I am going to start having employees work from home. I know a little bit about VPN, but have never used one. What are the cost/benefits between IP Sec and SSL?

Jay Madison
Posted on July 9, 2009

Both IPSec and SSL-based VPNs rely on tried-and-true transport encryption technologies to secure end-to-end connections.

Using client and server certificates to identify your endpoints can prevent MitM attacks. Having your users authenticate via two-factor authentication is also an advisable step. Authentication via 'something you have, and something you know' will help ensure that only users you select, and who possess the 'something you have', can connect to your VPN.

Not all SSL VPNs rely on a web browser to operate; OpenVPN will transport all traffic, similar to IPSec-based VPNs. Email, Instant Messaging, Web, etc. can all be tunnelled over SSL-based VPNs.

Both IPSec and SSL-based VPNs can provide a secure remote access solution for your associates, but it's important to remember that the end points themselves need to be secure first. If your remotie's box is compromised, all you've done with the VPN is allow the attacker to access further resources on your network. Make sure that anyone who connects up to your VPN has the latest OS patches, has the appropriate AntiVirus/Anti Malware installed, and is locked down with your company's official security profile. (You know, apply the basics: turn off unneeded services, deactivate unneeded accounts, employ secure password guidelines, etc.)

Also, keep in mind that you lose a degree of physical security by having your associates work remotely. Be mindful of this, and educate them properly; friends and family using a machine that is normally used by your associates only for business purposes may lead to issues with malware or virus infections.

In a nutshell, both can get the job done effectively. IPSec can be a more complex and difficult installation (especially at the network layer), while SSL-based VPNs may work better from behind locked down firewalls - each has its own unique benefits and challenges. Best of luck with your implementation!

Resources:
http://openvpn.net/ OpenVPN for Linux, Windows, MAC
http://www.openswan.org/ IPSec VPN (Linux)
http://technet.microsoft.com/en-us/network/bb531150.aspx
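
The certificate and two-factor advice in the answer above, sketched as an OpenVPN 2.4+ configuration with the weak setting shown beside the corrected one. This is an added example, not part of the original post or OpenVPN's own sample files; the host name `vpn.example.com`, the file names, and the PAM plugin path and service name are assumptions.

```conf
# ---- server.conf (constructed example) ----
port 1194
proto udp
dev tun
# CA that signs both the server and the client certificates
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Pre-shared key: packets that do not carry it are dropped before TLS starts
tls-crypt ta.key

# Weak: password-only login, no client certificate ("something you know" only)
;verify-client-cert none
# Corrected: every client must present a certificate signed by the CA above
verify-client-cert require
# The peer certificate must be marked for TLS client use
remote-cert-tls client

# Second factor: username/password checked through PAM in addition to the
# certificate. Plugin path and service name "openvpn" are assumptions and
# vary by distribution.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# ---- client.ovpn (constructed example) ----
client
dev tun
proto udp
# Placeholder host name
remote vpn.example.com 1194
ca ca.crt
# "Something you have": the per-user certificate and private key
cert client.crt
key client.key
# "Something you know": prompt for username and password
auth-user-pass
tls-crypt ta.key

# Weak: with neither line below, any certificate issued by the CA, including
# another user's client certificate, is accepted as the server.
# Corrected: require a server-use certificate that carries the expected name.
remote-cert-tls server
verify-x509-name vpn.example.com name
```

A client started without either server check logs a warning that no server certificate verification method has been enabled, which is worth alerting on during rollout.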

Brenda Eaden
President/CEO, IDTELi, INC.
Posted on July 9, 2009

I see you've been given some advice on your question, but if you are going to have employees work remotely, you do NOT want to rely on SSL security. Most companies rely on this but are still being attacked.

I invite you to visit this website to learn why SSL and anti-virus protection isn't going to stop malware attacks and why each employee needs to have "keystroke encryption" software security installed on their home computers.

www.GuardedID4RemoteWorkforces.com

This is the first layer of security you should be considering for protecting your business. Lots of eye opening info on the website.

Feel free to contact me directly if you have any questions. Glad to be of assistance as you move to using a remote workforce.

eaden@idteli.com

Brenda Eaden
President/CEO, IDTELi, INC.
Posted on July 9, 2009

As anyone in the industry knows, there is no one solution that is going to provide 100% degree of security from malware attacks... and this includes firewalls, patched OSs, filters, anti-virus, authentication, lock downs etc.

As a matter of fact, even Symantec will tell you their anti-virus solutions CANNOT stop 70% of the malware attacks. Actually, Symantec is better than most. However, this means anyone with a computer (even with authentication or secured access) is exposed to keylogging attacks by "known" and worse, "unknown" keyloggers. Keyloggers are designed to grab keystrokes AS they are being typed. So with secure access, anything typed can be captured by keyloggers. Most in circulation are undetectable.

SSL security offers a very important level of security between the web browser applications and the web servers. If anyone knows anything about malware attacks, you would know the cyber criminals are stealing the information from the data stack between the keyboard and the web browser. There is no amount of updating anti-virus/anti-spyware that can stop the THOUSANDS of "unknown" variant keyloggers in daily distribution from stealing keystrokes. These products no longer provide the high degree of protection they once did. Otherwise, the government and major corporations investing in standard state-of-the-art solutions would not encounter the problems we see reported daily in the news. ;-)

The reality is, there is no panacea for security. It takes a layered approach to apply security at multiple levels where vulnerability exists. This includes, but is not limited to keyboard encryption (data in motion) which should be everyone's first level of defense, data in transit encryption, and data in storage encryption in addition to SSL. Data transmitted from the keyboard to the web server needs to be kept as secure as possible.

Education, keeping anti-virus programs updated and physical security is very important but if security was that simplistic, the cyber thieves wouldn't be as successful as they are.

Working from home presents a host of security issues. I would also discourage remote workers from using a shared computer (period) to conduct your business activities. You are asking for trouble if this is not part of your remote workforce strategy and security is of importance to you.

The bad guys are throwing everything they know at us. The best we can do is do everything we can to protect our information at all levels. Protecting one or two areas isn't sufficient security because malware attacks occur when vulnerable areas are exploited... and the bad guys are very good at finding the weaknesses. I liken it to getting pregnant... all it takes is one. ;-) This is why we continue to see zero day attacks occurring.

In closing:

Before you or anyone entertains the advantages of utilizing a remote workforce, ensure you have a sound security program in place to protect your business and the worker. This includes ensuring they have their firewalls in place (one is provided with Windows and usually their router), anti-virus (minimum of 2 programs) AND critically important... keystroke encryption software!

Recommendations:

There are some very good free anti-virus programs I can suggest based on the technical recommendations I've received from my computer experts. You can get the downloads from www.cnet.com

Malwarebytes (free version)
AVAST (free version)
CCleaner (free version-good to keep computer free from gunk)
Spybot Search & Destroy (free version)

Don't get in a hurry when clicking for downloads. Be sure you are selecting the "free" versions.

Keystroke Encryption (not free but inexpensive)

www.GuardedID4Business.com

All the best!


At the end of the day, you can have the best VPN encryption, Patch and A/V Management; however, all of this is futile if the end user isn't educated about the different attack vectors crackers are using to compromise systems.

What about those 0-day attacks, where vendor patches and A/V signatures are not even available yet? These types of attacks target users by enticing them to visit malicious Web sites, or open malicious e-mail attachments. The fact of the matter is, when staff work from home, they have the freedom to browse the web more freely, which opens them up to these types of attacks. No Proxy Gateway URL filtering, or IPS's at home!

Also, other family members using work PCs opens up even more risks. Portable USB storage devices are another risk. Home wireless networking is also another major risk these days.

Security awareness / education is the key, followed by all the other defense-in-depth layers mentioned above.

I suggest the organisation supplies SOE hardware/software with strict security policies set in the O/S (password policies and hard-coded Patch/anti-virus configuration, inability to freely install software without Admin privs, etc, etc).

Users also need to periodically complete an online CBT based training session about computer security (with a compulsory assessment at the end). They should also be made aware of their responsibility and potential ramifications if they are to breach acceptable usage security policies etc.

You can clearly see the layers of the onion at work here :)

sbosolutions
Posted on July 9, 2009

In general, SSL VPNs are easier to configure and deploy. I would highly recommend them if your workforce will be working from home or traveling around.

IPSec VPNs are useful in a more static environment such as multiple buildings of employees wanting to connect.

That being said, there are always exceptions. You need to take into account the types of applications you will be using and the OS that your clients will be using.

I've configured and maintained Juniper and Citrix SSL VPN appliances and have found them both to be very good.

Feel free to email me if you have any questions.

www.sbosolutions.net

Mike Lee
Director of Special Circumstances, cawidgetwerx
Posted on July 10, 2009

Well, I'd need a lot more clarification on what the employee home IT security policy, training, support, and accounting situation is like first. Probably an hour videoconference would answer most of the essential matters needed to give an answer to this question.

Or, when your kid uses the node and her friend downloads some bittorrent games and suddenly the entire security everywhere is compromised; how that is handled needs to be addressed first. IMHO.

Daniel Turissini
Posted on July 13, 2009

Either IP Sec or SSL can be deployed effectively and economically; the key is the credential used to activate the session. With a strong Federated identity using PKI you can deploy an effective VPN solution with the confidence of individual accountability. We are currently deploying for many clients, with a cost saving over proprietary/fat client solutions.

Tony Harbon
Posted on July 21, 2009

All of these other points are valid, but in layman's terms, IPSEC is now being superseded by SSLVPN for remote user security, which is simpler to deploy and allows users to employ their home PCs to access email and files without having to install anything on their home machines. It is however recommended that you should use a commercial strong authentication product that uses either one-time-passwords or a certificate on a USB token to positively identify valid users accessing your system remotely.