimize administrative impact, deactivated IPSec clients and configurations can be removed from IT-managed devices during scheduled maintenance or replacement.
  • 15. Real-world lessons
    Network Manager at Norwich University, Richard Quelch, shares some of his experiences in replacing IPSec with an SSL VPN:
    “We found it best to add a minimal amount of users first, representing different areas of our organization. Time needs to be given to address access issues, to discover how the SSL VPN is used, which applications are accessed via the SSL VPN and to determine key areas of interest.
    “It was very easy for us to roll out SSL VPN to our users. They needed minimal training—usually we only needed to give the users the URL to get them started and connected. We’ve found that the maintenance and support time for SSL VPN is much less than it was with IPSec, resulting in less cost. Also, end-user productivity is higher, because access to resources over the VPN is available more often.
    “While the replacement process wasn’t difficult for us at all, it is important to know the applications well that will be accessed through the SSL VPN and to thoroughly test each application before deployment. And you should consider rolling out more advanced SSL VPN features over time, so that you don’t initially overwhelm your users with too many new options.”
  • 16. Conclusion
    IPSec VPN technology is designed for site-to-site VPNs, such as those connecting highly-controlled IT-managed branch office devices to corporate headquarters. SSL VPN technology, on the other hand, works much better for secure remote access. SSL VPNs:
    ■ Allow access to more resources from more endpoints.
    ■ Lower costs by easing administration with clientless (and easy-as-clientless) access and centralized control.
    ■ Add security with granular access and endpoint control.
    SonicWALL has a VPN solution to match your specific requirements. SonicWALL TZ and NSA Series appliances offer integrated IPSec VPN for secure site-to-site access. SonicWALL Aventail E-Class Secure Remote Access (SRA) appliances and SonicWALL SSL VPN appliances offer secure remote access for today’s mobile workforce, including remote access, disaster recovery, wireless networking, extranet access, mobile networking, policy enforcement, and network access control.
    Best practices for transitioning to an SSL VPN include establishing a corporate security policy, conducting a lab environment pilot and implementing a phased migration.
  • 17. How Can I Learn More?
    ■ Download the Whitepaper “IPSec vs. SSL VPN: Transition Criteria and Methodology”
    ■ Opt-in to receive SonicWALL Newsletters
    For feedback on this e-book or other SonicWALL e-books or whitepapers, please send an e-mail to feedback@sonicwall.com.
    About SonicWALL: SonicWALL® is a recognized leader in comprehensive information security solutions. SonicWALL solutions integrate dynamically intelligent services, software and hardware that engineer the risk, cost and complexity out of running a high-performance business network. For more information, visit the company Web site at www.sonicwall.com.
    ©2008 SonicWALL, the SonicWALL logo and Protection at the Speed of Business are registered trademarks of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 11/08 SW 477
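
The role-and-device policy described in Steps 1 and 2 (slides 11 and 12), written out as an added Python example; it is not part of the e-book and is not SonicWALL product configuration. The resource names, the seven-day scan threshold and the trusted/untrusted/kiosk classification are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Access(Enum):
    DENY = "deny"
    VIEW_ONLY = "view-only"
    FULL = "full"


# Step 1, the written policy: role -> resources (all names are constructed).
ROLE_RESOURCES = {
    "finance_manager": {"accounts_receivable", "intranet"},
    "hr_manager": {"hr_records", "intranet"},
    "ceo": {"accounts_receivable", "hr_records", "intranet"},
    "kiosk_user": set(),  # public kiosk: no business application at all
}
SENSITIVE = {"accounts_receivable", "hr_records"}  # view-only off trusted devices
MAX_AV_SCAN_AGE = timedelta(days=7)  # assumed meaning of "recently run"


@dataclass
class Endpoint:
    device_cert_valid: bool           # device-certificate "watermark" present
    last_av_scan: Optional[datetime]  # None: no scan result reported
    public_kiosk: bool = False


@dataclass
class Session:
    role: str
    second_factor_ok: bool
    endpoint: Endpoint


def classify_endpoint(ep: Endpoint, now: datetime) -> str:
    """Endpoint interrogation: returns 'kiosk', 'trusted' or 'untrusted'."""
    if ep.public_kiosk:
        return "kiosk"
    fresh = ep.last_av_scan is not None and now - ep.last_av_scan <= MAX_AV_SCAN_AGE
    return "trusted" if ep.device_cert_valid and fresh else "untrusted"


def decide(session: Session, resource: str, now: datetime):
    """Return (Access, reason). Default deny; each check can only narrow access."""
    if not session.second_factor_ok:
        return Access.DENY, "two-factor authentication not satisfied"
    zone = classify_endpoint(session.endpoint, now)
    # Device context overrides the organizational role on a public kiosk.
    role = "kiosk_user" if zone == "kiosk" else session.role
    if resource not in ROLE_RESOURCES.get(role, set()):
        return Access.DENY, f"role '{role}' is not entitled to '{resource}'"
    if zone == "untrusted" and resource in SENSITIVE:
        return Access.VIEW_ONLY, "sensitive data on untrusted device: no download"
    return Access.FULL, f"'{role}' on {zone} device"


NOW = datetime(2024, 1, 15, 12, 0)  # fixed clock so results are reproducible
LAPTOP = Endpoint(True, NOW - timedelta(days=1))         # IT-managed, scanned
HOME_PC = Endpoint(False, NOW - timedelta(days=2))       # no device certificate
STALE_LAPTOP = Endpoint(True, NOW - timedelta(days=30))  # managed, scan too old
KIOSK = Endpoint(False, None, public_kiosk=True)


def demo():
    """Run the scenarios from Steps 1 and 2; returns {label: Access}."""
    cases = {
        "finance, laptop, AR": (Session("finance_manager", True, LAPTOP), "accounts_receivable"),
        "finance, laptop, HR": (Session("finance_manager", True, LAPTOP), "hr_records"),
        "ceo, laptop, HR": (Session("ceo", True, LAPTOP), "hr_records"),
        "ceo, kiosk, HR": (Session("ceo", True, KIOSK), "hr_records"),
        "hr, home PC, HR": (Session("hr_manager", True, HOME_PC), "hr_records"),
        "hr, home PC, intranet": (Session("hr_manager", True, HOME_PC), "intranet"),
        "ceo, stale laptop, AR": (Session("ceo", True, STALE_LAPTOP), "accounts_receivable"),
        "ceo, laptop, no 2FA": (Session("ceo", False, LAPTOP), "hr_records"),
    }
    return {label: decide(s, r, NOW)[0] for label, (s, r) in cases.items()}


if __name__ == "__main__":
    for label, access in demo().items():
        print(f"{label:24} -> {access.value}")
```

The ordering of the checks matters: authentication strength and device state are evaluated before the role entitlement, so a valid role never widens access beyond what the endpoint is allowed.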