Cisco ASA 5525-X Adaptive Security Appliance Data Sheet
White Paper
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
required for application access across the SSL VPN connection is dynamically downloaded on an
as-needed basis, thereby minimizing desktop software maintenance.
SSL VPNs provide two different types of access: clientless and full network access. Clientless
access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted
and delivered through a standard Web browser; no other software is required or downloaded.
Since all applications and network resources are accessed through a Web browser, only Web-
enabled and some client-server applications—such as intranets, applications with Web interfaces,
e-mail, calendaring, and file servers—can be accessed using a clientless connection. This limited
access, however, is often a perfect fit for business partners or contractors who should only have
access to a very limited set of resources on the organization’s network. Furthermore, delivering all
connectivity through a Web browser eliminates provisioning and support issues since no special-
purpose VPN software has to be delivered to the user desktop.
SSL VPN full network access enables access to virtually any application, server, or resource
available on the network. Full network access is delivered through a lightweight VPN client that is
dynamically downloaded to the user desktop (through a Web browser connection) upon
connection to the SSL VPN gateway. This VPN client, because it is dynamically downloaded and
updated without any manual software distribution or interaction from the end user, requires little or
no desktop support by IT organizations, thereby minimizing deployment and operations costs. Like
clientless access, full network access offers full access control customization based on the access
privileges of the end user. Full network access is a natural choice for employees who need remote
access to the same applications and network resources they use when in the office or for any
client-server application that cannot be delivered across a Web-based clientless connection.
IPsec-based VPNs are the deployment-proven remote-access technology used by most
organizations today. IPsec VPN connections are established using pre-installed VPN client
software on the user desktop, so IPsec is used primarily on company-managed desktops.
IPsec-based remote access also offers tremendous versatility and customizability through
modification of the VPN client software. Using APIs in IPsec client software, organizations can
control the appearance and function of the VPN client for use in applications such as unattended
kiosks, integration with other desktop applications, and other special use cases.
Both IPsec and SSL VPN technologies offer access to virtually any network application or
resource. SSL VPNs offer additional features such as easy connectivity from non-company-
managed desktops, little or no desktop software maintenance, and user-customized Web portals
upon login. Table 1 compares the two technologies.
Table 1. Comparing IPsec and SSL VPN Technologies

Characteristics

Application and Network Resource Access
● SSL (using full network access) and IPsec VPNs offer broad access to virtually any application or network resource

End-User Access Method
● SSL VPNs are initiated using a Web browser
● IPsec VPNs are initiated using pre-installed VPN client software

End-User Access Device Options
● SSL VPN enables access from company-managed, employee-owned, contractor and business partner desktops, as well as Internet kiosks
● IPsec VPN enables access primarily from company-managed desktops

Desktop Software Requirements
● Only a Web browser is required for SSL VPN
● IPsec VPN requires proprietary pre-installed client software