Traditionally, corporations have responded to their remote access requirements by extending their IPSec (Internet Protocol Security) VPNs. However, the costs associated with this technology are prohibitive.
An alternative access method employing Secure Socket Layer, or SSL VPN, is gaining in popularity. Less expensive, and easier to deploy, SSL VPN technology provides remote access to Web applications such as e-mail and corporate intranets.
Unlike IPSec VPNs, browser-based SSL VPN products, also referred to as SSL remote access and "instant virtual extranets," do not require companies to install VPN client software on remote devices. By authenticating to the company's network, users can make a secure connection from any laptop or desktop PC with a browser. This ability is unique because SSL firewalls are generally kept open, eliminating the need to reconfigure them to provide access.
The benefits of employing SSL VPN are many, including:
Perhaps the greatest benefit of an SSL VPN is the cost savings. According to The Yankee Group SSL VPNs are 45 percent less expensive than IPSec solutions and 72 percent cheaper than dial-up (excluding toll costs).
|Comparison of Dial-up, IPSec, and SSL Remote Access|
|Dial-Up||IPSec Remote Access||SSL Remote Access|
|Total 1st Year||$840||$415||$235|
|The Yankee Group, Sept. 2002|
Because SSL VPNs are easier to manage and less expensive, corporations can extend the reach of remote access to more employees. The solution is ideal for corporations whose employees are often on the go.
SSL VPN Vendors
A number of vendors provide SSL VPN products today, including: Aspelle, Neoteris, Netsilica, and Whale Communications. With 36 percent of the market, and 25 percent of its customers ranking in the Fortune 1000, Neoteris is considered an industry leader. The company, founded in May 2000, has more than 1 million users worldwide.
"Two key elements accounting for the rise of SSL VPN have been cost and the need to reduce security risks," said Andrew Harding, manager of technical marketing for Neoteris. "Many corporations simply cannot reconcile the cost of building out their extranets. SSL VPN is the only technology that can dynamically enable remote access to all the resources employees need. Some SSL VPN vendors simply provide access to e-mail, others support file access, or intranet content. However, it's those companies that are a full range of features that are truly driving the adoption of SSL VPN technology."
Neoteris can provide customers with a selection of offerings from Web applications to full-fledged network connections. The company provisions access by purpose, rather than limiting deployments to just a few applications or requiring that IT support network connections for every user. Through its Instant Virtual Extranet (IVE) platform and Access Series, Web applications, Java applets, client-server applications and messaging clients can be SSL-enabled.
In addition to the Access Series, Neoteris also offers the Meeting Series, a family of secure online meeting appliances that support real-time, user-to-user collaboration. The company also announced in August that they have expanded their SSL-based access options with the Network Connect Upgrade, enabling connectivity to a range of resources and applications, including H.323 and SIP.
SSL VPN Drawbacks
In spite of its benefits, many corporations are uncertain about implementing SSL VPNs. They are mainly concerned that SSL VPN is not as secure as an IPSec VPN. IPSec, the most common security protocol for dial-up and broadband remote access, software is installed on employees' computers, and creates a full network connection.
SSL VPN, on the other hand, is referred to as an "application layer" technology. "Our SSL VPN solution is about the application layer technology and dynamic application intermediation," Harding said. "We are dynamically transforming traffic at the application layer. With regard to security, if you drill down to the details of IPSec and SSL VPN, they are much the same, just implemented differently."
Neoteris suggests that IPSec solutions can actually result in security vulnerabilities. This risk can be reduced by incorporating host-integrity and security-posture software on the client's machine and by protecting the network against potentially hostile clients.
"In contrast to products that require a network connection," Harding said, "SSL solutions that dynamically intermediate application content can reduce costs significantly because the deployment and maintenance of client software, and the risk of hostile network clients, both disappear with clientless, application-layer access."
Zeus Kerravala, vice president of enterprise infrastructure for The Yankee Group, offers another perspective.
"The technology itself is just as secure as IPSec VPN," Kerravala said. "However, because of the way it is deployed, SSL VPN can be less secure. By providing users access from any location over any device, in the work, corporations are taking the risk that the computers or devices utilized may have security risks that the IT department is not aware of. With SSL VPN, you have two unknowns — the user and the device."
In spite of the drawbacks of each, Harding notes that both technologies have their purpose.
"Since IPSec can be used to secure network connections and SSL is focused on application layer traffic, IPSec is well suited for business needs that require broad and persistent, site-to-site, network layer connections," he said. "SSL, on the other hand, is well suited for applications where the system needs to connect individuals to applications and resources."
The Bottom Line: SSL VPN or IPSec VPN?
Most analysts agree that VPN and SSL VPN technologies will co-exist. "Rarely does a new technology replace an existing one overnight," said The Yankee Group's Kerravala. "While SSL will be popular for the majority of user-based access needs, traditional IPSec VPNs will always be used for site-to-site requirements and power, or technologically advanced users."
This belief is backed up by research. Meta Group, a Stamford, Conn.-based research firm, predicts that SSL VPNs will be installed in one out of three major companies by 2004, and in 80 percent by 2006. Infonetics Research expects the SSL-based VPN market to grow from $4 million in 2002 to an estimated $986 million by 2005. However, Inonetics contends that IPSec products will continue to make up a huge share of the VPN market. IPSec VPN and firewall hardware is estimated at $1.5 billion this year, and is expected to rise to $2.5 billion in 2005.
Nevertheless, not wanting to lose out to the SSL vendors, traditional IPSec vendors, such as Nortel and Checkpoint, are recognizing the value of SSL VPNs as well, and have already begun incorporating the technology into their products. In February, Nortel announced the addition of SSL encryption and SSL VPN capabilities to its Alteon application switches. And, in July of this year, Checkpoint unveiled its SSL-based VPN.
Even Microsoft sees a definite growth potential in the technology, which is why the company has been offering SSL-based access to applications like e-mail and file sharing through its ISA Server 2000 firewall and caching product, making it a suitable platform for partners to build SSL VPN services upon.
It looks like SSL VPN will be available in one form or another for the foreseeable future. Ultimately, it is the users who must determine what their requirements are, and choose the technology that provides the functionality that best meets their needs. Kerravala offers one word of advice before going out and selecting a vendor: "Find a vendor with a strong customer track record, an emphasis on security, and a roadmap of their features."