Cisco Cisco ASA for Nexus 1000V Series Switch Data Sheet
White Paper
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 5
Characteristics
Desktop Software Updates
●
Basic SSL VPN access can operate without any special-purpose desktop software, thus no
updates are required. Full network application access is provided using software that
automatically installs and updates without any user knowledge or intervention.
automatically installs and updates without any user knowledge or intervention.
●
IPsec VPNs can automatically update, but is more intrusive and requires user input
Customized User Access
●
SSL VPNs offer granular access policies to define what network resources a user has
access to, as well as user-customized Web portals
●
IPsec offers granular access policies, but no Web portals
Which To Deploy: Choosing Between IPsec and SSL VPNs
IPsec is a widely deployed technology that is well-understood by end users and has established IT
deployment support processes. Many organizations find that IPsec meets the requirements of
users already using the technology. But the advantages of dynamic, self-updating desktop
software, ease of access for non-company-managed desktops, and highly customizable user
access make SSL VPNs a compelling choice for reducing remote-access VPN operations costs
and extending network access to hard-to-serve users like contractors and business partners. As
such, organizations often deploy a combination of SSL and IPsec approaches. IPsec is commonly
left in place for the existing installed base. SSL is deployed for new users, users with “anywhere”
access requirements, contractors, and extranet business partners. By offering both technologies
on a single platform, Cisco remote-access VPN solutions make the choice simple—deploy the
technology that is optimized for your deployment and operating environment. Table 2 summarizes
the issues to consider when evaluating which VPN technology best fits your operating
environment.
Table 2.
Choosing a Remote-Access VPN Technology
SSL VPN
IPsec VPN
“Anywhere” Access from Non-Company-Managed Devices, such as
Employee-Owned Desktops and Internet Kiosks
Employee-Owned Desktops and Internet Kiosks
X
Business Partner Access
X
User-Customized Access Portals
X
Minimized Desktop Support and Software Distribution
X
Greatest Flexibility to the End-Users
X
X
Greatest VPN Client Customizability
X
Ability to Maintain Existing IT Deployment and Support Processes
X
Remote-Access VPN Security Considerations
Worms, viruses, spyware, hacking, data theft, and application abuse are considered among the
greatest security challenges in today’s networks. Remote-access and remote-office VPN
connectivity are common points of entry for such threats, due to how VPNs are designed and
deployed. For both new and existing IPsec and SSL VPN installations, VPNs are often deployed
without proper endpoint and network security. Unprotected or incomplete VPN security can lead to
the following network threats:
●
Allows remote-user VPN sessions to bring malware into the main office network, causing
virus outbreaks that infect other users and network servers
●
Allows users to generate unwanted application traffic, such as peer-to-peer file sharing, into
the main office network causing slow network traffic conditions and unnecessary
consumption of expensive WAN bandwidth