Weir, vice president of network operations for HUB International, a New York-based brokerage, and Raquel, the IT director for Southern California medical laboratory Pathology Inc., both switched from a traditional Internet Protocol Security-based (IPsec) VPN to one powered by the SSL protocol last year. And when you question them about their reasons for their shift in secure remote-access strategies, they answer by extolling the technology’s benefits just as a vendor product manager would.
Weir, for instance, uses an SSL VPN system from Array Networks to "extend a variety of small custom applications, such as databases, out to users," he says. "We also give vendors access to virtual sites, as well. That’s one of the beauties of SSL — its ability to compartmentalize different sections of your network for different people based on what they need access to."
Raquel, for his part, relies on an SSL VPN from Aventail because it significantly reduces ongoing maintenance of end-user access connectivity resources. When he relied on an IPsec VPN, he says he was forced to create a network security key for each user, then load the IPsec VPN client software on each user’s PC or notebook.
Both are time-consuming tasks that Raquel is freed from performing with the SSL VPN. Plus, the SSL VPN also makes it significantly easier for the physicians, technicians and sales reps to access information remotely than with an IPsec-based solution, he says.
All those features are, of course, precisely the advantages vendors in the SSL market talk about when promoting their products. They’re also why vendors and analysts say that more and more enterprises are now deploying SSL VPNs and foregoing those based on IPsec.
"The small to medium business [SMB] market is driving the growth," says Charles Kolodgy, research director for security products at IDC. "The real issue here is [that] people in the SMB market want to start at the low end with SSL."
Reggie Best, executive vice president and general manager of AEP Networks — a secure application access business, agrees: We’re absolutely seeing growth in SSL VPN sales, he says. "There’s a growing need to give mobile users with PCs, notebooks, and PDAs simple, effective connectivity into applications available inside the corporate data center."
Market research numbers back up vendors’ claims. Jeff Wilson, a principal analyst at Infonetics Research, says the SSL VPN market grew 61 percent between 2004 to 2005, up to about $300 million from about $200 million. The IPsec market, which is significantly larger, at about $2.5 billion, grew at a more tame eight percent rate, according to Wilson.
The access puzzle
While HUB International, with about 3,000 employees nationally, may not fit exactly into the SMB space, Pathology Inc., with about 80, does. A large number of Pathology’s employees, including physicians, salespeople and a few suppliers, need to access the company’s internal systems from remote locations for several reasons.
Physicians, for instance, track patient tests, such as biopsies, and the lab’s outside sales representatives often check on the status of diagnostics tests, particularly when "patients complain they haven’t seen their lab results," says Raquel. He also grants access to billing-related applications to some accounting department employees, as well as certain network resources to outside vendors.
Raquel says he moved to an SSL VPN for two key reasons. First, it eliminated the need for him to generate a network key and then load IPsec client software on each end-user PC. The SSL VPN from Aventail also allows Raquel to determine on a case-by-case basis which resources within the network his employees and vendors can access from the outside.
"With an IPsec VPN, once you’re in our network, it’s wide open," and thus there is no accountability, "whereas with an SSL VPN, I can control on a per-user basis where they can hit and what systems they can see," he explains.
HUB International’s Weir faced similar issues when he switched his company’s New York City offices from an IPsec to an SSL VPN. Like Raquel, he was concerned with the IPsec VPN’s side effect of "opening my network." The SSL VPN’s compartmentalization capabilities, on the other hand, allow him to create "virtual sites with a lot of flexibility in what we deliver to our customers and vendors."
The SSL VPN also reduces his IT staff’s administrative burden. "If we want to make changes to what [users] can access, we just push it out via their browser, from the backend, and it’s effortless to them," he explains.
Some would argue that IPsec VPNs have their place. They emerged as the method of choice for site-to-site remote-access connectivity in the late 1990s. The technology creates a secure, layer-three network encrypted "tunnel" from one location to another. As noted, it requires installing a so-called "thick" client component on each end-user PC, which can lead to significant management issues when VPN vendors modify their software.
