While the need for secure remote connectivity to applications and data continues to drive the virtual private networking (VPN) market, some companies are discovering that deploying an IP Security (IPSec) VPN brings complications they would rather avoid. These problems are especially pronounced when the VPN's primary goal is to provide remote users—customers, business partners, or employees—with secure access to a limited set of applications.
One alternative to a traditional VPN is an SSL-based VPN. An SSL-based VPN offers comparable security to the traditional IPSec VPN, but promises to be simpler to use. This ease of use has prompted analysts to predict a positive future for the technology, but this simplicity does come with a caveat: a reduction in functionality.
How SSL-VPNs work
SSL-based VPNs use an SSL/proxy server that sits behind the corporate firewall. A user wishing to securely connect to a company’s network enters a URL that brings them to a proxy server. The user is authenticated by the proxy server, and the SSL/proxy server provides the link between various application servers and the remote user. The advantage over a traditional IPSec VPN is that no special client software is required. All a user needs is a Web browser that supports SSL.
In contrast, traditional VPNs require client software—a sticking point to VPN deployment for many companies. Businesses often encounter problems deploying the software to users’ computers and have trouble configuring it correctly. In some cases, the VPN client software creates conflicts with other applications (particularly dialer programs that might share common system resources).
Over the last few years, many VPN vendors have improved client software to ease distribution, installation, and configuration. Many CIOs have also adopted deployment methodologies that reduce problems. For instance, some enterprises have remote users, such as sales reps, bring laptops into the home office to have the VPN software installed by the IT staff rather than by the user. This way, the tech specialist can resolve any problems on the spot rather than trying to troubleshoot over the phone.
Such complications can be avoided with an SSL-based VPN because the user simply uses a Web browser and enters the URL of the SSL/proxy server.
A handful of vendors, including Aventail, Neoteris, NetSilica, and Netilla Networks, are offering SSL-based VPNs. Yo.net offers a VPN alternative that uses SSL and an authentication gateway to provide secure end-to-end access between a remote user’s computer and a wide range of systems, applications, and network services. All but Aventail, which specializes in large corporate and extranet connectivity, are new to the marketplace. Aventail offers both IPSec and SSL-based VPNs.
The pros and cons of SSL-VPNs
On some levels, the two VPN approaches offer comparable features. For instance, SSL uses 168-bit encryption to secure a session—the same cryptographic protection as Triple-DES encryption, which is common in IPSec VPNs.
A major limitation to the SSL-based approach, however, is that users can access only Web server applications. In contrast, an IPSec VPN would provide access to all applications—including client/server and legacy applications. But this shortcoming is not a big concern for some.
“We have two types of users—employees and customers—each needing access to different information,” explained Andrew Goldstone, a network administrator at a medical supply company.
“Employees need access to everything, including a network-based e-mail system, our CRM application, and some custom-developed client/server applications,” said Goldstone. Using IPSec VPNs, Goldstone can provide remote access to all of these applications.
Goldstone acknowledges a slightly different scenario when it comes to customers. “They only need access to an order tracking system, which is Web-based, so we use an SSL approach.”
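The gateway flow described under "How SSL-VPNs work" and the Web-only limitation above, sketched as an added example (not from the original article or any vendor's product). The accounts, roles, application names, and internal URLs are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed accounts: username -> (salt, password hash, role)
USERS = {
    "alice": (b"salt-a", _hash("employee-pass", b"salt-a"), "employee"),
    "acme": (b"salt-c", _hash("customer-pass", b"salt-c"), "customer"),
}

# Constructed catalogue: URL prefix -> (internal backend, roles allowed)
APPS = {
    "/orders": ("http://orders.internal.example:8080", {"employee", "customer"}),
    "/crm": ("tcp://crm.internal.example:1521", {"employee"}),  # client/server
}

def authenticate(user, password):
    """Return the user's role, or None if the credentials are wrong."""
    salt, stored, role = USERS.get(user, (b"none", b"", None))
    ok = hmac.compare_digest(stored, _hash(password, salt))
    return role if ok else None

def route(user, password, url):
    """Return (HTTP status, backend URL) for one request to the gateway."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 400, None  # the gateway is reached over SSL only
    role = authenticate(user, password)
    if role is None:
        return 401, None
    for prefix, (backend, roles) in APPS.items():
        if parts.path == prefix or parts.path.startswith(prefix + "/"):
            if role not in roles:
                return 403, None
            if urlsplit(backend).scheme not in ("http", "https"):
                return 502, None  # not a Web application: cannot be proxied
            return 200, backend + parts.path[len(prefix):]
    return 404, None

if __name__ == "__main__":
    print(route("acme", "customer-pass", "https://vpn.example.com/orders/track"))
```

The customer reaches only the Web-based order tracking backend, while the client/server application stays unreachable through the gateway even for an authenticated employee.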
While some might find the limitations of SSL-based VPNs a major hurdle, the shortcoming may quickly diminish as many companies move to Web services-enabled applications. Such applications would be accessible using the SSL-based VPN approach.
For now, companies requiring secure access to Web applications might want to consider the SSL-based VPN approach as a simpler and easier-to-use alternative to the traditional IPSec VPNs.