Array looks to simplify SSL VPN access

Company's program sets up secure site-to-site networks.

By Tim Greene , Network World , 10/09/2006

Share/Email
Tweet This
Comment
Print

With its SSL site-to-site VPN gear, Array Networks is making it possible to rachet down controls on network access between business partners and to simplify the infrastructure of corporate VPNs.

Array's new Site2Site software for its existing SSL appliances will support SSL VPN connections over the Internet between LANs in separate buildings. To date, SSL VPNs have been restricted to remote-access connections between single computers and VPN gateways.

Closing the gaps in enterprise data security: A model for 360� protection: Download now

Gateway-to-gateway VPN links were the sole province of IPSec VPNs, and customers could use either IPSec or SSL VPNs for remote access.

Insurance broker Hub International in New York City chose IPSec for site-to-site access and SSL for remote access because SSL has certain advantages over IPSec, says Tarron Weir, vice president and CSO for the firm.

Related Content

IPSec vs. SSL for site-to-site connections
IPSec used to be the only site-to-site VPN option, but Array Networks' new site-to-site support in its SSL VPN gear presents the same connectivity but with some differences.

IPSec	SSL
Network-layer connection opens all resources to the other site unless they are restricted physically.	Access can be restricted per application by configuring the SSL gateway.
If both site-to-site and remote access modes are used, client software must be deployed to all remote-access machines.	Remote-access machines without clients can gain remote access to the VPN.
VPN sessions occur as if machines are on the same LAN, with data retained on remote machines.	Sessions can be conducted on safe desktops that are encrypted when the session ends.
VPN requires close integration with firewalls (and usually is sold bundled with a firewall).	All traffic goes through SSL ports that generally are open anyway in corporate firewalls.

Click to see: IPSec vs. SSL for site-to-site connections

SSL requires only a Web browser on remote machines to make a VPN connection to Web applications. With SSL, client software or a software agent can be downloaded on the fly to give remote machines full network-layer access equal to that of IPSec. IPSec remote access, on the other hand, involves installing client software and setting up tunnels ahead of time.

Hub uses Cisco IPSec gear as a backup to its frame relay network; if the frame network goes down, the IPSec equipment connects company offices to headquarters over the Internet, Weir says.

He says he will phase in Array's site-to-site features over the next two months to save on VPN administration time. "You have no idea how much time it takes to administer IPSec tunnels to business partners and vendors," he says.

With SSL, these connections can be made through standard SSL ports in firewalls. In addition, IPSec creates network-layer access, opening up all a business's resources to the remote-access user unless the business takes extra steps to isolate specific resources, says Michael Suby, an analyst with Stratecast Partners. SSL can restrict users per application via its application-layer connectivity, Suby says.

For this reason, Weir says the site-to-site SSL VPN will make it simpler to restrict the access of business partners and vendors to Hub's network. "These are trusted partners, but I still don't want to give them total access," he says.