But, in addition to those already noted, IPsec VPNs now suffer from a few other issues. For instance, they often encounter problems with firewalls and when traversing a network address translation (NAT) implementation, notes Infonetics’ Wilson. The latter occurs because NAT modifies IP packets by replacing a public IP addresses for a private address.
Cisco Systems, Juniper Network (via its NetScreen acquisition), Nortel Networks and Check Point Software are the clear IPsec VPN market leaders, notes Joel Synder, a senior partner at Opus One, an IT consulting firm focused on security. These vendors generally integrate their VPN capability into a multifunction device, such as a router or firewall.
SSL VPNs also create a tunnel into a network, but at the application layer. They require only a browser on the client PC to establish a link to internal resources, such as web and email servers. As such, they are well-suited for limited-trust scenarios and where installing a digital certificate is not feasible, such as with business partner desktops and employees’ home PCs. Unlike IPsec, SSL is insulated from IP address modification, so it passes easily through NAT.
Still, SSL VPNs have their own set of trade-offs. For example, users must often download a Java applet or ActiveX control to access certain applications, such as Windows Terminal Service, which do not lend themselves to web-based access. Applications that require Java applets or ActiveX controls, especially unsigned Java/ActiveX agents, can conflict with corporate security policies that prohibit such applets, which can be used to install trojans, retrieve files or execute malware.
Juniper Networks, Nortel, Aventail and F5 Networks lead the SSL VPN market, according to Gartner, Inc. A number of other, mostly smaller players, including AEP Networks, Array Networks, Check Point Software, Citrix, Whale Communications, Nokia, and Symantec also offer SSL VPN products often aimed at niche markets.
As examples, USRobotics and AEP target their SSL VPN products directly at the SMB space. Jim Thompson, a senior product manager with USRobotics, calls the company’s USR8200 SSL VPN product "the backbone of a small office network" because it offers both a firewall and VPN capability.
Similarly, Check Point Software’s SSL VPN "doesn’t do a lot of things, but it is very easy to install," says Snyder. "You just put in a CD, and it gives any PC an SSL VPN, and you don’t even have to buy hardware from them."
Cisco, Juniper and Nokia, of course, all aim their products at high-end enterprise deployments.
Whatever the niche — enterprise, SMB, SSL or IPsec — it’s clear user demands for secure remote access via a VPN continue to grow. It’s also increasily clear that neither the SSL or IPsec VPN will go away, and security managers should hedge their bets by considering the pros and cons of each technology.
Jim Carr is an Aptos, CA-based freelance business writer. He can be reached at firstname.lastname@example.org.
Integrating SSL VPN
With the demand growing rapidly for Secure Sockets Layer (SSL) virtual private networks (VPNs), it is no big surprise that those selling traditional Internet Protocol Security (IPsec) VPNs would jump on the SSL VPN bandwagon. After all, there is a role for each technology in the typical enterprise network, where vendors target their combination platforms.
In general, vendors have moved into the SSL VPN market by integrating SSL VPN capabilities into their IPsec VPN products. Cisco Systems, Juniper and Nortel are among those who have followed this strategy, adding them to their routers.
Delivering a combination SSL/IPsec VPN product allows the vendor to "not take sides in the camp of one protocol or another," says Pete Davis, Cisco’s product line manager for remote-access VPNs. "Both technologies have a place in the remote access connection.
"Our viewpoint is that both make sense in the market," he adds. "Our major customers already use IPsec, and they have no need to change that. But when they’re looking at connecting partners, an SSL VPN is just easier to deploy."
The integration of SSL VPN capabilities into an IPsec VPN solution offers enterprises several benefits. The most obvious: It lowers the cost of adding SSL capabilities by eliminating the purchase and management of a second device.
More importantly, however, the combination solution gives enterprise security managers "granular" control of remote access policies based on the trust level of the end-user.
That level of access control is critical to meeting many of the new federal governance regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.