Making the VPN connection

When a VPN does its job correctly, remote users don’t notice it’s there. Packets move from site to site, user to user. Encryption algorithms scramble the data and then safely unscramble it at the other end. Information flows. Work gets done.

But this unseen extension to the enterprise network is in the midst of a major technology shift — the biggest since the mid-’90s, when VPNs first provided inexpensive Internet alternatives to carriers’ proprietary private networks. For years, software solutions based on IPSec have ruled VPNs. But new SSL appliances are changing all that.

Tried-and-true IPSec provides a layer 3 VPN solution that terminates at the firewall and grants remote users access to the entire network. On each remote computer, a client must be installed and configured — either third-party software (typically licensed from a network hardware vendor) or a client built into the operating system, such as L2TP (Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) in Windows 2000 and XP.

SSL solutions, on the other hand, operate at the application level and terminate at an appliance inside the firewall. Network administrators use the box to control user access application by application in conjunction with network authentication and authorization services. And because SSL is browser-based, users can log on securely with a Web browser using almost any device.

A host of vendors now offer SSL appliances, including Array Networks, Aventail, F5 Networks, Neoteris, and Netilla. According to research firm In-Stat/MDR, a mere $21 million in SSL devices was shipped in 2002. That number is expected to rise to $1.3 billion by 2007.

More Options for Mobility

Away from the office, users may need to tap data stored behind the firewall using various devices; not just the corporate laptop, but handhelds, computers at customer sites, or a PC in the bedroom. The need for multiple entry points was a key reason Tom Paceck,  Virtua Memorial Hospital’s assistant vice president of technology, chose an SSL.

“For us, it all comes down to mobility,” he says. “We never know where our people will be to access applications.” Many of the physicians on the hospital staff are mobile, and many more lack the patience to carry around a laptop or sign on through a VPN client.

SSL VPNs are picking up steam mainly because, unlike established IPSec VPNs, client software needn’t be installed on the user’s computer. Jeffrey A. McConocha, president of NCS DataCom, a VPN solution provider using Neoteris SSL appliances, says switching his customers to an SSL-based VPN “has virtually eliminated client [tech] support for mobile users.”

Click for larger view.

Another plus is that remote users don’t need to worry about local firewalls when they log on via SSL VPNs. By contrast, attempts to connect via IPSec client behind a NAT firewall usually fail. “SSL provides a nice,  clean solution for NAT transversal,” says Steve Schall, director of security application product management at Nokia.