
IPSec VPN alternatives gain ground

Aug 04, 2003

Vendors say Secure Sockets Layer gear now can connect remote users to corporate networks as if they were on the LAN, just like IP Security gear does, but without having to install permanent VPN clients on remote machines.

With Neoteris’ introduction of Network Connect software last week and the earlier availability of VPN Connector from uRoam (since bought by F5 Networks) and Aventail Connect from Aventail, customers can avoid the hassles of distributing and managing dedicated clients.

Instead, software agents are downloaded to remote PCs after they are authenticated to an SSL appliance located between the Internet and the corporate network.

The clientless aspect of SSL remote access has been considered a big advantage by many customers that lack the resources to maintain large IPSec deployments. (For more on the SSL-IPSec debate, see our face-off forum.)

The downside had been that SSL gear supported only proxy access to Web-based applications and certain client/server applications. Server-initiated applications, such as NetMeeting, and some custom-written applications were inaccessible. Because IPSec creates a network-layer connection, any application available on the LAN is also available via an IPSec tunnel.

Previously, SSL vendors acknowledged that when users needed network-layer access, IPSec was the way to go. Now that argument is weakening.

Maxim Management Services, a medical administration service provider in Buffalo, N.Y., is weaning its remote users off IPSec-based Cisco remote-access gear in favor of Neoteris’ Network Connect because it dramatically reduces time spent solving client-software problems, says Randy Coleman, Maxim’s CIO.

The company has used Cisco VPN gear for two-and-a-half years to give doctors and affiliated medical groups access to Maxim applications. The company tried to switch to SSL but one of its applications, called Medent, would not connect through the previous version of the Neoteris gear because it used unpredictable and uncommon firewall ports. With Network Connect, that limitation is gone. “We will use the Cisco [VPN gear] as a backup,” Coleman says.

“There is no reason for IPSec to be preferable” over SSL, says David Thompson, an analyst with Meta Group, but customers should be aware of what peripheral security is on the remote machine. Without a personal firewall and without anti-virus protection, the machine could become an access point for hackers and viruses, he says. Aventail and Neoteris have partnered with firewall and anti-virus vendors to provide these features.

Support issues have driven businesses from IPSec to SSL for years, with many organizations maintaining both for different sets of users.

While some SSL vendors offer network-layer support that gives access to applications as if the remote machine were on the LAN, they all also offer Layer 7 access to Web applications and many client/server applications as well. So it is not necessary to give everyone network-layer access. With IPSec, network-layer access is the only option.

Loews, a conglomerate in New York, uses both Cisco IPSec VPN gear and Whale Communications SSL remote-access equipment for this reason, among others. The IT staff needs network-layer access to perform its job, and uses the IPSec VPN. But most users – about 500 of them – need access to just a few resources such as e-mails, faxes and access to the company’s intranet, and they use the SSL gear, says Al Alexander, manager of Loews’ information center.
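The two ideas in the preceding paragraphs, tiering remote users between Layer 7 proxy access and a full network-layer tunnel, and refusing the tunnel to a machine that lacks a personal firewall or current anti-virus, can be sketched as a small policy model. The following is an added example written for this article, not code from Neoteris, Aventail, Whale or Cisco; the group names, resource names and posture attributes are constructed to mirror the Loews split described above.

```python
"""Toy access-policy model for an SSL remote-access gateway.

Constructed example (not vendor code). Given an authenticated user and the
posture of the machine they connect from, decide whether the gateway
proxies a fixed set of Layer 7 resources or opens a network-layer tunnel.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    """Posture facts the gateway's downloaded agent reports about the host."""
    personal_firewall: bool
    antivirus_current: bool


@dataclass(frozen=True)
class User:
    name: str
    group: str
    endpoint: Endpoint


# Hypothetical policy tables. Most users get a few named resources over the
# Layer 7 proxy; only the IT group is eligible for a network-layer tunnel.
L7_RESOURCES = {
    "staff": {"mail", "fax", "intranet"},
    "it": {"mail", "fax", "intranet", "admin-console"},
}
TUNNEL_GROUPS = {"it"}


@dataclass
class Decision:
    mode: str                               # "proxy", "tunnel" or "deny"
    resources: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def posture_failures(ep: Endpoint) -> list:
    """Return the list of posture problems; an empty list means the host passes."""
    failures = []
    if not ep.personal_firewall:
        failures.append("no personal firewall")
    if not ep.antivirus_current:
        failures.append("anti-virus missing or out of date")
    return failures


def authorize(user: User, wants_tunnel: bool) -> Decision:
    """Decide the access mode for one session.

    A tunnel exposes every LAN application to the remote host, so it is
    granted only to an entitled group and only from a host that passes the
    posture check. Everything else falls back to proxying named resources.
    """
    allowed = L7_RESOURCES.get(user.group)
    if allowed is None:
        return Decision("deny", reasons=["unknown group"])
    if not wants_tunnel:
        return Decision("proxy", set(allowed), ["application-layer access"])
    if user.group not in TUNNEL_GROUPS:
        return Decision("proxy", set(allowed),
                        ["group not entitled to network-layer access"])
    failures = posture_failures(user.endpoint)
    if failures:
        return Decision("proxy", set(allowed),
                        ["tunnel refused: " + "; ".join(failures)])
    # Tunnel mode: resources is empty because reachability is no longer
    # enumerated by the gateway; any LAN host is reachable.
    return Decision("tunnel", set(), ["network-layer access granted"])


def audit_line(user: User, decision: Decision) -> str:
    """One record per decision, the kind of per-user detail SSL gear can log."""
    return (f"user={user.name} group={user.group} mode={decision.mode} "
            f"resources={','.join(sorted(decision.resources)) or '-'} "
            f"reason={' / '.join(decision.reasons)}")


if __name__ == "__main__":
    clean = Endpoint(personal_firewall=True, antivirus_current=True)
    unpatched = Endpoint(personal_firewall=False, antivirus_current=True)
    for u, tunnel in [(User("alice", "staff", clean), False),
                      (User("bob", "it", clean), True),
                      (User("bob", "it", unpatched), True)]:
        print(audit_line(u, authorize(u, tunnel)))
```

The point of the model is the fall-back order: a user who is not entitled to, or whose machine is not fit for, network-layer access still gets the Layer 7 resources their group is allowed, which is the option IPSec alone does not offer.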

Cisco’s IPSec is more difficult to manage and maintain, he says. A recent upgrade required users to download custom batch files and reboot their machines three times before it was installed. This leaves a lot of room for error and calls for help. “It’s a support issue. It’s a time issue for downloading, and it’s an administrative issue to keep after people that haven’t done it yet,” Alexander says.

IPSec gear can cost less initially, but support for it can quickly eat up that savings, Coleman says. Cisco gear for his network cost about $6,000, and the Neoteris equipment was about $20,000, he says.

SSL vs. IPSec

Two popular Internet remote-access technologies, IPSec and SSL, offer increasingly similar features, but differences remain.

SSL

  Pro:
    Offers finer control of access and more-detailed records of remote users' activity.
    Requires no pre-distributed client software.
    Can avoid firewall configuration and network address translation problems.

  Con:
    For remote access only, not site-to-site.
    Some gear lacks network-layer access.
    Some gear lacks checks on the security of the remote machine.

IPSec

  Pro:
    Supports site-to-site and remote-access connections.
    Products are more mature.
    Initial costs can be much lower.

  Con:
    Requires distribution, configuration and maintenance of remote software.
    Requires cooperation of business partners to set up extranets.
    Access limits are not as tight as they can be with SSL.