Tunnel Vision

SSL & IPSec VPNs explained

With home and remote working now commonplace it’s essential for businesses to provide secure access to their private network when employees access it from a public network. We look at the options when it comes to SSL and IPSec VPNs.

What is a VPN?

Virtual private networks (VPNs) create a tunnel between a public network and a private network, allowing users on the public network to send and receive data as if they were directly connected to the private network or to access protected resources securely through insecure networks. The most common VPNs are SSL and IPSec VPNs.


Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the protocols standard web browsers use to provide the secured link between remote users and the VPN terminating equipment. Because an SSL VPN uses the same ports and protocols as a web server (TCP port 443), many restricted networks (e.g. public networks and hotspots, guest connections, etc.) allow VPN connections of this type through unhindered.

To implement an SSL VPN, organisations can purchase a stand-alone appliance that functions solely as an SSL VPN server; buy a bundled device, such as a next-generation firewall or unified threat management product that offers SSL VPN capability; or subscribe to it as a service, using a virtual SSL VPN appliance.

Clientless SSL VPN

With a Clientless SSL VPN, end users are able to securely access resources on a corporate network from any location via an SSL-enabled web browser over HTTPS connections. A clientless SSL VPN does not require a software or hardware client; however, software ‘helpers’ may be installed dynamically once the connection is made (e.g. RDP clients or email viewers).

The end user simply authenticates with a Clientless SSL VPN gateway, which then allows the user to access pre-configured network resources. The terminating equipment proxies specific supported internal resources to the client’s web browser. The security appliance recognises which connections to proxy based on access control lists and permissions.


Internet Protocol Security (IPSec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an IP network.

IPSec provides the necessary infrastructure to extend an enterprise’s private network across the internet to reach employees, customers and business partners, creating a virtual private network (VPN) with the VPN data protected from outside access. VPNs can be set up using one of the two IPSec modes: tunnel mode and transport mode.

IPSec tunnel mode is usually used between secured network gateways, enabling hosts behind one gateway to securely communicate with hosts behind another gateway. For example, users of systems in a branch office can connect securely with head office systems if both offices have secure gateways acting as IPSec proxies for hosts within each office. The tunnel is established between the two gateway hosts and the tunnel can then carry traffic from any hosts inside the protected network.

Because IPSec tunnels are created between VPN terminating appliances, and these appliances have dedicated hardware to encrypt and decrypt information, performance is typically higher (depending on the type of encryption: AES-128, AES-256, DES, etc.).

Transport mode is when two hosts set up a directly connected IPSec VPN, securing data as it travels between them, typically for a single session. For example, a connection might be established to enable an IT support engineer to log in to a remote server to carry out maintenance; the connection is then closed once the session is complete.
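To make the difference between the two modes concrete, the following Python is an added illustration (not code from the original article) that builds simplified ESP packets in transport and tunnel mode and shows what a device on the public path can read off each. It assumes ESP with NULL encryption and an HMAC-SHA-256 integrity check only (so the wrapped data stays readable for inspection), a constructed integrity key, and constructed host and gateway addresses from the documentation ranges.

```python
import hmac, hashlib, struct, ipaddress

# Constructed scenario: branch host 10.1.0.5 talks to head-office host 10.2.0.7;
# the branch and head-office gateways are 203.0.113.1 and 198.51.100.1.
AUTH_KEY = b"constructed-demo-key"   # assumption: the SA's integrity key (demo only)
PROTO_IPV4, PROTO_TCP, PROTO_ESP = 4, 6, 50

def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options, checksum left zero) for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def esp_encapsulate(inner, next_header, spi, seq):
    """ESP (RFC 4303) with NULL encryption and an HMAC-SHA-256-128 ICV (RFC 4868).
    Only integrity is shown; a real SA would also encrypt 'inner' plus the trailer."""
    pad_len = (-(len(inner) + 2)) % 4              # trailer aligns the payload to 4 bytes
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)           # SPI + anti-replay sequence number
    icv = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:16]
    return header + body + icv

def transport_mode(src, dst, tcp_segment, spi=0x1001, seq=1):
    """Host-to-host: the original IP header stays; ESP protects only the segment."""
    esp = esp_encapsulate(tcp_segment, PROTO_TCP, spi, seq)
    return ip_header(src, dst, PROTO_ESP, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, inner_packet, spi=0x2002, seq=1):
    """Gateway-to-gateway: the whole inner IP packet is wrapped, and a new outer
    header carries the gateways' addresses rather than the end hosts'."""
    esp = esp_encapsulate(inner_packet, PROTO_IPV4, spi, seq)
    return ip_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp

def outer_addresses(packet):
    """The endpoints that anything on the public path can read off the packet."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def verify_icv(packet):
    """Receiver-side check: True only if the ESP header and payload are untouched."""
    esp = packet[20:]
    expected = hmac.new(AUTH_KEY, esp[:-16], hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, esp[-16:])

if __name__ == "__main__":
    segment = b"\x04\xd2\x00\x16GET / HTTP/1.1\r\n"     # constructed stand-in for a TCP segment
    t = transport_mode("10.1.0.5", "10.2.0.7", segment)
    inner = ip_header("10.1.0.5", "10.2.0.7", PROTO_TCP, len(segment)) + segment
    u = tunnel_mode("203.0.113.1", "198.51.100.1", inner)
    print("transport mode exposes:", outer_addresses(t))   # the hosts' own addresses
    print("tunnel mode exposes:   ", outer_addresses(u))   # only the two gateways
```

In tunnel mode the internal addresses travel inside the ESP payload, so with real encryption the internet only ever sees the two gateways; the `verify_icv` check shows why a modified packet is dropped at the receiving gateway.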


With a traditional IPSec VPN, packets ‘tunnel’ through two network security appliances between their local networks. An IPSec ‘Tunnel Mode’ connection is not managed with a software application, as it works at the Network Layer of the Open Systems Interconnection (OSI) Model and must be managed deep within the actual OS network code on the security appliance. The client computer (on the remote network), when connected through an IPSec ‘Tunnel’, is effectively communicating with the corporate network as a routable stub, potentially allowing access to everything on the internal network that a local computer could access. To interface with the network, most IPSec VPN solutions require third-party hardware to be installed.

The main benefit of an IPSec based VPN is the additional security layer intrinsic to a system which requires specific and compatible hardware to run correctly. This makes it far more difficult for cyber criminals to attack and access exposed networks. Additional layers of security can be added to the authentication process (e.g. certificate-based, IP-address or pre-shared key authentication) to further secure remote endpoint validation.

However, on the downside, it is costly for a business to pay for and maintain initial hardware installation, licences and the tech support needed to maintain and update the software.

Clientless SSL is a common protocol, supported by most modern web browsers. The majority of internet accessible computers already have the “client software” necessary to connect through an SSL VPN. Licences are also required.

Clientless SSL based VPNs allow tunnelling to specific applications when network wide access is unnecessary. This is a great security and data protection feature. It is also much easier to assign different administrative rights to users depending on their seniority and access needs within the SSL framework.

SSL VPN, Clientless SSL VPN and IPSec VPN Partners

Xcomm works with many security appliance suppliers (Cisco, Pulse Secure (previously Juniper), Palo Alto, Draytek, Sonicwall etc.) to supply customers with the most suitable security appliance depending on their business needs. These security appliances provide best-in-class performance and reliability, built with the throughput and capacity to support mobile, cloud and IoT. Models include the PSA300, PSA3000, PSA5000, PSA7000 and Cisco ASA NGFW/Firepower range of security appliances.

We’re here to help!

If you’d like to find out more or discuss in more detail how we can help you with your remote working, disaster recovery or business continuity, please call us on 03333 447 092 or email sales@xcomm.co.uk and one of our team will be happy to help.

Check out our sister company and other brands Acuity Unified Communications and LineBroker