SSL making strides against IPSec VPNs

Secure Sockets Layer remote-access gear is winning out over IPSec in some businesses because use of browser-based SSL technology can lead to cost savings, simpler administration and easier connections with partners.

Assent, a national equities-trading firm in Hoboken, N.J., lost potential business because it connects customers to Assent servers via IPSec VPNs, says Pankaj Chandhok, director of networking. The security policies of many potential customers forbid Layer 3 access through firewalls, which is a requirement of IPSec, Chandhok says.

SSL technology operates at Layer 7, which makes it simpler to limit the resources to which remote users can connect, and therefore makes it easier to prevent remote users from gaining access to sensitive material. Most companies that ban IPSec traffic accept SSL, Chandhok says, prompting Assent to adopt Nortel SSL appliances and phase out IPSec as a way to expand its customer base.

Assent is among a growing number of companies that prefer SSL to IPSec. According to a Frost & Sullivan study, worldwide revenue for IPSec remote-access gear last year was $2 billion. Revenue for SSL VPNs was $89.7 million, less than 5% of what IPSec took in. But revenue for SSL gear is predicted to grow to 25% of what IPSec takes in by 2008, the firm says.

This growth is remarkable because the SSL gear has just one function: remote access. IPSec gear that can be used for remote access almost always includes a firewall and can include intrusion detection, virus and content scanning, Web filtering and other security applications, says Jason Wright, an analyst with Frost & Sullivan. A customer might have many reasons to buy IPSec gear, but only one for buying SSL.

While many companies that buy SSL already have IPSec, they find that SSL meets most of their needs. In Europe, $46.5 billion energy company E.On is migrating rapidly to SSL from IPSec, says Gary Cooper, the director of corporate application development.

E.On has used IPSec gear for three years, but added SSL last year, Cooper says. Currently there are about 600 users on just SSL and 1,000 on just IPSec, and that is with only e-mail available via SSL, which is the only need most users have for remote access. He expects the balance to tilt dramatically toward SSL as the company turns on Citrix in its Whale Communications SSL gear.

"We're still in a blur about who needs SSL and who needs IPSec," Cooper says.

One shortcoming of SSL is that without Java or ActiveX downloads, it supports only Web applications or applications that have been customized - some say Webified - to be accessible via a browser. Not all SSL vendors support all applications, so customers should check for the support they need; one vendor's support for a particular application might be more complete than another's. Whale gear has a download to support Citrix that E.On has been testing to make sure it supports applications well enough to bring it into production, Cooper says.

IPSec has no such problem. Connecting via an IPSec tunnel makes a remote machine a node on the corporate network, giving users the same access they get when their computers are connected directly to the LAN. While SSL doesn't treat remote machines as corporate nodes, even without Java or ActiveX agents it allows access to enough applications in many cases to meet the bulk of users' needs.

International law firm Hunton & Williams has made SSL the default remote-access method for its 800 traveling attorneys, even though all their laptops also are equipped with IPSec clients, says Pete Nelson, senior technical analyst for the firm. Hunton & Williams has installed optional Aventail client software on its laptops that automatically establishes connections to corporate sites whenever users try to access resources hosted within the firm's network.

Users don't have to launch the session manually but just log on when prompted. This cuts the number of help desk calls, Nelson says.

"Things have to be idiot-simple for lawyers to use them," he says. Using Aventail SSL gear, the attorneys can access all the resources they need - files, e-mail, corporate information - from behind firewalls at client sites, hotels and other locations not controlled by the law firm.

SSL is immune to the network address translation problems that plague IPSec gear when it tries to establish tunnels through firewalls that change private IP addresses into public IP addresses. SSL traffic flows through TCP port 443, which firewalls almost always leave open, so, unlike IPSec, it needs no special firewall configuration.

While there are similarities between the two technologies, the differences give the edge to SSL in many cases, Wright says. IPSec and SSL use the Internet to connect remote users to corporate networks via secure IP tunnels.

IPSec requires client software on remote PCs to create tunnels to IPSec gateways placed behind corporate firewalls. SSL, on the other hand, uses the SSL support in Web browsers as a remote client. There are no remote-access clients to maintain, so administration costs are reduced.

The ubiquity of browsers also gives users the flexibility to use any Internet-connected PC with a browser as a remote machine rather than requiring a company-managed machine, as IPSec does.

Cooper says many E.On remote users tap into corporate e-mail via SSL from their own computers. "If the PC isn't working, it's not the company's responsibility to fix any problems," he says. "It's cost avoidance - we avoided buying notebook PCs used just for e-mail."

This wide choice of remote machines has a downside. Materials downloaded to an unsecured computer, such as one at an Internet kiosk, can be used by subsequent users. Many SSL remote-access vendors have added features to purge downloaded files and records of passwords, but these vary in their thoroughness. Some vendors are adding a virtual desktop, or sandbox, in which secure SSL sessions are held; when the session ends, the virtual desktop is wiped out.

Unsecured machines also might harbor malicious code that can be passed into corporate networks, so many SSL vendors supply software that evaluates the remote machine for anti-virus software and checks whether its operating system is properly patched. If the machine fails, the user can be denied access or allowed a lower level of access to keep the machine from passing along infections. Not all SSL vendors offer this option.
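The two gateway behaviours described above (Layer 7 access limited per application, and a posture check that downgrades rather than simply denies a session) can be modelled as a small policy engine. This is an added illustration, not code from the article or from any vendor named in it; the tier names, the application catalogue and the patch-level threshold are constructed values.

```python
"""Constructed model of an SSL VPN gateway's access decision.

A Layer 7 gateway knows which application a user asks for, so it can grant
access per application instead of per network. An endpoint posture report
(anti-virus present, OS patch level) selects an access tier; a failing
machine is either denied or dropped to a reduced tier, as the article describes.
"""
from dataclasses import dataclass

# Assumed minimum patch level the gateway insists on (constructed value).
REQUIRED_PATCH_LEVEL = 3

@dataclass(frozen=True)
class Posture:
    antivirus_running: bool
    patch_level: int

# Applications reachable in each tier. "limited" is the lower-level access
# an unpatched machine gets: e-mail only, the most common remote need.
TIER_APPS = {
    "full": {"webmail", "citrix", "fileshare", "intranet"},
    "limited": {"webmail"},
    "denied": set(),
}

def classify_endpoint(posture: Posture) -> str:
    """Map a posture report to a tier: no anti-virus -> denied,
    anti-virus but stale patches -> limited, otherwise full."""
    if not posture.antivirus_running:
        return "denied"
    if posture.patch_level < REQUIRED_PATCH_LEVEL:
        return "limited"
    return "full"

def authorize(user_apps: set, posture: Posture, app: str) -> bool:
    """Per-request decision: the application must be granted to the user
    AND fall inside the tier the endpoint earned. Nothing else on the
    corporate network is reachable, unlike a full IPSec tunnel."""
    return app in user_apps and app in TIER_APPS[classify_endpoint(posture)]

def reachable_apps(user_apps: set, posture: Posture) -> list:
    """Everything this user can reach from this endpoint, for an audit view."""
    return sorted(a for a in user_apps if authorize(user_apps, posture, a))

if __name__ == "__main__":
    # Constructed sample: a traveller's patched laptop vs. a kiosk PC without AV.
    grants = {"webmail", "citrix"}
    print(reachable_apps(grants, Posture(True, 4)))   # full tier
    print(reachable_apps(grants, Posture(True, 1)))   # limited tier
    print(reachable_apps(grants, Posture(False, 9)))  # denied
```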

One reason SSL makes inroads in some companies is that it is simpler to add users. "IPSec VPNs are limited in deployment because it is such a pain in the neck," Wright says. "SSL can roll out to so many more people because of its simplicity. It's easier to let more people use it."

That being said, many businesses still require IPSec. One large client requires Hunton & Williams lawyers to use IPSec to connect to its network, Nelson says. Perhaps because SSL is younger, some users perceive it as less secure, says Steve Harris, an analyst with IDC. "We ask if they know why it's less secure, and they say no," he says of corporate users he surveys.

"It's just a feeling within our IT security staff that IPSec is more secure. They prefer IPSec with a secure laptop and an encrypted disk rather than an insecure PC," E.On's Cooper says.

Still, installing, managing and maintaining IPSec clients and configuring VPN routes is too much of a burden for many IT departments, Harris says. As a result, companies will come to rely more on SSL for users who don't need full network access, but companies will always have power users who need that type of access, Harris says.

"SSL is going to grow," Harris says, "but I don't believe for a second that IPSec is dead."

Copyright © 2004 IDG Communications, Inc.