Issue dated - 13th September 2004


VPN all the way

Demand for IPSec VPNs is cooling as SSL VPNs catch on, observes RAHUL NEEL MANI

According to SANJAY JOTSHI, the productivity improvements and cost savings that VPNs offer, combined with the ease of deploying them enterprise-wide, are the primary drivers for their growth worldwide

EARLY this year, Express Computer did a story on IPSec VPNs which were hot at that time. In less than half a year since then, this category has cooled off and SSL (Secure Socket Layer) VPNs have come up to speed in a shorter than expected period. Companies are utilising Internet and remote access connectivity because private circuits—leased lines, frame relay, ATM and satellite connectivity—are very expensive. The increased penetration of secure handheld access devices has boosted remote access technologies, IPSec and SSL VPNs, which have emerged as cost-effective solutions for providing mobile workers with remote access. Choosing one of the two is proving to be a difficult task for IT managers as both technologies have their own pros and cons.

Great potential

According to Infonetics Research, managed VPNs and security are poised to grow to $38 billion by 2008. Cost, integrated design, and ease of implementation and usage are factors boosting the adoption of VPN solutions. Says Sanjay Jotshi, director, Channel Sales, Nortel Networks India, “The productivity improvements and cost savings that VPNs offer, combined with the ease of deploying them enterprise-wide, are the primary drivers for their growth worldwide, and India is no exception.” As is commonly known, VPNs have become a popular option for enterprises that need to connect far-flung areas where the telephone network is spotty and dedicated links are out of the question. VPN solutions have become extremely popular ever since corporate customers realised that they offer secure connectivity to their mobile executives. “The critical components that enterprises are looking for in VPNs are performance, reliability and availability. These factors are prompting them to start looking at appliance-based firewalls, IDS and VPN solutions that provide enhanced performance, ease of deployment and manageability,” says Java Girdhar, country manager, Juniper Networks, India & SAARC. Manufacturers and the service industry are the biggest adopters of VPN technology in India. Sub-segments such as heavy engineering, consumer durables and FMCG have pioneered the concept of using VPNs to access ERP applications from regional, branch and area offices.

Muthu Kumar, managing director, Aventail India, feels that remote access VPNs are a critical component of enterprise networks. The secure extension of company resources guarantees that users remain productive, regardless of whether they are working from home or on the road. “Originally, remote access VPNs were designed for users (over dial-up connections) who needed occasional access to corporate files or e-mail. But as employees began to extend work hours and enterprises had to deal with fully distributed workforces, remote access VPNs have become an always-on necessity to access a wide range of applications,” explains Kumar. On the other hand Rajiv Sharma, chief executive officer, Bharti Broadband and Data Group, feels that while earlier trends in India showed that enterprises other than manufacturing and distribution focused entirely on leased lines because of apprehensions regarding security and latency, “New trends show that customers in India are now more willing to adopt VPN as this technology has been proven to be secure in more developed markets. Enterprises across verticals, including banks and financial institutions, are looking at VPNs as their connectivity option.”

A report from the Burton Group says that rather than being an add-on to existing networks, VPNs are becoming a major factor in the way corporate networks are designed. Indeed, VPNs, both remote access and site-to-site, either home-grown or as part of managed services, are changing the shape of business networks.

A tough call

MUTHU KUMAR opines that IPSec continues to be the best solution for site-to-site connections, but when it comes to providing secure anywhere-to-anywhere access, SSL VPN is a better alternative

The same Burton report mentions that IPSec VPNs are already in the enterprise mainstream, whereas SSL VPNs have been accepted to the point that major corporations are installing SSL gear as their primary remote access technology. In addition, network-based MPLS VPNs are becoming more trusted and an increasingly common alternative to other Layer 2 and Layer 3 links among corporate sites. This increasing popularity of network VPN services is putting pressure on carriers and equipment vendors to increase inter-operability between the two.

While many companies that buy SSL already have IPSec, they find that SSL meets most of their needs. One shortcoming of SSL is that, without the use of Java or ActiveX downloads, it supports only Web applications or applications that have been customised to be accessible via a browser. It is also true that not all SSL vendors support all applications. IPSec, on the other hand, does not raise any such support issue. Connecting via an IPSec tunnel makes a remote machine a node on the corporate network, giving users the same access that they get when their computers are connected directly to the LAN. Using SSL gear, one can access all the resources needed—files, e-mail, corporate information—from behind firewalls at client sites, hotels and other locations not controlled by the enterprise.

Another characteristic of SSL VPN is its immunity to network address translation (NAT) problems while trying to establish tunnels through firewalls that change private IP addresses into public IP addresses. SSL traffic flows through firewall TCP Port 443, which is almost always left open, so no special firewall configuration is needed. By contrast, with IPSec, such configuration becomes necessary.
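The firewall and NAT contrast described above can be checked mechanically. The following is an added example, not part of the original article: it assumes the standard assignments (SSL on TCP 443, IKE on UDP 500, ESP as a port-less IP protocol, UDP-encapsulated ESP on UDP 4500), and the three sample paths are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    name: str
    proto: str            # "tcp", "udp", or "esp" (IP protocol 50)
    port: Optional[int]   # None: the protocol carries no port numbers

# Client-to-gateway flows each VPN type needs (standard assignments, assumed here).
VPN_FLOWS = {
    "ssl": [Flow("SSL/HTTPS", "tcp", 443)],
    "ipsec": [Flow("IKE", "udp", 500), Flow("ESP", "esp", None)],
    "ipsec-nat-t": [Flow("IKE", "udp", 500),
                    Flow("UDP-encapsulated ESP", "udp", 4500)],
}

@dataclass(frozen=True)
class Path:
    allowed: FrozenSet[Tuple[str, Optional[int]]]  # permitted (proto, port) pairs
    port_nat: bool                                  # port-translating NAT on the path

def blocked(vpn: str, path: Path) -> List[str]:
    """Reasons this VPN type cannot cross the path; an empty list means it works."""
    reasons = []
    for f in VPN_FLOWS[vpn]:
        if (f.proto, f.port) not in path.allowed:
            target = f.proto + (f"/{f.port}" if f.port else "")
            reasons.append(f"{f.name}: firewall does not permit {target}")
        elif path.port_nat and f.port is None:
            reasons.append(f"{f.name}: no port numbers for the NAT to translate")
    return reasons

def survey(path: Path) -> dict:
    """Evaluate every VPN type against one path."""
    return {vpn: blocked(vpn, path) for vpn in VPN_FLOWS}

# Constructed sample paths (hypothetical policies, not taken from the article).
HOTEL = Path(frozenset({("tcp", 80), ("tcp", 443)}), port_nat=True)
HOME_NAT = Path(frozenset({("tcp", 443), ("udp", 500), ("udp", 4500),
                           ("esp", None)}), port_nat=True)
BRANCH = Path(frozenset({("tcp", 443), ("udp", 500), ("esp", None)}),
              port_nat=False)

if __name__ == "__main__":
    for label, p in [("hotel", HOTEL), ("home NAT", HOME_NAT), ("branch", BRANCH)]:
        for vpn, why in survey(p).items():
            print(f"{label:9} {vpn:12} {'OK' if not why else '; '.join(why)}")
```

Only the SSL flow passes on all three paths; plain IPSec needs both explicit firewall rules and a path without port-translating NAT, which is the configuration burden the paragraph refers to.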

IPSec operates at the network layer, SSL at the application layer. IPSec VPNs provide secure site-to-site and remote access when the endpoint is trusted (such as a company laptop). “SSL VPNs are platform-independent and support mobile users very well. In IPSec VPN it is challenging to roll out the VPN client software to thousands of remote access users, as well as manage and maintain them. But SSL VPN software, once deployed, is easy to manage,” says Girdhar.

Kumar of Aventail says that SSL VPNs do not require complex and intrusive clients, making them easier to install and support, which leads to significant cost savings. “Since SSL is pre-installed by default on every major browser, SSL VPNs offer a clientless solution. IPSec VPNs require a device-specific client installation on the remote end-user side of the secure tunnel, which is often difficult (and in some cases even impossible) to implement on external, non-corporate-controlled devices,” he notes. SSL VPNs can extend remote access to a broader range of locations and network resources from more Internet-enabled devices. Kumar also points out that SSL VPNs provide strong security for remote access. “IPSec VPNs create a tunnel between two points, providing direct (non-proxied) access and full visibility to the entire network; once the tunnel is created, it is as if the user’s PC is physically on the corporate LAN. This creates various security risks, especially if the user is not a fully trusted employee. This granular access control is often impossible, or at best difficult, and scales poorly with a remote access IPSec VPN,” he says.

There are contrary views too. Providers in India deploy IPSec on their IP VPN backbones. It is more widespread and is what you might think of as the “conventional” VPN. IPSec-based VPNs can use up to Triple-DES encryption—the highest level of security available today—to secure communications from remote users to your network. “This requires that software be installed on remote users’ machines. The other VPN solution using SSL doesn’t require any software installation on remote PCs. This type of remote access can be cheaper to implement and/or operate than its IPSec counterpart, but with trade-offs that may limit how well it can address your remote access needs,” cautions Sharma of Bharti.

While these two technologies are not drastically different, SSL has an edge in many cases. IPSec and SSL use the Internet to connect remote users to corporate networks via secure IP tunnels. IPSec requires client software on remote PCs to create tunnels to IPSec gateways placed behind corporate firewalls. SSL, on the other hand, uses the SSL support in Web browsers as a remote client. There are no remote-access clients to maintain, so administration costs are reduced. The widespread presence of browsers also gives users the flexibility to use any Internet-connected PC with a browser as a remote machine rather than requiring a company-managed machine, as IPSec does.

JAVA GIRDHAR says that MPLS-based VPN technology not only creates an efficient network, but also allows service providers to accommodate virtually any customer's requirement for remote access, Intranets, Extranets and Internet access

This wide choice of remote machines has a downside. SSL VPN vendors have added features to purge downloaded files and records of passwords, but these can vary in their thoroughness. One reason SSL makes inroads in some companies is that it is simpler to add users. By contrast, IPSec VPNs are limited in deployment because it is difficult to add users to them. Besides, SSL can be rolled out to many more people because of its simplicity. That said, many businesses still require IPSec. Some users perceive SSL to be less secure than IPSec, perhaps because SSL is younger. Kumar feels that as remote access demands have snowballed, IPSec VPNs are too limited in the access they can provide, as well as too costly to administer and support. “IPSec continues to be the best solution for site-to-site connections. However, when it comes to providing secure anywhere-to-anywhere access, SSL VPN is a better alternative for enterprises,” states Kumar. Endorsing his views, Jotshi says that enterprises are moving from test-bed SSL VPNs to widespread business use, thus motivating major vendors and service providers to acquire SSL start-ups or introduce their own SSL products and services for remote access. “So while service providers will have to work with the network-based VPN offerings (L2-L3 based), enterprises will add, if they want to, another layer based on SSL working on the application layer,” says Jotshi.

MPLS VPN: another milestone

MPLS combines the multi-service and traffic management capabilities of ATM with the scalability of packet networks to create a best-of-breed service provider network. Key drivers towards MPLS deployment include:

(i) Cost reduction through data network convergence. MPLS facilitates the convergence of disparate Frame Relay, ATM, Ethernet and IP networks onto a single infrastructure to reduce capital and operational expenses.

(ii) Integration of voice, video and data services. MPLS’ traffic management capabilities enable this triple play of services on a common backbone.

(iii) New high-margin revenue opportunities through MPLS-based service offerings. MPLS’ flexibility, high availability and multi-service support enable service providers to offer strict SLAs, increasing revenue and margins.

Says Jotshi, “In India, many service providers are in the process of either deploying or testing this technology for their backbone networks. Nortel Networks has a very strong play in this area, and our next-generation MPLS addresses the shortcomings of current products…it provides a carrier-grade MPLS network which effectively supports multi-service traffic.” A new trend setting in now is Generalised MPLS (GMPLS). It is the application in the optical domain of the control mechanisms that make MPLS so useful in the packet domain. This extended version of MPLS enables devices in both the packet and optical layers to establish optical paths on demand, optimise resources and share intelligence. In turn, this sets the stage for profitable optical services such as optical VPNs, storage area networks and bandwidth trading. Girdhar of Juniper shares a similar opinion. He feels that enterprises in India have learnt and are appreciating the value of MPLS-based VPN services as a viable corporate wide area network (WAN) alternative. “The technology not only creates an efficient network, it also allows service providers to accommodate virtually any customer’s requirement for remote access, Intranets, Extranets and Internet access.”

MPLS VPNs will start becoming more widely used than IPSec-based IP VPNs because now the myth about security and shared networks has been destroyed, and they will probably become almost as popular as leased lines in the future. Says Sharma, “Today most of the large providers have positioned themselves with MPLS-based IP VPNs in order to keep up with market demand. A major challenge was to provide differentiated classes of services to users. In terms of connectivity it will take some time because of last-mile availability and inter-carrier inter-operability issues which need to be resolved.”

Hidden costs

According to one expert, despite the cost savings offered by VPNs, there isn’t much saving in comparison to conventional networks. This is especially true when an enterprise builds its own VPN network. Although using the Internet for carrying WAN traffic can save money compared to leased circuits or frame relay, VPNs are yet to show the desired level of savings. The time taken to set up the boxes, their configuration, and the required troubleshooting kills the savings. One must be aware of these costs and only then decide to deploy a VPN network. Considering this, a managed service offered on a flat rate can be handy and useful. Even the manageability part can be taken care of without much additional cost if you sign a service level agreement with your managed service provider.

IPSec or SSL?

The choice of technology depends on user requirements and the goals the organisation has set for itself. Once a technology is decided upon, the next step is to find the best vendor, then select the one who offers the most suitable solution based on that technology.

VPN vs VPN

IPSec

Pros
  • All IP types and services are supported (ICMP, VoIP, SQL .Net, Citrix)
  • The same technology base works client-to-site, site-to-site, and client-to-client
  • The IPSec client provides the opportunity to embed other security features (personal firewall, configuration verification, etc)
  • Gateways are typically integrated with firewall functions for access control, content screening, attack protection and other security controls

Cons
  • Typically requires client software to be installed; not all client operating systems may be supported
  • Connectivity can be adversely affected by firewalls or other devices between the client and gateway (i.e. firewall or NAT devices)
  • Inter-operability between one vendor’s IPSec clients and another vendor’s IPSec servers or gateways is generally difficult

SSL

Pros
  • SSL is integrated with all leading Web browsers (Internet Explorer, Netscape Communicator, Mozilla)
  • Popular applications such as mail clients/servers (Outlook, Eudora) support SSL
  • Operates transparently across NAT, proxy and most firewalls
  • Web plug-in may provide network-level connectivity for client/server applications

Cons
  • Only supports TCP services natively over SSL. These are typically only Web (HTTP) or e-mail (POP3/IMAP/SMTP)
  • SSL usually requires more processing resources on the gateway than IPSec
  • No native software installed in clientless scenarios. Limited ability to push security software to the endpoint (e.g., personal firewall, integrity checking, etc)
  • If sessions are not terminated at a firewall, it requires punching a hole through an organisation’s firewall(s), which precludes content inspection of the data within the HTTPS connection by firewalls
  • Web plug-ins may have limited application support, or require administrator privileges on the PC to operate
  • Not used for site-to-site VPNs. IPSec is generally used for this, which means different technologies must be used for remote access VPN and site-to-site VPN

rahul@expresscomputeronline.com

© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.