Is IPsec Out of the Picture?

SSL virtual private networks (VPNs) and IPsec VPNs both have their pros and cons. The major benefit of using SSL for VPNs is that it is so darn easy to deploy, because most popular browsers support SSL by default. IPsec, however, has a better security footprint than SSL, although they both do a terrific job. If a company has thousands of clients currently deployed using IPsec, and it is working, there is probably no compelling urgency to swap it out. The two technologies can both be configured on the same server, and clients can use either service, depending on the situation.

For example, if a user is at a kiosk or on a borrowed computer and needs access to only one specific server, that user can open a browser, use the clientless VPN functionality, and, after authenticating, have access to that one specific server. (This is where the clientless SSL VPN feature excels: when connections to only one or a few servers are needed and the full-tunneled Cisco AnyConnect Secure Mobility Client cannot be installed on the local computer.) When the user is done, she logs out, and the PC that she was using has no client installed and no software remnants related to it.

The next day, on her own PC in a different city, that same user may connect to the corporate network using the full-blown Cisco AnyConnect Secure Mobility Client SSL VPN client and gain full access to all the resources, as a typical remote-access VPN user would. She could also launch her IPsec VPN client (if it was installed and if the server was supporting IPsec), build a tunnel to the corporate headquarters, and have effectively the same features and feel that the Cisco AnyConnect Secure Mobility Client SSL VPN provided. Table 8-2 shows a comparison of IPsec versus SSL.

Table 8-2 Comparison of IPsec Versus SSL
