"IT departments are increasingly being asked to provide distributed
access to business critical applications and information assets," remarks
Mark Fabbi, vice president, enterprise communications, Gartner Group in a
technology report.
Fabbi’s remarks assume significance, as remote access is increasingly
becoming a challenge for many enterprises. Cutting the cost of remote
communication while putting in place an agile solution that lets mobile
employees connect to the corporate network from anywhere is at the top of
every CIO’s IT agenda these days.
However, this is easier said than done. Most of the time, perception
factors influence a CIO, and hence putting in place a new technology has
always been a challenge. This applies to remote access technologies as well.
For instance, the most preferred remote access technology now is the IP Sec
VPN. But the inherent strengths of IP Sec, security and reliability, are
undercut once one factors in the cost implications and the technology
limitations. Meanwhile, a new trend is emerging in the VPN space: the Secure
Sockets Layer (SSL) VPN, which is fast becoming a challenger to the
traditional IP Sec VPN. The biggest drivers that will propel SSL VPN are that
it is simple, easy to use, and cost effective.
IP Sec Limitations
Over the years, remote access has been achieved through leased and dial-up
methods. But this was a cumbersome process marked by slow transmission speeds.
With the advent of virtual private networks (VPN), the whole remote access
landscape changed. Users of a VPN typically dial the local POP and connect to
the corporate network. But the limitations of this technology became evident.
For instance, an IP Sec VPN requires client software to be deployed on each
user’s system, so deploying the client software on thousands of corporate
user systems is a time-consuming and laborious process. Moreover, an IP Sec
VPN also calls for training each user, and if the client software changes over
time, it demands frequent training programs. Yet another major lacuna in an
IP Sec environment is that employees have to carry their notebooks with them,
and they cannot gain access to their corporate network if their notebooks
fail to interface with the local network settings, for instance in a
conference hall.
Questions to Ponder
If you are a CIO and planning to roll out a VPN initiative, here are a few
questions to be asked.
- Can the service provider define and ensure a consistent quality of service?
- What are the security measures to ensure data protection?
- Can the network accommodate bursts in traffic as per business needs?
- Does the vendor have expertise and proof of concept in a similar industry?
- Does the service provider offer other connectivity options for current and
  future expansions?
- Is the focus of the service provider retail or corporate?
- What kind of processes and infrastructure does the service provider deploy
  for network management?
Says Rakesh Singh, general manager, Asia Operations,
Netscaler, "Today most enterprises are using VPNs based on IP Sec. Though
robust and secure, IP Sec VPNs have significant limitations. For instance, the
administrative challenges in rolling out the VPN client software to thousands of
remote access users lead to significant incremental and operational costs."
The client-specific software becomes a sore point in IP Sec. This is mainly
because there is no interoperability agreement between the manufacturers of
VPN gateways, and hence software conflicts occur. This limitation makes
IP Sec a preferred choice for site-to-site connectivity rather than for
remote access. If you are a CIO struggling to manage your remote access even
after an IP Sec deployment, then it is time to review SSL VPN, which might
offer a panacea.
SSL’s Rise
Secure Sockets Layer (SSL) was originally developed to conduct online
commerce, and hence all popular browsers have SSL embedded in them. SSL has
been around for years, but it is only in recent times that it has graduated
into a complementary VPN technology. Says an MIS manager of an auto
ancillary company in Chennai, "The core strength of an SSL-based VPN is
that it allows remote access from virtually any browser and is aptly suited
for the user on the go. It does not call for any complex set up procedures and
users can access corporate data from an independent system, even from a cyber
café. At an appropriate time we will be evaluating SSL VPN at our company."
"The beauty of a SSL solution is that the user no longer needs VPN client
software installed on their laptop or computer to get connected"
"Increasingly enterprises are facing demand to connect remote users to
enterprise applications and corporate network resources. This remote access
is possible through SSL technology"
Paul Serrano, sr director, marketing, Asia Pacific, Netscreen Technologies
Agrees V Thyagarajan, DGM, IT, Ashok Leyland, "SSL is
simpler to use and access is possible without too much hardware being carried in
the form of digital certificates and authentication devices. On the other hand,
IP Sec VPN necessitates a user to be notebook dependent."
With growing interest in SSL, the question that surfaces now is: will it
replace IP Sec VPN? Technology specialists strongly disagree with such a
school of thought. Quips Sharad Sanghi, managing director, Netmagic
Solutions, "SSL is not an alternate to IP Sec, rather it is a complementary
technology. For instance, IP Sec VPNs have two distinct offerings - the
network-to-network and remote access. So the organization’s demands will drive
SSL, if the requirements are purely remote access. That way it makes more sense
to adopt SSL than running an IP Sec based VPN."
In most instances, the debate on IP Sec versus SSL VPN is marked by cautious
optimism. SSL VPN is billed as a need-based technology, determined solely by
the remote logging patterns and the business-critical nature of remote
access to the enterprise.
"Though robust and secure, IPSec VPNs have significant limitations. The
administrative challenges in rolling out a client software to thousands of
remote users and managing them is indeed a daunting task"
Rakesh Singh, general manager, Asia Operations, Netscaler
Says Rahul Swarup, president, enterprise solutions, Sify,
"SSL VPN can be an alternative where the entire enterprise is web enabled,
and there is no client server application. But an enterprise cannot be without a
client server application and this is indeed a difficult prerequisite, and hence
SSL will be applicable only to specific scenarios of remote access."
Notwithstanding reservations towards SSL VPN, companies like
Netscaler and Netscreen Technologies are bullish about SSL VPN adoption.
Netscreen for instance has more than 1,000 customers spread across the world
with 36% market share in this space.
Says Paul Serrano, senior director-marketing, Netscreen,
"The SSL-based VPN access will take off in a big way in India as it
continues to grow globally. The key drivers that will move forward this
technology would be the ease of deployment to thousands of users cutting across
employees, partners, and customers. My view is that the VPN deployments will be
characterized by a segmented approach: site-to-site connectivity will be IP Sec
and remote access will increasingly lean on SSL."
Demystifying SSL VPN
SSL VPNs refer to HTTP-based Secure Sockets Layer (SSL) VPNs. They can run
SSL-enabled applications such as the e-mail clients Microsoft Outlook or
Eudora. SSL VPNs are often called "clientless" because most computers today
ship with a bundled Web browser that supports both HTTP and HTTPS (SSL-based
HTTP). This is in contrast to IPSec remote access scenarios, where a
vendor’s IPSec client stack must be installed on each remote access user’s
computer.
SSL operates over TCP and, like IPSec, has a setup phase, which consists of
an exchange of messages that utilize both public key and symmetric key
encryption. This exchange authenticates the client to the server through
certificates and securely generates session keys that are used to encrypt
the data and provide integrity checks. SSL makes use of various public-key
(RSA, DSA), symmetric-key (DES, 3DES, RC4), and data-integrity (MD5, SHA-1)
algorithms.
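The sidebar above names the algorithms SSL can negotiate during setup (DES, 3DES, RC4, MD5, SHA-1); RC4 has since been prohibited in TLS (RFC 7465) and current configurations generally disable the others. As an added example that is not part of the original article, this Python sketch flags OpenSSL-style cipher suite names that still rely on them. The sample suite list is constructed for illustration, and legacy_parts, audit and audit_local_default are hypothetical helper names.

```python
import ssl

# Constructed sample: suite names a gateway might offer (OpenSSL naming).
SAMPLE_GATEWAY_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "DES-CBC-SHA",
    "AES256-SHA",
]

def legacy_parts(suite):
    """Return the legacy algorithms (as named in the sidebar) used by a suite."""
    tokens = suite.upper().split("-")
    found = set()
    if "RC4" in tokens:
        found.add("RC4")
    if "CBC3" in tokens:          # OpenSSL spells 3DES as DES-CBC3
        found.add("3DES")
    elif "DES" in tokens:         # single DES
        found.add("DES")
    if tokens[-1] == "MD5":       # trailing token is the MAC/hash
        found.add("MD5")
    elif tokens[-1] == "SHA":     # a bare "SHA" suffix means SHA-1
        found.add("SHA-1")
    return sorted(found)

def audit(suites):
    """Map each flagged suite name to the legacy algorithms it relies on."""
    report = {}
    for name in suites:
        parts = legacy_parts(name)
        if parts:
            report[name] = parts
    return report

def audit_local_default():
    """Audit the suites this Python/OpenSSL build enables by default."""
    ctx = ssl.create_default_context()
    return audit(c["name"] for c in ctx.get_ciphers())

if __name__ == "__main__":
    for name, parts in audit(SAMPLE_GATEWAY_SUITES).items():
        print(f"{name}: {', '.join(parts)}")
    print("local defaults flagged:", audit_local_default())
```
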
So one is seeing a definitive trend in the VPN space with the emergence of
SSL. But at the same time, before going in for SSL, a CIO has to clearly map
the remote access pain points and implement appropriate access technologies.
The SSL technology should plug the limitations of IP Sec. Post SSL, the
enterprise will move towards a remote access regime that is software
independent, offering ubiquitous access from anywhere and granular access
control (access to corporate data as per security at the access point). SSL
also facilitates pervasive remote access for mobile employees, unlike IP Sec,
which is restricted to a few senior-level executives. Since SSL is browser
based, it is also well suited for emerging geographies.
The Indian Scenario
India right now is an IP Sec dominated geography, with major players like
Sify and Comsat Max concentrating on IP Sec deployments. Given that, industry
analysts feel that major demand will initially come from enterprises that
already have a VPN in place. Due to the IP Sec inhibiting factors, these
enterprises will embrace SSL and scale up their remote access capability.
Comments Sanghi, "SSL VPNs have a good market in India,
mainly because the laptop penetration is not that high and the mobile workforce
does not have to carry the laptop always. As long as the SSL VPN gateway is
competitively priced, I do not see any roadblocks towards SSL VPN adoption in
India."
However, it is too early to say which direction SSL will take in India, as
established players are more bent on promoting IP Sec. Meanwhile, the
emergence of SSL VPN clearly indicates that future VPN deployments will be a
mix of IP Sec and SSL. The ultimate beneficiaries obviously are the
enterprises, which no longer need to be stuck with one technology. Rather,
they can now put in place a judicious blend of technologies aimed at creating
a cost-effective and hybrid VPN architecture.