VPN Approaches: IPSec and SSL

Here and there on the web one can find discussions of Cisco's licensing policies and the abandonment of the Cisco VPN Client in favor of the Cisco AnyConnect client. But there seems to be a dearth of information on how the different technologies work, and what it means for a user. I'm no VPN expert, but perhaps a few points here can make the picture a bit clearer.

The Cisco VPN Client uses something called IPSec. It inserts itself pretty low in the Internet protocol stack, which means that it needs special driver-like permissions in the operating system to work. It also means that, unless it allows some sort of split-tunnel configuration, it takes over every Internet connection on your system. That is, any connection you make, even to a site unrelated to your corporate network, will go through the VPN. This is nice if you're in another country and want an online movie site to think you're in the US so that it won't restrict access based upon your IP address. It is not so nice if your corporate firewall blocks Facebook access.

The newer Cisco AnyConnect client uses SSL instead of IPSec. Yes, the same SSL technology that you use in your browser. In fact, SSL solutions are usually implemented using your browser's existing SSL implementation, which means that for the most part you can only access corporate web pages.

"But doesn't the Cisco AnyConnect client allow non-browser connections from applications such as the NXClient?" Yes, and the way it does it is clever. You'll notice that you have to start AnyConnect from a browser; after that, it starts an ActiveX or Java program that controls the SSL connection and also acts as a local server. It also apparently modifies the local machine's hosts file so that corporate host names are rerouted to the running AnyConnect ActiveX or Java program. The conversation is then tunneled across a separate SSL connection.
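As an added example that is not part of this post, here is a small audit that parses a hosts file and flags names redirected to a loopback address, which is the footprint the rerouting described above leaves behind (and, on a machine with no VPN client installed, a change worth investigating). The sample hosts content and the host names in it are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file, of the kind a user-level VPN client might
# leave behind. The names and addresses are illustrative assumptions only.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by vpn client (constructed example)
127.0.0.1       intranet.example.corp
127.0.0.1       mail.example.corp
10.20.30.40     build.example.corp
"""

# Names that legitimately map to loopback on most systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

@dataclass
class HostsEntry:
    address: str
    name: str
    line_no: int

def parse_hosts(text):
    """Parse hosts-file text into (address, name) entries, ignoring comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; skip rather than guess
        for name in fields[1:]:               # one line may carry several aliases
            entries.append(HostsEntry(fields[0], name.lower(), line_no))
    return entries

def find_loopback_redirects(text):
    """Return entries mapping a non-localhost name to a loopback address."""
    redirects = []
    for entry in parse_hosts(text):
        if ipaddress.ip_address(entry.address).is_loopback and entry.name not in LOCAL_NAMES:
            redirects.append(entry)
    return redirects

if __name__ == "__main__":
    for e in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.name} -> {e.address}")
```

On a real machine, feed it the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead of the constructed sample.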

So, ignoring the licensing issues, which should you prefer as a user? If you want the fastest performance available, my intuition says that the low-level IPSec approach of the Cisco VPN Client may be more efficient, and I seem to recall reading that it may be less subject to latency problems. But if you, like me, are suspicious of low-level drivers that alter how all Internet connections function on your machine, you want the AnyConnect client, which is not intrusive and runs at the user level. Likewise, if you don't want non-corporate connections forced over the VPN, the AnyConnect client is the way to go.