
SSL: The next-generation VPN

Aug 18, 2003 | 3 mins
Network Security, Remote Access, Security

A big part of my job is translating between IT professionals, vendors and venture capitalists. It isn’t as easy as it sounds because they often use the same words to mean different things.

Take the concept of competition. To vendors, service providers and venture capitalists, a “competitive” product very often is one that looks, smells and feels a lot like yours – it relies on the same fundamental technologies to solve the same sets of problems. Under this definition, Sprint and AT&T compete with each other, and Cisco and Juniper compete with each other, but you wouldn’t say that, for example, Cisco competes with AT&T.

IT professionals generally use a different definition. To them, “competitive” products are different approaches to doing the thing you need done. For example, if you’re trying to get more bandwidth to a remote office, you might look into broadband services. You also might consider buying a router with compression or prioritization abilities that can help you do more with less. Under this definition, Cisco and AT&T do compete, because your choice is between buying a Cisco box and more bandwidth from AT&T.

Most recently, I’ve run up against this odd dichotomy of perspective when it comes to SSL vs. IPSec. Several vendors of IPSec and SSL VPN products and solutions insist that their offerings “don’t compete” with the other guys. “Oh, we’re IPSec, they’re SSL,” the CEO of one such company sniffed at me. “They’re very different technologies.”

True: SSL and IPSec are different. Or as we techies like to say, they’re orthogonal.

SSL defines a secure, encrypted communications mechanism between applications, most commonly between a Web browser and server. It’s independent of the underlying protocols (particularly IP). IPSec provides a secure, encrypted communications mechanism at the IP layer. It’s independent of the application, meaning that any application that uses IP can run across it.

However, both schemes solve the same fundamental business problem: managing and controlling third-party access to your network, applications and resources.

So I’m with the IT professionals on this one. IPSec and SSL do compete. More to the point, SSL is gaining real traction as a VPN service offering. For example, Fiberlink Communications, a managed services provider, is partnering with Neoteris, a manufacturer of SSL-based VPNs, to let Fiberlink set up and manage policy-based VPNs for companies and their third-party partners, contractors and suppliers. And Aventail and Bell Canada just signed a similar deal.

Why are SSL-based VPNs gaining momentum? Because unlike IPSec, SSL doesn’t require changes to the remote machine or network. Users don’t need to install or configure special-purpose client software, making it easier to configure and manage VPNs. The drawback is that SSL is defined for a relatively narrow set of applications.

Increasingly, though, corporations are “Webifying” their legacy apps – or even jumping whole hog into Web Services – which makes SSL increasingly attractive. So I’m confident the trend of SSL-based VPN services only will continue.