As more people gain access to your IT infrastructure, there’s growing demand to secure that access at a reasonable cost.
IP security – or IPsec – is a great security method for client/server situations. It was built to support packet exchange at the IP layer and is pretty common in virtual private networks. For IPsec to work, both the sending and receiving ends have to share a public key using management protocols that authenticate the sender while letting the receiver get a public key.
IPsec for VPNs makes sense, but what about for your intranet and the Internet?
The proliferation of Web-based technology means people can have access from home, on the road and from a variety of mobile devices. Most IT departments would be loath to give everyone an IPsec client. They don’t really want to start supporting and tweaking IPsec for everyone’s machines.
Instead, there’s a move to adopt SSL, the Secure Sockets Layer protocol, for transmitting documents via the Internet using public-key encryption. It provides the necessary level of security for basic functions such as Web-based e-mail, limited client/server applications (Microsoft Corp.’s Exchange and Outlook, as well as Lotus Notes) and some intranet functions. And when combined with Nokia Corp.’s new Secure Access System, the flexibility of SSL makes it possible to open up safe new ways of accessing corporate intranets and the Internet.
Consider four devices in which this type of security appliance can be effective in providing SSL protection: a company-issued laptop, a home machine, a handheld, and a public kiosk or public wireless network. Each can be managed to limit file upload and download capability, depending on the circumstances.
For example, upload capability could be restricted to machines that have current virus controls installed. Different levels of access for each location for a single user can be defined and automatically set using SSL. The security appliance, sitting behind the firewall, is rules-based, so different user groups can be configured for access. In addition, it’s possible to ratchet up from 64-bit encryption to 128-bit, depending on the sensitivity of the documents or pages. Data isn’t cached on the browser, so all the data remains within your security fortress. And there’s a fairly easy interface with LDAP directories, making it possible to overlay access rules on top of existing rights and permissions.
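A sketch of the rules-based decision described above, as an added example that is not Nokia's code or configuration. The table contents, names and fail-closed handling are assumptions; only the four device classes, the virus-control condition on uploads and the 64/128-bit levels come from the article.

```python
from dataclasses import dataclass

# Constructed policy tables; the device classes come from the article,
# the permissions assigned to each are assumptions for illustration.
DEVICE_CEILING = {
    "company_laptop": {"view", "download", "upload"},
    "home_machine":   {"view", "download", "upload"},
    "handheld":       {"view", "download"},
    "public_kiosk":   {"view"},
}
GROUP_RIGHTS = {            # stands in for rights read from an LDAP directory
    "staff":       {"view", "download", "upload"},
    "contractors": {"view", "download"},
}
REQUIRED_BITS = {"normal": 64, "sensitive": 128}  # key sizes named in the article


@dataclass(frozen=True)
class Session:
    group: str
    device: str
    antivirus_current: bool
    cipher_bits: int          # strength negotiated for this SSL session


def decide(session: Session, action: str, sensitivity: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one request; unknown values fail closed."""
    ceiling = DEVICE_CEILING.get(session.device)
    rights = GROUP_RIGHTS.get(session.group)
    required = REQUIRED_BITS.get(sensitivity)
    if ceiling is None or rights is None or required is None:
        return False, "unknown device, group or sensitivity"
    # Overlay: the device rule can only narrow what the directory grants.
    if action not in (rights & ceiling):
        return False, "action not permitted for this group on this device"
    if action == "upload" and not session.antivirus_current:
        return False, "upload requires current virus controls"
    if session.cipher_bits < required:
        return False, f"resource requires {required}-bit encryption"
    return True, "ok"
```

Because the device ceiling is intersected with the directory rights, the same user gets a narrower result from a kiosk than from a company laptop without any change to the directory entry.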
Sure, IPsec is still necessary for power users accessing multiple platforms. But consider that, with no client to deploy and no VPN, SSL costs less, and because you’re using standards-based technology, maintenance headaches are reduced. I’d say SSL looks good enough to complement IPsec. It’s one answer to securing access at a reasonable cost.