SSL-VPNs Making Headway Against IPsec

By Sean Michael Kerner


As distributed enterprises continue to proliferate, so does the need for secure VPN access. Increasing numbers of users are remote from the main office network, yet they still need and want the same access that their office counterparts enjoy.

For years IPsec-based VPNs were the norm, but recently lower-cost SSL-based VPNs have garnered a lot of industry interest. In fact, some analysts believe that SSL-based VPNs will soon dominate the space.

According to representatives from both Cisco Systems and Juniper Networks, the question of SSL vs. IPsec is one commonly asked by today's clients. Both companies offer IPsec- and SSL-based VPN solutions, and reps often need to explain the differences between the two technologies and the respective benefits of each.

This is because, according to Juniper Networks Senior Product Manager Johnnie Konstantas, SSL-VPN technology has only just begun to grab the market's attention.

"There is definitely a change a foot in that the boundaries of the network are disintegrating," Konstantas said. "The notion that I am logging in from home and I have a harder time of getting to the information I need than when I'm in the office is going away. It's being replaced by the idea that I should have the same online experience whether I'm at home, at a hotel or logging in here at the network."

From Cisco's point of view, SSL-VPN is currently more suited for extranets and the casual remote user, according to Product Manager Pete Davis.

"A user with a corporate asset using more complex applications wants the same exact experience as you have in the office and that's where IPsec makes sense," Davis explained.

Cisco offers a hybrid approach and doesn't claim to force one technology over the other. Cisco's competitor Juniper also sees SSL-VPNs as being well suited for remote access, though Juniper believes that IPsec solutions are best suited for site-to-site connectivity.

The Differences

Juniper's Konstantas explained that one of the primary differences is in the modes of access.

"With IPsec you get one mode of access and that is full-network-layer connectivity," she said. "With SSL there's the notion of multiple types of connectivity that are possible."

Traditionally, SSL-VPNs have allowed remote users access to Web-based applications via a Web browser. Modern SSL-VPN solutions also include application connectivity via a thin-client download (usually an ActiveX or a Java client), which acts as an application proxy to the particular application. Full-network-layer connectivity is now also available via SSL-VPNs as a thin-client download.

It is the thin-client download type of connectivity that makes SSL-VPNs very similar to their usually more expensive IPsec counterparts. In fact, Cisco's Davis sees a lot of customers looking for SSL to almost become a tunnel-based connection like IPsec.

"We do see with SSL a lot of customers that are starting to understand that it can't solve all their applications in its truest sense of being clientless," Davis said. "In the true sense of clientless you can't access things that are thick-client in nature at all. A lot of customers are saying it's great that I can access my network from anywhere but not all of my applications are Webified."

According to Forrester Research Senior Research Associate Robert Whiteley, CIOs are not currently utilizing the full potential of SSL-VPNs even though they offer the same level of technology and security.

"SSL-VPNs can be deployed such that they are at the same level as IPsec remote-access VPNs," Whiteley told CIOupdate.com. "Most enterprises and CIOs are not currently using SSL-VPNs in this capacity although I believe that will change this year. This is true from both a technology and security perspective."

Overtaking IPsec

Both Forrester Research and Meta Group believe that SSL-VPNs will be used for the majority of remote access VPNs within the next two to four years (Meta Group and Forrester, respectively).

"I do believe that SSL-VPN will overtake IPsec VPN in terms of market share, probably by 2006, but only for remote access implementations," said Mark Bouchard, Meta Group senior program director. "In fact, I expect that approx 70% of all corporate users will use SSL-VPN as the means for secure remote access by 2006."

Cisco doesn't quite see it as SSL-VPN taking away market share from IPsec; rather, it sees an enlargement of the marketplace for remote access VPN as a whole.

"What we're seeing is less of an overtaking and more of the fact that a lot of companies that perhaps didn't consider remote access before or, perhaps, already have IPsec look to SSL to supplement access for certain types of users," Davis said. "We haven't seen a lot of cannibalization for IPsec deployments for SSL, that's what we're expecting to see in the long run, more the enlargement of the market and less of the taking away of one from the other."

SSL-VPN is a technology that should be considered by CIOs for remote access, said Bouchard. Technologically speaking, it offers cost savings, ease of use and security. Vendors and analysts alike are recommending SSL-VPN for remote access, though not to the ultimate exclusion of IPsec, which still has a place in IT infrastructures.

"Bottom line on SSL-VPN is that it is very flexible, easy to implement, and in many instances more secure than remote access VPNs using IPsec," he said. "I'm telling CIOs that SSL-VPNs not only belong in their portfolio of network/security solutions, but should also be displacing IPsec over time, but only in its remote access capacity. IPsec that is used to connect offices (in place of things like Frame Relay) is not in jeopardy."