Bob Violino
Contributing writer

Making way for the new VPN

Dec 23, 2002 | 6 mins

Secure Sockets Layer’s arrival on the VPN scene has IP Security-based VPN vendors rethinking their product portfolios.

VPNs based on the IP Security protocol have held a grip on the market, but an alternative using Secure Sockets Layer is steadily gaining ground.

Few people familiar with network security consider SSL a wholesale replacement for IPSec as a VPN protocol. But SSL proponents say the protocol is less expensive and easier to deploy when workers need remote access to Web applications such as e-mail and corporate intranets. And now, traditional IPSec VPN vendors are scrambling to add SSL to their product mixes to meet demand.

Browser-based SSL VPN products differ from IPSec VPN wares in that they do not require companies to install VPN client software on remote devices. Users who can authenticate to a company’s network can make a secure connection from any laptop or desktop PC with a browser. That’s because SSL firewall ports generally are kept open, so firewalls need not be reconfigured to provide access.

With IPSec VPNs, each remote device must run client software, which must be updated as necessary. Also, firewalls and the IPSec devices must be configured in tandem to allow network access.

SSL in the market

Market researchers predict that worldwide sales of SSL-based VPN gear will increase during the next several years. Infonetics Research expects market growth from about $56 million this year to an estimated $840 million by 2005. However, the firm says, IPSec products will continue to make up a huge share of the VPN market. Infonetics pegs sales of IPSec VPN and firewall hardware at $1.5 billion this year and $2.5 billion in 2005.

“SSL will address all those [remote workers] who don’t really need access to many applications. It’s a simple way to give them access to things like e-mail and benefits and payroll information. Those users who need access to a broad range of applications that are not all Web-based will require IPSec clients,” says Jeff Wilson, executive director of Infonetics.

But the proliferation of Web-based applications, and the growing need for remote access, has turned SSL into a hot topic and a necessary development for traditional IPSec VPN vendors.

Check Point Software, which unveiled an SSL-based or “clientless” VPN in July, says SSL is ideal for companies that need to exchange data with business partners via extranets but don’t want to install VPN clients. IPSec VPN vendors such as Nortel and SonicWall agree. Nortel introduced the Alteon SSL appliance in September; SonicWall began offering SSL products when it acquired Phobos two years ago. In the meantime, NetScreen Technologies says it’s evaluating an SSL offering through possible partnerships.

Other IPSec VPN proponents, such as Symantec, still are evaluating how to fit SSL into their product lines. The holdup in part stems from these vendors having more or less viewed SSL as a competing technology. But as demand grows for clientless VPN connections, logic dictates that vendors add SSL-based products to their lineups.

Smaller vendors that have recognized the need for SSL VPN wares include Aspelle, Aventail, Neoteris and Whale Communications.

SSL by design

Some user companies are finding they want both SSL and IPSec VPNs. Quad/Graphics, a Pewaukee, Wis., printing services company, provides connectivity for the limited number of employees who need access to production systems and other non-Web applications via an IPSec-based VPN from Cisco. But it has given the majority of employees remote intranet and e-mail access via an SSL-based VPN using Whale’s e-Gap Remote Access Appliance.

Before Quad/Graphics installed the Whale SSL product four months ago, most employees didn’t have a remote-access option at all. “With 10,000 employees potentially wanting to get access from home or on the road, we didn’t want to have to install 10,000 [VPN] clients,” says Damian Drewek, director of technical services at Quad/Graphics. “We knew it would be a maintenance nightmare.”

Whale’s SSL appliance runs on a server in the company data center. Using this clientless approach, the company can provide secure connections without having to rewrite applications on those thousands of end-user devices, Drewek says.

Deloitte Consulting in New York also uses a combination of SSL and IPSec VPNs. Most of the firm’s employees access the corporate network while in the field via an SSL-based VPN from Aventail. Deloitte limits the use of IPSec VPNs, which it bought from Nortel, to those people who need to access applications running in the firm’s four data centers.

Larry Quinlan, Deloitte CIO, likes SSL VPNs for their ability to traverse firewalls without the need for firewall reconfiguration. “That’s important because the security department is not eager to reconfigure the firewall,” he says.

SSL’s downside, Quinlan says, is its typical limitation to Web applications. But IPSec has its drawbacks, too: it doesn’t easily traverse some firewalls, which can cause problems for mobile workers who need to get access from hotels or client offices, he adds.

SSL’s limitation to Web applications has given some users pause. Divine, a professional services company in Chicago, mainly uses an IPSec VPN from NetScreen Technologies. Many of its remote workers are consultants who need broad application access, says Chuck Horvat, director of network services at Divine.

Divine hasn’t found a need for SSL VPNs, Horvat says. Instead, the company relies on an application’s Web front end and built-in SSL encryption. Microsoft Outlook is a case in point. Remote workers are authenticated with a user identification and password to access e-mail and the corporate directory.

“For us, it’s best to have an IPSec VPN pipe because of the applications people need to access,” Horvat says. “They can get to e-mail via SSL, but the majority of people still want to do things other than e-mail. Either solution is great, but each for very specific requirements.”

SSL in the end

While many say SSL will replace IPSec for VPNs to Web applications, most industry watchers say the two types of VPNs will coexist, with plenty of room in the market for both.

Infonetics’ Wilson sums it up: “They will work together to build a bigger remote access market.”

Violino is a freelance writer covering business and technology. He can be reached at

What’s at stake?


Traditional VPN vendors must figure out how to offer Secure Sockets Layer VPN products.


SSL VPN vendors include Aspelle, Aventail, Neoteris, Netsilica and Whale Communications. IPSec vendors include Cisco, NetScreen Technologies, Symantec and WatchGuard Technologies. Check Point, Nortel and SonicWall support both.

Outlook for resolution:

Each type of VPN serves a useful purpose.

User impact:
Secure remote access for Web and e-mail connectivity becomes more feasible with SSL VPNs.