Vendors tout easier VPNs

A new breed of products is emerging to rival traditional Internet-based VPN offerings that give remote users and business partners secure access to corporate networks.

The IP Security (IPSec) VPN alternatives promise to save customers vast amounts of administrative time by using easily configurable hardware and requiring little or no software on remote machines.

Among the companies pushing the products – which are based on the Secure Sockets Layer (SSL) technology found in most Web browsers – are start-ups Neoteris Inc., NetSilica Inc. and Netilla Networks Inc. While each newcomer is unique, they share a common goal of making VPNs easy to use, and they are all passing on IPSec.

One customer says it took a half day to install and configure NetScreen Technologies Inc.’s IPSec VPN client software on each of roughly 300 remote PCs. Switching to technology made by Neoteris meant the same remote users could access the network securely by using their Web browser, says Patrick Wilson, director of IT for Finisar, an optical components maker in Sunnyvale, Calif. “It’s not a be-all and end-all, but it’s a very good tool.”

Part of the simplicity comes from the fact that these new VPNs do less than IPSec VPNs. In particular, they don’t support legacy client/server applications that were not built for the Web. But even stripped down as they are, they handle most of the traffic VPNs typically carry.

The SSL model works for the majority of end users, according to Zeus Kerravala, an analyst with The Yankee Group Inc. “For the 80 per cent of users that need access to only 20 per cent of corporate information, it is very useful.”

How these vendors do what they do varies. But they all rely on SSL, the security protocol already present in the Web browser on most corporate PCs and used to protect Internet monetary transactions. The remote machines therefore need no additional software to install or maintain. An SSL session can be negotiated to use 168-bit Triple-DES, the same cipher strength as the Triple-DES commonly used with IPSec.

These vendors also rely on an intermediary server that sits between the remote PC and the server holding the data on the corporate LAN. The intermediary terminates the SSL session from the remote machine, then opens its own connection to the data server and relays between the two. It also buffers the corporate network from the Internet: the only traffic that has to pass the corporate firewall is SSL on a single port (normally TCP 443, the standard HTTPS port), and that rule can be restricted to allow access to the intermediary server alone.
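The intermediary described above is, in modern terms, a TLS-terminating reverse proxy. The following Go program is an added example written for this page, not code from Neoteris, NetSilica, Netilla or any other vendor mentioned. It uses Go's httptest package to stand in for both the internal application server (plain HTTP, never exposed) and the SSL listener (which gets a generated self-signed certificate, so the whole thing runs offline); the path allowlist and the sample paths /intranet/, /mail/ and /admin/ are this example's own assumptions. It shows the three outcomes a practitioner would want to confirm: a published path is relayed, an unpublished path is refused before it reaches the internal server, and cleartext HTTP aimed at the SSL port never reaches the internal server either.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Result is what the remote browser saw for one request. A transport-level
// failure (for example a refused handshake) is recorded as Status 0.
type Result struct {
	Status int
	Body   string
}

// newInternalApp is a constructed stand-in for a Web-enabled application on
// the corporate LAN. It speaks plain HTTP and is never exposed to the Internet.
func newInternalApp() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "internal app served %s %s", r.Method, r.URL.Path)
	}))
}

// newIntermediary builds the SSL-terminating intermediary: it accepts the
// remote browser's TLS session, opens its own plain-HTTP connection to the
// internal app and relays between the two. Only paths under allowedPrefixes
// are relayed; anything else is refused here, so the internal app never sees
// it. The allowlist is this example's assumption, not a vendor feature.
func newIntermediary(internalURL string, allowedPrefixes []string) (*httptest.Server, error) {
	target, err := url.Parse(internalURL)
	if err != nil {
		return nil, err
	}
	relay := httputil.NewSingleHostReverseProxy(target)
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, prefix := range allowedPrefixes {
			if strings.HasPrefix(r.URL.Path, prefix) {
				relay.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "not published through the intermediary", http.StatusForbidden)
	})
	// NewTLSServer listens with a generated self-signed certificate. A real
	// deployment installs a CA-issued certificate and listens on TCP 443, the
	// single port the firewall has to open, and only toward this host.
	return httptest.NewTLSServer(handler), nil
}

// fetch issues one request as the "remote PC" would.
func fetch(client *http.Client, rawURL string) Result {
	resp, err := client.Get(rawURL)
	if err != nil {
		return Result{Status: 0, Body: err.Error()}
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Result{Status: resp.StatusCode, Body: strings.TrimSpace(string(body))}
}

// Demo holds the three requests the example makes.
type Demo struct {
	Published   Result // allowlisted path, relayed to the internal app
	Unpublished Result // path outside the allowlist, refused by the intermediary
	PlainHTTP   Result // cleartext HTTP aimed at the TLS-only port
}

// RunDemo wires the parties together and returns what the remote browser saw.
// proxy.Client() trusts the generated certificate the way a browser trusts a
// CA-issued one; the browser needs no other software or configuration.
func RunDemo() (Demo, error) {
	app := newInternalApp()
	defer app.Close()
	proxy, err := newIntermediary(app.URL, []string{"/intranet/", "/mail/"})
	if err != nil {
		return Demo{}, err
	}
	defer proxy.Close()
	browser := proxy.Client()
	plainURL := "http://" + strings.TrimPrefix(proxy.URL, "https://")
	return Demo{
		Published:   fetch(browser, proxy.URL+"/intranet/index.html"),
		Unpublished: fetch(browser, proxy.URL+"/admin/"),
		PlainHTTP:   fetch(browser, plainURL+"/intranet/index.html"),
	}, nil
}

func main() {
	d, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("published:   %d %q\n", d.Published.Status, d.Published.Body)
	fmt.Printf("unpublished: %d %q\n", d.Unpublished.Status, d.Unpublished.Body)
	fmt.Printf("plain HTTP:  %d %q\n", d.PlainHTTP.Status, d.PlainHTTP.Body)
}
```

The point of the third request is the firewall argument in the article: because the intermediary only speaks SSL, the single opened port cannot be used to reach the internal server in the clear, whatever a remote machine sends to it.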

By contrast, IPSec remote access requires client software on each remote machine, configured with security parameters that match the gateway’s. Installing and maintaining hundreds or thousands of them in a corporate VPN can be a nightmare, Finisar’s Wilson says. The secure tunnels between the clients and a VPN gateway must also be integrated with the firewall, which means more work for the IT staff.

Of users that do not have IP VPNs, one-third said they don’t because they are happy with their current access networks, while about 13 per cent said IP VPNs are too complex and 14 per cent said the technology isn’t mature enough, according to an IDC study.

The same study says that by year-end, nearly three-quarters of corporations will use IP VPNs for at least some remote access.

But SSL-based offerings have a long way to go before they undercut IPSec, says Steve Harris, an analyst with IDC. The major contenders in VPN technology are IPSec, Layer 2 Tunneling Protocol and Point-to-Point Tunneling Protocol.

“[Use of] IPSec definitely blows the others away,” Harris says.

While SSL-based offerings promise lower administration and maintenance costs, the products aren’t inexpensive. Neoteris’ Instant Virtual Extranet appliance costs between US$15,000 and US$100,000, depending on the number of users. IPSec VPN gateways start below that and range higher, depending on their capacity.

The SSL products do not address all the uses IPSec VPNs do, vendors readily admit. “We can’t run applications and we can’t update files. That’s what VPNs do,” says Robert Marmon, CEO of NetSilica, a start-up scheduled to launch its software next month.

NetSilica relies on the secure HTTP Web protocol (HTTPS), so its software cannot handle client/server applications that aren’t Web-enabled. IPSec, on the other hand, can carry any client/server application because it protects IP packets at the network layer, beneath whatever protocol the application itself uses.

For end users who need to access their client-server applications, Finisar still uses its NetScreen VPN gear, Wilson says, because Neoteris cannot handle them.

Still, he transitioned 210 users from an IPSec VPN to SSL secure access via Neoteris, eliminating the work of managing that many IPSec clients, he says.

Some Web-based VPN products will support non-Web applications, but it requires extra work to write a custom interface for each application. Netilla’s offerings will handle client/server applications but will require custom Java development, says Jim Slaby, an analyst with Giga Information Group Inc.

Netilla describes its software as middleware analogous to Citrix, in that it also uses the terminal-server capabilities found in Microsoft, Unix and Linux servers. The Netilla Service Platform uses SSL to connect remote PCs to a Netilla server, which translates the secure HTTP Web traffic into the protocols supported by the terminal services on the corporate servers.

Products from Netilla and the like are particularly well-suited for setting up secure Internet links to share data with business partners. “The issue with IPSec is not that you can’t build a tunnel between your gateway and some other guy’s gateway. [Rather], it’s convincing their IT security director to let you through his firewall with your tunnel,” Slaby says.