• United States

Cisco to unveil SSL VPN features

Nov 06, 20034 mins
Cisco SystemsNetwork SecuritySecurity

Cisco on Monday will announce a version of its flagship VPN 3000 Series Concentrator product that includes Secure Sockets Layer VPN features, IDG News Service has learned.

Cisco on Monday will announce a version of its flagship VPN 3000 Series Concentrator product that includes Secure Sockets Layer VPN features, IDG News Service has learned.

The company added an SSL VPN called “WebVPN” to the VPN 3000 Series Concentrator, which will be included with existing IPSec VPN features at no extra cost, according to the information, which was confirmed by industry analysts.

Cisco did not respond to repeated requests for comment.

SSL VPNs are an increasingly popular technology for providing remote users with access to network resources such as e-mail, software applications and network file servers, according to Dave Kosiur, a senior analyst at The Burton Group.

As opposed to VPNs that use IPSec, SSL VPNs are typically “clientless,” meaning they do not require a separate software application to be installed on the remote user’s machine. They also rely on the SSL protocol, which is a part of most common Web servers and Web browsers and widely used to secure e-commerce transactions, Kosiur said.

Companies using SSL VPN pass connections through port 443, which most firewalls automatically allow traffic to. In contrast, IPSec requires multiple ports to be opened on firewalls to handle different elements of the IPsec VPN exchange such as message authentication headers and IKE (Internet Key Exchange) traffic, he said.

Because they use clients, IPSec VPNs can be more difficult to manage for large numbers of users. Also, business travellers who rely on IPSec VPNs often find that Internet providers such as hotels have not modified their firewalls to allow IPSec connections, denying them VPN access to their company network from the road, Kosiur said.

IPSec vendors have made progress in resolving such integration problems, but left a window open that SSL VPN vendors have used to grab market share, Kosiur said.

Cisco will offer 3000 Concentrator customers basic, clientless SSL VPN features that will enable users to access e-mail, file sharing servers and Web applications, according to the information obtained.

In addition, the 3000 Concentrator will support a limited thin client mode, in which a Java Web browser plug-in can be downloaded and used to handle operations such as port forwarding for static communications ports, according to Kosiur, who was briefed on the new features by Cisco.

The new SSL VPN features will take advantage of existing VPN 3000 IPsec capabilities such as load-balancing and high availability features, according to information obtained.

The product will not initially support products that do more sophisticated port switching, such as Citrix Systems’ terminal emulation products or IBM’s Lotus Sametime instant messaging application, Kosiur said.

That will put them somewhat behind dedicated SSL VPN vendors like Aventail.

“(Cisco) is providing what Aventail or Neoteris were offering nine months ago, so they will need to do some catch-up in terms of offering additional functionality,” Kosiur said.

Nevertheless, the features that Cisco is rolling into the 3000 Concentrator should cover around 80% of what companies use VPN for, he said.

For companies that have already invested in the 3000 Concentrator product or other Cisco hardware, that may be enough to convince IT purchasers to stay with the company for VPN as well, according to Zeus Kerravala, vice president of enterprise infrastructure at The Yankee Group.

Cisco scored at the top of a recent Yankee Group poll that asked network managers which SSL VPN vendor they would consider in the next 12 months, even though the company hadn’t even announced its SSL VPN product when the poll was conducted, he said.

In addition, IPSec is still a widely accepted VPN technology, and even preferable for so-called “power users” who need remote access to more complicated network applications and legacy systems, Kosiur said.

Cisco’s move to add both SSL VPN and IPsec on one device, at no extra cost, will put pressure on other VPN vendors to do the same, he said.

Most companies that Yankee Group has spoken with intend to use SSL VPN to extend remote access to users who haven’t had it before, rather than to replace IPSec VPN technology, Kerravala said.

If, as is expected, Cisco decides to follow the introduction of SSL VPN in the 3000 Concentrator by building SSL VPN features into its routers and switches, the company could quickly come to dominate the SSL VPN market, he said.