
Cisco, Nortel to embrace SSL-based VPNs

Nov 10, 2003 | 5 min read
Topics: Cisco Systems, Network Security, Networking

Cisco and Nortel – arguably the two biggest names in IP Security VPNs – are getting ready to shake up the fast-growing Secure Sockets Layer segment of the market, which they’ve largely ignored until now.

Cisco today is expected to announce that in January it will add SSL support to its existing VPN 3000 IPSec concentrators. The support will come as a free software upgrade called WebVPN for current customers that have support contracts. Cisco says that over time it will add SSL support to its IOS, making the functionality available to other devices.

Meanwhile, Nortel says it will add SSL support to its Contivity IPSec VPN gear in the second quarter of next year. The company next month is set to release a new hardware platform called VPN Gateway 3050 that will support SSL remote access. An upgrade to the 3050 in the second quarter of next year will support IPSec VPNs.

Nortel already has SSL support on its Alteon load-balancing switch, but this is its first IPSec/SSL product. The new device will cost about $11,000, one-third less than a comparable Alteon box.

The network giants, Cisco in particular because of its enormous corporate installed base, are likely to shake up the young SSL VPN world, which until now has been dominated by relatively new companies with a single focus on SSL remote access. SSL remote access has grown in popularity because it lets users connect securely to corporate networks from any Internet-connected computer, eliminating the need to distribute and manage client software on remote machines. This also gives users more options for connecting, such as at Internet kiosks and wireless hot spots, or via home computers. SSL also can save companies money because it requires less administration.

A wealth of SSL remote-access companies sprang up – some have grown, some have been bought and some have folded – before Cisco and Nortel came up with hybrid SSL/IPSec offerings. The list includes AEP, Aspelle (now folded), Aventail, Netilla, Neoteris (bought by NetScreen Technologies), SafeWeb (bought by Symantec), uRoam (bought by F5 Networks) and Whale Communications. These companies sell gear priced from $3,000 to $10,000, says Joel Conover, principal analyst of enterprise infrastructure for Current Analysis.

Adding SSL functionality at no charge will pressure other vendors to drop prices, which were destined to come down anyway. “Usually when you add functionality, you charge for it,” Conover says.

Even before Nortel and Cisco made their moves, they affected users’ decisions. Most of the likely customers wanted to see what Cisco would do before adopting SSL remote-access technology in their business networks, says Zeus Kerravala, an analyst with The Yankee Group, which surveyed network executives. “The mass market has been sitting on the sidelines waiting,” he says. Now the wait is over.

But for all its clout, Cisco might have waited too long for some customers. Catholic Health Systems of Buffalo, N.Y., has installed SSL remote-access gear from Neoteris because distributing IPSec client software to PCs owned by doctors in private practice didn’t work, says Doug Torre, director of networking and technical services for the healthcare provider.

When Cisco upgrades its VPN 3000s, the box that Catholic Health uses for site-to-site IPSec VPN links, the health organization will try out the SSL feature, Torre says, but will be skeptical.

“We will definitely try [the Cisco upgrade] to see what it can and can’t do,” Torre says. He is curious to see whether the Cisco gear handles all the Catholic Health applications that the Neoteris equipment can, and whether adding SSL will slow performance in handling IPSec traffic. “All-in-one boxes usually do not cut the mustard,” he says.

Nortel Contivity customer Analog Devices has used Aventail SSL gear to grant business partners access to Analog Devices’ network. The company will weigh the Nortel SSL capabilities because having both features on one device rather than two could simplify network architecture, says Ben Lasher, Analog’s communications and computing services director.

Cisco has some catching up to do to put its products’ features on par with those from other vendors, Conover says. For instance, the company says it still is working on the ability to wipe all traces of SSL transactions from remote machines so unauthorized users cannot reestablish connections. “They have 60% to 70% of what the competition has. It’s not a 100% solution,” he says, but that should come with later software upgrades.

Even competitors acknowledge that it’s just a matter of time before Cisco becomes a force in this area. “You always worry about Cisco,” says Evan Kaplan, CEO of Aventail. “Cisco is under no pressure to get it right the first time. Their distribution muscle, their account ownership, their capability . . . they’re under no pressure. . . . They will get it right.”

Senior Writer Phil Hochmuth contributed to this story.

The truth about SSL

Pros:
- Uses standard Web browsers, not separate clients.
- Controls access application by application.
- Requires less administration.
- Opens networks to partners without altering partner networks.

Cons:
- No support for voice and streaming traffic.
- No site-to-site connections.
- Might not support all applications.
- Doesn’t allow access to individual workstations.