Security Architecture, Endpoint/Device Security

Fixing SSL VPN

Many of the recent trends in data center evolution have involved doing more with less by consolidating systems and unifying management - recent technologies such as server and storage virtualization come to mind. But there's one area where a once-promising new technology was tried and rejected before it had a chance to truly evolve, and that area is SSL VPN.

Too many of today's network administrators are enduring the help desk calls and configuration woes of IPSec VPN technology because early attempts at SSL VPN were rejected. It's a pity, because while thousands of companies continue to spend more and get less when it comes to controlling and securing remote access via IPSec VPN technology, newer SSL VPN solutions have eliminated the early issues and have gone on to deliver far better security and application support with lower costs than ever before.

To see how, let's look at the pros and cons of IPSec VPN and then compare them with today's SSL VPN solutions. To begin with, IPSec is a well-proven technology that provides an encrypted tunnel through which remote users can access corporate networks with reasonable performance.

But IPSec has several critical drawbacks – drawbacks that have grown more serious as the number and sophistication of users accessing corporate networks remotely have grown:

Client Required – IPSec VPNs allow access only from devices with a properly configured client, period. IPSec VPNs are useless for devices without such company-distributed clients, such as hotel business center PCs, internet cafes, employee smart phones or wireless PDAs.

No Endpoint Security Checks – IPSec VPNs don't check the integrity of the device connecting to the corporate network – once the VPN connection is established, a virus- or worm-infested device can unleash a costly, debilitating malware outbreak.

No Granular Access Control – IPSec VPNs don't allow network administrators to limit access to specific servers or other network resources – once the VPN connection is established, users can move anywhere about the network whether you want them to or not.

Complex and Expensive Management – IPSec VPNs all require software clients that are difficult to distribute, install, configure, upgrade and manage. The efforts involved incur high support costs before users ever access the VPN for the first time, and once these clients are installed and running, users continue to have problems (such as sessions timing out) and therefore continue calls for desktop support.

SSL VPNs initially came from Web technology as a way to provide secure remote access without the management messiness of configurable clients. The idea was that remote users could log into a network using just a browser, but there have been problems:

Application Flexibility – Browser-based access works for some applications, but it doesn't provide access to many other "non-webified" applications that users and enterprises may need (Microsoft Office, in-house applications, etc.).

Poor Performance – SSL VPN technology was initially far slower than IPSec VPN because these early solutions established two TCP connections per tunnel – one inside the other – to provide access. As a result, access performance degraded sharply compared to IPSec VPN, and it often ground to a crawl due to the phenomenon called "TCP-over-TCP meltdown" – the compounding retransmissions that occur when the inner and outer TCP connections each retry lost segments independently. Many network administrators couldn't stand the howls of complaint from users whose remote computing experience was thus diminished, so they went back to tried-and-true IPSec VPNs.

But SSL VPN technology has evolved considerably in the past few years, and these early problems have now been eliminated in advanced products in today's market. In terms of application flexibility, for example, SSL VPNs now support most applications by running session-only applets. These applets are downloaded transparently when the session begins and are removed when the session is finished – all without any intervention from the IT department. These applets are downloadable to any browser, so access is now available to users on hotel PCs as well as smart phones and other wireless devices.

Along with browser-based access, some SSL VPN vendors now offer client-based operation for when browser-based access or session-only applets aren't enough; it supports any application without the configuration nightmare of IPSec clients. As a result, IT managers have even more application flexibility with SSL VPNs than they do with IPSec VPNs.

In terms of performance, there are advanced new SSL VPN products that deliver performance equal to or better than any IPSec VPN solution by eliminating the double-TCP connection problem and, along with it, TCP-over-TCP meltdown performance degradation.

If addressing older issues was all new SSL VPN products did, one might forgive IT managers for not wanting to switch. But in sticking with IPSec technology, companies are also missing out on the chance to significantly reduce costs and improve access security. Here are some advantages to be gained from today's advanced SSL VPN products:

Endpoint Security – SSL VPNs can reduce security exposure from malware outbreaks by performing endpoint security checks that scan a device before granting it access to a network. These scans look for the existence of security applications such as anti-virus and personal firewalls, as well as operating system and browser updates, specific browser settings and much more. The results of the scan determine the safety level of a device attempting to access the network, and then pre-established policies enable access to specific network resources based on the device's security policy compliance level. SSL VPN is miles ahead of IPSec VPN in this area.

Lower Costs – With browser-based and self-downloading clients, SSL VPN is far simpler and less costly to administer because it eliminates the need for the IT department to distribute, install, manage and maintain configuration-heavy clients. Instead, the VPN gateway interacts with existing directory services to authenticate users, and with policy managers to apply security policies and validate that endpoint requirements are met.

Better Access Control – SSL VPNs can also provide highly granular network access. The most advanced SSL VPN products now provide policy-based network access that can control which part of the network (and in some cases, which resources) a user can access once they've been granted corporate network access through the SSL VPN.
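To make the two ideas above concrete, here is an added illustration (not code from the article or from NeoAccel) of how a gateway can turn an endpoint posture scan into a compliance tier and then into a per-resource access decision. The posture fields, tier rules, resource names and group names are all assumptions chosen for the example; the one property worth copying is that missing or malformed posture data fails closed rather than open.

```python
"""Miniature posture-to-access policy engine (added example, not any vendor's product).

A session applet is assumed to report device posture as a small JSON-like dict.
The gateway maps that report to a compliance tier, then grants only the
resources whose policy allows that tier and the user's directory groups.
"""
from dataclasses import dataclass

MIN_BROWSER = (100, 0)   # assumed minimum acceptable browser (major, minor)
MAX_PATCH_AGE_DAYS = 30  # assumed: OS patches older than this count as unpatched
TIERS = ("quarantine", "limited", "full")  # least to most trusted


@dataclass(frozen=True)
class Posture:
    antivirus_running: bool
    firewall_enabled: bool
    os_patch_age_days: int
    browser_version: tuple
    managed_device: bool


def parse_posture(report: dict) -> Posture:
    """Parse the applet's posture report. Anything missing or malformed is
    treated as the least secure value, so a broken scan cannot grant access."""
    def flag(key):
        return report.get(key) is True  # only a literal True counts

    try:
        patch_age = int(report.get("os_patch_age_days", 10**6))
    except (TypeError, ValueError):
        patch_age = 10**6
    try:
        major, minor = (int(x) for x in str(report.get("browser_version", "0.0")).split(".")[:2])
    except ValueError:  # too few components, or non-numeric text
        major, minor = 0, 0
    return Posture(flag("antivirus_running"), flag("firewall_enabled"),
                   patch_age, (major, minor), flag("managed_device"))


def compliance_level(p: Posture) -> str:
    """Assumed tier rules: no AV or firewall -> quarantine; healthy and
    company-managed -> full; everything else -> limited."""
    if not (p.antivirus_running and p.firewall_enabled):
        return "quarantine"
    hygiene_ok = (p.os_patch_age_days <= MAX_PATCH_AGE_DAYS
                  and p.browser_version >= MIN_BROWSER)
    if hygiene_ok and p.managed_device:
        return "full"
    return "limited"


# resource -> (minimum tier, directory groups allowed); "*" means any group
ACCESS_POLICY = {
    "remediation-portal": ("quarantine", {"*"}),
    "webmail":            ("limited", {"staff", "contractor"}),
    "intranet-portal":    ("limited", {"staff"}),
    "file-share":         ("full", {"staff"}),
    "finance-erp":        ("full", {"finance"}),
}


def allowed_resources(p: Posture, groups: set) -> set:
    """Resources reachable for this device tier and user group membership."""
    rank = TIERS.index(compliance_level(p))
    granted = set()
    for resource, (min_tier, allowed_groups) in ACCESS_POLICY.items():
        if TIERS.index(min_tier) > rank:
            continue
        if "*" in allowed_groups or groups & allowed_groups:
            granted.add(resource)
    return granted


def authorize(report: dict, groups: set, resource: str) -> bool:
    """Default-deny: a resource absent from the policy is never reachable."""
    return resource in allowed_resources(parse_posture(report), set(groups))


if __name__ == "__main__":
    # Constructed sample posture reports for demonstration.
    managed_laptop = {"antivirus_running": True, "firewall_enabled": True,
                      "os_patch_age_days": 3, "browser_version": "120.0.6099",
                      "managed_device": True}
    hotel_kiosk = {"antivirus_running": True, "firewall_enabled": True,
                   "os_patch_age_days": 200, "browser_version": "115.0",
                   "managed_device": False}
    broken_scan = {}  # applet failed to report anything
    for name, rep, grp in (("managed laptop", managed_laptop, {"staff"}),
                           ("hotel kiosk", hotel_kiosk, {"contractor"}),
                           ("broken scan", broken_scan, {"staff"})):
        tier = compliance_level(parse_posture(rep))
        print(f"{name:14} tier={tier:10} resources={sorted(allowed_resources(parse_posture(rep), grp))}")
```

The ordering of checks matters: the device tier is computed first and caps what any group membership can unlock, so a finance user on a kiosk still cannot reach finance-erp. Real gateways evaluate many more attributes, but they follow the same shape of scan, classify, then grant per resource.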

IPSec VPNs were once a great remote access solution as long as there was no comparable SSL VPN solution available. But in today's market, there's just no excuse for sticking with IPSec VPN other than perhaps not wanting to ruffle the feathers of one's existing big-name network equipment supplier. Those who take another look at SSL VPN will find that it not only performs as fast and offers even better application flexibility, but that it also improves security while slashing administrative costs.

Michel Susai is president and CEO, NeoAccel
