Legacy versus web-enabled applications, Authentication differences, Connectivity considerations – Fortinet FORTIOS V3.0 MR7 User Manual

FortiOS v3.0 MR7 SSL VPN User Guide

14

01-30007-0348-20080718

Comparison of SSL and IPSec VPN technology

Configuring a FortiGate SSL VPN

Legacy versus web-enabled applications

IPSec is well suited to network-based legacy applications that are not web-based.
As a layer 3 technology, IPSec creates a secure tunnel between two host devices.
IP packets are encapsulated by the VPN client and server software running on the
hosts.

SSL is typically used for secure web transactions in order to take advantage of
web-enabled IP applications. After a secure HTTP link has been established
between the web browser and web server, application data is transmitted directly
between selected client and server applications through the tunnel.

Authentication differences

IPSec is a well-established technology with robust features that support many
legacy products such as smart cards and biometrics.

SSL supports sign-on to a web portal front-end, from which a number of different
enterprise applications may be accessed. The Fortinet implementation enables
you to assign a specific port for the web portal and to customize the login page if
desired.

Connectivity considerations

IPSec supports multiple connections to the same VPN tunnel—a number of
remote VPN devices effectively become part of the same network.

SSL forms a connection between two end points such as a remote client and an
enterprise network. Transactions involving three (or more) parties are not
supported because traffic passes between client and server applications only.

Relative ease of use

Although managing IPSec VPNs has become easier, configuring SSL VPNs is
simple in comparison. IPSec protocols may be blocked or restricted by some
companies, hotels, and other public places, whereas the SSL protocol is usually
unrestricted.

Client software requirements

Dedicated IPSec VPN software must be installed on all IPSec VPN peers and
clients and the software has to be configured with compatible settings.

To access server-side applications with SSL VPN, the remote user must have a
web browser (Internet Explorer, Netscape, or Mozilla/Firefox), and if Telnet//RDP
are used, Sun Java runtime environment. Tunnel-mode client computers must
also have ActiveX (IE) or Java Platform (Mozilla/Firefox) enabled.

Access control

IPSec VPNs provide secure network access only. Access to the network
resources on a corporate IPSec VPN can be enabled for specific IPSec peers
and/or clients. The amount of security that can be applied to users is limited.