SSL-VPN: New paradigm in remote access
What's the best way to stay connected to your company's
network when on the road: IPSec VPN or SSL-VPN? Subash Warrier weighs the
pros and cons
These days, when I travel I log into my corporate intranet whenever I can from
airport kiosks, wireless hotspots or the offices of another corporate. Depending
on what I would like to do, I check e-mail, corporate resources or company documents.
I am part of a 33-million strong workforce of employees at large corporations
who are mobile, according to an estimate by networking vendor Siemens
AG, which says that by 2005 more than 50 million workers will access corporate
networks from remote locations.
Traditionally, corporations have responded to their remote access requirements
by extending their IPSec (Internet Protocol Security) VPNs. However, the costs
associated with this technology are prohibitive. An alternative access method
employing Secure Socket Layer, or SSL VPN, is gaining in popularity. Less expensive,
and easier to deploy, SSL VPN technology provides remote access to Web applications
such as e-mail and corporate intranets.
IPSec VPN
IPSec VPN is a technology created out of an IETF (Internet Engineering Task
Force) standard. It is terrific technology but has some problems. These problems
are:
- Typically, each remote machine must have client software installed, which means one cannot
connect using a kiosk.
- Typically, an IPSec VPN will not work from inside another corporate network.
Because of the above issues, IPSec VPN cannot be used for a large number of users.
What is SSL VPN?
Unlike IPSec VPNs, browser-based SSL VPN products, also referred to as SSL remote
access and instant virtual extranets, do not require companies to
install VPN client software on remote devices. By authenticating to the company's
network, users can make a secure connection from any notebook or desktop PC
with a browser. This ability is unique because firewalls are generally kept
open to SSL traffic, eliminating the need to reconfigure them to provide access.
The benefits of employing SSL VPN are many, including ease of deployment and
use, clientless access, elimination of installation problems and IT interaction,
elimination of network interoperability issues, ease of maintenance and fewer
changes to firewalls.
Perhaps the greatest benefit of an SSL VPN is the cost savings. According to
The Yankee Group, SSL VPNs are 45 percent less expensive than IPSec solutions
and 72 percent cheaper than dial-up (excluding toll costs).
Because SSL VPNs are easier to manage and less expensive, corporations can extend
the reach of remote access to more employees. The solution is ideal for corporations
whose employees are often on the go.
Drawbacks of SSL VPN
In spite of its benefits, many corporations are uncertain about implementing
SSL VPNs. They are concerned that SSL VPN is not as secure as an IPSec VPN,
the most common security protocol for dial-up and broadband remote access. IPSec
software is installed on employee computers and it creates a full network connection.
SSL VPN, on the other hand, is referred to as an application layer
technology: an SSL VPN solution intermediates applications dynamically and
transforms traffic at the application layer. With regard to security, if you drill down to the details
of IPSec and SSL VPN, they are much the same, just implemented differently.
The technology in SSL VPN is just as secure as IPSec VPN is. However, because
of the way it is deployed, SSL VPN can be less secure. By providing users access
from any location over any device, corporations are taking the risk that computers
or devices utilised may have security risks that the IT department is unaware
of. With SSL VPN, you have two unknowns: the user and the device. However,
with strong two-factor authentication, security problems can be mitigated.
Best of IPSec-VPN and SSL-VPN
In spite of the drawbacks of each, both technologies have their purpose. Since
IPSec can be used to secure network connections and SSL is focused on application
layer traffic, IPSec is well suited for business needs that require broad and
persistent, site-to-site, network layer connections. SSL, on the other hand,
is well suited for applications where the system needs to connect individuals
to applications and resources.
Conclusion: SSL VPN or IPSec VPN?
Most analysts agree that IPSec VPN and SSL VPN technologies will co-exist. Rarely
does a new technology replace an existing one overnight. While SSL will be popular
for the majority of user-based access needs, traditional IPSec VPNs will always
be used for site-to-site requirements and for power, or technologically advanced,
users.
Market dynamics
This belief is backed up by research. The Meta Group, a Stamford, Connecticut-based
research firm, predicts that SSL VPNs will be installed in one out of three
major companies by 2004, and in 80 percent by 2006. Infonetics Research expects
the SSL-based VPN market to grow from $4 million in 2002 to an estimated $986
million by 2005. However, Infonetics contends that IPSec products will continue
to make up a huge share of the VPN market. IPSec VPN and firewall hardware is
estimated at $1.5 billion this year, and is expected to rise to $2.5 billion
in 2005.
Nevertheless, not wanting to lose out to the SSL vendors, traditional IPSec
vendors such as Nortel and Check Point are recognising the value of SSL VPNs
as well, and have already begun incorporating the technology into their products.
In February, Nortel announced the addition of SSL encryption and SSL VPN capabilities
to its Alteon application switches. And, in July of this year, Check Point unveiled
its SSL-based VPN.
Even Microsoft sees definite growth potential in the technology, which is why
the company has been offering SSL-based access to applications like e-mail and
file sharing through its ISA Server 2000 firewall and caching product, making
it a suitable platform for partners to build SSL VPN services upon.
SSL VPN will be available in one form or another for the
foreseeable future. Ultimately, it is the users who must determine what their
requirements are, and choose the technology that provides the functionality
that best meets their needs.
| | Dial-Up | IPSec Remote Access | SSL Remote Access |
| Acquisition costs | $120 | $55 | $15 |
| Monthly support | $60 | $30 | $20 |
| Total 1st Year | $840 | $415 | $235 |
Source: The Yankee Group, Sept. 2002
The author is the CTO and Founder of vFortress, a vMoksha
Group Company. He can be contacted at subash@vMoksha.com