CIO Republic is introducing a new monthly column, the VPN Advisor, covering VPN issues and trends. Columnist Salvatore Salamone will answer TechRepublic members’ questions, so we invite you to send in any questions you may have.

What’s the best way to go?
Q: Which is a better VPN implementation, a VPN gateway or server with VPN software installed or a VPN appliance hardware product?

—Michael G. Barroga, network development engineer, Philippine Computer Storage Services, Inc.

Salamone: There is no one best VPN implementation for all situations. Various equipment approaches have advantages and disadvantages, depending on the networking scenario they are used to support.

For instance, using VPN software on a router, server, firewall, or gateway is usually seen as a relatively low-cost way to deploy a VPN. After all, in most cases the VPN software is added to an existing device, so the only required investment is a software upgrade from the equipment vendor.

Another advantage to the additional software approach is that your network does not change. No extra devices need to be installed, and management of the network remains the same. A further advantage is that there is often less training required, since your IT staff will already be familiar with the vendor’s methods for setting up and administering the equipment. The VPN configuration and management tools will often use the same interface and nomenclature as the product you’ve already implemented.

However, one point to consider when adding software to existing hardware is performance. VPN tunneling and encryption tasks will be carried out in software, taking CPU cycles from other processes. This could become an issue. For example, if you buy a router specified to handle a certain packet-per-second forwarding rate and then significantly sap the router’s CPU with VPN software, the router’s performance may no longer meet your networking performance requirements.

For that reason, many router and firewall vendors offer add-on, hardware-assist products for heavy-load VPNs. The hardware add-on product handles computationally intensive VPN tasks, offloading them from the device itself. If such a performance-enhancing hardware add-on is required, what started out as a relatively low-cost solution—adding some software to an existing device—now costs more than expected.

In contrast, a VPN appliance is built to handle all VPN tasks without putting an additional burden on any of your existing networking equipment.

But there are drawbacks to this approach, as well. For example, you’ll be adding a new piece of equipment to your network, thus increasing the complexity of your networking environment. Also, the IT staff will often need more training, since the configuration and management tools will likely be different from the ones used on your corporate routers, firewalls, and switches.

And there’s a performance issue to be addressed. If you start with a VPN appliance designed to support 100 simultaneous VPN sessions, and you vastly expand your VPN to more users, scaling up the VPN will require the purchase of more appliances.

Where and how does SSL fit in?
Q: What are SSL-based VPNs? What makes them different? Are there limitations when using them compared to a normal VPN?

—TechRepublic member who requested anonymity

Salamone: The Secure Sockets Layer (SSL) VPN is a relatively new concept that’s gaining interest in some corporations. The idea behind SSL-based VPNs is to use the encryption technology embedded in a Web browser to provide a secure connection to corporate data or applications.

The market for SSL-based VPNs is somewhat small compared to traditional IPSec VPNs, but it is growing. According to the market research firm Infonetics Research, sales of SSL-based VPN equipment will reach $871 million by the end of 2005. In contrast, revenues for all VPN equipment were $1.3 billion in 2001.

As I noted in the recent article “SSL-based VPNs gaining favor,” a major limitation to the SSL-based approach is that users can access only Web server applications. In contrast, an IPSec VPN would provide access to all resources, including client/server and legacy applications.

While some might find the limitations of SSL-based VPNs a major hurdle, the shortcoming may quickly diminish as many companies move to Web services-enabled applications. Such applications would be accessible using the SSL-based VPN approach.
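The reason an SSL-based VPN reaches only Web server applications, while an IPSec VPN reaches everything on the protected network, is easiest to see in the access logic of each. The following is an added illustration, not code from the column or from any VPN vendor: it sketches the routing and link-rewriting core of a clientless SSL VPN portal beside the address-based decision an IPSec tunnel makes. The application registry, host names (`intranet.corp.example`, `hr.corp.example`), the `/portal/` prefix and the tunneled network `10.10.0.0/16` are all constructed for the example.

```python
"""Added example: why a browser-based (SSL) VPN is limited to Web applications.

The portal can only forward HTTP requests to applications it has registered and
must rewrite links in the returned HTML so the browser keeps coming back through
it. An IPSec tunnel, by contrast, decides by destination address alone and
carries any protocol, which is why it also serves client/server and legacy apps.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed registry of the internal Web applications the portal publishes.
# Host names are placeholders. Anything not listed here is unreachable through
# the SSL VPN, whatever protocol it speaks.
WEB_APPS = {
    "intranet": "http://intranet.corp.example",
    "hr": "https://hr.corp.example:8443",
}
PORTAL_PREFIX = "/portal/"


def route_request(portal_path):
    """Translate a browser request path such as /portal/hr/payslip into the
    upstream URL the portal should fetch on the user's behalf.

    Returns None when the path does not name a registered Web application.
    There is simply no route for a file share or a raw TCP service: that is
    the limitation the column describes, in code form."""
    if not portal_path.startswith(PORTAL_PREFIX):
        return None
    app, _, tail = portal_path[len(PORTAL_PREFIX):].partition("/")
    base = WEB_APPS.get(app)
    if base is None:
        return None
    return f"{base}/{tail}"


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


# Reverse map from each registered origin to its portal alias, used when
# rewriting links in HTML returned by the upstream application.
ORIGIN_TO_APP = {_origin(base): app for app, base in WEB_APPS.items()}

_ABS_LINK = re.compile(r'(href|src|action)="(https?://[^"]+)"')


def rewrite_links(html):
    """Rewrite absolute links to registered applications so they point back
    into the portal. Links to unregistered hosts are left untouched, because
    the portal would refuse to proxy them anyway; relative links need no
    change since the browser already resolves them against the portal."""

    def repl(match):
        attr, url = match.group(1), match.group(2)
        parts = urlsplit(url)
        app = ORIGIN_TO_APP.get(f"{parts.scheme}://{parts.netloc}")
        if app is None:
            return match.group(0)
        path = parts.path.lstrip("/")
        if parts.query:
            path += "?" + parts.query
        return f'{attr}="{PORTAL_PREFIX}{app}/{path}"'

    return _ABS_LINK.sub(repl, html)


# Constructed address range protected by an IPSec tunnel.
TUNNELED_NETWORK = ipaddress.ip_network("10.10.0.0/16")


def ipsec_permits(dst_ip):
    """An IPSec tunnel decides by destination address only: any protocol to an
    address inside the protected network rides the tunnel, so client/server,
    file-sharing and legacy applications all work without a portal."""
    return ipaddress.ip_address(dst_ip) in TUNNELED_NETWORK


if __name__ == "__main__":
    # Constructed sample of HTML an intranet application might return.
    page = ('<a href="http://intranet.corp.example/reports?y=2002">Reports</a>'
            '<img src="https://hr.corp.example:8443/logo.png">'
            '<a href="https://www.example.org/news">External</a>')
    print(route_request("/portal/intranet/reports/q3"))
    print(route_request("/portal/fileserver/share"))   # None: not a Web app
    print(rewrite_links(page))
    print(ipsec_permits("10.10.5.20"), ipsec_permits("192.168.1.1"))
```

The contrast is deliberate: `route_request` and `rewrite_links` only ever understand URLs, which is what makes the SSL approach simple for Web applications and useless for anything else, while `ipsec_permits` never looks at the protocol at all.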

For now, companies requiring secure access to Web applications might want to consider the SSL-based VPN approach as a simpler and easier-to-use alternative to the traditional IPSec VPNs.