A true VPN solution?

The Defzone range of firewall products offers both IPsec and SSL/TLS VPN. Starting with the DefZone 700ssl we offer a combined IPsec and SSL/TLS VPN gateway. This solution makes it very easy to connect road warriors or home users to your company network. No client software is needed, and both a network extender and a transport extender are available.
The DefZone 700ssl, 1650ssl and 1850ssl support IPsec VPN as well as SSL/TLS VPN. We have a true SSL VPN solution that can replace an IPsec implementation. What we offer is a site-to-site tunnel. One of the major disadvantages of IPsec is the complexity of deploying and maintaining the IPsec infrastructure. Another major issue is that IPsec runs in kernel space, whereas non-essential processes should never interfere with the kernel if a high level of stability and security is to be maintained. SSL/TLS VPN uses a virtual interface that is controllable and accessible without any kernel dependence. The flexibility of this architecture allows IPsec and SSL VPN to run on the same machine at the same time. SSL/TLS is much easier to implement than IPsec and provides a platform that is solid, simple and well tested.
It is important to note that SSL/TLS based VPNs can encrypt link traffic for site-to-site connectivity just like IPsec VPNs. The RSA (or DH) handshake plays the same role as IKE does in IPsec, and the SSL crypto library then secures the symmetric tunnel, using encryption techniques similar to those that protect IPsec tunnels. This tunnel can carry arbitrary traffic, just like an IPsec VPN.
These are some advantages of SSL/TLS VPN:
1 - SSL/TLS operates in ring 3 of the secure OS ring architecture, so it is not intertwined with the OS kernel the way IPsec is. You can use IPsec and SSL/TLS simultaneously on a Windows machine. An IPsec client operates in ring 0, so when the IPsec client software becomes unstable the whole OS can become unstable.
2 - Very easy client configuration. The major advantage of SSL/TLS over IPsec is the simple configuration of the client. Additional configuration can be pushed to the client. Clients are available for Windows 2000/XP, Mac OS X and Linux, at no additional cost. There is no licensing structure for DefZone SSL/TLS VPN tunnels.
3 - No packet loss during re-keying. SSL/TLS uses a secondary channel for re-keying, so data transfer is not interrupted, whereas IPsec tends to lose some packets when the old keys are dropped and the new keys become available.
4 - SSL/TLS works perfectly with NAT. SSL/TLS does not authenticate the packet source address, so it can traverse a NAT device without problems.
5 - Load balancing/failover: you can create redundant tunnels by using an additional ADSL or cable connection.
6 - The most widely deployed and tested security protocol. By default SSL/TLS uses the Blowfish cipher for encryption and SHA-1 for authentication. These algorithms are widely deployed and thoroughly tested and have no known security flaws.
7 - The SSL server can push IP addresses as well as routes to the client. Information about available DNS or WINS servers can be pushed as well.
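Item 3 above (re-keying over a secondary channel without dropping data) is the behaviour an engineer most often has to reason about, so here is an added example, written for this page and not Defzone's code, that simulates it in Python. It assumes a constructed packet format (a one-byte key id followed by an HMAC-SHA1 tag, matching the SHA-1 authentication the page mentions) and models the control channel as direct calls on each end; it does not encrypt, it only shows how keeping the old key accepted during the transition means packets still in flight are not rejected.

```python
import hashlib
import hmac
import os
MAC_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag

class DataChannel:
    """One end of the data channel: accepted keys indexed by a 1-byte key id (constructed format)."""
    def __init__(self, key_id, key):
        self.keys = {key_id: key}   # every key this end still accepts
        self.active = key_id        # key id used for outgoing packets
        self.received, self.rejected = [], 0
    def seal(self, payload):
        """Packet = key_id || HMAC-SHA1(key_id || payload) || payload."""
        header = bytes([self.active])
        mac = hmac.new(self.keys[self.active], header + payload, hashlib.sha1).digest()
        return header + mac + payload
    def open(self, packet):
        """Verify with the key named in the packet; unknown key id or bad MAC drops it."""
        key_id, mac, payload = packet[0], packet[1:1 + MAC_LEN], packet[1 + MAC_LEN:]
        key = self.keys.get(key_id)
        if key is None or not hmac.compare_digest(
                mac, hmac.new(key, bytes([key_id]) + payload, hashlib.sha1).digest()):
            self.rejected += 1
            return None
        self.received.append(payload)
        return payload

    # Control-channel actions, modelled here as direct calls on each end.
    def install_key(self, key_id, key): self.keys[key_id] = key
    def switch_to(self, key_id): self.active = key_id
    def retire(self, key_id): self.keys.pop(key_id, None)

def run_rekey(overlap, in_flight=3):
    """Rekey while `in_flight` packets sealed under the old key are still in transit.
    Returns (delivered, rejected); overlap=True keeps the old key until that traffic drains."""
    k1, k2 = os.urandom(16), os.urandom(16)
    sender, receiver = DataChannel(1, k1), DataChannel(1, k1)
    transit = [sender.seal(b"data-%d" % i) for i in range(in_flight)]  # sealed with key 1
    receiver.install_key(2, k2)      # key 2 agreed over the control channel
    sender.install_key(2, k2)
    sender.switch_to(2)
    if not overlap:
        receiver.retire(1)           # abrupt switch: old key dropped at once, as the page says IPsec does
    transit.append(sender.seal(b"after-rekey"))
    for packet in transit:
        receiver.open(packet)
    if overlap:
        receiver.retire(1)           # old key retired only after in-flight traffic has drained
    return len(receiver.received), receiver.rejected
```

run_rekey(True) delivers all four packets with nothing rejected; run_rekey(False) rejects the three that were still in flight under the retired key.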