Evaluating VPN security alternatives

Users looking for a fast, secure way to link remote employees and business partners are finding myriad choices to avoid deploying traditional IP Security-based VPNs and instead install products or services based on Secure Sockets Layer technology.

Whether SSL is an actual replacement for IP Security isn’t really up for debate, experts say: SSL is clearly a good supplement to IPSec for remote access, not a substitute for it. Rather, the question becomes: How do you go about evaluating which SSL remote-access alternative will fit your particular needs?

The place to start, say experts and businesses using SSL equipment, is figuring out what your needs are. If you have a small number of end users who just need to access Web-based applications or applications with Web interfaces, most SSL products will do.

If you have thousands of end users and they need to access client-server applications that have no Web interface, then choose more carefully, users and experts say. And depending on how demanding your need for full access to network resources is, you might need to go with an IPSec VPN after all.

The players

There are plenty of SSL alternatives from which to choose: Netilla, Neoteris, Aventail, Rainbow Technologies, OpenReach, Ingrian, Aspelle, SafeWeb – to mention a few. Despite the choices, total sales of this type of equipment for the last quarter were only US$5 million, according to Infonetics Research Inc. But Gartner Inc. projects that by 2004, 60 percent of corporate users will use SSL for remote access at least some of the time.

These SSL alternatives are attractive because they require no remote client other than the standard Web browser that already is loaded on the PC, thereby eliminating the need to install, manage and maintain client software. The idea is that SSL’s simplicity translates into an easier installation and long-term cost savings because of simpler ongoing support.

But the browser and its built-in SSL support only reach Web-based applications. While these applications and Web interfaces for legacy applications are becoming more prevalent, they are not ubiquitous. Customers who want to reach other applications cannot do so with just a browser.

So to get around this problem, SSL remote-access vendors write interfaces between these applications and SSL. In some cases, this requires loading an SSL client on the remote machine to perform this integration. Aventail, one of the oldest vendors specializing in this technology, has built a bank of non-Web applications it supports via its Connect client.

Others, such as Neoteris, send down Java applets that run as a local proxy between the application client on the remote PC and the SSL connection to the gateway: the legacy client talks to the applet on the local machine, and the applet carries that traffic over SSL. This means users must make sure the SSL remote-access vendor supports the Java virtual machine installed on their remote PCs. If not, the applet clients won’t work.
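To make the local-proxy mechanism concrete, here is an added example in Python, not any vendor's applet or code: a forwarder listens on the loopback interface, accepts a plaintext connection from a legacy application client, and relays it to the gateway over TLS. The gateway host, port and CA file are placeholders supplied by the caller; the demo function stands in a plaintext echo server for the gateway so the relay can be exercised offline.

```python
"""Local-proxy port forwarder in the style of the applet described above.

Added example, not any vendor's code. A legacy client connects to
127.0.0.1:<port> in the clear; the proxy relays that connection to the SSL
gateway, wrapping the upstream leg in TLS. Gateway address and CA file are
placeholders the caller supplies.
"""
import socket
import ssl
import threading


def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then tear both sockets down."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)  # wakes the thread pumping the other way
            except OSError:
                pass
            s.close()


class LocalProxy:
    def __init__(self, gateway_host, gateway_port, use_tls=True, cafile=None):
        self.gateway = (gateway_host, gateway_port)
        self.use_tls = use_tls
        self.cafile = cafile
        # Loopback only: nothing off-box may ride the tunnel.
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(16)
        self.port = self.listener.getsockname()[1]

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def close(self):
        self.listener.close()

    def _connect_gateway(self):
        sock = socket.create_connection(self.gateway, timeout=10)
        if not self.use_tls:
            return sock
        ctx = ssl.create_default_context(cafile=self.cafile)
        # Chain and hostname checks stay on: a forwarder that disables them
        # encrypts the session to whoever answers, not to the gateway.
        return ctx.wrap_socket(sock, server_hostname=self.gateway[0])

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = self._connect_gateway()
        except (OSError, ssl.SSLError):
            client.close()
            return
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
        pump(client, upstream)


def _echo_gateway():
    """Stand-in for the application behind the gateway: echoes until EOF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"legacy client request"):
    """Run client -> local proxy -> gateway and return what came back."""
    gw_port = _echo_gateway()
    proxy = LocalProxy("127.0.0.1", gw_port, use_tls=False)  # plaintext for the offline demo
    with socket.create_connection(("127.0.0.1", proxy.start()), timeout=5) as c:
        c.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = c.recv(65536)
            if not chunk:
                break
            got += chunk
    proxy.close()
    return got


if __name__ == "__main__":
    print(demo())
```

The two properties worth copying from this shape are the loopback-only bind and the untouched certificate verification on the gateway leg; a forwarder that listens on all interfaces or turns verification off undoes the protection the SSL gateway was bought for.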

Check Point Software and Nortel, two major IPSec vendors, recently announced entry into SSL remote access, and it will take them a while to catch up, says David Thompson, an analyst with Meta Group.

It will take another year for his company to develop support for a breadth of non-Web applications, says Mark Tuomenoksa, chairman of OpenReach, another IPSec VPN provider that now also supports SSL remote access.

Downloading these applets takes time that can delay a remote-access session and also delay individual SSL exchanges once the applet is running, Tuomenoksa says. “Reverse proxying takes up a lot of computing power,” but as PCs become more powerful, this will become less noticeable, he says.

Managing clients

Some users don’t mind adding an SSL-proxy client to their remote machines if someone else manages them. Deloitte Consulting in Atlanta uses Aventail’s SSL managed service because it enables remote access to legacy applications without Deloitte having to distribute, update and manage the clients, says Larry Quinlan, the firm’s CIO. Deloitte also uses Aventail’s clientless remote-access service because sometimes its consultants borrow machines at their customers’ sites, he says. SSL is not only on these machines already, but it lets the consultants send traffic through the customers’ firewalls without having to reconfigure them.

Also, because Deloitte relies so heavily on the technology – it has no other remote-access system – the firm wants a provider that will make sure it keeps running, Quinlan says.

Beyond applications support, customers might demand strong authentication of users accessing corporate networks via SSL. SecureSoft Systems, a medical care software application provider in Laguna Hills, Calif., says security is critical because its customers access medical records that federal requirements demand be kept confidential. SecureSoft already used SSL extensively and used Rainbow Technologies gear to accelerate SSL processing, but still needed stringent authentication, says Christopher Berlandier, SecureSoft’s CEO.

When Rainbow combined its SSL proxying gear with its iKey authentication token, SecureSoft found what it needed to protect the privacy of medical data in transit between SecureSoft and its clients, Berlandier says. “The end user doesn’t have to set anything up. We send the iKey and we no longer have to worry about user names and passwords,” he says.

Authentication methods

Vendors offer a range of authentication methods from username and password to tokens, and some are working on biometric schemes. Because SSL is in every browser, an SSL gateway is reachable from any machine on the Internet, so the authentication step is what stands between an outsider and the corporate network; customers should be sure they use a strong method, according to consultant Kent Dallas. He says that, at a minimum, users should create strong passwords.

Meta Group’s Thompson says customers should find out how many simultaneous SSL sessions a vendor’s device supports. Vendors quote figures from thousands to tens of thousands of sessions, and potential customers need to make sure they buy a box with enough horsepower for their user population. They also should check what the vendor means by a session. For some, a session is one remote user’s session with an SSL-protected application, which can consist of several individual SSL connections, because a browser opens more than one connection to a site. For others, it is the number of SSL connections open at any given time, regardless of how many users those connections belong to. The second method gives a higher count for the same load, so a vendor that counts that way needs to quote a larger figure to cover the same number of users.
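The gap between the two definitions is easiest to see on a connection log. The following is an added example, not from the article or any vendor: over a constructed log of TLS connections (user, start, end), it computes the peak under both definitions with a sweep line and turns a hypothetical vendor figure of 10,000 sessions into the number of users such a box would actually carry at this site's connections-per-user ratio.

```python
"""Turning a vendor's "sessions supported" figure into a user count.

Added example, not from any vendor or the article. The two session
definitions in the text are evaluated over a constructed connection log so
the difference is visible. Times are seconds; each record is one TLS
connection (user, start, end), end exclusive.
"""
from collections import Counter

# Constructed sample: a browser opens several TLS connections per user
# session, so alice and bob each count more than once by connection.
SAMPLE_LOG = [
    ("alice", 0, 60), ("alice", 5, 70), ("alice", 10, 65),
    ("bob", 20, 80), ("bob", 25, 85),
    ("carol", 90, 120),
]


def _events(records):
    """Sweep-line events sorted by time; ends (-1) sort before starts (+1) on a tie."""
    ev = []
    for user, start, end in records:
        if end <= start:
            raise ValueError(f"bad interval for {user}: {start}..{end}")
        ev.append((start, +1, user))
        ev.append((end, -1, user))
    return sorted(ev)


def peak_tls_connections(records):
    """Second definition in the text: most TLS connections open at any instant."""
    open_now = peak = 0
    for _, delta, _ in _events(records):
        open_now += delta
        peak = max(peak, open_now)
    return peak


def peak_user_sessions(records):
    """First definition: most distinct users with at least one open connection."""
    per_user = Counter()
    active = peak = 0
    for _, delta, user in _events(records):
        before = per_user[user]
        per_user[user] += delta
        if before == 0 and delta == 1:
            active += 1          # user's first connection opens
        elif before == 1 and delta == -1:
            active -= 1          # user's last connection closes
        peak = max(peak, active)
    return peak


def estimate_users(vendor_sessions, records):
    """Users a box quoted for `vendor_sessions` concurrent TLS connections will
    carry, given the connections-per-user ratio observed in `records`."""
    ratio = peak_tls_connections(records) / peak_user_sessions(records)
    return int(vendor_sessions / ratio)


if __name__ == "__main__":
    print("peak TLS connections:", peak_tls_connections(SAMPLE_LOG))
    print("peak user sessions:  ", peak_user_sessions(SAMPLE_LOG))
    print("a 10,000-session box covers about",
          estimate_users(10_000, SAMPLE_LOG), "users at this ratio")
```

The ratio is site-specific: it depends on the applications in use and how many connections their clients open, so the log to feed in is one captured from your own users, not the vendor's lab.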

While there seems to be developing interest in SSL for remote access, there is also a glut of vendors, Thompson says, which will be thinned out as some get bought by larger vendors and some fold. That means the stability of the company should be a consideration for users.

“Do they have money? Are they making any money? You need to ask,” Deloitte’s Quinlan says.

The market is too young to rank the leaders yet, says Jeff Wilson, a research director at Infonetics.

Thompson says that new SSL remote-access vendors will crop up for the next six to 12 months before the weeding out process starts and some of them are bought or fold.